Privacy Policy

ProsodyAI, Inc. ("ProsodyAI", "we", "our", or "us") operates the ProsodyAI platform, including our website at prosodyai.ai and all related APIs, applications, and services (collectively, the "Services"). This Privacy Policy applies to all users of our Services.

By accessing or using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Services immediately.

We act as a data controller for the personal data of our registered users and account holders, and as a data processor for any text or voice data you submit for synthesis on behalf of your end users.

Information You Provide Directly

• Account information: name, email address, password (hashed), and company name when you register
• Billing information: payment method details processed and stored by our payment providers (we do not store raw card numbers)
• Text input: the text content you submit to our TTS synthesis engine
• Voice reference audio: recordings you upload for zero-shot voice cloning
• Communications: messages you send us via contact forms, support tickets, or email
• Profile preferences: display name, language preferences, notification settings

Information Collected Automatically

• Log data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps
• Usage metrics: API call frequency, character counts, audio duration, queue wait times, and error rates
• Device information: hardware model, screen resolution, and unique device identifiers
• Cookies and similar tracking technologies (see our Cookie Policy for details)

Information from Third Parties

• Payment confirmation and fraud-signal data from our payment processors (Stripe, Paddle)
• OAuth profile data (name, email, avatar) if you sign in via a third-party provider

We use the personal data we collect to:

• Provide, maintain, and improve the Services, including processing your TTS synthesis requests
• Create and manage your account and subscription
• Process payments and send receipts, invoices, and billing notifications
• Enforce our usage quotas and rate limits
• Send transactional communications (account confirmations, password resets, synthesis completions)
• Send promotional communications, where you have opted in and as permitted by law
• Detect, investigate, and prevent fraudulent transactions and other illegal activities
• Monitor and analyze usage patterns to improve performance, reliability, and user experience
• Comply with legal obligations and respond to lawful requests from public authorities
• Protect the rights, property, and safety of ProsodyAI, our users, and the public

The legal bases we rely on under the GDPR are: performance of a contract (Art. 6(1)(b)) for account and billing operations; legitimate interests (Art. 6(1)(f)) for security, analytics, and service improvement; and consent (Art. 6(1)(a)) for marketing communications.

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

Service Providers

We engage trusted third-party vendors who process data on our behalf under strict data processing agreements:

• Payment processors (Stripe, Paddle) — billing and subscription management
• Cloud storage (MinIO / AWS S3-compatible) — audio file and asset storage
• Email service providers — transactional and marketing emails
• Error monitoring (Sentry) — crash and error reporting (data is anonymized where possible)
• Infrastructure providers — hosting, CDN, and load balancing

Legal Requirements

We may disclose your information if required by law, court order, or other governmental authority, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

We retain your personal data for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

• Account data is retained for the duration of your active account, plus 90 days after account deletion to allow for recovery and dispute resolution
• Billing records and invoices are retained for 7 years to comply with financial and tax regulations
• Synthesized audio files are stored for 30 days after generation, after which they are permanently deleted from our servers
• Voice cloning reference audio is deleted immediately upon model training completion, or upon your written request
• Log data and usage metrics are retained for 12 months for security and analytics purposes
• Support correspondence is retained for 3 years after resolution

You may request earlier deletion of your data by contacting us at privacy@prosodyai.ai. Deletion requests will be processed within 30 days, subject to any legal retention obligations.

Depending on your location, you may have the following rights regarding your personal data:

• Right of access — obtain a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete personal data
• Right to erasure — request deletion of your personal data ("right to be forgotten")
• Right to restriction — request that we limit the processing of your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on our legitimate interests
• Right to withdraw consent — where processing is based on consent, withdraw it at any time
• Right to lodge a complaint — file a complaint with your local data protection supervisory authority

To exercise any of these rights, please submit a request to privacy@prosodyai.ai. We will respond within 30 days. We may need to verify your identity before processing your request.

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:

• All data in transit is encrypted using TLS 1.3
• All data at rest is encrypted using AES-256
• API keys are stored as SHA-256 hashes; raw keys are never persisted
• Passwords are hashed using bcrypt with a minimum cost factor of 12
• Access to production systems is restricted to authorized personnel via MFA-protected SSH
• We conduct regular security audits and vulnerability assessments
• Our infrastructure is hosted in SOC 2 Type II certified data centers

While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. Please report any security vulnerabilities to security@prosodyai.ai.

We use cookies and similar technologies to operate and improve our Services. For a detailed explanation of the cookies we use and how to manage your preferences, please see our Cookie Policy.

In summary, we use:

• Essential cookies — required for authentication and security; cannot be disabled
• Analytics cookies — help us understand how users interact with our Services
• Preference cookies — remember your settings and preferences

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal information, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@prosodyai.ai.

ProsodyAI operates globally. Your personal data may be transferred to and processed in countries other than the country in which you reside, including the United States. These countries may have data protection laws that are different from those of your country.

When we transfer personal data from the European Economic Area (EEA) to countries not recognized by the European Commission as providing an adequate level of data protection, we rely on appropriate transfer mechanisms, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with sub-processors that include appropriate safeguards
• The EU-U.S. Data Privacy Framework where applicable

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to all registered users with an active account
• Display a prominent notice within the platform for 30 days following the update

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree to the updated terms, you must discontinue use of our Services.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: