🇮🇳 India First · Legal

Privacy Policy

ClonevoxApp · clonevox.app · Effective: April 2026

सरल भाषा में (In Simple Words): We collect your account info, voice samples, and usage data to run our voice cloning service. Your voice is biometric data — we treat it with the highest protection under Indian law. You own your voice clones. We never sell your data. You can request deletion anytime. We are an Indian company, governed primarily by Indian law, launching first for Indian creators.

1. Who We Are

Techity Solutions Private Limited ("ClonevoxApp", "we", "us", "our") is an Indian technology company operating an AI-powered voice cloning platform at clonevox.app. We are incorporated under the Companies Act, 2013 with our registered office in India.

Data Fiduciary (under DPDP Act 2023): Techity Solutions Private Limited
Grievance Officer: [email protected]
Registered in: India

We are launching first in India, built for Indian creators, podcasters, educators, and voiceover artists. Our platform, policies, and data handling are designed with Indian users and Indian law as the primary focus.

2. Scope

This policy applies to:

All visitors to clonevox.app and our mobile apps
Registered users (Free, Pro, Enterprise tiers)
Developers using our REST API
Third parties whose voice samples are processed through our platform

3. Information We Collect

3.1 What You Give Us

Account Details: Name, email, password (stored as bcrypt hash — never plaintext), phone number (optional), country
Voice Samples (Biometric Data): Audio recordings you upload for cloning. This is sensitive personal data under Indian law.
Text Input: Text you enter for speech generation
Payment Info: Processed by Razorpay (UPI, cards, net banking, wallets). We store only last 4 digits, billing address, and transaction IDs. Full card/UPI details are never on our servers.
KYC Documents (Commercial Plans): Aadhaar, PAN, or other government ID may be required for enterprise plan activation
Support Communications: Emails, tickets, feedback

3.2 What We Collect Automatically

IP address, browser type, OS, pages visited, timestamps
Device type, screen resolution
Features used, API calls, characters processed, clones created
Performance data: load times, error logs

3.3 From Third Parties

Google Sign-In: Name, email, profile photo (as authorised by you)
Razorpay: Transaction status, fraud signals

3.4 Biometric Data — Special Category

⚠ Important: Voice samples are biometric data under the Digital Personal Data Protection Act, 2023 and the Information Technology (Reasonable Security Practices) Rules, 2011. We process this data only with your explicit, separate, informed consent. You can withdraw consent and delete your voice data at any time.

4. Legal Basis — Indian Law (Primary)

As an Indian company serving Indian users first, our data processing is governed primarily by:

4.1 Digital Personal Data Protection Act, 2023 (DPDP Act)

Consent (Section 6): We obtain your free, specific, informed, and unambiguous consent in clear language (English and Hindi, with more Indian languages planned) before processing voice samples, marketing communications, and analytics
Consent is separate from other terms — not bundled or pre-ticked
Withdrawal of consent is available at any time with a single click, and is as easy as giving consent
Legitimate Uses (Section 7): Processing necessary to fulfil our contract with you — account management, billing, service delivery, customer support
Legal Obligation: Compliance with IT Act, GST, FEMA, Companies Act, and court orders

4.2 Information Technology Act, 2000 & Rules

Section 43A: We maintain reasonable security practices aligned with IS/ISO 27001 for sensitive personal data (including voice biometrics)
IT (Reasonable Security Practices) Rules, 2011: Voice data is classified as sensitive personal data. We implement a documented information security programme
Section 72A: Any employee who discloses personal information in breach of contract faces criminal liability — our staff are bound by strict NDAs
Section 69: We comply with lawful government interception and data decryption orders
Section 66C & 66D: Identity theft and impersonation using our platform are criminal offences — we cooperate fully with law enforcement

4.3 CERT-In Directions, 2022

Security incidents reported to CERT-In within 6 hours of discovery
All system logs retained for 180 days within Indian jurisdiction
Accurate registration data maintained for all users
KYC records maintained for a period of 5 years after cancellation or withdrawal

4.4 Indian Payment & Tax Compliance

RBI Guidelines: Payment data processed through RBI-compliant payment aggregators (Razorpay)
GST Compliance: Invoices generated with GSTIN; input tax credit documentation maintained
Companies Act, 2013: Financial records retained as per statutory requirements
FEMA: Cross-border payment flows comply with Foreign Exchange Management Act regulations

5. How We Use Your Information

5.1 Running the Service

Creating and managing your account
Training AI voice models from your uploaded samples
Generating speech from text using your clones
Processing payments via Razorpay (UPI, cards, wallets, net banking)
Delivering generated audio files
Customer support

5.2 Security & Fraud Prevention

Detecting deepfake misuse, impersonation, and platform abuse
Verifying identity for commercial accounts
Maintaining audit logs for investigation
Monitoring for violations of our Acceptable Use Policy

5.3 Legal Compliance

Responding to court orders, government data requests, and regulatory inquiries
Maintaining records under Indian tax law (GST, Income Tax Act)
CERT-In incident reporting
Enforcing our Terms of Service

5.4 Improvement (Only With Your Consent)

Improving AI models — only with explicit opt-in, never by default
Analysing aggregate, anonymised usage patterns

5.5 Communications

Transactional: Account confirmations, billing receipts, security alerts (mandatory — cannot opt out)
Product updates: Feature announcements (opt-out available)
Marketing: Only with explicit opt-in; one-click unsubscribe

6. Voice Data — Special Provisions

Your voice is your identity. We treat it accordingly:

You retain full ownership of your voice samples and trained models
We will never use your voice to train general-purpose models without separate opt-in consent
Your clones are private — no other user can access them unless you explicitly share
We cannot generate audio from your voice without your authenticated session or API key
All generated audio is watermarked with an imperceptible identifier (account ID + timestamp) for accountability
On account deletion: voice samples deleted within 30 days, trained models within 90 days, consent audit logs retained for 7 years (legal requirement)

7. Data Sharing

7.1 We Share With:

Razorpay Software Pvt Ltd (India): Payment processing — under data processing agreement
Cloud Infrastructure: AWS India (Mumbai region preferred), CloudFront CDN — under data processing agreements
Google LLC: Only if you use Google Sign-In
Email Providers: Transactional emails — under data processing agreements
Legal Advisors & Auditors: Under confidentiality agreements, only as required

7.2 We Never:

Sell your personal data or voice data to anyone
Share your voice samples with other users or companies
Use your data for advertising
Share data with data brokers

7.3 Government & Law Enforcement

We disclose data only when legally required — valid court orders, requests under IT Act 2000, DPDP Act 2023, or national security situations. We will notify you unless prohibited by law, challenge overly broad requests, and disclose only the minimum required.

8. Cross-Border Data Transfers

We primarily store and process data in India. Where data needs to be transferred outside India:

DPDP Act Section 16: Transfers only to countries/regions permitted by the Central Government
Contractual safeguards: Data processing agreements with all international vendors
Preference for Indian infrastructure: AWS Mumbai region is our primary data centre

9. Data Retention

Data Type	Retention	Reason
Account Info	Account duration + 3 years	Legal claims, tax compliance
Voice Samples	Until deleted + 30 days	Biometric data minimisation
Trained Models	Until deleted + 90 days	Model cleanup
Generated Audio	90 days (Free) / 1 year (Pro)	Download window
Payment Records	7 years	GST, Income Tax Act
Consent Records	7 years	DPDP Act evidence
API Logs	90 days	Debugging, fraud detection
Security Logs	180 days (CERT-In) / 2 years	CERT-In Directions 2022
KYC Documents	5 years after account closure	CERT-In Directions 2022
Support Tickets	3 years	Quality assurance

10. Your Rights Under Indian Law

As an Indian user, you have the following rights under the DPDP Act 2023:

Right to Information (Section 11): Know what data we process and why
Right to Correction & Erasure (Section 12): Correct inaccurate data or request complete deletion
Right to Grievance Redressal (Section 13): File a complaint with our Grievance Officer — we respond within 30 days
Right to Nominate (Section 14): Nominate someone to exercise your rights in case of death or incapacity
Right to Withdraw Consent: One-click withdrawal, as easy as giving consent
Right to Data Portability: Export your data in standard formats
Right to Compensation: Seek compensation through the Data Protection Board of India for harm caused by our negligence

How to Exercise Your Rights

Email: [email protected]

Response: Acknowledgment within 48 hours, full response within 30 days.

Escalation: Data Protection Board of India (once operational under DPDP Act 2023)

11. Data Security

We implement security measures aligned with IS/ISO 27001 as required under Section 43A of the IT Act:

Encryption: AES-256 at rest, TLS 1.3 in transit
Voice Model Security: Encrypted S3 buckets with access controls
Authentication: JWT + refresh token rotation, MFA available
Access Controls: Role-based (RBAC), least privilege for all staff
Infrastructure: VPC isolation, private subnets, no public access to data stores
Monitoring: 24/7 automated security monitoring with incident response plan
Audits: Annual penetration testing, quarterly internal reviews
Staff Training: Mandatory data protection training before handling customer data

In case of a data breach:

CERT-In: Reported within 6 hours (mandatory)
Data Protection Board: As per DPDP Act timelines
Affected users: Notified within 72 hours

12. Cookies

Essential: Auth tokens, CSRF protection, session management (cannot be disabled)
Functional: Language preferences, theme, recent clones
Analytics: Usage patterns (require consent, can be disabled)
No advertising or tracking cookies — we don't do ads

13. Children's Privacy

⚠ Age Restriction: ClonevoxApp is NOT for users under 18. Voice cloning of minors is prohibited. We do not knowingly collect data from anyone under 18. If discovered, we delete immediately. Report concerns to [email protected].

14. International Users

While we are an India-first platform, we acknowledge the rights of international users:

EU/UK Users (GDPR)

If you access our service from the EU/UK, we process your data under GDPR lawful bases (consent, contract performance, legal obligation, legitimate interests). Cross-border transfers are protected by Standard Contractual Clauses. You have rights to access, rectification, erasure, restriction, portability, and objection. Contact [email protected] to exercise these rights.

US Users (CCPA/CPRA)

California residents have rights under CCPA/CPRA including the right to know, delete, and opt-out. We do not sell personal information. Voice prints are treated as sensitive personal information with explicit consent required. Contact [email protected] to exercise these rights.

15. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect, display a banner on the platform, and require re-consent where legally required.

16. Contact & Grievance Redressal

Grievance Officer: [email protected]
Response: Acknowledgment within 48 hours, resolution within 30 days
Escalation: Data Protection Board of India (once established under DPDP Act 2023)

Last updated: April 2026 · Governed by the laws of India