policy

Legal

GDPR Compliance

ProsodyAI is fully committed to compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This page provides transparency about our data processing activities and explains your rights as a data subject.

calendar_todayLast updated: March 1, 2026GDPR Compliant

business

Data Controller

ProsodyAI, Inc.

location_on

Established In

United States

contact_mail

DPO Contact

dpo@prosodyai.ai

info

GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, and applies to all organizations that process personal data of individuals located in the European Economic Area (EEA).

As a data-driven platform, ProsodyAI processes personal data to deliver our Services. We act in two capacities:

Data Controller — we determine the purposes and means of processing personal data of our registered users (account holders, API customers)
Data Processor — we process text and voice data on behalf of our customers who use our API to serve their own end users

For API customers who process data on behalf of their users, a Data Processing Agreement (DPA) is available. Enterprise customers may request a signed DPA by contacting dpo@prosodyai.ai.

business

Data Controller Information

The Data Controller responsible for your personal data is:

ProsodyAI, Inc.

Email: privacy@prosodyai.ai

DPO: dpo@prosodyai.ai

ProsodyAI does not have an EU establishment. We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance and serve as the primary contact for data protection matters.

balance

Legal Bases for Processing

We rely on the following legal bases under Article 6 of the GDPR to process personal data:

Performance of a ContractArt. 6(1)(b)

Processing necessary to provide the Services you have signed up for, including account management, TTS synthesis, billing, and quota enforcement.

ConsentArt. 6(1)(a)

Processing based on your explicit, freely given consent, including marketing communications and optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Legitimate InterestsArt. 6(1)(f)

Processing for our legitimate interests where they are not overridden by your rights, including security monitoring, fraud prevention, service improvement, and aggregate analytics.

Legal ObligationArt. 6(1)(c)

Processing required to comply with applicable law, such as financial record-keeping obligations or responses to lawful government requests.

Where we process special categories of personal data (e.g., biometric voice characteristics used for voice cloning), we rely on explicit consent pursuant to Article 9(2)(a) GDPR. You may revoke this consent at any time, which will trigger deletion of the associated voice model.

database

Categories of Personal Data

Category	Data Elements	Legal Basis
Identity Data	Name, email, password hash	Contract
Billing Data	Payment method, billing address, invoice history	Contract, Legal Obligation
Usage Data	API calls, characters synthesized, audio duration	Contract, Legitimate Interests
Technical Data	IP address, browser, device type, timestamps	Legitimate Interests
Voice Data	Reference audio for voice cloning	Explicit Consent (Art. 9)
Communications	Support tickets, contact form messages	Contract, Legitimate Interests

verified_user

Your Rights Under GDPR

As an EEA data subject, you have the following rights under GDPR Articles 15–22:

Art. 15

Right of Access

Obtain confirmation of whether we process your data and request a copy of it.

Art. 16

Right to Rectification

Request correction of inaccurate or completion of incomplete personal data.

Art. 17

Right to Erasure

Request deletion of your personal data where there is no overriding legal basis to retain it.

Art. 18

Right to Restriction

Request that we limit how we use your data while a dispute is being resolved.

Art. 20

Right to Portability

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

Art. 21

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Art. 22

Right Against Automated Decisions

Not be subject to decisions based solely on automated processing that significantly affect you.

How to Exercise Your Rights

Submit your request to dpo@prosodyai.ai. We will respond within 30 days (extendable by two months for complex requests with prior notice). We may require identity verification before processing sensitive requests.

Many rights can also be exercised directly from your account settings dashboard without contacting us.

language

International Data Transfers

ProsodyAI is based in the United States. If you are located in the EEA, your personal data may be transferred to and processed in the US, a country that the European Commission has not determined provides an adequate level of data protection.

We safeguard such transfers through the following mechanisms:

Standard Contractual Clauses (SCCs) — EU Commission-approved clauses (2021/914) included in all sub-processor agreements
EU-U.S. Data Privacy Framework (DPF) — where our sub-processors are DPF-certified
Transfer Impact Assessments (TIAs) conducted for all third-country transfers
Binding Corporate Rules — under evaluation for intra-group transfers

You may request a copy of the applicable transfer safeguards by contacting dpo@prosodyai.ai.

history

Data Retention Periods

Data Category	Retention Period	Justification
Account data	Duration of account + 90 days	Service provision, recovery window
Billing records	7 years	Legal / tax obligation
Synthesized audio	30 days	Service provision, user access
Voice reference audio	Until model training completes	Deleted immediately after processing
Log data	12 months	Security monitoring, debugging
Support records	3 years after resolution	Legitimate interests, dispute resolution
Marketing consent records	3 years from last interaction	Demonstrating lawful processing

hub

Sub-processors

We engage the following sub-processors to assist in providing our Services. All sub-processors are bound by Data Processing Agreements that impose GDPR-equivalent protections.

Sub-processor	Purpose	Location
Stripe, Inc.	Payment processing	USA
Paddle.com Market Ltd.	Payment processing (EU)	UK/EU
Amazon Web Services	Cloud infrastructure, storage	USA/EU
Sentry, Inc.	Error monitoring	USA
Resemble AI, Inc.	Chatterbox TTS engine	USA
Redis Ltd.	In-memory caching, queuing	USA/EU

We will notify you of any material changes to our sub-processor list with at least 10 days' notice, giving you the opportunity to object before the change takes effect.

person_search

Data Protection Officer

ProsodyAI has appointed a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance program, handling data subject requests, and serving as the primary point of contact for data protection authorities.

Data Protection Officer

ProsodyAI, Inc.

Email: dpo@prosodyai.ai

Response time: within 5 business days

account_balance

Supervisory Authority

You have the right to lodge a complaint with the relevant data protection supervisory authority in the EU member state where you reside, work, or where an alleged infringement took place.

A list of all EU supervisory authorities and their contact details is available on the European Data Protection Board website.

We ask that you contact us first at dpo@prosodyai.ai so we have the opportunity to address your concern before you escalate to the supervisory authority. We are committed to resolving complaints promptly and fairly.

info

EEA residents may also use the EU Online Dispute Resolution platform at ec.europa.eu/consumers/odr for resolving disputes with online businesses operating in the EU.