WollowVoice Privacy Policy

Data controller:Wollow Inc., a Delaware corporation (“Wollow”). Service: WollowVoice generative voice platform at voice.wollow.ai and related APIs.

1. Introduction

Wollow Inc. operates WollowVoice, a software-as-a-service platform that lets customers generate, clone, and design synthetic voices on managed GPU infrastructure. This policy explains how we collect, use, retain, and protect personal data in compliance with the EU and UK GDPR, the Brazilian LGPD, the California CCPA/CPRA, the Google API Services User Data Policy, and other applicable data protection laws.

By accessing the Service you acknowledge that you have read and understood this Privacy Policy.

2. Definitions

• Personal Data: information relating to an identified or identifiable natural person.
• Processing: any operation performed on Personal Data (collection, storage, use, disclosure, erasure).
• Controller: the entity that determines the purposes and means of Processing.
• Processor: the entity that processes Personal Data on behalf of the Controller.
• Service: the WollowVoice platform, including voice.wollow.ai, its dashboard, and its public REST API.
• Customer: the individual or organization with a registered WollowVoice account.
• End Listener: the individual who hears audio generated by a Customer.
• Voice Sample: reference audio uploaded by a Customer to clone, design, or evaluate a voice.
• Generated Audio: output produced by the WollowVoice neural model.

3. Scope

This policy applies to Personal Data we collect from Customers in the course of providing the Service. It does not apply to:

• Audio Customers post to third-party platforms after downloading it
• Personal data End Listeners share with Customers outside of WollowVoice
• Websites or services not operated by Wollow

Where a Data Processing Addendum exists between Wollow and the Customer, its terms take precedence over conflicting terms in this Policy.

4. Information We Collect

4.1 Information You Provide Directly

• Identification data: full name, email address, organization name, locale, time zone.
• Authentication credentials: passwords stored only as a salted bcrypt hash; OAuth tokens issued by Google when you sign in with Google.
• Billing data: billing address and tax identifiers; payment cards are processed exclusively by PCI-DSS-compliant processors.
• Voice Samples: reference audio you upload to clone or design a voice, plus the optional transcript you provide.
• Generated Audio: synthetic audio you generate, with the input text and voice configuration that produced it.
• Customer support content: messages, attachments, and metadata you send to support.
• Configuration data: non-sensitive dashboard settings (plan, voice library, project layout).

4.2 Information Collected Automatically

• Device and connection data: IP address, browser type, operating system, language preference, device identifiers.
• Usage data: request timestamps, endpoints accessed, request and response sizes, billable characters and seconds, error codes.
• Infrastructure metadata: GPU node region, queue position, model version.
• Security telemetry: authentication attempts, suspicious access patterns, rate-limit signals, fraud detection signals.

4.3 Information from Connected Accounts

When you sign in with Google we receive only the minimum data required: name, email address, profile picture, and an OAuth access token scoped to identity. We do not request access to Gmail, Drive, Calendar, or other Google services.

5. Information We Do Not Collect

WollowVoice follows strict data minimization. We do not collect:

• The content of conversations between Customers and their End Listeners
• Audio recorded by End Listeners on Customer devices
• Biometric voiceprints used for identification (Voice Samples are stored solely to enable voice generation, not to identify the speaker)
• API keys for third-party services other than your OAuth provider tokens
• Marketing tracking data; we use no cross-site behavioral trackers

6. Purposes of Processing and Legal Bases

Wollow does not sell Personal Data, use it for behavioral advertising, or train resellable machine-learning models with it. Voice Samples are used only to generate the audio you request and are not added to any general training set.

7. Disclosure of Personal Data

Personal Data is disclosed only to recipients with written data protection agreements.

7.1 Service Providers and Sub-Processors

• Cloud infrastructure and GPU compute providers (for inference)
• Database, storage, and backup providers (for accounts, voices, audio)
• Authentication providers (Supabase Auth)
• Payment processors
• Transactional email providers
• Logging, observability, and incident-response providers
• Customer-support tooling providers

The current Sub-Processor list, with identity, region, and function, is available upon request to privacy@wollow.ai. Material changes are announced at least fourteen days in advance.

7.2 Connected Third-Party Platforms

Google Sign-In: we receive only the OpenID Connect identity scopes (name, email, profile picture). Access can be revoked at any time at myaccount.google.com/permissions.

7.3 Legal Disclosures

We disclose Personal Data when necessary to comply with law, respond to lawful requests by public authorities, protect the safety, rights, or property of any person, or address fraud, security, or technical issues. Affected Customers receive notification where legally permissible.

7.4 Business Transfers

If Wollow is involved in a merger, acquisition, financing, reorganization, asset sale, or bankruptcy, Personal Data may transfer. Successors must honor the commitments in this Policy. Customers receive advance notice where feasible.

8. International Data Transfers

Wollow processes data in the United States and other jurisdictions where the company or its Sub-Processors operate. For transfers from the European Economic Area, United Kingdom, or Switzerland to non-adequate jurisdictions, we rely on the European Commission Standard Contractual Clauses and supplementary measures. Safeguards documentation is available upon request to privacy@wollow.ai.

9. Data Retention

Upon expiration, data is irreversibly deleted or anonymized. Backup copies are purged on the next rotation.

10. Information Security

• TLS 1.2+ encryption for all data in transit
• Authenticated encryption at rest for sensitive credentials and OAuth tokens
• Per-account row-level security on the underlying Postgres database
• Role-based access controls and least-privilege principles for production personnel
• Mandatory multi-factor authentication for engineers with production access
• Comprehensive audit logging of administrative actions
• Regular security reviews, dependency scanning, and vulnerability remediation
• Incident response plan with customer and regulator notification per legal timeframes

No transmission or storage method is one hundred percent secure; you are responsible for safeguarding your account credentials.

11. Your Rights

Subject to applicable law and identity verification, you may exercise:

• Right of access: request confirmation of Processing and obtain copies of your Personal Data.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion (subject to lawful exceptions).
• Right to restriction of Processing: request limited use in defined circumstances.
• Right to data portability: receive data in a structured, commonly used, machine-readable format.
• Right to object: object to legitimate-interest-based Processing, including profiling.
• Right to withdraw consent: at any time, without affecting the lawfulness of prior Processing.
• Right to lodge a complaint: with your local data-protection authority.

Email privacy@wollow.ai to exercise your rights. We respond within legally required timeframes (typically thirty days) and may request identity verification.

12. Revoking Third-Party Access

Revoking your Google Sign-In permission does not delete your WollowVoice account or its associated data. For full deletion instructions see the Data Deletion page, use the “Delete account” option in Settings → Account, or email privacy@wollow.ai.

• From within WollowVoice: open Settings → Account → Connected accounts and select “Disconnect.” Tokens are revoked within 24 hours.
• Google: visit myaccount.google.com/permissions, find WollowVoice, and select “Remove access.”

13. Cookies and Similar Technologies

We use only strictly necessary cookies (exempt from prior consent under most data protection laws):

• Authentication and session management cookies
• Cross-site request forgery protection tokens
• Load balancer affinity cookies

We do not use advertising cookies, tracking pixels, third-party visitor-profiling analytics, or cross-site behavioral profiling.

14. Region-Specific Disclosures

14.1 European Economic Area, United Kingdom, and Switzerland

Wollow Inc. is the Personal Data Controller. Legal bases are described in Section 6. You hold the rights described in Section 11 and may file complaints with your country’s supervisory authority. For data protection inquiries contact privacy@wollow.ai.

14.2 Brazil (LGPD)

Individuals located in Brazil hold rights under the Lei Geral de Proteção de Dados: access, correction, anonymization, blocking or deletion, portability, sharing information, and consent revocation. Contact privacy@wollow.ai or file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

14.3 California (CCPA / CPRA)

California residents hold the following rights under the CCPA/CPRA:

• Right to know: categories of Personal Information collected, sources, purposes, third-party sharing categories.
• Right to delete: request deletion (subject to statutory exceptions).
• Right to correct: request inaccuracy correction.
• Right to opt out: decline Personal Information sale or sharing for cross-context behavioral advertising.
• Right to limit: restrict use and disclosure of Sensitive Personal Information.
• Right to non-discrimination: no discrimination for exercising privacy rights.

Wollow does not sell Personal Information, share it for cross-context behavioral advertising, or use Sensitive Personal Information beyond purposes described in California Civil Code section 1798.121(a). Contact privacy@wollow.ai to exercise rights.

15. Children’s Privacy

The Service is not directed to children under sixteen and we do not knowingly collect their Personal Data. If we discover that a child has provided data without verified parental consent, it is promptly deleted. Contact privacy@wollow.ai if you believe a child has provided data.

16. Automated Decision-Making

Wollow does not make legally effective or similarly significantly affecting decisions based solely on automated Processing within the meaning of Article 22 GDPR. Account-level decisions that materially affect Customers are reviewed by qualified personnel before they take effect.

17. Third-Party Links

The Service may contain links to non-Wollow operated sites. We are not responsible for their privacy practices. Review their privacy policies before providing data.

18. Changes to this Privacy Policy

Updates occur periodically; material changes are notified by email or prominent in-Service notice at least fourteen days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy. The “Last updated” date reflects the most recent revision. Prior versions are available upon request.

19. How to Contact Us

Email: privacy@wollow.ai
Postal address: Wollow Inc., a Delaware corporation. Registered office address available upon request to privacy@wollow.ai.