What we keep. What we don’t.

Bout is a voice-first sales practice tool. To run it, we collect the things you put into the product — your account, the personas and scenarios you build, the practice calls you run, and the recordings + transcripts those calls produce. We use that data to provide the service, generate coaching analyses, and keep your account secure. We don’t sell it, share it with advertisers, or use it to train third-party AI models on top of your content.

This page covers both the marketing site at getbout.app and the product itself. If your company signed you up under a separate enterprise agreement, that agreement governs your data and may add to or override what’s on this page.

Bout operates the service at getbout.app. When you sign up individually, Bout is the data controller for your account information and your practice data.

When your employer or organization signs up and adds you as a member, your organization is the controller — they decide what content gets uploaded, who has access, and how long things are retained inside the org. Bout acts as the processor on their behalf. Direct individual-rights requests to your org admin first; we’ll route to them.

Account & identity

• Your email, display name, and (optionally) profile image, captured when you sign in via Firebase Authentication.
• Your organization name + role (admin, manager, rep), and the manager you report to inside the org if one is set.
• Sign-in timestamps and device/browser metadata for security + abuse detection.

Practice content you upload

• Personas, roleplay scenarios, scoring rubrics, and any knowledge documents (decks, methodology PDFs, battlecards) you attach to ground the AI buyer.
• Custom fields and notes attached to those personas / scenarios.

Practice calls

• Audio recordings of calls between you and the AI buyer.
• Transcripts of those calls (speaker-labeled).
• AI-generated coaching analyses, scores, and recommendations derived from the transcript + your roleplay’s rubric.
• Session metadata: duration, cost in cents, error/warning events.

Billing

• Subscription state (plan, seat count, trial end date, current period). Held in our database; the source of truth lives at Stripe.
• A Stripe customer ID linking to your payment method. We never see or store full credit-card numbers ourselves — Stripe processes those directly.

Operational logs

• An audit log of state-changing actions: invites sent, members added/removed, role changes, knowledge docs uploaded, sessions analyzed, managers viewing a rep’s session. Retained for compliance and abuse investigation.
• Server access logs (IP address, user agent, request path) and error reports via Sentry. Retained 30 days.

We don’t run advertising trackers, third-party fingerprinting, or session-recording software (e.g. FullStory, Hotjar) on either the marketing site or the product.

• To run the product. Authenticate you, route practice calls through the voice provider, generate coaching reports with our LLM provider, store recordings + transcripts so you can revisit them.
• To improve our prompts and rubrics. We may review aggregate, de-identified patterns (e.g. which rubric categories see the lowest scores) to tune coaching quality. We don’t use your practice content to train any third-party AI model.
• To bill you. Process subscription charges through Stripe and email you receipts.
• To send transactional email. Invitations, password resets, billing notices, abuse warnings. We don’t send marketing email to product users without explicit opt-in.
• To keep things safe. Detect and respond to abuse, fraud, and security incidents.
• To respond to legal process. Comply with valid subpoenas, court orders, and lawful requests, where we’re required to.

We use a small number of third-party services to actually run the product. Each processes only the data they need to do their job, on our instructions.

• Firebase Authentication (Google LLC, US) — sign-in, password reset, session cookies.
• Vapi (US) — real-time voice calls, including the speech-to-text and text-to-speech that ride along (ElevenLabs voices, Deepgram transcription).
• Anthropic (US) — Claude model that generates coaching analyses from your transcripts. Anthropic does not train on data sent through their API.
• Stripe (US) — payment processing, subscription billing, hosted checkout + customer portal.
• Resend (US) — transactional email delivery (invites, password resets, billing notices).
• Cloudflare R2 (US) — object storage for recordings, knowledge documents, and persona avatars.
• Neon (US, N. Virginia) — managed Postgres database hosting your account + practice content.
• Render (US, N. Virginia) — backend application + worker hosting.
• Vercel (US) — frontend application hosting.
• Sentry (US) — error monitoring. Receives stack traces and request metadata; we scrub recording URLs and credentials before sending.

We don’t share your data with marketers, ad networks, data brokers, or third-party AI training pipelines. If we ever add a subprocessor or change one, we’ll update this list.

Account, billing, and practice data are stored in the United States (Neon, N. Virginia for Postgres; Cloudflare R2 for files). Our subprocessors may transfer limited data through their own global infrastructure (e.g. Stripe’s fraud-detection systems, Sentry’s ingestion), but the system of record is US-based.

If you’re using Bout from outside the United States, your data will be transferred to and processed in the US.

• Account data — kept until you (or your org admin) delete the account. Soft-deleted org members are retained until full org deletion so audit history stays intact.
• Practice recordings, transcripts, and analyses — kept for the lifetime of the account on Standard. Enterprise contracts can negotiate shorter retention or specific deletion schedules.
• Knowledge documents — kept until you remove them or your org is deleted.
• Audit log — kept for the lifetime of the org.
• Server logs & error reports — 30 days, then automatically purged.
• Waitlist email (legacy) — kept until you ask us to delete it or twelve months after unsubscribing, whichever comes first.
• Stripe records — Stripe retains payment records per their own retention policy and applicable financial-services law; we can’t shorten that.

You can ask us to do any of the following at any time:

• Tell you what information we hold about you.
• Export your practice content and analyses in a machine-readable format.
• Correct anything that’s wrong.
• Delete your account and the practice content tied to it.
• Stop sending you any marketing email (transactional notices will continue while you have an account).

If you’re a member of an org account, your org admin handles most of these for you and we’ll route requests to them. Email welcome@getbout.app and we’ll handle it within 30 days (usually within 7).

California residents (CCPA), EEA / UK residents (GDPR), and residents of other jurisdictions with data-protection laws have specific rights under those laws — the rights above cover the substantive ones, and we’ll honour any additional legal mechanism (data portability, objection to processing, automated-decision review, etc.) on request.

Coaching analyses, scores, and rewrites are generated by an AI model from your practice transcripts. They’re intended for self-improvement and team coaching only. They are not professional advice and aren’t designed for use in employment decisions (hiring, firing, performance reviews, promotions). If your organization wants to use Bout’s output in any HR context, that needs human review and a written internal policy — talk to us first.

The marketing site uses no tracking cookies. Inside the product we set a first-party Firebase session cookie so you stay signed in for 14 days, and we set a small number of essential preference cookies (e.g. last-used filter on the team page). We don’t use third-party advertising or analytics cookies.

We use TLS for everything in transit and AES-256 for storage at rest (handled by our infrastructure providers). Recordings are served via short-lived signed URLs (1-hour expiry) so a leaked URL stops working. Auth uses Firebase session cookies that you can revoke by signing out. We log all state-changing actions to an audit trail.

No system is perfect. If you notice a vulnerability, please email welcome@getbout.app and we’ll respond as quickly as we can.

Bout is built for working salespeople and the managers who run them. It isn’t intended for anyone under 16, and we don’t knowingly collect information from anyone under 16. If you believe we’ve collected such information by mistake, email welcome@getbout.app and we’ll delete it.

We’ll update this policy as the product changes. The “last updated” date at the top tells you when. If a change materially affects your rights or the data we collect, we’ll email registered users at least 30 days before it takes effect.

Privacy questions, deletion requests, security reports, anything else: welcome@getbout.app.

See also: Terms.