1. Categories of Personal Data We Collect
1(a) Personal Data you provide to us
| Category | Typical examples |
|---|---|
| Account & Contact Data | Name, business e-mail, phone, job title, company name, address, preferred language |
| Authentication Data | Hashed passwords, SSO tokens, MFA seeds |
| Payment & Billing Data | Cardholder name, card last-4, VAT/tax ID (processed by Stripe and local providers) |
| Voice Data | Raw audio uploads, voice recordings, derived voice models, transcripts |
| Support & Communications | Help-desk tickets, survey responses, event registrations, newsletter sign-ups |
| Marketing Preferences | Opt-in status, campaign interaction history |
| Verification / KYC Data | Government ID, selfie, proof-of-address (only for identity verification features) |
1(b) Personal Data we collect automatically
- Usage & Device Data – IP address, browser type, OS version, device identifiers, click-stream events, interaction timestamps.
- Cookie & Similar Technologies Data – see Section 9 (Cookies).
1(c) Personal Data we receive from third parties
- OAuth / SSO providers – e.g., name, e-mail, profile picture.
- Payment processors – confirmation of completed transactions.
- Analytics & advertising partners – aggregated usage metrics, campaign performance.
- Public sources & partners – voice or language datasets licensed for AI research and model training.
2. Purposes of Processing and Legal Bases
| Purpose | Description | Legal Basis |
|---|---|---|
| Provide & secure the Services | Set up accounts, authenticate users, deliver features, provide support, maintain uptime, detect abuse | Contract; Legitimate Interest (security) |
| Process payments | Handle subscriptions, invoices, refunds, tax compliance | Contract; Legal Obligation |
| Personalise user experience | Remember settings, recommend features, suggest content | Legitimate Interest (opt-out available) |
| Train & improve AI models | Refine ASR, TTS, LLM performance | Consent for identifiable data; Legitimate Interest for de-identified data |
| Marketing communications | Product updates, event invites, surveys | Consent (EEA/UK); Legitimate Interest elsewhere |
| Fraud prevention & KYC | Verify identity, screen against sanctions lists, investigate misuse | Legitimate Interest; Legal Obligation |
| Comply with legal requests | Respond to subpoenas, court orders, regulatory enquiries | Legal Obligation |
3. Personal Data and Voice Services
When you upload voice recordings, our proprietary AI analyses acoustic patterns to build a voice model. Depending on your jurisdiction, Voice Data may be considered biometric data; we obtain explicit checkbox consent before processing. We do not use Voice Data to infer sensitive traits (e.g., gender identity, health status) and we delete or de-identify Voice Data per Section 6.
4. Sharing and Disclosure
We may disclose Personal Data to:
- Affiliates under common ownership, subject to this Policy.
- Service providers / processors who support the Services (hosting, payments, analytics, email delivery, support tooling, error monitoring).
- Other users if you deliberately publish or share content.
- Third-party partners for jointly developed features or co-branded events (disclosed at point of collection).
- Law-enforcement, regulators, courts, or auditors where legally required.
- Successors in the event of a merger, acquisition, or reorganisation.
- With your consent for any additional purpose you authorise.
Key Vendors
| Vendor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting, databases, storage | Ireland / Germany / UAE |
| Google Cloud Platform | Hosting, databases, storage | Saudi Arabia |
| Groq | AI inference / accelerator nodes | Saudi Arabia |
| Rime Labs | LLM / voice APIs | USA |
| Stripe | Payments & billing | USA / Ireland |
| Google Analytics 4 | Usage analytics | USA |
| Sentry | Error tracking | USA / EU |
| Postmark | Transactional e-mail | USA |
| Livekit | WebRTC | USA |
| Anthropic Claude | LLM inference | USA |
We do not sell Personal Data or share it for cross-context behavioural advertising.
5. International Transfers
Primary production workloads run on AWS eu-west-1 (Ireland) with disaster-recovery in eu-central-1 (Frankfurt). Enterprise customers may contract for data-residency in AWS me-central-1 (UAE). For transfers outside the EEA/UK, we rely on 2021 EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and/or the EU-US Data Privacy Framework.
6. Retention of Personal Data
| Category | Retention period |
|---|---|
| Chat logs & text prompts | Until user deletes or 90 days after account closure |
| Raw voice recordings | Until user deletes or 90 days after account closure |
| Derived voice models | Until user deletes or 90 days after account closure |
| Billing & tax records | 7 years (statutory) |
| Inactive accounts | Anonymised or deleted after 24 months of no login |
User-initiated deletions trigger immediate logical deletion; physical purge from active systems occurs within 30 days and backups within 60 days.
7. Security Measures
- End-to-end encryption: TLS 1.3 in transit, AES-256 at rest.
- Role-based access control and mandatory MFA for all employees.
- Network segmentation, least-privilege IAM, secret-management vault.
- 24 × 7 intrusion-detection and anomaly monitoring.
- Annual external penetration testing and vulnerability scanning.
- ISO 27001 certification and SOC 2 Type I attestation in progress.
- Voice-model watermarking and abuse-detection heuristics.
8. Your Privacy Rights
Depending on your location, you may have rights to:
- Access a copy of Personal Data we hold about you
- Correct inaccurate or incomplete data
- Delete Personal Data (subject to legal exceptions)
- Restrict or object to certain processing
- Data portability
- Withdraw consent (including model-training or marketing)
- Opt out of targeted advertising or certain analytics
- Lodge a complaint with a supervisory authority
Exercise most rights through in-app controls or by e-mailing [email protected].
9. Cookies and Similar Technologies
We use cookies, SDKs, pixels, and local-storage to:
- Ensure site functionality ("strictly necessary" cookies)
- Measure traffic and diagnose performance (Google Analytics 4, Sentry, Mixpanel)
- Provide live chat and account-based messaging
- Run limited remarketing campaigns
Visitors from the EEA/UK receive a granular consent banner. You can also manage cookies via browser settings.
10. Third-Party Links
Our Services may link to or interoperate with third-party sites, plugins, or APIs we do not control. Their privacy practices are governed by their own policies; we encourage you to review those policies before providing information.
11. Children’s Privacy
The Services are not directed to children under 18. Uploading voice recordings of minors or otherwise providing their Personal Data is strictly prohibited. If you believe we have inadvertently processed such data, contact [email protected] and we will delete it.
12. Biometric Information (Voice Data)
Where Voice Data constitutes biometric identifiers under applicable law:
- We obtain explicit written consent before collection.
- We use Voice Data solely to provide, secure, and improve voice-based features.
- We do not disclose Voice Data to third parties other than contracted processors.
- We store Voice Data for no longer than the period specified in Section 6.
- We implement reasonable measures to protect Voice Data from unauthorised access.
13. Automated Decision-Making
Wittify.ai does not engage in fully automated decision-making that produces legal or similarly significant effects about individuals.
14. Updates to This Policy
We may revise this Policy from time to time. If we make material changes, we will provide notice (e.g., via e-mail or in-product banner) and update the "Updated" date above. Continued use of the Services after the effective date constitutes acceptance.
15. Contact Us
If we are unable to resolve your concerns, you have the right to lodge a complaint with your local data-protection authority.
Thank you for reading our Privacy Policy.