Privacy Policy

This Privacy Policy explains how Starvox Labs Pvt. Ltd. (“Starvox Labs”, “we”, “us”) collects, uses, discloses, and protects personal data when you access our websites, products, APIs, browser voice demos, and enterprise services (including the VaniVoice platform).

We collect information you provide directly and through use of the Service, including:

• Identity and Account Data: Name, email, phone, company, role, billing profile, and account credentials.
• Voice and Conversation Data: Audio input/output, voiceprints, transcripts, call metadata, outcomes, and related analytics.
• Support and Communication Data: Emails, tickets, feedback, and product inquiry forms.
• Technical Data: IP address, browser/device identifiers, session logs, and diagnostics.
• Integrations Data: CRM/context data that you connect or upload to power call flows.
• Consent and Authorization Data: Disclosure prompts, call-consent logs, and authorization evidence for cloned or synthetic voices.

Voice data (including voiceprints and cloned/synthetic voice artifacts) may be considered sensitive personal data and, in some jurisdictions, biometric data. We treat such data as high-sensitivity and apply heightened technical and organizational safeguards.

• Default position: We do not use identifiable customer recordings, transcripts, or voiceprints to train shared foundation models without your explicit opt-in.
• Model improvement: We may use anonymized and aggregated telemetry/usage data to improve platform performance, safety, and quality.
• Opt-in controls: Where optional data contribution for AI improvement is offered, participation is voluntary and can be disabled by account settings or written request.

We process personal data for the following purposes:

• Provide and operate voice AI services, including browser streaming and telephony flows.
• Authenticate users, prevent abuse, and maintain platform security and integrity.
• Monitor service quality, latency, reliability, and customer support operations.
• Bill for subscriptions/usage and manage contracts and invoicing.
• Comply with legal, tax, accounting, and regulatory obligations.
• Improve platform performance and AI quality using anonymized and aggregated usage insights. We do not use identifiable customer voice recordings or transcripts to train shared foundation models unless you explicitly opt in.

You can opt out of eligible product-improvement processing at any time from account settings or by contacting us.

Where required, we rely on one or more of the following lawful bases:

• Performance of a contract with you or your organization.
• Legitimate interests (security, analytics, product improvement, fraud prevention).
• Consent (for optional recordings, marketing communication, or region-specific requirements).
• Compliance with legal obligations.

We retain personal data only for as long as necessary for the purposes described in this policy, including contractual, legal, accounting, and security requirements.

• Call recordings: retained for 90 days by default, unless you configure a shorter/longer contracted period.
• Transcripts and call metadata: retained while your workspace remains active and then deleted or anonymized according to your retention settings.
• Voice cloning assets: retained only while enabled by you and deleted when consent is withdrawn or the feature is disabled, unless law requires retention.

You may request deletion earlier, subject to legal obligations and fraud/security exceptions.

We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 encryption in transit, and SOC 2 Type II certified infrastructure. Our servers are hosted in India (Mumbai region) to comply with data localization requirements.

We may share data with vetted service providers in the following categories:

• Cloud and Infrastructure Providers: Hosting, compute, storage, and AI model infrastructure (for example, Google Cloud).
• Communication Providers: Telephony, messaging, and call routing partners (for example, Twilio).
• Data and Identity Providers: Authentication, database, and workflow services (for example, Supabase).
• Analytics and Monitoring Tools: Service reliability, performance, and product analytics.
• Professional Advisors and Authorities: Legal, compliance, audit, tax, or lawful government requests.

We require third-party subprocessors to follow contractual data protection obligations. We do not sell personal data.

Your data may be processed in India and other countries where our providers operate. Where cross-border transfers are necessary, we implement appropriate safeguards such as contractual protections, access controls, and vendor security assessments in accordance with applicable law.

Under applicable data protection laws, you have the right to:

• Access and receive a copy of your personal data.
• Correct inaccurate personal data.
• Request deletion of your personal data.
• Withdraw consent at any time where processing is based on consent.
• Object to or restrict processing of your data.
• Data portability — receive your data in a structured format.

Before using voice features, you must have an appropriate lawful basis and explicit, informed consent where required.

• You must own the voice used in the Service or have explicit, provable authorization from the voice owner.
• Explicit consent is required before recording calls, cloning voices, and enabling long-term voice storage.
• Consent for voice cloning and long-term storage should be specific, auditable, and revocable.
• Unauthorized voice cloning, deepfake generation, deceptive impersonation, or identity misuse is strictly prohibited.
• You are responsible for configuring call disclosures and obtaining required permissions from call participants.

You may not use our Services to impersonate individuals or organizations, create deceptive synthetic identities, or conduct fraud, harassment, or unlawful surveillance. Accounts and data associated with such activity may be suspended or terminated.

We use essential cookies for authentication and session management. We do not use third-party tracking cookies. See our Cookie Policy for more details.

Our Services are intended for business users and are not directed to children. Do not submit sensitive personal data unless required for a lawful and disclosed business workflow. Voice recordings and voiceprints may be treated as sensitive or biometric data and should only be processed with clear notice, lawful basis, and enhanced safeguards.

AI-generated transcripts, summaries, classifications, and recommendations may not always be complete, accurate, or appropriate for every use case. You are responsible for reviewing outputs and for decisions made using AI-generated content. Automated actions should be implemented with human oversight and business-appropriate controls.

We may update this policy periodically. Material changes will be communicated through product notices, email, or website updates with a revised “Last updated” date.

For privacy-related inquiries, contact our Data Protection Officer at privacy@vaanilabs.in or visit our Contact page.