Privacy Policy
Velluto
Last updated: 4 June 2026
This Privacy Policy explains how Ilia Kazakov ("Velluto", "we", "us") collects, uses, shares, and protects your personal data when you use https://velluto.io, the Velluto desktop and mobile applications, and the Velluto API (the "Services").
If you have questions, contact us at privacy@velluto.io.
1. Controller
The controller of your personal data is:
Ilia Kazakov (natural person)
Address: Phuoc Long 159, Nha Trang, 650000, Viet Nam
Privacy contact: privacy@velluto.io
We have not appointed a Data Protection Officer because we are not required to do so under GDPR Article 37. For any data-protection question, write to privacy@velluto.io and we will respond within thirty (30) days.
2. Personal data we collect
We collect the following categories of personal data:
2.1. Account data
- Name (if provided)
- Email address
- Telegram user ID (if you sign in via Telegram)
- Password (stored as a salted hash; we never see the plaintext)
- Hardware identifier (HWID) of the device on which you install the desktop application — used solely to bind the licence to your device and to prevent account sharing
- Account preferences (language, theme)
Source: directly from you. Legal basis (GDPR Art. 6): performance of contract.
2.2. Subscription and billing data
- Plan, billing cycle, subscription status
- Last four digits of payment card, card brand, country of issue
- Billing address (where required for tax purposes)
- Transaction history
Source: from you and from our payment processors (Lava.top, CryptoCloud — see Subprocessors). We do not store full payment card numbers or cryptocurrency wallet credentials; cards are handled by PCI-DSS compliant processors and crypto payments by external custodial services.
Legal basis: performance of contract; compliance with tax law.
2.3. Content and Output
- Text you submit for synthesis
- Audio you upload (for voice cloning, voice changes, or other features)
- Voice Models created from uploaded audio
- Generated audio output
- Generation parameters and history
Source: directly from you. Legal basis: performance of contract.
2.4. Voice and biometric data (special category — GDPR Art. 9)
When you upload audio to create a Voice Model, we process voice characteristics (timbre, pitch, prosody) that constitute biometric data under GDPR Article 4(14).
Legal basis: your explicit consent under GDPR Article 9(2)(a), captured at the time of upload through a dedicated consent gate. You may withdraw this consent at any time, in which case we delete the Voice Model.
2.5. Usage data and technical data
- IP address (truncated for analytics after 30 days)
- Country (derived from IP)
- Browser type, operating system, device type
- Pages viewed, features used, time spent
- API requests and response codes
- Crash logs and performance metrics
- Application version
Source: automatically collected when you use the Services. Legal basis: legitimate interest (Art. 6(1)(f)) — ensuring security, preventing abuse, improving the Services. You may object under Section 9.
2.6. Communications data
- Messages you send to support
- Notification preferences
Source: from you. Legal basis: performance of contract; legitimate interest.
2.7. Cookies and similar technologies
See Cookie Policy. Legal basis: consent for non-essential cookies; legitimate interest for strictly necessary cookies.
3. Purposes of processing
We process personal data for the following purposes:
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the Services (account, synthesis, voice cloning, billing) | Account, Content, voice, billing | Contract |
| Authenticate you and bind licence to device | Account, HWID | Contract |
| Process payments and prevent fraud | Billing, IP, device | Contract; legal obligation; legitimate interest |
| Communicate with you (transactional, security, support) | Account, communications | Contract; legitimate interest |
| Send marketing emails (if you opt in) | Email, usage | Consent (you can withdraw any time) |
| Improve the Services (aggregated/de-identified analytics) | Usage, technical | Legitimate interest |
| Detect, prevent, and respond to abuse, fraud, and AUP violations | Account, Content, usage, IP | Legitimate interest; legal obligation |
| Comply with legal obligations (tax, law enforcement requests) | All | Legal obligation |
| Resolve disputes and enforce agreements | All | Legitimate interest |
We do not use your Content or your Voice Models to train general-purpose AI models without your separate explicit opt-in. Aggregated, de-identified telemetry (response times, error rates) is used for performance improvement.
4. Sharing and disclosure
We share personal data only as follows:
4.1. Subprocessors
We use a limited set of trusted third parties to operate the Services. The current list, with the data processed and location, is published at https://velluto.io/subprocessors (also reproduced in subprocessors.md). We give at least thirty (30) days' prior notice of any addition or change.
4.2. Payment processors
Lava.top (card and supported payment methods) and CryptoCloud / Trybit (cryptocurrency payments) process your billing data as independent controllers under their own privacy policies.
4.3. Legal disclosures
We may disclose personal data when required by law, court order, or governmental request, and to protect the rights, property, or safety of Velluto, our users, or others (including responding to verified voice-clone abuse complaints).
4.4. Corporate transactions
In connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, personal data may be transferred to the acquirer, subject to this Privacy Policy or a substantially similar one.
4.5. With your consent
We share personal data with any other party only with your specific consent.
We do not sell personal data to third parties. We do not engage in "cross-context behavioural advertising" as defined under the California Consumer Privacy Act.
5. International transfers
We are established in the Republic of Kazakhstan. Subprocessors are located in the European Union, the United Kingdom, the United States, and other jurisdictions.
Where we transfer personal data outside of the European Economic Area or the United Kingdom, we rely on:
- the European Commission's Standard Contractual Clauses (2021/914), Module 2 (controller-to-processor), with the UK International Data Transfer Addendum where applicable; and/or
- the EU-US Data Privacy Framework, where the subprocessor is certified; and/or
- your explicit consent, where appropriate.
You may request a copy of the transfer-impact assessment for any subprocessor by writing to privacy@velluto.io.
6. Retention
We retain personal data for as long as needed for the purposes described above, and in any event no longer than:
| Category | Retention |
|---|---|
| Account data | For the life of the Account + 30 days after closure |
| Subscription and billing | For 7 years after the last transaction (tax law) |
| Content (text, generated audio) | For the life of the Account + 90 days after closure (or earlier on your deletion request) |
| Voice Models and uploaded voice audio | Until you delete the Voice Model, and in any event no later than 3 years after your last interaction with that Voice Model; we automatically delete dormant Voice Models |
| Usage and technical logs | 12 months from collection (IP truncated after 30 days) |
| Communications with support | 24 months |
| Backups | Up to 90 days after the original record is deleted |
| Records required for legal compliance or for the resolution of disputes | For the duration of the limitation period (typically 3-7 years depending on jurisdiction) |
After the retention period, data is securely deleted or irreversibly anonymised.
7. Security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for Content and credentials
- Hardware-bound device licensing
- Hashed passwords (Argon2 / bcrypt)
- Role-based access controls; least-privilege principle
- Audit logging of administrative actions
- Network segmentation and firewalling
- Vendor due diligence and contractual security obligations on subprocessors
- Regular backups
- Vulnerability scanning and patch management
- Incident-response procedures with breach notification within 72 hours where required by GDPR Article 33
No system is perfectly secure. You are responsible for keeping your credentials and devices safe.
8. Children
The Services are not directed to, and may not be used by, persons under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18. If you believe we have collected personal data from a person under 18, contact privacy@velluto.io and we will delete it.
9. Your rights
Subject to applicable law, you have the following rights regarding your personal data:
- Access — request confirmation of whether we process your data and a copy
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion in certain circumstances
- Restriction — limit how we process your data in certain circumstances
- Portability — receive your data in a structured, commonly used, machine-readable format
- Objection — object to processing based on legitimate interests, including profiling
- Withdraw consent — at any time, where processing is based on consent (without affecting prior lawful processing)
- Not be subject to solely automated decisions that produce legal or similarly significant effects
- Lodge a complaint with a supervisory authority
You can exercise most rights directly from your Account settings or by emailing privacy@velluto.io. We will respond within thirty (30) days; complex requests may take up to ninety (90) days, in which case we will explain the delay.
We may need to verify your identity before responding, to prevent fraudulent requests.
Voice Owner-specific rights: If you are not a user but your voice has been cloned by a user of the Services, you have an independent right to demand deletion of the Voice Model. Contact abuse@velluto.io. We honour verified requests within thirty (30) days.
9.1. Supervisory authorities
| Region | Authority |
|---|---|
| EEA | the data protection authority of your country of residence (list at https://edpb.europa.eu/about-edpb/about-edpb/members_en) |
| UK | Information Commissioner's Office (ico.org.uk) |
| Switzerland | Federal Data Protection and Information Commissioner (edoeb.admin.ch) |
| Other jurisdictions | The competent data-protection authority of your country |
10. Region-specific notices
10.1. European Economic Area, United Kingdom, Switzerland
- Legal bases are listed in Sections 2 and 3.
- You have the rights listed in Section 9 under GDPR / UK GDPR / nFADP.
- Our EU representative under GDPR Article 27 (where applicable): contact privacy@velluto.io; we will provide details on request.
- The EU AI Act applies to AI-generated voice output. Where required by Article 50, our Output may include machine-readable markers indicating that it is AI-generated.
10.2. California (CCPA / CPRA)
- Categories collected: identifiers, commercial information, internet activity, audio/visual information (your audio uploads and Output), inferences. See Section 2.
- Sources: directly from you; automatically; from payment processors.
- Purposes: see Section 3.
- We do not sell personal information and do not share it for cross-context behavioural advertising as defined under CCPA.
- You have the rights of access, deletion, correction, and to limit use of sensitive personal information (your voice). Exercise them at privacy@velluto.io.
- You may designate an authorised agent to make a request on your behalf.
10.3. Russian Federation and the Republic of Belarus
The Services are not offered to residents of the Russian Federation or the Republic of Belarus. We do not knowingly process personal data of residents of these jurisdictions. If you are a resident of one of them and have inadvertently accessed the Services, please discontinue use and contact privacy@velluto.io for account deletion.
11. Automated decision-making
We do not make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects concerning you. Automated systems may flag suspected AUP violations or fraud for human review; final enforcement decisions are made by a human.
12. Changes to this Policy
We may update this Policy from time to time. For material changes, we will give at least thirty (30) days' prior notice by email or in-product banner. The "Last updated" date at the top reflects the latest version. Continued use of the Services after the effective date constitutes acceptance.
13. Contact
For any privacy question or to exercise your rights:
Email: privacy@velluto.io
Postal: Ilia Kazakov, Phuoc Long 159, Nha Trang, 650000, Viet Nam