Privacy Policy

How we collect, use, store, and protect your data.

01 Introduction

Who we are and how this policy applies.

FirstPass Inc. operates an AI-powered sales training platform. This Privacy Policy describes how we collect, use, store, and protect personal data when you use our platform.

Data controller
Your organization
For enterprise deployments, the customer organization is the data controller — they determine the purposes and means of processing personal data for their employees and users.
Data processor
FirstPass Inc.
FirstPass acts as the data processor, processing personal data on behalf of the customer organization in accordance with their instructions and our service agreement.

This policy applies to all users of the FirstPass platform, including sales representatives, managers, administrators, annotators, and observers within customer organizations.

Effective date

Version 1.1 — effective May 19, 2026, last updated May 20, 2026.

02 Data we collect

What personal data we collect and where it comes from.

We collect and process several categories of personal data to provide the FirstPass platform. Here's a breakdown of each category.

Account data
Identity & profile
Email address, display name, and profile image sourced from Google OAuth or SAML SSO. Organization membership, role assignments, and user preferences.
Practice session data
Transcripts & feedback
Conversation transcripts between users and AI-simulated customers. AI-generated performance scorecards with 7-dimension scoring, help requests, and session configuration.
Call recording data
Audio & annotations
Uploaded audio files of real sales calls stored in encrypted object storage. Machine-generated transcripts, human annotations, scores, and behavioral observations.
Coaching data
Notes & assignments
Coaching notes written by managers about specific representatives. Practice assignments created by managers for their team members.
Micro-learning data
Scenarios & practice
Manager-authored micro-learning scenarios, AI-generated conversation skeletons and persona variations, assignments linking scenarios to representatives, and practice attempt transcripts with AI feedback.
Technical & usage data
Logs & metrics
Audit log entries with timestamps, IP addresses, and user agent strings. AI model usage metrics and authentication events.
LMS integration data
Learner identifiers
When accessed via a Learning Management System: learner identifiers, names, and email addresses provided through SCORM, LTI 1.3, or xAPI protocols.

03 How we use data

Why we process your data and what we do with it.

We process personal data strictly for the purposes of providing, securing, and improving the FirstPass platform. Your data is never used to train AI models.

No model training on your data

FirstPass does not use your practice sessions, transcripts, or call data to train AI models. The AI customer simulator is prompt-engineered with your product and persona context — not fine-tuned on your team's conversations. Your data is used to serve you, and only you.

04 Third-party processors

Who processes your data and what they see.

FirstPass uses the following third-party services. No customer data is used to train any AI model. Each provider's data processing terms are linked below.

| Provider | Purpose | Data shared | Trains on data? |
|---|---|---|---|
| Anthropic | Customer simulation, feedback generation, micro-learning exercises | Prompts, conversation history, scenario data | No |
| OpenAI | Speech-to-text (Whisper) and text-to-speech (TTS-1-HD) | Audio files, text content | No |
| Deepgram | Real-time speech-to-text (Nova-2) | Real-time audio stream | No |
| Voyage AI | Text embeddings for retrieval | Text content (max 8,000 chars) | Per policy |
| Simli AI | Avatar rendering (optional) | Audio for lip-sync | Not persisted |
| AWS | Infrastructure hosting (database, storage, compute, cache) | All data categories | Per DPA |

05 Data retention

Configurable retention. Two-phase deletion.

Data retention is configurable per organization. Administrators can set retention periods independently for each data category, from 1 day to 10 years.

Practice sessions
1 to 3,650 days
Practice session transcripts and feedback scorecards. Retention period is configurable by the organization administrator, or set to unlimited.
Call recordings
1 to 3,650 days
Uploaded audio files, machine-generated transcripts, and associated annotations. Configurable or unlimited.
Audit logs
1 to 3,650 days
All audit log entries including user actions, timestamps, and IP addresses. Default is indefinite retention.
Deletion process
Two-phase
Records are first soft-deleted (hidden but recoverable for 30 days), then permanently removed along with associated files. Automated daily purge runs at 03:00 UTC.

06 Your rights

Access, export, delete, and correct your data.

We support data subject rights through built-in platform features. Most actions are available self-service — no need to file a request and wait.

Right of access
Data export
Export all your personal data via the built-in GDPR export feature. Includes user profile, practice sessions with conversation history, annotations, coaching notes, and uploaded calls.
Right to erasure
Account anonymization
Request account anonymization: email is replaced with an anonymized address, display name set to "Deleted User", sessions soft-deleted, coaching notes permanently removed.
Right to rectification
Profile updates
Update your profile information directly. Organization administrators can modify user role assignments.
Right to portability
Machine-readable JSON
The GDPR export provides personal data in a structured, machine-readable JSON format suitable for transfer to another service.
How to exercise these rights

Self-service: Data export and account deletion are available directly in the platform.
Contact: For any other requests, email shaun@myfirstpass.com.

07 Security measures

Technical and organizational measures that protect your data.

We implement comprehensive security measures across encryption, access control, monitoring, and infrastructure. For full details, see our Security page.

AES-256: Field-level encryption (GCM)
TLS 1.2+: All data in transit
6 roles: 33 granular permissions
HSTS: 1-year max-age enforced

08 Cookies

One cookie. First-party. No tracking.

FirstPass uses a single authentication cookie managed by NextAuth.js to maintain user sessions. We do not use any analytics, advertising, or social media tracking cookies.

Type
Strictly necessary
The cookie is required for platform functionality (authentication). It cannot be opted out of because the platform cannot work without it.
Scope
First-party only
No third-party cookies are set. The authentication cookie is not used for tracking, analytics, or advertising of any kind.

09 International transfers

Where your data lives and how cross-border transfers are protected.

FirstPass infrastructure is hosted on Amazon Web Services in the US-East-1 (N. Virginia) region. All personal data is stored and processed in this region.

For customers in the European Economic Area (EEA) or United Kingdom, data transfers to the United States are governed by appropriate safeguards including Standard Contractual Clauses (SCCs) as required by applicable data protection law.

AI service providers (Anthropic, OpenAI, Deepgram, Voyage AI) process data in the United States. Data transmitted to these providers is protected by TLS encryption in transit and is subject to each provider's data processing terms.

10 Contact

Questions about privacy? Get in touch.

For questions about how your organization uses FirstPass, contact your organization's administrator or data protection officer. For questions about FirstPass's data processing practices, reach out to us directly.

Privacy inquiries
shaun@myfirstpass.com
For data processing questions, data subject requests, or any privacy-related concerns.
Policy updates
Notified via email
When we make material changes, the "Last Updated" date is revised and customer organization administrators are notified via email.
Children's data

FirstPass is a business-to-business enterprise tool designed for professionals within customer organizations. The platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
