● LEGAL · PRIVACY POLICY

Privacy Policy

Last Updated: June 7, 2026. Effective Date: June 7, 2026.

Quick read:We're a B2B platform. Most data on Revenue OS belongs to the company that hired us — not to us. We process it on their behalf. We don't sell your data. We don't train third-party AI models on it. We comply with GDPR, CCPA/CPRA, and every state privacy law in force. If you're an employee of a client company and want your data deleted, ask your employer first — they control it.

This Privacy Policy describes how Stupar Enterprises LLC (“Stupar Enterprises,” “Revenue OS,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with the Revenue OS platform, websites, mobile applications, and related services (collectively, the “Services”). By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.

1. Scope & Application

This Policy applies to:

  • Visitors to userevenueos.com, jordanstupar.com, cashcards.ai, and any other website we operate;
  • Individual subscribers and trial users of Revenue OS;
  • Authorized users of client organizations that license the Services (sales representatives, managers, owners, administrators);
  • Prospects who provide information through forms, calls, demos, or other marketing channels.

This Policy does not apply to: (a) information our clients independently collect or process outside the Services; (b) third-party websites or services that integrate with Revenue OS, which are governed by their own privacy policies; or (c) products and services not provided by Stupar Enterprises.

2. Who We Are — Our Role Under Privacy Law

Stupar Enterprises is a Wisconsin limited liability company headquartered in the United States. Our role under applicable privacy laws depends on the context:

Controller (we determine the purposes and means)

  • Information we collect about visitors to our marketing websites;
  • Information about individual subscribers and trial users who contract directly with us;
  • Information about our prospects, partners, and the contacts of business customers (administrators, billing contacts);
  • Business operational data such as billing records, support tickets, and security logs.

Processor / Service Provider (we process on behalf of a client)

  • All information uploaded, generated, or transmitted by authorized users of a client organization in the course of using the Services, including call recordings, transcripts, training records, compliance scores, role play submissions, CRM data, and messages (collectively, “Customer Data”).

For Customer Data, the client organization is the controller (or “business” under the CCPA/CPRA). If you are an employee, contractor, or representative of a client and you want to access, correct, delete, or restrict processing of your Customer Data, you must contact your employer or the administrator of your client organization. We will assist them in honoring valid requests but we cannot act unilaterally on Customer Data without their authorization.

3. Definitions

“Personal Data” means information relating to an identified or identifiable natural person.

“Sensitive Personal Information” or “Sensitive Data” has the meaning given in the CCPA/CPRA and equivalent state laws — for example, precise geolocation, account credentials, contents of mail/email/text messages where we are not a party, and racial or ethnic origin.

“Customer Data” means Personal Data we process on behalf of a client organization in the course of providing the Services.

“Subprocessor” means a third-party service provider engaged by us to process Personal Data in connection with the Services.

4. Information We Collect

4.1 Information You Provide to Us

  • Account registration data: name, work email, password (hashed), company name, role, phone.
  • Billing and payment data: billing contact, billing address, last four digits of payment card and card brand (full card data is collected and stored by our payment processor, Stripe, and is never stored on our systems).
  • Communications: messages you send through the platform, support tickets, sales inquiries, replies to our outreach campaigns.
  • Profile and configuration: organizational hierarchy, manager/rep assignments, sales playbooks, scripts, and policies you choose to upload.

4.2 Information We Collect Automatically

  • Device and connection data: IP address, browser type and version, operating system, device identifiers, referring URL, time zone, language preferences.
  • Usage data: pages viewed, features used, click events, session duration, login times, session identifiers, performance and error logs.
  • Cookies and similar technologies (see Section 14).

4.3 Information We Collect Through the Services

Through normal operation of the Services, we (or our subprocessors acting under our instructions) collect and process the following on behalf of client organizations:

  • Audio and video recordings of sales calls, role plays, and training sessions submitted to the Services;
  • Transcripts of those recordings and the corresponding metadata (timestamps, speaker labels, durations);
  • AI-generated scoring, summaries, flagged moments, and coaching outputs derived from those transcripts;
  • Training course completions, quiz scores, certifications, and time-on-task data;
  • Compliance Score, performance metrics, and CRM-derived close rates and pipeline data (when the client connects their CRM);
  • Notifications, in-app messages, and direct messages between users within a client organization.

4.4 Information from Third Parties

  • CRM and integration partners: when a client connects HubSpot, Salesforce, or another CRM, we receive contact, deal, company, and activity data necessary to provide CRM-linked analytics.
  • Conferencing platforms: when a client connects Zoom or a similar platform, we receive recording files, meeting metadata, host email, participant data, and event webhooks.
  • Identity verification and fraud prevention vendors, billing processors, and analytics providers.
  • Publicly available sources, business directories, and enrichment services used for sales and marketing.

4.5 Information We Do Not Knowingly Collect

We do not knowingly collect Personal Data from individuals under 16. We do not intentionally collect Sensitive Personal Information beyond what is described in Section 12 (voice data). We are not a HIPAA-covered entity or business associate and we do not knowingly collect Protected Health Information. We are not a financial institution under GLBA and we do not knowingly collect nonpublic personal information governed by GLBA.

5. How We Use Information

We use Personal Data for the following purposes, each grounded in a legal basis under applicable law:

PurposeLegal Basis (GDPR / UK GDPR)
Providing, operating, and improving the ServicesPerformance of contract; legitimate interests
Authentication, account management, billingPerformance of contract; legal obligation
Processing Customer Data per client instructionsProcessor on behalf of client controller
AI-assisted transcription, scoring, and coaching outputsProcessor on behalf of client; legitimate interests in product improvement (with safeguards in Section 6)
Customer support and communications about the ServicesPerformance of contract; legitimate interests
Security, fraud prevention, abuse detection, and audit loggingLegal obligation; legitimate interests
Marketing communications to business prospects and existing customersLegitimate interests; consent where required
Aggregated, de-identified analytics and benchmarkingLegitimate interests
Compliance with law, court orders, and regulatory requestsLegal obligation
Enforcement of our agreements; defense of legal claimsLegitimate interests; legal claims
Corporate transactions (financing, M&A, restructuring)Legitimate interests

We do not sell Personal Data for monetary consideration. We do not “share” Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

6. AI, Automated Processing, and Profiling

Revenue OS uses artificial intelligence to transcribe calls, score sales performance, generate coaching feedback, summarize meetings, and provide compliance ratings. You should understand the following:

  • Outputs are advisory, not determinative. All Stupar AI outputs — including Compliance Scores, call ratings, role play scores, flagged moments, and coaching recommendations — are decision-support outputs. They do not by themselves trigger employment decisions, terminations, demotions, or compensation changes. Any such decision is made by a human employed by the client organization based on multiple factors, including direct observation.
  • Human review is available. If you are subject to an AI-generated score that you believe is inaccurate, you may request human review through your employer's administrator, who has the ability to override, annotate, or recalculate any score within the Services.
  • No training on Customer Data without authorization. We do not use Customer Data to train, fine-tune, or otherwise develop the underlying large language models offered by third-party AI providers (such as Anthropic and OpenAI). Our agreements with these providers prohibit them from training their general models on Customer Data submitted via their APIs. We may use de-identified, aggregated data to evaluate and improve our own product features (such as adjusting scoring rubrics).
  • AI subprocessors. Our primary AI subprocessors are listed in Section 8. Audio transcription is performed by Deepgram. Generative scoring, summarization, and coaching is performed by Anthropic (Claude) and, in limited cases, OpenAI. Embeddings used for retrieval are generated by OpenAI.
  • State AI law compliance. We design our AI features to comply with applicable laws, including Colorado SB 24-205, the Illinois AI Video Interview Act (to the extent applicable), New York City Local Law 144 (where used in covered hiring decisions — a use we do not authorize), and similar laws as they come into effect.

7. Call Recording, Voice Data, and Biometrics

7.1 Call Recording

The Services include features that allow client organizations to record sales calls, role plays, coaching calls, training sessions, and demos. Recording is initiated by the client or its authorized users, not by Stupar Enterprises. The client organization is responsible for obtaining all legally required consents from call participants, including any “all-party” or “two-party” consent required in jurisdictions such as California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. Stupar Enterprises does not initiate recording, does not select participants, and does not control disclosure to call participants.

7.2 Voice Data Is Not Used as a Biometric Identifier

We process audio recordings for the purpose of producing text transcripts and content analysis. We do not extract, generate, store, sell, lease, trade, or otherwise use any “biometric identifier” or “biometric information” as those terms are defined in the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington biometric privacy statute (RCW 19.375), the New York City Biometric Identifier Information Law, or similar laws. Specifically, we do not perform voiceprint identification, voice-based authentication, speaker verification across recordings, or any other process that would produce a unique biometric template tied to a specific individual.

7.3 Retention of Audio

Audio files are retained for ninety (90) days from the date of upload, after which they are automatically deleted from our storage systems. The resulting transcript and metadata may be retained for longer periods as configured by the client organization.

8. Subprocessors and Sharing

We share Personal Data only with the following categories of recipients, and only as necessary for the stated purpose:

8.1 Subprocessors

We use the following primary subprocessors. A current list is maintained at userevenueos.com/subprocessors and is updated as changes occur.

SubprocessorFunctionRegion
Supabase (Inc.)Database, authentication, file storageUnited States
Vercel Inc.Application hosting, edge computeUnited States
Mux, Inc.Video hosting and streamingUnited States
Deepgram Inc.Audio transcriptionUnited States
Anthropic, PBCAI scoring, summarization, generative outputsUnited States
OpenAI, L.L.C.Embeddings and limited generative outputsUnited States
Stripe, Inc.Payment processingUnited States
HubSpot, Inc.CRM (where customer integrates)United States
Resend, Inc.Transactional emailUnited States
Salesmsg Inc.SMS messagingUnited States
Zoom Communications, Inc.Conferencing recording ingest (where customer integrates)United States
Sentry / observability toolsError monitoring and loggingUnited States

Each subprocessor is bound by a written data processing agreement that imposes confidentiality, security, and purpose-limitation obligations consistent with this Policy and applicable law.

8.2 Other Sharing

We may also share Personal Data with: (i) our affiliates and subsidiaries; (ii) professional advisors (attorneys, accountants, insurers, auditors) under confidentiality obligations; (iii) parties to a corporate transaction (financing, merger, acquisition, sale of assets, bankruptcy), subject to standard confidentiality protections and successor obligations; (iv) law enforcement, regulators, or other parties where required by law or to protect our rights, property, or safety, or that of our customers or the public; and (v) any other party with your direction or consent.

8.3 No Sale; No Cross-Context Behavioral Advertising

We do not sell Personal Data and we do not “share” Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA and analogous state laws.

9. International Data Transfers

The Services are operated from the United States and Personal Data is processed in the United States. If you access the Services from outside the United States, you understand that your data will be transferred to, stored in, and processed in the United States. For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) and we apply supplementary technical and organizational measures consistent with the Schrems II decision. A copy of the applicable transfer mechanism is available on request.

10. Data Retention

We retain Personal Data for as long as is necessary to provide the Services, fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Audio recordings: 90 days from upload, then automatic deletion;
  • Transcripts and AI-generated outputs: as configured by the client organization, default indefinite while the account is active;
  • Account and billing records: for the duration of the account plus seven (7) years for tax and accounting purposes;
  • Security and audit logs: up to two (2) years;
  • Marketing data: until you opt out or three (3) years of inactivity, whichever is earlier;
  • De-identified or aggregated data: indefinitely, as it no longer constitutes Personal Data.

When an account is terminated, Customer Data is deleted within 60 days unless a longer period is required by law or requested by the client controller.

11. Security

We implement administrative, technical, and physical safeguards designed to protect Personal Data, including:

  • Row-Level Security (RLS) on every multi-tenant database table to enforce organization-level isolation;
  • Encryption in transit (TLS 1.2+) for all data flowing to and from the Services;
  • Encryption at rest for stored data via our database and storage providers;
  • Role-based access controls and least-privilege access for our personnel;
  • Production secrets stored in dedicated secret management systems and never in source control;
  • Annual third-party security audits, regular dependency scanning, automated CVE monitoring, and constant-time secret comparison for cron and webhook authentication;
  • Signed webhook verification (HMAC-SHA256) for all third-party integrations;
  • Comprehensive audit logging of administrator and security-relevant events.

No system is impenetrable. While we use commercially reasonable measures, we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and notifying us immediately if you suspect unauthorized access.

If we become aware of a breach of security that has resulted in the unlawful acquisition of Personal Data, we will notify affected individuals and authorities as required by applicable law.

12. Sensitive Personal Information

To the extent we process Sensitive Personal Information (as defined under the CCPA/CPRA and analogous laws), we do so only to perform the Services, for security and fraud prevention, and for other purposes permitted under the relevant law that do not require an opt-out. We do not use Sensitive Personal Information for inferring characteristics about you, and we do not retain it longer than reasonably necessary for the disclosed purposes. To the extent applicable law provides a right to limit the use of Sensitive Personal Information, you may exercise that right by contacting us as described in Section 18.

13. Your Rights

Subject to applicable law, you have one or more of the following rights:

  • Right to Know / Access: Request confirmation of whether we process your Personal Data and a copy of that data.
  • Right to Correct: Request correction of inaccurate or incomplete Personal Data.
  • Right to Delete / Erasure: Request deletion of Personal Data, subject to permitted exceptions (legal obligation, fraud prevention, completion of the transaction, etc.).
  • Right to Portability: Receive your Personal Data in a portable format.
  • Right to Opt Out: Opt out of sale, sharing, and certain forms of targeted advertising (not applicable to us; we do not engage in these practices).
  • Right to Limit Sensitive Personal Information Use where provided by state law.
  • Right to Restrict / Object to certain processing under GDPR.
  • Right to Withdraw Consent where processing is based on consent.
  • Right Against Automated Decision-Making where required by GDPR Article 22 — Compliance Scores and AI outputs are advisory and not solely automated decisions producing legal or similarly significant effects.
  • Right to Non-Discrimination for exercising your privacy rights.
  • Right to Lodge a Complaint with a supervisory authority (for EEA/UK residents) or your state attorney general.

These rights are recognized under the GDPR (EEA), UK GDPR, Swiss Federal Act on Data Protection, the California Consumer Privacy Act and California Privacy Rights Act, and comprehensive privacy statutes in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Rhode Island, Indiana, Tennessee, and Kentucky, as well as any analogous law in effect in your jurisdiction.

How to exercise rights

  • If we process your data as a controller, email support@jordanstupar.com with “Privacy Request” in the subject line, identify the right you are exercising, and provide enough information to verify your identity.
  • If we process your data as a processor on behalf of a client (your employer or a company you do business with), please contact that client directly. We will support them in responding to your request within the time allowed by law.

We will verify your identity using reasonable measures and respond within the timeframe required by applicable law (45 days under the CCPA, extendable by 45 days; one month under GDPR, extendable by two additional months). We will not discriminate against you for exercising any privacy right.

You may designate an authorized agent to make a request on your behalf, subject to verification.

14. Cookies and Tracking Technologies

We and our service providers use cookies, local storage, web beacons, and similar technologies for the following purposes:

  • Strictly necessary: authentication, session management, security, load balancing. These cannot be disabled.
  • Functional: remembering preferences and settings.
  • Analytics: understanding usage patterns and improving the Services. Aggregated and used in pseudonymous form.

We do not use advertising cookies and we do not participate in cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal as a valid request to opt out of sale and sharing where applicable law recognizes it. Browser-level “Do Not Track” signals are not currently recognized due to the absence of an industry-standard implementation.

You can control cookies through your browser settings; disabling strictly necessary cookies will prevent the Services from functioning.

15. Children's Privacy

The Services are not directed to individuals under 16 and we do not knowingly collect Personal Data from children. If we learn that we have collected Personal Data from a child under 16 without verified parental consent, we will delete that information. If you believe we have collected information from a child, contact us at support@jordanstupar.com.

16. Marketing Communications

We may send marketing communications to business prospects and existing customers regarding our products and services. You may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us. Transactional communications (account, billing, security) are not subject to opt-out for active accounts.

For SMS communications, message and data rates may apply. Frequency varies. Reply STOP to unsubscribe at any time. Reply HELP for help. By providing your mobile number, you consent to receive SMS messages from us; we do not share opt-in data with third parties for their marketing.

17. Third-Party Services

The Services may contain links to or integrate with third-party websites, applications, and services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any information.

18. Contact Us

Stupar Enterprises LLCAttn: Privacy
Wisconsin, United States
Email: support@jordanstupar.com
General contact: js@jordanstupar.com

For EEA, UK, and Swiss residents: we do not currently maintain an EU representative. Please contact support@jordanstupar.com directly and we will assist with your request.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, the Services, or the law. When we make material changes, we will provide notice through the Services, by email, or by posting the updated Policy with a new “Last Updated” date. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

20. Governing Law; Dispute Resolution; Class Action Waiver

This Privacy Policy is governed by the laws of the State of Wisconsin, without regard to its conflict-of-laws principles. Except where prohibited by law, any dispute arising under or relating to this Policy will be resolved exclusively by binding individual arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, seated in Waukesha County, Wisconsin. The parties waive any right to a jury trial and any right to participate in a class action, consolidated proceeding, or representative action. If any portion of this arbitration agreement is held unenforceable, the remainder shall continue in full force. Nothing in this section prevents either party from seeking injunctive or other equitable relief in a court of competent jurisdiction to protect intellectual property rights or confidential information, or from pursuing claims in small claims court where eligible.

21. Severability and Construction

If any provision of this Policy is held invalid or unenforceable by a court of competent jurisdiction, that provision shall be construed to give it maximum permissible effect and the remaining provisions shall remain in full force. Section headings are for convenience only and do not affect interpretation. The English language version of this Policy controls; any translation is provided for convenience only.

22. Entire Statement

This Policy, together with our Terms of Service and any applicable Data Processing Agreement, constitutes the entire statement of our privacy practices and supersedes any prior or contemporaneous statements regarding the subject matter.