At iPulse Labs ("iPulse", "we", "us", or "our"), protecting your privacy and sensitive biometric data is our fundamental commitment. This Privacy Policy outlines our practices regarding the collection, use, disclosure, and safeguarding of your information when you use our website, APIs, and AI audio generation services (collectively, the "Service"). This Policy is incorporated by reference into our Terms of Use.
1. Our Core Promise: AI Model Training Policy
We do not use your personal data or user-generated content to train our foundational AI models.
We recognize the profound sensitivity of voice and audio data. Any text prompts you submit, audio files you upload, voice clones you create, and the resulting audio outputs are utilized strictly to provide the Service directly to you. Your data is isolated and never pooled into shared datasets to improve our base generative AI engines.
2. Categories of Information We Collect
Depending on how you interact with our Service, we may collect the following categories of information:
- Identifiers & Account Data: Name, email address, username, account password (stored as a secure hash), and authentication tokens (e.g., Google OAuth tokens).
- Biometric Information (Voice Data):When you use our voice cloning features, you may upload audio recordings of a voice. We process these recordings to extract acoustic and vocal characteristics (a "voiceprint") solely to map and synthesize the requested audio output. This category of data is treated with the highest level of protection under this Policy.
- User Content: Text prompts, generated audio files, project settings, voice model names, and any customer support communications.
- Commercial Information: Subscription tier, transaction history, and service usage metrics. (Note: Full payment card details are processed directly by Polar.sh, our Merchant of Record; we only retain billing status and limited transaction identifiers.)
- Internet & Network Activity: IP addresses, browser types, device identifiers, operating systems, log data, session duration, and interaction metrics with our platform.
- Inference and Usage Logs: API call timestamps, character counts, voice model IDs used, and generation parameters (e.g., language, speed, format). This data is used for billing accuracy, rate limit enforcement, and abuse detection.
3. Biometric Data Notice and Consent
Compliance with laws such as the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and equivalent regulations is a priority for iPulse.
- Purpose: Voiceprints are created and used exclusively to provide the voice synthesis and cloning features you explicitly request. They are never sold, licensed, or used for any other purpose.
- Consent: By uploading audio for cloning, you certify that: (a) if the voice is your own, you are the speaker; or (b) if the voice belongs to another person, you hold valid written authorization from that individual permitting the processing of their biometric data for this specific purpose.
- Retention & Destruction: We retain your custom voice models only for as long as your account is active and you choose to keep the model. If you delete a voice model or your account, the associated voiceprints and biometric identifiers are permanently destroyed from our systems within 30 days. In no event will biometric data be kept for more than 3 years after your last interaction with the Service.
- No Disclosure: We do not sell, lease, trade, or otherwise profit from your biometric data. Biometric data is shared only with the subprocessors listed in §5, strictly as necessary to provide voice synthesis, and under equivalent data protection obligations.
- Security Standards: Voiceprints and associated acoustic features are stored in encrypted, access-controlled environments isolated from general-purpose data stores. Access is restricted to authorized engineering personnel on a need-to-know basis.
4. How We Use Your Information
We process your information for the following legitimate business purposes:
- To provide, operate, and maintain the Service, including processing TTS requests and managing voice clone models.
- To process payments and manage your subscription via Polar.
- To detect, investigate, and prevent fraud, abuse, policy violations, and unauthorized voice cloning activity (e.g., detecting deepfakes generated in violation of §2 of our Terms of Use).
- To enforce our Terms of Use, including investigating reports of unauthorized voice cloning or misuse of Generated Content.
- To communicate with you regarding service updates, security alerts, billing notices, and support.
- To generate anonymized, aggregated analytics about platform usage (e.g., average session length, popular language settings) that cannot be used to identify you.
- To comply with applicable legal obligations, court orders, and regulatory requirements.
5. Third-Party Subprocessors and Data Sharing
We share information only with trusted third parties strictly necessary to operate iPulse. We do not sell your data. Our current subprocessors include:
| Subprocessor | Category | Purpose |
|---|
| AWS / Google Cloud | Infrastructure | Secure data hosting, GPU inference, storage |
| Modal.com | AI Compute | Serverless voice cloning inference backend |
| x.ai | AI API | Text-to-speech synthesis engine |
| Polar.sh | Payments | Merchant of Record; processes all transactions |
| Supabase / PostgreSQL | Database | User accounts, voice model metadata |
We may disclose your data to law enforcement if legally required by a valid subpoena, court order, or to protect the safety and rights of iPulse, our users, or the public. We will, where legally permitted, notify you of such a request before complying.
6. Cookies, Tracking, and Analytics
We use a minimal set of tracking technologies to operate and improve the Service. We do not use advertising cookies or sell browsing data to third parties.
A. Types of Cookies We Use
- Essential / Functional Cookies: Required for the Service to operate. These include session authentication tokens (e.g., Supabase auth cookies) and CSRF protection tokens. These cannot be disabled without breaking core functionality.
- Preference Cookies: Store your settings such as theme preference or last-used voice model. These are session-local and expire when you close your browser.
- Analytics Cookies (Optional): We may use privacy-respecting, cookie-free analytics tools (e.g., Plausible Analytics or equivalent) to understand aggregate usage patterns. These tools do not use persistent cross-site tracking cookies and do not collect personally identifiable information.
B. Cookie Consent
Where required by law (e.g., under the EU ePrivacy Directive), we will present a cookie consent notice before setting non-essential cookies. You may update your cookie preferences at any time via your account settings.
C. Do Not Track
We honor browser-level "Do Not Track" (DNT) signals for analytics purposes. When DNT is enabled, we do not load optional analytics scripts.
7. Regional Privacy Rights
A. European Economic Area (EEA) and UK (GDPR / UK GDPR)
If you are located in the EEA or UK, you have the following rights regarding your personal data:
- Right to Access (Art. 15): Obtain a copy of your personal data we hold.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure — "Right to be Forgotten" (Art. 17): Request deletion of your data where we no longer have a lawful basis to retain it.
- Right to Restrict Processing (Art. 18): Temporarily limit how we use your data while a dispute is pending.
- Right to Data Portability (Art. 20): Receive your account data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Rights related to Automated Decision-Making (Art. 22): We do not make automated decisions with significant legal effect on individuals based solely on automated processing.
Our legal bases for processing include: performance of a contract (delivering the Service), legitimate interests (security and fraud prevention), explicit consent (biometric data), and compliance with legal obligations. To exercise your GDPR rights, contact legal@ipulse.ai with the subject line "GDPR Rights Request". We will respond within 30 days.
B. United States — California (CCPA/CPRA), Virginia, Colorado, and Other State Laws
If you are a resident of certain US states, you may have the right to request:
- Disclosure of the categories and specific pieces of personal information we have collected about you;
- Deletion of your personal information (subject to certain exceptions);
- Correction of inaccuracies in your personal information;
- The right to opt-out of the "sale" or "sharing" of personal data. iPulse does not sell or share your personal data for advertising purposes.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
For biometric data specifically, we comply with BIPA (Illinois), CUBI (Texas), and equivalent state laws, including obtaining consent before collection and honoring deletion requests within the timeframes specified in §3 of this Policy. To submit a US state privacy request, contact legal@ipulse.ai with the subject line "US Privacy Rights Request" and specify your state of residence.
C. Singapore and Southeast Asia (PDPA)
For users in Singapore, we comply with the Personal Data Protection Act 2012 (PDPA). You have the right to access and correct your personal data. To make a request, contact legal@ipulse.ai.
8. Data Security and International Transfers
We implement robust, industry-standard security measures including:
- Encryption at Rest: AES-256 encryption for all stored user data and voice models.
- Encryption in Transit: TLS 1.3 for all data transmitted between your browser, our servers, and our subprocessors.
- Access Controls: Role-based access controls (RBAC) limit internal access to user data; biometric data is access-restricted to a minimal set of authorized engineers.
- Incident Response: We maintain an incident response plan. In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by applicable law (e.g., within 72 hours under GDPR).
By using the Service, you acknowledge that your data may be transferred to, stored, and processed in the United States or other countries where our subprocessors operate. For transfers of personal data from the EEA/UK, we utilize Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection.
9. Data Retention
We retain different categories of data for different periods, based on operational necessity and legal requirements:
- Account Data: Retained for the life of your account, plus up to 90 days after account deletion to resolve disputes and comply with legal obligations.
- Biometric Data (Voiceprints): Deleted within 30 days of your deletion request or account closure, or after 3 years of inactivity — whichever comes first.
- Generated Audio Files: Stored per your dashboard settings. You can delete individual files at any time. Files are permanently removed within 30 days of deletion.
- Billing and Transaction Records: Retained for 7 years as required by financial and tax regulations.
- Security and Audit Logs: Retained for up to 12 months for fraud investigation and abuse prevention purposes.
10. Children's Privacy
iPulse is intended for users who are at least 18 years of age and is not directed at children. We do not knowingly collect personal information from minors under 18. If we become aware that a minor has provided us with personal data — including biometric data — we will take immediate steps to delete such information and terminate the account. If you believe a child has created an account, please notify us at legal@ipulse.ai.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, subprocessors, or legal requirements. We will notify you of any material changes by:
- Posting the updated policy on this page and updating the "Last Updated" date at the top;
- Sending an email notification to your registered email address at least 14 days before material changes take effect (except where shorter notice is required by law).
For material changes to how we handle biometric data, we will seek fresh explicit consent before applying those changes to your existing data. Continued use of the Service after the effective date of an updated Policy constitutes acceptance of the non-material portions of the changes.
12. Contact Us — Data Protection Officer
To exercise your privacy rights, report a potential privacy violation, request data deletion, or ask questions about this Privacy Policy, please contact our Data Protection Officer at:
Email: legal@ipulse.ai
Subject: Privacy / Data Rights Request
We aim to respond to all privacy inquiries within 5 business days and to complete substantive requests within 30 calendar days. If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).