Privacy

Privacy Policy

Alfaaz processes family stories, voice recordings, and account data to run the product. This policy describes, in plain language, what we hold, why, where it lives, how long it stays, and how families can ask for export, correction, or deletion. For anything sensitive or unclear, write to us before sharing an elder's data.

01

Who we are (controller / fiduciary)

Alfaaz is operated by Pulkit Mendiratta, trading as a sole proprietorship (eenmanszaak) under the name "Alfaaz", in Amsterdam, the Netherlands (KvK 42039821).

We are the data controller under the EU General Data Protection Regulation (GDPR) and the Dutch implementation (UAVG), and the data fiduciary under India’s Digital Personal Data Protection Act, 2023 (DPDP Act).

Contact / Grievance Officer: Pulkit Mendiratta — privacy@alfaaz.me. We aim to respond within 30 days.

Because Alfaaz is established in the EU, the GDPR applies to our processing wherever you are located. Because elders are located in India, the DPDP Act also applies to their personal data.

02

The data we collect

  • Account & family data — email, name, family membership, and authentication data (managed by our auth provider). Used for login, notifications, invitations, and access control.
  • Elder information (provided by the family member) — the elder’s name and nicknames, WhatsApp phone number, language, gender (for grammatically correct speech), relationship to the family, and optional context notes ("what lights them up"). Used to run and personalise conversations.
  • Conversation data — incoming voice recordings (the elder’s voice notes), outgoing AI-generated voice notes, transcripts, conversation topic, and session metadata (timestamps, message IDs). Used to hold conversations and preserve stories.
  • Extracted knowledge (AI-generated) — people, places, events, emotional moments, inferred personality traits, life-chapter narratives, an elder profile, and unfinished story threads, derived by AI from transcripts. Used to build and personalise the family’s story archive.
  • Waitlist data — email and language preferences provided on our landing page.
  • Payment data — handled entirely by Stripe. We do not store card numbers or bank details. Payments are one-time and manual — there is no subscription or automatic renewal.
  • Website analytics — limited product analytics (see "Cookies and analytics"). We hash direct identifiers before they leave our servers where we can.

03

Special-category and sensitive data

Life stories naturally include sensitive information — health, religion, caste, political views, or accounts of personal relationships — and voice recordings, which can be sensitive/biometric under some laws.

  • We do not solicit sensitive information, and we do not use it to make any decision about you or the elder.
  • We rely on explicit consent (GDPR Art. 9(2)(a); DPDP consent) as the basis for processing it, given and managed through the family member who sets up the elder (see "How consent works").
  • We do not create voiceprints, speaker-identification profiles, or biometric identifiers. Voice is used to transcribe speech to text and for family playback only.
  • You can ask us to redact specific sensitive content from transcripts and extracted records.

04

Why we process your data, and our legal basis

PurposeDataLegal basis (GDPR)
Holding voice conversationsPhone, name, language, gender, voiceConsent; performance of contract
Preserving storiesTranscripts, extracted entities, life chaptersConsent
Personalising conversationsElder profile, known entities, past contextConsent; legitimate interests
Family notificationsEmail, elder name, session summaryPerformance of contract
Account managementEmail, name, family membershipPerformance of contract
Sensitive content within storiesAs it arises in conversationExplicit consent (Art. 9(2)(a))
Service improvementAggregated, de-identified usage statisticsLegitimate interests
Diagnostics and data-quality review (early access)Affected Content and processing records, minimum necessaryLegitimate interests; explicit consent for sensitive content
Legal complianceAs requiredLegal obligation

Under the DPDP Act, our processing of elder and account-holder data is based on consent for the specified purposes above, which can be withdrawn (see "Your rights").

We do not: sell personal data; use stories for advertising; use conversations to train AI models; or use any Content for marketing without separate, explicit consent.

06

Who we share data with (sub-processors)

We share data only with service providers that help us run Alfaaz, each receiving only what it needs. We do not sell or rent your data. A current, detailed list — including each provider’s purpose, the data it receives, its location, and its retention — is maintained in our Sub-processor list at /sub-processors. In summary, we use providers for: AI conversation and story extraction, AI scoring of stories, voice transcription and synthesis, WhatsApp message delivery, hosting and file storage, the database, authentication, email, payments, and product analytics.

07

International data transfers

Alfaaz is operated from the Netherlands. Elders are in India; account holders and our service providers may be in the EU, the UK, the United States, India, or elsewhere, so your data may be transferred across borders.

Safeguards we rely on, where applicable:

  • Standard Contractual Clauses (SCCs) and, where available, EU-US Data Privacy Framework participation by our providers, for transfers out of the EEA;
  • Data Processing Agreements with providers that act as our processors;
  • under the DPDP Act, transfers to countries not restricted by the Government of India; we monitor the restricted-country list and adjust if required.

08

Voice recordings

  • When an elder sends a voice note, we receive and process that audio to transcribe it and to let the family play it back.
  • Outgoing voice notes are AI-generated (text-to-speech) — they are not the elder’s voice.
  • We do not build voiceprints or use voice to identify anyone.
  • Voice transcription and synthesis are performed by ElevenLabs. Audio sent to ElevenLabs is processed to produce text or speech; retention on ElevenLabs’ side is governed by their policy and the tier we use, and we are working to minimise it (see the sub-processor list for current status). Audio we store for family playback lives in our file storage (Vercel Blob) and is deleted when the elder is deleted.

09

Children’s and third parties’ data

9.1 Alfaaz is for adults. We do not knowingly let anyone under 18 create an account.

9.2 People mentioned in stories. Elders naturally mention others — including children and grandchildren. Records (names, facts) may be created for mentioned people, including minors. This data is derived from the elder’s narrative, not collected from those people. We do not build profiles of, or contact, mentioned individuals. A family member can edit or delete any such record in the dashboard, and any person can ask us to remove information about them at privacy@alfaaz.me.

10

Your rights

Depending on where you live, you have rights over your personal data. To exercise any of them, email privacy@alfaaz.me; we verify identity to prevent unauthorised access, respond within 30 days, and charge no fee.

  • Everyone: access, correction, deletion, withdrawal of consent, and a copy of your data in a portable format. Family members can also edit and delete most data directly in the dashboard.
  • India (DPDP Act): grievance redressal via our Grievance Officer (above); the right to nominate another person to exercise your rights in case of death or incapacity (relevant for elders — contact us to register a nominee); and the right to complain to the Data Protection Board of India.
  • EU/EEA (GDPR): in addition to the above, the rights to restriction and to object, and the right to lodge a complaint with your local Supervisory Authority (in the Netherlands, the Autoriteit Persoonsgegevens).
  • UK (UK GDPR): the equivalent rights, and the right to complain to the Information Commissioner’s Office (ICO).
  • California (CCPA/CPRA): the rights to know, delete, correct, and to limit the use of sensitive personal information; we do not sell or "share" personal information for cross-context behavioural advertising, and we will not discriminate against you for exercising your rights.
  • Canada (PIPEDA): access and correction rights, and the right to complain to the Office of the Privacy Commissioner of Canada.

Exercising rights for an elder: rights can be exercised by the elder directly, by a family member with verifiable family membership on the elder’s behalf, or by a registered nominee.

11

Data retention and deletion

DataRetention
Account data (email, name)Until account deletion
Elder information, voice, transcripts, extracted knowledge, profileUntil the elder is deleted (plus a 14-day grace period for restoration)
Waitlist entriesUntil you unsubscribe or 12 months of inactivity
Application logs~90 days (rolling)
Legal/consent recordsAs long as required to meet a legal obligation

Deleting an elder: a family member deletes the elder; the elder is soft-deleted immediately, a 14-day grace period allows restoration, and after that all voice recordings, conversations, extracted data, and the elder record are permanently deleted, including associated audio files. Deleting your account: email privacy@alfaaz.me; we complete verified deletions within 30 days. Data already sent to AI providers is deleted per their retention policies (see the sub-processor list); we request deletion from other providers as applicable. Short-lived copies may persist in encrypted backups before expiring.

12

Security

  • Encryption in transit (HTTPS/TLS); database and file storage encrypted at rest.
  • WhatsApp messages are end-to-end encrypted by WhatsApp until they reach our processing endpoint.
  • Authentication on all endpoints; family-scoped authorisation so you only see your Family’s data; least-privilege credentials; admin access separated.
  • Webhook signatures verified (HMAC-SHA256 for messaging, Svix for auth, Stripe signatures for payments).
  • Breach notification: we will notify the relevant authority within 72 hours where the GDPR requires it (and as soon as practicable under the DPDP Act), and affected individuals without undue delay where required.

No system is perfectly secure; we cannot guarantee absolute security, and you should not treat Alfaaz as your only copy of anything important (see Terms, Section 10).

13

Cookies and analytics

  • The dashboard uses essential cookies for login (via our auth provider) that cannot be disabled.
  • We use limited product analytics (PostHog) to understand how families use Alfaaz. We do not use advertising cookies or third-party advertising trackers, and we do not sell or share data for behavioural advertising.

14

AI processing disclosure

Alfaaz uses AI to: transcribe the elder’s voice to text; generate conversational questions; synthesise voice responses; extract people/places/events/moments and a story summary from each session; and build life chapters and an elder profile across sessions. AI also scores conversations internally (for example, how moving or shareable a story is) to help surface the right content to the family.

AI does not decide your account access or eligibility, does not create biometric profiles, does not publish your stories anywhere, and is not trained on your conversations. Family members can review, edit, and delete AI-generated Content, and choose conversation topics.

15

Early access: diagnostics and quality review

Alfaaz is in early access, and accounts created before 1 August 2026 form our Early Access Programme. During this period we sometimes need to look at real data to fix real problems. When an error, mis-transcription, failed extraction, or archive inconsistency is reported or detected, authorised personnel may access and review the affected conversation data (voice recordings, transcripts, and extracted records) to diagnose and correct the issue, verify the accuracy of AI-generated output, repair data-quality problems in a family’s archive (for example, de-duplicating people, places, or events), and confirm that our safety and content checks work as intended. This continues to apply to content created by Early Access accounts after the early-access period ends.

  • Review is issue-driven: it happens when something needs fixing or verifying, never as routine monitoring of your conversations.
  • We use the minimum data necessary and work with de-identified or pseudonymised data wherever practicable.
  • What we learn is used only to fix the Service and your archive, never for marketing, advertising, or AI model training (Terms, Sections 8.3 and 8.4).
  • Legal basis: our legitimate interest in providing a reliable and safe Service (GDPR Art. 6(1)(f)); where sensitive content is involved, the explicit consent described in "Special-category and sensitive data"; and, under the DPDP Act, one of the specified purposes you consent to. Questions or objections: privacy@alfaaz.me.

16

WhatsApp

We deliver and receive messages over WhatsApp using a third-party messaging provider (listed in the sub-processor list). WhatsApp itself is operated by Meta under its own privacy policy (https://www.whatsapp.com/legal/privacy-policy).

  • An elder is only contacted after a family member registers them and a conversation is initiated.
  • We use the phone number only for the storytelling service — no marketing, promotions, or ads over WhatsApp.
  • We receive voice-note audio and message metadata (timestamp, message ID). We do not access the elder’s WhatsApp contacts, profile photo, status, or other WhatsApp data.

17

Changes to this policy

We may update this policy. For material changes we will update the date above, take reasonable steps to notify registered users (e.g., by email or in the product), and, where required, give 30 days’ notice before the change takes effect.

18

Contact and complaints

Pulkit Mendiratta (Grievance Officer / data contact), trading as Alfaaz — privacy@alfaaz.me, Wibautstraat 186, Amsterdam, Netherlands.

You may also complain to a regulator: the Dutch Autoriteit Persoonsgegevens (EU/NL), your local EU Supervisory Authority, the UK ICO, the Data Protection Board of India, or the California Privacy Protection Agency, as applicable to you.

Trust & care

Continue reading