Privacy Policy

Voice AI is operated by Stanislav Shupilkin, a Serbian sole proprietor (preduzetnik) based in Belgrade, Serbia. We are the data controller for personal data processed through the Voice AI Telegram bot, the voice.smolevich.com website and any related browser extension or API (together, the “Service”).

For any privacy-related question or request, contact us at [email protected].

We collect only what we need to run the Service:

• Account data: Telegram user ID, username, first name, language code, and (if you link via Telegram Login on the website) an authentication hash.
• Content you submit (“Input”): voice messages, audio or video files, text prompts, voice samples for cloning. Voice samples for cloning are treated as a special category of data and stored separately.
• Content we generate (“Output”): transcripts, synthesized audio and cloned-voice profiles tied to your account.
• Usage and billing data: minutes used, plan, payment status, invoices.
• Technical data: IP address, browser type, device type, language, and pages viewed, collected to operate and secure the Service.
• Analytics data via Google Analytics 4 (cookies, page views, events) collected only after you accept analytics cookies in our consent banner.

We use your data to:

• Provide and maintain the Service — transcribe your audio, generate speech from your text, manage voice cloning profiles, deliver Output to you.
• Enforce usage limits, prevent abuse, detect fraud and protect the integrity of the Service.
• Process payments and manage subscriptions through our Merchant of Record.
• Communicate with you about service changes, security incidents, billing and support requests.
• Improve the Service through aggregated and de-identified analytics. We do not use your Input or Output to train AI models.
• Comply with legal obligations, respond to lawful requests by public authorities and enforce our Terms.

If you are in the European Economic Area, the United Kingdom or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

• Performance of a contract — to deliver the features you request and to manage your account and subscription.
• Legitimate interests — to secure the Service, prevent abuse, perform basic analytics and improve product quality, where these interests are not overridden by your rights.
• Consent — for analytics cookies, voice cloning of third-party voices (where you confirm consent on behalf of the voice owner) and any optional marketing communications. You can withdraw consent at any time.
• Legal obligation — to comply with tax, accounting and law-enforcement requirements.

We use third-party processors to run the Service. Each provider has its own privacy practices and may transfer data internationally under appropriate safeguards (Standard Contractual Clauses or equivalent). These service providers process your data only according to our instructions and are bound by data protection agreements.

Categories of processors we rely on:

• AI inference and content processing providers — when you use the bot, we transfer your content (voice messages, audio files, text input, voice samples) to third-party AI model and processing providers to perform speech-to-text, text-to-speech, voice cloning and related operations.
• Messaging platform providers — delivery of bot messages and user authentication.
• Hosting, CDN and infrastructure providers — application hosting, DNS, content delivery and DDoS protection (EU and global).
• Analytics providers — first-party analytics (cookieless by default) and Google Analytics 4 (loaded only after you accept analytics cookies). Search-indexing verification with major search engines.
• Merchant of Record (payment processing) — payment processing, tax handling, invoicing and refunds. Payment-card details are processed directly by the MoR and never reach our servers.

We will update this list as the Service grows. Material changes — for example, adding a new subprocessor for voice cloning — will be announced in advance.

We keep your data only as long as necessary for the purposes for which it was collected, unless a longer retention is required by law (for example, invoice records).

• Transcription inputs and outputs: retained for up to 30 days from creation to support quick re-downloads and troubleshooting, then deleted from active systems. You can delete them earlier from your account.
• Synthesised audio files generated for you: retained for up to 30 days, then deleted from active storage. Generated samples are not used to train models.
• Voice samples uploaded for cloning and the resulting cloned-voice profile: retained for as long as your account is active and you keep the cloned voice. You can delete a cloned voice at any time, which removes the underlying samples within 30 days.
• Account data: retained while your account is active and for up to 12 months after deletion for fraud-prevention and legal-defence purposes.
• Billing records: retained for the period required by Serbian tax and accounting law (currently 10 years).
• Web server logs: retained for up to 90 days for security purposes.

Depending on where you live, you may have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your personal data, subject to legal retention obligations.
• Restriction — ask us to limit how we process your data.
• Objection — object to processing based on our legitimate interests.
• Portability — receive a copy of the data you provided in a structured, machine-readable format.
• Withdraw consent — at any time, where processing is based on consent.
• Lodge a complaint — with the supervisory authority in your country (in Serbia: the Commissioner for Information of Public Importance and Personal Data Protection, poverenik.rs).

To exercise any of these rights, email us at [email protected]. For California residents, you have additional rights under the CCPA, including the right to know what personal information is collected and the right to opt out of any “sale” or “sharing” of personal information — we do not sell personal information and do not engage in cross-context behavioural advertising.

Voice samples uploaded for cloning may, under certain jurisdictions, qualify as biometric or sensitive data. We treat them as such regardless: they are stored separately, access is restricted, and we delete the underlying samples within 30 days after you delete a cloned voice.

If you upload a voice that is not your own, you must have written consent from the voice owner. You are responsible for that consent and may be asked to provide proof.

We do not sell, license or share voice samples or cloned voices with third parties outside the subprocessors strictly needed to deliver the cloning feature.

We use a small number of cookies and similar technologies to operate the Service. Strictly necessary cookies (for authentication, security and language preference) are always active. Google Analytics 4 cookies are loaded only after you accept them in the cookie banner — if you reject, GA4 is never injected into the page. As a fallback for users who decline GA4, we use Umami Cloud, a cookieless analytics service that does not store cookies, does not collect IP addresses and does not require consent under GDPR. You can change your choice at any time from the “Cookie settings” link in our footer.

Several subprocessors are located outside the EEA, primarily in the United States. Where personal data is transferred outside the EEA, we rely on EU Standard Contractual Clauses or, where applicable, the EU–US Data Privacy Framework. You can request a copy of the relevant safeguards by emailing us.

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete the information.

We take reasonable technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, monitored logging and regular dependency updates. No service is completely secure, however; if you believe your account has been compromised, contact us immediately.

We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top and, for material changes, notify you in the bot or by email. Continued use of the Service after the changes take effect means you accept the updated Policy.

Privacy questions, data-subject requests and breach reports: [email protected].