Privacy Policy

Condor Vision (operated by Chicha Technology LLC, "we", "us") provides a cloud visual monitoring service. This policy explains what we collect, how we use it, and the choices you have. We collect only what we need to run the service and we do not sell your data.

1. Information We Collect

Account data. Email address, hashed password (when applicable), API keys, chosen plan, and billing identifiers from Stripe.

Camera content. JPEG frames you (or your edge agent) upload, along with metadata such as motion score, timestamp, and any analysis output. Frames are stored for the retention window of your plan (1, 14, or 30 days) and then deleted automatically.

Audio (opt-in only). If you turn on the per-camera microphone, Condor captures short audio chunks (~30 seconds) in WebM/Opus and stores them in Google Cloud Storage alongside that camera's frames. Audio uses the same retention window as frames — 1, 14, or 30 days depending on plan — and is deleted automatically when the window elapses or the camera is removed. Audio is never enabled by default and is wiped when you turn the mic off. We send audio to Google Gemini only when your question references hearing or sound.

Operational data. Request logs, error traces, and minimal client metadata (IP address, user agent) for security and abuse prevention. Logs are retained for up to 90 days.

2. How We Use It

• To deliver the service: storing frames, running AI analysis, sending webhooks.
• To operate billing and send transactional email (verification, alerts, receipts).
• To investigate abuse, debug failures, and improve reliability.

We do not use your camera content to train AI models. Frames are sent to Google Gemini for inference only; Gemini's terms prohibit reuse for training.

3. Sub-processors

To provide the service we share data with:

• Google Cloud Platform — hosting, storage, Pub/Sub.
• Google Gemini — AI vision analysis.
• Stripe — payment processing.
• Google Workspace (Gmail) — transactional email delivery.
• Firebase Authentication — sign-in (Google, email/password).

3a. AI Transparency (EU AI Act Art. 52)

Condor Vision uses an AI system to analyze images you submit. Specifically:

• Provider: Google Gemini (model family: gemini-2.5-flash and gemini-2.5-pro), accessed via Google Cloud Vertex AI.
• What it does: Generates natural-language answers about image content, evaluates user-defined visual conditions ("Watch"), and produces summary reports ("Monitor"). Outputs may be incorrect, incomplete, or biased and must not be relied on for life-safety, medical, legal, or other consequential decisions without independent verification.
• What it does not do: Identify or recognize specific individuals (no face-recognition lookup against a database). Frames you submit are not used to train any AI model — Gemini's terms prohibit training reuse and we do not opt into any training programs.
• Automated decision-making: Watch alerts and webhook deliveries are triggered by Gemini's image-analysis output. You configure the conditions; we route the alerts. You can disable any watch at any time, and you have the right under GDPR Art. 22 to request human review of any automated decision that produces legal or similarly significant effects on you.
• Confidence: Each alert payload includes a model-rated confidence value. Use it as guidance, not ground truth.

Customers in the EU should treat Watch and Monitor outputs as advisory only, consistent with the AI Act's transparency obligations for limited-risk AI systems.

4. Your Rights

You can:

• Export all your data at any time via GET /v1/me/export.
• Delete your account via DELETE /v1/me or by emailing us.
• Rotate your API keys from the dashboard.
• Request a copy or correction of your personal data by emailing privacy@condorbox.ai.

EU/UK residents have rights under GDPR (access, rectification, erasure, portability, restriction, objection). California residents have rights under CCPA. Submit requests to the email above; we respond within 30 days.

5. Data Retention

• Camera frames: deleted after your plan's retention window expires.
• Audio clips (when mic enabled): same retention as frames; deleted when the mic is turned off or the camera is removed.
• Account data: kept while your account is active; deleted within 30 days of account deletion.
• Audit logs and webhook delivery records: retained 90 days.
• Billing records: retained 7 years to comply with tax law.

6. Security

Data is encrypted in transit (TLS) and at rest (Google Cloud encryption). Webhook payloads are signed with HMAC-SHA256 so you can verify authenticity. We use deny-by-default authorization, JWT signature verification for Firebase tokens, and API key rotation. We do not store payment card numbers — that data lives with Stripe.

7a. Audio Recording Consent

The per-camera microphone is off by default and is only enabled when you turn it on from the camera tile. Before the first time you turn it on, Condor shows a consent dialog asking you to confirm you have legal authority to record audio in your environment.

Two-party (all-party) consent jurisdictions. Several U.S. states — including California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Vermont, and Washington — require every party to a private conversation to consent before it may be recorded. Some other jurisdictions (e.g. parts of the EU and UK) impose similar requirements. By enabling the microphone you represent that you either (a) have obtained the consent of every person whose voice may be recorded, or (b) are recording only your own voice or otherwise in a context where consent is not legally required. You are solely responsible for compliance with applicable recording laws.

Condor Vision does not perform speaker identification, voiceprint matching, or any biometric processing of audio. Audio is sent to Google Gemini only when a question you ask references hearing or sound (e.g. "did you hear anything?"). You can disable the mic at any time; doing so stops capture immediately and the trailing chunk is discarded.

7. Biometric Data

The optional edge agent, when enabled, uses OpenCV cascade classifiers for local motion detection and face detection. Face-detection events do not store face geometry templates or biometric identifiers, and images are never transmitted to a third party for biometric analysis. The edge agent only reports that a face was detected, not who the face belongs to.

Residents of Illinois (BIPA), Texas (CUBI), and Washington State who are subject to biometric privacy laws can disable on-device face detection by setting CONDOR_EDGE_FACE_DETECTION=false in the edge agent configuration.

By creating an account you acknowledge that if you enable face detection in the edge agent, motion and face-presence events may be generated based on video frames captured by your device.

8. Children

Condor Vision is not directed at children under 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If we learn that we have inadvertently collected data from a child under 13, we will delete it promptly. If you believe we have collected such data, contact us at privacy@condorbox.ai.

9. Healthcare and HIPAA

Condor Vision is NOT a HIPAA-eligible service and we do not enter into Business Associate Agreements (BAAs). Do not point cameras at medical settings, exam rooms, patient areas, or any location where Protected Health Information (PHI) may be captured or visible. Condor Vision has not implemented the administrative, physical, or technical safeguards required under HIPAA, and using it to process PHI would violate applicable law.

10. Cookies and Tracking

Essential cookies are required to operate the service:

• condor_token — Firebase session token for authentication (localStorage).
• condor_uid, condor_email — Account identifiers for the active session (localStorage).

Analytics cookies (optional) may be set if you accept them via the consent banner. These help us understand aggregate usage patterns. You can reject non-essential cookies at any time by clicking "Reject non-essential" in the cookie banner, or by clearing your browser's localStorage for this site.

condor_cookie_consent — Stores your cookie consent preference (localStorage).

11. Geographic Restrictions and Data Subject Rights

GDPR (EU/UK): EU and UK residents have rights of access, rectification, erasure, portability, restriction, and objection under the General Data Protection Regulation. To exercise these rights, use the data-export endpoint (GET /v1/me/export), the account-deletion endpoint (DELETE /v1/me), or email privacy@condorbox.ai. We respond within 30 days.

CCPA (California): California residents have the right to know what personal information is collected, to request deletion, and to opt out of sale (we do not sell personal data). Submit requests via GET /v1/me/export, DELETE /v1/me, or by email. We do not discriminate against users who exercise their CCPA rights.

12. Changes

We may update this policy. Material changes will be announced via email and on this page. Continued use after the effective date constitutes acceptance.

13. Data Controller & Contact

The data controller for the purposes of GDPR Art. 4(7) is:

Chicha Technology LLC
1209 Orange Street
Wilmington, DE 19801
United States
Email: privacy@condorbox.ai

Privacy contact: privacy@condorbox.ai. We do not currently maintain an EU representative under GDPR Art. 27; EU data subjects may direct inquiries to the address and email above.