Privacy & Data Handling

DriveState is a per-tenant training platform. Learner activity is stored against the tenant that paid for it, isolated from every other tenant, and never used to train any public AI model. This page summarizes how data moves through the system, what we keep, and what we don't.

At a glance

Per-tenant database isolation enforced at the row level by Postgres RLS.
Database credentials never reach the browser; the service-role key is server-side only.
Customer + learner audio streams in real-time through Gemini Live and is not retained by Google for model training.
LiveAvatar receives text strings only — no audio, no learner identity, no PII.
No third-party analytics SDKs. No advertising trackers. No cross-tenant access.
Tenant owns all data in their tenant. Deletion endpoints available on request.

1. Architecture & data flow

The browser talks to a Next.js application hosted on Vercel, which in turn talks to a Postgres database (with the pgvector extension) hosted on Supabase. Learner audio is captured in the browser and streamed directly to Google's Gemini Live API; the AI counterpart's reply comes back through the same channel. When the avatar is on, the avatar's spoken text — and only the text — is forwarded over a separate WebSocket to LiveAvatar, which returns a rendered video stream to the browser.

Vercel and Supabase are both SOC 2 Type II certified. The default deployment region is the United States; an EU deployment is available for tenants with data residency requirements.

2. Tenant isolation

Every domain object — learner, session, turn evaluation, mastery score, content asset, content chunk — carries a tenant_id. Postgres row-level security policies ensure no query, including a malformed or malicious one from the application, can return rows across tenants. A new tenant gets its own row in the tenant table; all of its data hangs off that row via foreign key. There is no shared learner pool, no shared mastery pool, no shared content library.

3. Authentication & access

The Supabase service-role key (the credential that bypasses RLS) is stored as a Vercel environment variable and is only ever read by serverless functions running server-side. The browser never sees database credentials. There is no public anon key in the client bundle.

The current demo environment is additionally protected by an access-code gate that an unauthenticated visitor cannot bypass — every backend API route is independently enforced by Edge middleware, not just the UI. Production deployments integrate with the tenant's identity provider (SAML, OIDC, or SCORM-tunneled SSO) so only authorized employees can sign in.

4. What we store about a learner

The learner record itself is intentionally minimal:

An email address (or SSO subject), used only to identify the same learner across devices.
A display name and role (e.g. client-advisor).
A timestamp for when the learner first appeared.

Per session, we store:

Start and end timestamps.
A transcript of the conversation (learner text + customer text).
Per-turn evaluation results (per-concept state: green / yellow / orange / red).
The running mastery score for each concept the learner has now exercised.

We do notstore demographic data, performance reviews, commission information, compensation, customer-facing sales records, or any data about the real customers the learner will eventually serve. The platform is a training simulator; it has no awareness of the learner's real-world transactions.

5. What we do not store

Raw audio. Learner microphone audio and AI counterpart reply audio are streamed in real time; neither party retains the audio after the conversation ends. The transcript is retained; the audio is not.
Avatar inputs. LiveAvatar receives the AI counterpart's text only — no learner identity, no audio, no transcripts. The avatar has no record of who it was rendering for.
Biometric data. No facial recognition, no voiceprints, no behavioral biometrics.
Third-party trackers. No Google Analytics, no Mixpanel, no advertising pixels, no fingerprinting. The single browser-storage key we set is the learner's own email so they don't have to retype it across devices.

6. Third-party processors

DriveState relies on three external services. Each one only receives the minimum data needed to do its job.

Google — Gemini Live (audio I/O) + Gemini Embeddings (retrieval)

Processes learner audio in real time and returns the AI counterpart's reply. Also embeds query text for content retrieval. Per Google's published Generative AI API terms, content sent through the API is not used to train or improve Google's foundation models. The Google API is the only AI provider in the live conversation loop.

HeyGen — LiveAvatar (video rendering)

Receives plain text (the AI counterpart's next utterance), renders the avatar speaking that text, and streams the video back. Receives no learner identity, no email, no transcript, and no audio. LiveAvatar is invoked only when the avatar is enabled; in audio-only mode it is never called at all.

Supabase — Postgres database + asset storage

Stores tenant data (learners, sessions, mastery, authored content) and tenant asset files (coach videos, content snapshots). Encrypted at rest with AES-256; encrypted in transit with TLS 1.2+. SOC 2 Type II certified. The database is per-deployment, never shared across tenants other than at the schema level.

Vercel — application hosting

Serves the application bundle and runs the serverless API routes. Sees request metadata (URLs, headers, response codes) for operational logging but does not persist learner transcripts or mastery data. SOC 2 Type II certified.

7. Retention & deletion

Tenant data is retained for as long as the tenant is active. On contract termination, all tenant rows can be deleted in cascade — sessions, turn events, mastery, content assets, content chunks, asset files — leaving no residual data in our systems. The deletion is idempotent and operates entirely within the tenant scope.

Individual learner deletion (right-to-erasure) is supported at the application level: a learner's sessions, turn events, and mastery scores can be wiped in one call while preserving the tenant's aggregate analytics. Learner deletion is already an in-product action available to administrators.

8. Encryption

In transit: TLS 1.2 or higher between every component.
At rest: AES-256 on the Supabase Postgres database and the Supabase asset bucket.
Secrets: Live in Vercel and Supabase environment variables. Never in source code, never in version control, never sent to the browser.

9. How we use AI, specifically

The AI components in DriveState are all in the live conversation loop, never in the background:

The AI counterpart (Gemini Live). Generates the AI counterpart's speech in response to the learner. Each session starts fresh; there is no persistent state across learners, no memory between sessions.
The evaluator (Gemini 2.0 Flash). Scores the learner's most recent turn against the tenant's authored rubric. The prompt contains the rubric, retrieved authored coaching, and the turn itself — no other learners' data is ever in any prompt.
The coach (authored content + retrieval). Returns the tenant's own coaching language; the LLM is not asked to invent guidance, only to find the most relevant authored snippet.
No fine-tuning. We do not fine-tune any model on tenant data. The same base models serve every tenant; the difference is the per-tenant content the prompts are grounded in.

10. Open items, configurable per tenant

A few choices are configurable rather than fixed:

Audio retention: off by default; can be turned on per tenant if QA review is wanted.
Deployment region: US by default; EU available on request.
Data Processing Addendum (DPA) and custom retention SLAs available on request.
SSO/SCORM integration tailored to the tenant's LMS.

Last updated: 2026-05-29. Questions or a request for a tenant-specific DPA? Email terry@1010development.com.