Privacy Policy

Last updated: March 2, 2026

1. Overview

Vephon AI (“Vephon,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you:

  • Visit our website at vephon.com (the “Website”);
  • Use the Vephon Studio application and platform (the “Service”);
  • Access our APIs, SDKs, or developer tools; or
  • Communicate with us through any channel.

This policy applies to all users worldwide and addresses requirements under the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Illinois Biometric Information Privacy Act (“BIPA”), the EU AI Act, and other applicable data protection laws.

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

(a) Account Information

When you create an account, we collect your email address, full name, and profile picture (provided via Google Sign-In through Firebase Authentication). We receive a Firebase user identifier (UID) but do not store plaintext passwords—authentication is handled entirely by Firebase.

(b) Voice and Biometric Data

If you use our voice cloning feature, we collect:

  • Reference audio recordings you upload;
  • Reference transcripts accompanying your audio;
  • Voice embeddings and clone prompt tensors derived from your audio; and
  • Voice descriptions you provide for voice design.

Voice recordings and derived voiceprints may constitute biometric data under certain laws, including BIPA, GDPR, and the EU AI Act. We process this data only with your explicit consent. See Section 5 for detailed information.

(c) Content and Persona Data

We collect data related to AI personas you create, including display names, handles, biographical details, appearance descriptions, reference images, asset tags, outfit and location references, and any other creative inputs you provide.

(d) Generated Content

We store AI-generated content (images, audio, captions, posts) produced through the Service, along with associated metadata such as generation parameters, timestamps, and credit costs.

(e) Usage Data

We automatically collect data about how you use the Service, including features accessed, generation jobs submitted, credit consumption, session duration, content types created, platforms targeted, and language preferences.

(f) Payment Data

Payment processing is handled by our third-party payment processor, Razorpay. We store only your subscription tier, credit balance, transaction history (amounts and dates), and payment order status. We never store your credit card number, CVV, or full payment credentials.

(g) Device and Technical Data

We collect your IP address, browser type and version, operating system, device identifiers, referring URLs, and pages visited. Our audit logging system records IP addresses and user agents for security and compliance purposes.

(h) Communications Data

When you contact us via email or support channels, we retain the content of your communications, your email address, and any attachments you provide.

(i) Early Access and Prebooking Data

If you sign up for early access, we collect your email address, full name, company or role (optional), intended use case, and consent status.

3. Legal Basis for Processing

If you are in the European Economic Area (“EEA”), United Kingdom (“UK”), or another jurisdiction that requires a legal basis for processing, we rely on the following grounds under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process payments, deliver generated content, and fulfill our obligations under the Terms of Service.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for voice cloning, marketing communications, and the processing of biometric data.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests that are not overridden by your rights, including fraud prevention, service security, analytics, product improvement, and enforcing our terms.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

Special category data (Art. 9): Voice recordings and derived voiceprints constitute biometric data—a special category under GDPR. We process biometric data only on the basis of your explicit consent (Art. 9(2)(a)), which you provide through our voice cloning consent mechanism before any voice data is processed.

4. How We Use Your Data

We use your information for the following purposes:

  • Service delivery: To operate Vephon Studio, generate AI content, process voice cloning requests, and deliver generated outputs.
  • Account management: To create and maintain your account, authenticate sessions, and manage your subscription and credits.
  • Payment processing: To process subscriptions, credit top-ups, and manage billing through our payment processor.
  • Service improvement: To analyze aggregate usage patterns, improve AI model routing, optimize performance, and develop new features.
  • Security and fraud prevention: To detect, prevent, and investigate security incidents, unauthorized access, fraud, and abuse of the Service.
  • Communications: To send transactional emails (account verification, payment receipts, job completions), service announcements, and, with your consent, marketing communications.
  • Legal compliance: To comply with applicable laws, respond to legal processes, and enforce our terms and policies.
  • Content moderation: To detect and prevent prohibited content as described in our Acceptable Use Policy.
  • Audit and accountability: To maintain audit logs of significant actions for security, compliance, and dispute resolution.

We do not use your generated content or voice data to train our AI models without your explicit, separate consent.

5. Voice and Biometric Data

Given the sensitive nature of voice and biometric data, we provide this dedicated disclosure:

What constitutes biometric data: Under applicable law (including BIPA, GDPR, and the EU AI Act), voice recordings, voiceprints, and voice embeddings derived from audio may be classified as biometric identifiers or biometric information.

Consent mechanism: Before any voice data is processed, you must provide explicit consent through our voice cloning consent checkbox. This consent is recorded, timestamped, and stored. You may withdraw consent at any time by deleting the associated voice from your account or contacting us.

Purpose limitation: We process voice data solely to provide voice cloning and voice design features within the Service. Voice data is not used for identification, surveillance, or any purpose other than generating synthetic speech at your direction.

Storage and security: Voice reference audio is stored in encrypted object storage. Voice embeddings (clone prompts) are stored separately from raw audio. Access is restricted to the organization that created the voice.

Retention: Reference audio and voice embeddings are retained for as long as the associated voice exists in your account. When you delete a voice, we delete all associated audio, transcripts, and embeddings within 30 days. Generated audio is retained per your organization’s configured retention period (default: 7 days for generated audio files).

Your responsibility: If you clone a voice other than your own, you represent and warrant that you have obtained the voice owner’s explicit, informed, written consent. You are solely liable for any claims arising from unauthorized voice cloning. See our Acceptable Use Policy and Terms of Service for detailed requirements.

BIPA compliance: For users in Illinois, we provide this notice: Vephon collects voiceprints solely for the purpose of providing voice cloning features within the Service. We obtain your informed written consent before collection. We do not sell, lease, trade, or otherwise profit from your biometric data. We store biometric data using reasonable security measures and destroy it when the purpose for collection has been satisfied or within three years of your last interaction with the Service, whichever comes first, unless you request earlier deletion.

EU AI Act compliance: Consistent with Article 50 of the EU AI Act, AI-generated voices produced by the Service are labeled as synthetically generated in their metadata. Users must disclose that voice content is AI-generated when required by applicable law.

6. AI-Generated Content

Ownership: Subject to our Terms of Service, you retain ownership of content you generate using Vephon Studio on paid plans (Creator and above). Content generated on the Free plan is licensed for personal, non-commercial use only.

No model training: We do not use your inputs, prompts, generated content, or voice data to train or fine-tune AI models without your explicit, separate consent. Your creative data remains yours.

SynthID watermarks: All AI-generated images produced by the Service contain an invisible SynthID watermark identifying them as AI-generated content. You may not remove, obscure, alter, or attempt to circumvent this watermark.

AI output disclaimer: AI-generated content may contain inaccuracies, artifacts, or unintended similarities to real persons or copyrighted works. We do not guarantee the accuracy, originality, or fitness of AI-generated outputs for any particular purpose. You are responsible for reviewing all generated content before use or publication.

Disclosure obligations: Many jurisdictions, including the EU under the AI Act, require disclosure that content is AI-generated. You are solely responsible for complying with applicable AI content disclosure laws in your jurisdiction.

7. Data Sharing and Third-Party Services

We share your data with the following categories of third parties, solely as necessary to operate and improve the Service:

Authentication provider:

  • Google Firebase (Google LLC): Receives your email, name, and profile picture for authentication. See the Firebase Privacy Policy.

Payment processor:

  • Razorpay Software Private Ltd: Receives payment details necessary to process transactions. We do not have access to your full card information. See the Razorpay Privacy Policy.

AI service providers (for content generation):

  • Google Gemini API (Google LLC): Receives text prompts and parameters for image generation and AI orchestration.
  • Anthropic (Anthropic PBC): Receives text prompts for content planning and AI orchestration.
  • ElevenLabs (ElevenLabs Inc.): Receives voice data and text for voice synthesis on applicable plans.
  • xAI (xAI Corp.): May receive text and image prompts for supplementary AI generation.
  • Google Veo (Google LLC): May receive prompts for video generation features.

Each AI provider processes data according to their respective privacy policies and data processing agreements. We select providers that offer appropriate data protection commitments and do not use customer data for model training without consent.

Analytics:

  • Vercel Analytics (Vercel Inc.): Privacy-friendly, cookie-free web analytics. Collects aggregate, non-personally-identifiable usage patterns. See the Vercel Analytics privacy documentation.

Infrastructure:

  • Amazon Web Services (AWS): Cloud hosting, database, storage, and content delivery. Data is processed within AWS infrastructure subject to our configuration and AWS’s data processing addendum.

We also share data when:

  • Required by law, regulation, legal process, or governmental request;
  • Necessary to protect the rights, safety, or property of Vephon, our users, or the public;
  • In connection with a merger, acquisition, or sale of assets (with prior notice to you); or
  • With your explicit consent.

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States and India, where our team members, infrastructure providers, and AI service providers are located.

For transfers from the EEA or UK, we rely on:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with our service providers that process personal data outside the EEA.
  • Adequacy decisions: Where applicable, we transfer data to countries recognized by the European Commission as providing adequate data protection.
  • Supplementary safeguards: We implement additional technical and organizational measures, including encryption in transit and at rest, access controls, and contractual obligations on sub-processors.

You may request a copy of the safeguards we use for international transfers by contacting us at connect@vephon.com.

9. Data Retention

We retain your data for the following periods:

  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is purged within 30 days, except as required for legal compliance.
  • Generated content (images, posts): Stored for 90 days by default. You may delete content at any time from your account.
  • Generated audio: Retained per your organization’s configured retention period (default: 7 days). Expired audio is purged by automated nightly cleanup.
  • Voice reference audio and embeddings: Retained for as long as the associated voice exists. Deleted within 30 days of voice deletion.
  • Payment records: Transaction history is retained for 7 years to comply with tax and financial reporting obligations.
  • Audit logs: Retained for 2 years for security and compliance purposes.
  • System logs: Retained for 30 days for debugging and operational purposes.
  • Prebooking/early access data: Retained until the Service launches publicly, or until you request deletion, whichever comes first.
  • Communications: Retained for as long as necessary to resolve your inquiry, plus 2 years for reference.

When retention periods expire, data is securely deleted or anonymized. You may request deletion of your data at any time (see the "Your Rights" sections below).

10. Data Security

We implement technical and organizational measures designed to protect your personal data, including:

  • Encryption: Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption for stored data and database volumes.
  • Access controls: Role-based access controls restrict data access to authorized personnel. Administrative access requires separate authentication with bcrypt-hashed passwords and JWT tokens.
  • Infrastructure security: SSH hardening (no password authentication, no root login), firewall rules limiting ingress to HTTP/HTTPS/SSH, automatic security updates, and systemd service hardening (NoNewPrivileges, ProtectSystem, ProtectHome, PrivateTmp).
  • API security: API keys are stored as SHA-256 hashes. Rate limiting is enforced per user and per tier. Webhook payloads are verified using HMAC-SHA256 signatures.
  • Audit logging: Significant actions (credit adjustments, voice creation, API key operations, administrative actions) are logged with timestamps, actor identifiers, and IP addresses.
  • Database security: Database connections require SSL (sslmode=require). Redis is bound to localhost. Automated backups are retained for 7 days.

While we implement commercially reasonable security measures, no system is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach affecting your personal data, we will notify you and applicable supervisory authorities as required by law.

11. Your Rights Under GDPR

If you are in the EEA or UK, you have the following rights under the GDPR:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction (Art. 18): You may request that we restrict processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 14.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at connect@vephon.com. We will respond within 30 days. We may request verification of your identity before processing your request. If requests are complex or numerous, we may extend the response period by an additional 60 days with notice.

12. Your Rights Under CCPA/CPRA

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with the following rights:

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes for collection, and the categories of third parties with whom we share it. You may request information dating back to January 1, 2022.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing transactions).
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt-out of sale/sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but you may still submit a request and we will confirm this.
  • Right to limit use of sensitive personal information: You may direct us to limit our use of sensitive personal information (including biometric data) to purposes necessary to provide the Service.
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights.

Categories of personal information collected:

  • Identifiers (name, email, IP address, account ID)
  • Commercial information (subscription tier, transaction history, credit balance)
  • Internet/electronic activity (usage data, pages visited, features accessed)
  • Biometric information (voice recordings, voiceprints—only if you use voice cloning)
  • Audio/visual information (reference images, generated content, reference audio)
  • Professional information (company/role, if provided)
  • Inferences (usage patterns, content preferences)

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require verification that the agent is authorized to act on your behalf.

Global Privacy Control: We honor Global Privacy Control (GPC) signals as a valid opt-out request.

To exercise your CCPA/CPRA rights, contact us at connect@vephon.com. We will verify your identity and respond within 45 days.

13. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, you may not create an account or use the Service.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that a child under 18 has provided us with personal information, please contact us immediately at connect@vephon.com.

For users in the EEA, we do not knowingly process data of individuals under 16 without verifiable parental consent, in accordance with GDPR Article 8.

14. Automated Decision-Making

We use automated systems in the following ways:

  • Content moderation: We may use automated tools to detect prohibited content (as defined in our Acceptable Use Policy), including nudity, violence, or other policy violations in generated images. Flagged content may be automatically blocked or queued for human review.
  • Rate limiting and abuse prevention: Automated systems enforce rate limits and detect patterns indicative of abuse, such as excessive API calls or credential-stuffing attempts.
  • AI model routing: Our orchestration layer automatically selects AI models based on your request parameters, quality requirements, and system load. This is a technical optimization that does not produce legal or similarly significant effects on you.

None of these automated processes produce decisions with legal or similarly significant effects on you solely through automated means. Account suspensions or terminations involve human review. If you believe an automated decision has adversely affected you, you may contact us to request human review.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the “Last updated” date at the top of this page.
  • For material changes that affect how we process your personal data, we will provide notice via email (to the address associated with your account) or through a prominent notice within the Service at least 30 days before the changes take effect.
  • Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

We encourage you to review this policy periodically.

16. Contact and Data Controller

Data controller: Vephon AI is the data controller responsible for the processing of your personal data under this Privacy Policy.

Contact information:

Privacy inquiries: For any questions about this Privacy Policy, to exercise your data protection rights, or to file a complaint about our data practices, please contact us at the email above. We aim to respond to all legitimate requests within 30 days.

This Privacy Policy should be read in conjunction with our Terms of Service, Cookie Policy, and Acceptable Use Policy.

Questions about this policy? Contact us at connect@vephon.com