AI Use Disclosure
Provider: Valiquest AB · Org.nr 559577-0347 · Stockholm, Sweden Service: Virtual Customer Version: v1 — 2026-04-22 (DRAFT — pre-counsel review) Public URL (after publication): https://app.virtualcustomer.io/legal/ai-use.html
The EU AI Act (Regulation (EU) 2024/1689) requires providers and deployers of certain AI systems to be transparent with users. Virtual Customer falls primarily within the "limited-risk" category (interaction with AI, generation of synthetic content). This document tells you, in plain language, where AI is in our product, what model providers we use, what we do with your inputs and outputs, and what you should and should not do with the results.
1. Where AI is in Virtual Customer
Virtual Customer is built around AI. The main places you will encounter AI are:
| Surface | What it does | Who you are talking to |
|---|---|---|
| Conversational interview | Asks questions in real time and follows up like a customer interviewer would. | An AI system. Not a human. |
| Voice mode (LiveKit) | Same as above, but in voice instead of text. The voice is synthetic (text-to-speech). | An AI system. Not a human. |
| Insight extraction | Reads transcripts and produces summaries, themes, quotes, and pain points. | An AI system. |
| Question generation | Suggests new questions based on your study brief. | An AI system. |
| Trial / billing email content | Pre-written by humans; only personalisation tokens are templated. | A human-written template. |
| Support replies | Currently written by humans (Valiquest founders / staff). | A human. |
You are interacting with an AI system whenever the surface is labelled with the AI badge or speaks via the synthetic voice.
2. EU AI Act classification
Based on our current understanding of Regulation (EU) 2024/1689:
- Article 50(1) — interaction with AI: ✅ Applies. We tell users (in the UI and here) when they are interacting with the AI system.
- Article 50(2) — synthetic audio/text/image/video: ✅ Applies to voice mode (synthetic voice) and to AI-generated transcripts/summaries. We mark such outputs in the UI and in exported artefacts.
- Article 50(3) — emotion recognition / biometric categorisation: ❌ Does not apply. Virtual Customer does not perform emotion recognition or biometric categorisation. Voice is processed for transcription only.
- Article 50(4) — deep fakes: ❌ Does not apply. We do not generate audio, video, or imagery of real persons.
- High-risk system (Annex III): ❌ Does not apply. Virtual Customer is not used for employment decisions, credit scoring, law enforcement, education access, etc. Customers are responsible for not deploying the Service in a high-risk context (see §6).
- Prohibited practices (Article 5): ❌ Does not apply. We do not perform social scoring, manipulation, real-time biometric ID, etc.
- General-Purpose AI (GPAI) provider obligations (Article 53): ❌ Does not apply to us directly. We are a deployer of third-party general-purpose models (OpenAI, Anthropic, Google AI) — see §3 — not a provider of one.
Reviewer flag: counsel to confirm the classification, especially around Article 50(2) marking obligations on machine-readable AI-generated content.
3. Models and providers we use
We use third-party large language models from one or more of the following providers, depending on the feature and the customer's organisation settings:
| Provider | Models (typical) | Region | Training on our inputs? |
|---|---|---|---|
| OpenAI (OpenAI Ireland Ltd / OpenAI L.L.C.) | GPT-class models | US | No — API tier; OpenAI does not use API inputs/outputs to train. |
| Anthropic, PBC | Claude-class models | US | No — API tier; Anthropic does not use API inputs/outputs to train. |
| Google AI (Google Ireland Ltd / Google LLC) | Gemini-class models | Google Cloud regions | No — paid API tier; Google does not use prompts to train. |
Voice mode additionally uses a real-time speech-to-text and text-to-speech path. Audio is processed transiently for transcription and is not retained by the speech provider beyond the call (or per provider's own retention policy where shorter; see DPA Annex 3).
We may switch model providers between releases for quality, cost, or latency reasons, as long as the new provider has equivalent or better data-protection commitments. Any addition or removal of a provider is reflected in the public Subprocessor List (see subprocessor-list-v1.md) with 30 days' notice.
4. What happens to your data when AI runs
When you (or one of your respondents) talks to Virtual Customer:
- Inputs (prompts, transcripts): Sent to the model provider listed in §3. Subject to the provider's API DPA — no training, abuse-monitoring retention only.
- Outputs (model replies, summaries, themes): Returned to Valiquest, stored in your organisation's Firestore document, and shown in the UI.
- Logs: We log the fact of each call (timestamp, model, latency, token counts) for billing and reliability. We do not log full prompts or full outputs, except in narrow debugging windows under explicit footer-approved investigations (see Privacy Policy §10).
- Training: Valiquest does not train any AI model on your data. We do not have a training pipeline. We do not share data with model providers for training.
If you delete a study, we delete the associated transcripts and AI outputs from our active store on the timeline described in Privacy Policy §8.
5. Limitations and risks of AI outputs
Customers and respondents should be aware:
- AI outputs can be wrong. Models hallucinate. They can invent facts, misattribute quotes, exaggerate, or under-represent edge cases.
- AI outputs are statistical. They reflect the training data of the third-party model and the prompts we use. They are not a substitute for direct customer reading.
- AI outputs reflect bias. Models can carry bias from their training data. We do not run formal fairness benchmarks on our prompts. Customers should review outputs critically before publishing them.
- AI outputs are not legal, medical, financial, or safety advice. Do not rely on Virtual Customer for any decision with legal, medical, financial, or physical-safety consequences.
- Voice mode is synthetic. The Virtual Customer voice is not a real person. We mark the voice as synthetic at session start. We do not impersonate any specific real person.
- Real-time replies may differ between sessions. The same question may receive different follow-ups across sessions due to model non-determinism.
6. What you may NOT use Virtual Customer for
Reflecting Article 5 (prohibited practices) and the high-risk list (Annex III) of the EU AI Act, and our own Acceptable Use Policy (acceptable-use-policy-v1.md once published):
- No high-risk decisions. Do not use Virtual Customer to make decisions about a person's employment, credit, education, healthcare, social benefits, immigration, criminal justice, biometric ID, or critical infrastructure.
- No deceptive deployment. Do not represent the Virtual Customer AI as a real human. Always tell respondents they are talking to an AI when their consent or expectations require it.
- No medical, psychological, or legal advice without a qualified human in the loop.
- No prohibited categories under Article 5 of the EU AI Act, including but not limited to: subliminal manipulation, exploitation of vulnerabilities of specific groups, social scoring by public authorities, untargeted scraping of facial images, real-time remote biometric identification.
- No training of competing models on Virtual Customer outputs (see Terms of Service §6 — IP).
Breach of the rules in this §6 is a material breach of the Terms of Service.
7. Transparency markings ("AI" labels)
In line with Article 50(2):
- In-product: every AI-generated section is shown with an "AI" badge or visible header. Synthetic voice is announced at the start of each session.
- In exports (PDF, CSV, transcript downloads): AI-generated summaries, themes, and quotes are marked with an "AI-generated" header. AI-paraphrased quotes (where the model has reformulated a respondent's words) are flagged separately from verbatim quotes.
- Machine-readable marking: for raw text exports we include a leading metadata block (e.g.
# AI-generated content — model: <provider>; date: <iso>). Where the EU AI Act ultimately requires watermarks or C2PA-style content credentials for synthetic content, we will add them in a future release.
Reviewer flag: counsel to confirm whether the AI Office's forthcoming guidance on Article 50(2) machine-readable marking requires us to act before our next release.
8. Human oversight
You always retain human oversight:
- You design the study brief and the question library.
- You can edit, override, or delete any AI-generated output before sharing it.
- You decide when and where to share outputs.
- Valiquest does not auto-publish, auto-share, or auto-decide anything on your behalf.
We do not have an "auto-pilot" mode where the AI takes irreversible actions in your account.
9. Reporting AI-related concerns
- Bias, harm, or unsafe output: email
info@valiquest.comwith a description, screenshot, and (if comfortable) the prompt/output. We aim to acknowledge within 5 business days. - Suspected use of the Service for prohibited practices: email
info@valiquest.com. See AUP for our enforcement steps. - EU AI Act compliance questions: email
info@valiquest.com.
10. Changes to this document
We will update this document when we materially change which AI providers we use, what data we send them, or what AI features the Service exposes. Material changes will be announced at least 30 days in advance via the in-product changelog and via the Subprocessor RSS feed if a provider changes.
Reviewer flags
For the external Swedish data protection / IT lawyer (G4.6.13):
- [REVIEW] §2 Confirm Article 50 sub-paragraph mapping — particularly whether voice mode triggers any obligation beyond §50(2) (synthetic content).
- [REVIEW] §3 Confirm "no training" representations are accurate against the current API DPAs of OpenAI, Anthropic, and Google AI as at publication. These change.
- [REVIEW] §6 Confirm whether the AUP draft (G4.6.7) cross-reference is sufficient or whether the prohibitions should be repeated verbatim here for enforceability.
- [REVIEW] §7 Confirm marking obligations under the AI Office's secondary legislation as it crystallises through 2026.
- [REVIEW] Naming "AI Office" vs "European AI Board" — use whichever the lawyer prefers per current EU communications.
End of draft v1 — 2026-04-22