PRIVACY POLICY

Voice Soul is an AI-enabled voice, image and language assistance platform that enables users to record, upload, translate, process and receive audio, image-based, contextual and language-related outputs through artificial intelligence and third-party processing systems (the “Services”). The Services are owned and operated by Sohofi Global Technologies, a partnership firm based in India, with its registered office at Flat No. 203, 23/1, J R Makwoods Apartments, Old Mangammanapalya Road, Popular Colony, Mangammanapalya, Bengaluru, Bengaluru Urban, Karnataka, 560068 (“SOHOFI”, “Company”, “we”, “us” or “our”). This Privacy Policy (“Policy”) explains how we collect, use, disclose, retain and protect Information/Data when you use the Voice Soul mobile application, website, web application, APIs, interfaces, software, tools, content and related services (the “Platform”). For AI Processing features, Input Data is intended to be processed on a one-time, transient basis to generate the requested AI Output and is then deleted, de-identified or retained only in limited form as described in this Policy.

This Policy is provided electronically and should be read with the Terms and Conditions, consent notices, cookie notices, feature-specific notices and in-app disclosures. Nothing in this Policy limits any mandatory rights available to you under Applicable Laws.

In this Policy, “you” / “your” / “yourself” means the person using the Platform and/or the person on whose behalf you are acting. We process Personal Information/Data, Sensitive Data, third-party information and other Information/Data only for the relevant features and purposes described in this Policy and in accordance with Applicable Laws.

Please read this Policy carefully before using the Platform. By accessing or using the Platform or Services, you acknowledge that you have read this Policy. Where consent or a specific permission is required, we will request it through an appropriate mechanism. If you accept this Policy on behalf of another person or legal entity, you represent that you have authority to do so.

This Policy describes the categories of Information/Data we collect, the purposes for which we use it, the broad grounds on which processing may occur, the persons with whom it may be shared, the retention approach for transient AI Processing, your rights and choices, our security measures and our contact details.

We may update this Policy from time to time. Changes become effective when posted on the Platform or on another notified date. Where a change materially affects processing of Personal Information/Data, we will provide notice or take other steps required by Applicable Laws.

1. CONSENT

By using the Platform, you acknowledge that you have read and understood this Policy. We do not treat use of the Platform as blanket consent to all processing. Where Applicable Laws require consent, express consent or a specific permission, we may obtain that consent electronically through account creation, in-app prompts, device permissions, feature activation, preference controls, click-wrap acceptance, affirmative settings or other legally recognized mechanisms. Depending on the context, we may rely on consent, performance of the Terms and Conditions, compliance with legal obligations, protection of rights and safety, fraud prevention, cybersecurity, platform integrity, our legitimate business interests where recognized, or any other lawful basis or permission recognized under Applicable Laws. If you do not agree, please do not use the Platform.

Consent” means a freely given, specific, informed and unambiguous indication of your wishes by clear affirmative action, including electronic consent where recognized under Applicable Laws. Consent may be requested on an account, feature, device-permission, content-category, processing-purpose, advertising, AI, voice, image, location or Cross-Border Transfer basis, depending on the Service and applicable jurisdiction.

Where required under Applicable Laws, separate or explicit consent may be obtained for Sensitive Data, Biometric Data, voice processing, facial-image processing, precise location processing, targeted advertising, AI Processing, Cross-Border Transfers or other processing requiring a heightened consent standard. Where the Platform transmits your Input Data, voice recordings, images, prompts or other Content to a third-party AI service for processing, we will request your permission before doing so through an in-app prompt, feature activation gate, device permission request or another legally recognised mechanism, as applicable to the relevant feature and jurisdiction. Consent may be requested before enabling a feature, at the time of collection, through device permissions, through in-app settings or through another legally recognized electronic method.

You may withdraw consent through the controls made available for the relevant feature or by contacting us, subject to technical availability and Applicable Laws. Withdrawal does not affect processing undertaken before withdrawal and may limit the relevant Service, feature, Coin-related functionality, Offer Wall activity, AI functionality or Third-Party Service. We may continue processing where required or permitted by Applicable Laws, including for legal compliance, government cooperation, cybersecurity, fraud prevention, dispute resolution, record-keeping, enforcement or protection of rights and safety.

2. APPLICABILITY

This Policy applies to Information/Data collected through the Platform and Services, including account creation, app usage, voice-to-voice translation, image-to-voice functionality, contextual image assistance, language mapping, location-based language configuration, customer support, Coins, Premium Membership Plans, advertisements, Offer Wall activities and Third-Party Services. It is intended to apply across Middle East and GCC jurisdictions in which the Platform or Services are made available, including the United Arab Emirates (mainland; DIFC and ADGM free zones maintain separate data protection frameworks and this Policy does not apply to processing governed exclusively by those frameworks), Saudi Arabia, Qatar, Kuwait, Bahrain, Oman, Turkey and Egypt, subject to mandatory local requirements. Availability of the Platform or Services in any jurisdiction subject to applicable international sanctions, export controls, cloud-provider restrictions or AI-vendor restrictions, including Iran and Iraq, is subject to those requirements, and the Company makes no representation that the Platform or Services are available or lawfully accessible in any such jurisdiction.

Certain Services, AI functionalities, cloud-processing features, advertising systems, Offer Wall activities, analytics capabilities or third-party integrations may be restricted, modified or unavailable in certain jurisdictions due to legal, regulatory, cybersecurity, infrastructure, cloud-provider, sanctions or operational requirements.

This Policy does not apply to independent third-party applications, app stores, payment gateways, AI vendors, cloud providers, analytics providers, advertising partners, Offer Wall providers, survey providers, game providers, external websites or other Third-Party Services that process Information/Data for their own purposes. Where a third party processes Information/Data on our behalf, we seek to apply appropriate contractual, technical and organizational safeguards.

If you submit or process Content relating to another person, including voice, image, likeness, biometric information, personal information, confidential information or sensitive information, you are responsible for ensuring that you have all required rights, notices, consents, permissions and lawful grounds under Applicable Laws and the Terms and Conditions.

Applicable Laws” means all applicable laws, regulations, regulatory guidance, governmental directions, orders and legally binding requirements relating to privacy, data protection, cybersecurity, telecommunications, electronic transactions, consumer protection, AI governance, anti-cybercrime, cloud-computing, digital platforms and related matters in jurisdictions where the Platform or Services are offered, accessed or used, including without limitation: (a) in the UAE (mainland), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and Cabinet Decision No. 111 of 2023 (Executive Regulations), as issued by the UAE Data Office; (b) in Saudi Arabia, the Personal Data Protection Law (Royal Decree No. M/19, 2021, as amended by Royal Decree No. M/148, 2023) and its Implementing Regulations, as enforced by the Saudi Data and AI Authority (SDAIA), fully in force from 14 September 2024; (c) in Qatar, Law No. 13 of 2016 on Personal Data Privacy Protection (PDPPL) and the NDPO’s regulatory guidelines; (d) in Bahrain, the Personal Data Protection Law (Law No. 30 of 2018) and its Regulations; (e) in Kuwait, Decree-Law No. 20 of 2014 on Electronic Communications and applicable privacy requirements; (f) in Oman, the Personal Data Protection Law (Royal Decree No. 6/2022) and its Executive Regulations (issued February 2024); (g) in Turkey, Law No. 6698 on the Protection of Personal Data (KVKK, 2016) as administered by the Personal Data Protection Authority (KVKK Board); (h) in Egypt, the Personal Data Protection Law (Law No. 151 of 2020) and its Executive Regulations (Ministerial Decision No. 816/2025), with the one-year compliance grace period expiring November 2026; and (i) all other applicable cybersecurity, telecommunications, electronic transactions, consumer protection and AI governance laws in the relevant jurisdiction, together with Indian laws mandatorily applicable to the Company as its place of incorporation. Where a jurisdiction does not have comprehensive standalone privacy legislation, the Company will endeavor to implement reasonable privacy, security and data protection practices consistent with applicable legal obligations and industry standards. Where more than one law applies, we will apply the mandatory requirement applicable to the relevant user, jurisdiction or processing activity, while preserving the Company’s operational rights to the maximum extent permitted by Applicable Laws.

3. DEFINITIONS

a) Personal Information/Data” means information relating to an identified or identifiable natural person, including information treated as personal data, protected personal data, personal information or similar regulated information under Applicable Laws, such as identifiers, contact details, device or online identifiers, usage information, location-related information, voice, image, likeness, account information, payment-related metadata, prompts, Content, AI Outputs and similar information.

b) Sensitive Personal Data or Information” or “Sensitive Data” means Personal Information/Data receiving heightened protection under Applicable Laws, including health information, genetic data, biometric identifiers, voice, facial-image or location data where regulated, information relating to children, financial or identity information and other protected categories recognized by applicable privacy, cybersecurity or related laws.

c) Data Subject” means the identified or identifiable individual to whom Personal Information/Data relates and includes, where applicable, a parent, lawful guardian or authorized representative.

d) Controller” means the person that determines the purposes and means of processing Personal Information/Data.

e) Processor” means a person processing Personal Information/Data on behalf of a Controller, including service providers, vendors, contractors and other processors engaged by us.

f) Processing” means any operation performed on Personal Information/Data, including collection, recording, storage, use, disclosure, transmission, restriction, erasure or destruction.

g) Content” means audio, voice recordings, speech, images, image links, prompts, text, metadata, feedback, files, messages, names, likenesses, instructions and other material submitted, uploaded, recorded or transmitted through the Platform.

h) AI Outputs” means translations, audio responses, transcriptions, descriptions, contextual responses, language-related outputs, image-related outputs, text, voice outputs or other outputs generated or assisted by artificial intelligence, translation, speech, computer-vision or related systems.

i) AI Processing” means processing of Content, Personal Information/Data, device information, technical data, prompts, voice recordings, images, metadata and other inputs by or through AI systems, machine-learning models, translation engines, speech systems, computer-vision systems, safety tools and related Third-Party Services. Unless stated otherwise, raw Input Data is intended to be processed temporarily for the requested Service.

j) Input Data” means prompts, audio, voice recordings, images, image links, text, instructions, metadata, files, feedback and other information provided to the Platform for processing by a Service or AI system. Input Data used to generate an AI Output is not retained as permanent history by default.

k) Model Improvement Data” means data used to monitor, test, evaluate, debug or improve the quality, reliability, safety, latency, usability or performance of the Platform, Services, AI Outputs and related systems. We seek to use aggregated, anonymized, de-identified or minimized data wherever reasonably practicable.

l) Human Review” means review by authorized personnel, contractors or service providers for limited operational, support, quality, safety, abuse-prevention, legal, security or rights-protection purposes, subject to safeguards. Human Review may not be available where raw Input Data has been processed transiently and deleted.

m) Biometric Data” means voiceprints, facial geometry, biometric identifiers, image-derived identifiers, speech-derived identifiers or other biological, physiological or behavioral characteristics that are used or capable of being used for identification, verification, authentication, classification or similar processing where regulated under Applicable Laws.

n) Cross-Border Transfer” means any processing, access, transfer, storage, hosting, support, remote access or disclosure of Information/Data in or from one jurisdiction to another, including through cloud infrastructure, AI infrastructure, vendor systems, support tools or globally distributed processing environments.

o) Localization Requirements” means legal or regulatory obligations requiring local storage, mirroring, access restrictions, regional routing, local hosting, local processing, restricted remote access or regionalized processing for certain Information/Data, systems, logs or services.

p) Coins”, “Offer Wall”, “Premium Membership Plan”, “Third-Party Services”, “User” and “Visitor” shall have the meanings assigned to them in the Terms and Conditions.

Aggregated or anonymized information that cannot reasonably identify an individual is not treated as Personal Information/Data for purposes of this Policy. De-identified or pseudonymized information may remain subject to Applicable Laws where it can reasonably be linked back to an individual.

4. INFORMATION WE COLLECT

We collect only Information/Data reasonably necessary for the purposes described in this Policy, the Terms and Conditions, consent notices or feature-specific notices. Depending on your use of the Platform, we may collect the following categories:

a) Information You Provide to Us

i) Account Information: Name, username, account ID, profile information, email address, mobile number, language preferences, country or region selection, authentication information and other account details provided by you.

ii) Content and AI Processing Information: Voice recordings, audio clips, speech, language inputs, translations, transcriptions, prompts, typed text, uploaded images, image links, camera inputs, contextual questions, metadata, feedback, files, messages, AI Outputs and other Content submitted through the Services. Raw Content submitted for AI Processing is intended to be processed transiently and then deleted, de-identified or retained only in limited form under this Policy.

iii) Communication Information: Contact details, communication content and related records when you contact us through email, in-app support, phone, grievance channels or other means.

iv) Payment, Subscription, Coins and Offer Wall Information: Subscription status, invoice or transaction identifiers, payment-provider confirmations, refunds, Coin balances, usage deductions, reward history, Offer Wall status, attribution identifiers, anti-fraud checks and related records.

v) Any Other Information: Additional Information/Data voluntarily provided in connection with the Platform or Services.

b) Information We Collect Through Automated Means

When you use the Platform or Services, we may collect device identifiers, advertising identifiers where permitted, app instance identifiers, IP address, operating system, browser type, app version, device model, network information, network metadata, crash logs, diagnostics, usage patterns, cookies, SDK data, analytics data, session analytics, attribution information, app permission status, device trust scores, fraud indicators, security telemetry, cybersecurity logs, suspicious activity indicators, sanctions screening records, regional compliance indicators and similar technical, security and operational logs.

The Platform may request device permissions such as microphone, camera, photo library, file access, storage, location and notifications. You may manage permissions through device or Platform settings, subject to feature limitations.

c) Information We Collect from Other Sources

We may receive Information/Data from app stores, payment providers, Advertising Partners, Offer Wall providers, survey providers, game providers, AI vendors, cloud providers, analytics providers, fraud-prevention providers, sanctions-screening providers, cybersecurity providers, support tools and other Third-Party Services, where permitted under Applicable Laws.

Certain categories of Information/Data may constitute Sensitive Data, Biometric Data, protected personal data, protected information or regulated cybersecurity information under applicable Middle East privacy, cybersecurity, telecommunications or related laws, depending on the relevant jurisdiction, feature, context and use case.

5. HOW WE USE YOUR INFORMATION

We may use Information/Data for the following purposes, depending on the relevant feature, your choices, regional availability, our operational requirements and any lawful basis, consent, permission, exception or obligation available under Applicable Laws:

a) To create, authenticate, maintain, secure and administer your account and provide account-related support.

b) To provide and maintain the Services, including voice-to-voice translation, image-to-voice functionality, contextual image assistance, language mapping, location-based language configuration and customer support.

c) To process Content, prompts, voice recordings, images, metadata and other inputs through AI, translation, speech, computer-vision and related third-party systems to generate AI Outputs on a one-time and transient basis.

d) To allocate, deduct, verify and administer Coins, Usage Charges, Premium Membership Plans, subscriptions, Offer Wall rewards, refunds, disputes and account balances.

e) To display, measure, attribute and manage advertisements, rewarded advertisements, Offer Wall tasks, surveys, games, promotions and other monetization features, subject to your choices and Applicable Laws.

f) To detect, prevent, investigate, monitor and respond to fraud, abuse, spam, unauthorized recordings, unlawful surveillance, impersonation, biometric misuse, payment fraud, Offer Wall manipulation, security incidents, suspicious activity, malware, cyber-risk, infrastructure threats, account compromise, sanctions risk and other prohibited conduct.

g) To protect Platform security and infrastructure integrity, including platform security, infrastructure protection, fraud monitoring, abuse prevention, account protection, bot detection, cyber-risk mitigation, threat monitoring, vulnerability management, incident response and security-event analysis.

h) To improve, maintain, test, monitor, debug and develop the Platform, Services, safety systems, language quality, translation accuracy, performance and user experience, using minimized or de-identified data where reasonably practicable.

i) To communicate with you about account activity, service updates, security alerts, support, policy changes, subscriptions, rewards, offers, marketing communications and administrative matters, subject to your choices.

j) To comply with Applicable Laws, court orders, governmental directions, regulatory requirements, telecommunications obligations, anti-cybercrime obligations, lawful interception obligations, national-security obligations, sanctions compliance, cybersecurity reporting, audit, taxation, accounting, record-keeping and law-enforcement requests.

k) To support regulatory, telecommunications, electronic-transactions, anti-cybercrime, lawful-interception, national-security, sanctions, consumer-protection, digital-platform, content-moderation and related compliance obligations where applicable.

l) To support AI governance, safety and quality operations, including hallucination mitigation, content moderation, safety systems, AI abuse prevention, unsafe-output reduction, synthetic-media detection, model-routing controls, misuse detection and review of high-risk prompts or outputs.

m) To address Localization Requirements, regional routing, jurisdictional filtering, storage compliance, cloud-region selection, restricted-access controls, service availability controls and other region-specific technical or operational requirements.

n) To enforce the Terms and Conditions, this Policy and other applicable terms, and to establish, exercise or defend legal claims.

o) To create aggregated, anonymized or de-identified analytics, statistics and service-improvement insights that do not reasonably identify an individual.

Unless expressly disclosed in a consent notice, feature-specific notice or applicable setting, we do not use your voice recordings, images, prompts or Content containing Personal Information/Data to train third-party public foundation models, and we do not retain raw Input Data for model training by default.

The Company may implement moderation, filtering, intervention, escalation, Human Review, regional routing or other review systems to comply with legal, regulatory, cybersecurity, public-interest, cultural or safety obligations and to protect users, third parties, the Platform, AI systems and the Company’s legitimate operational interests.

6. DISCLAIMER

WHERE THE PLATFORM PROVIDES VOICE, IMAGE OR LANGUAGE ASSISTANCE, SUCH ASSISTANCE IS AN AUTOMATED AID AND NOT A GUARANTEED DESCRIPTION, TRANSLATION OR ASSESSMENT. USERS REMAIN RESPONSIBLE FOR INDEPENDENT JUDGMENT AND HUMAN ASSISTANCE WHERE ACCURACY OR SAFETY MATTERS.

THE PLATFORM IS NOT A SUBSTITUTE FOR PROFESSIONAL TRANSLATORS, INTERPRETERS, LAWYERS, DOCTORS, FINANCIAL ADVISERS, EMERGENCY SERVICES, GOVERNMENT AUTHORITIES OR OTHER QUALIFIED PROFESSIONALS, AND MUST NOT BE RELIED UPON FOR REGULATED, SAFETY-CRITICAL, LIFE-CRITICAL OR HIGH-RISK DECISIONS.

AI OUTPUTS MAY CONTAIN ERRORS, MISTRANSLATIONS, OMISSIONS, HALLUCINATIONS, INCORRECT IMAGE OR TEXT INTERPRETATIONS, MISSED NUANCE, BIAS, OFFENSIVE CONTENT OR OTHER LIMITATIONS. YOU SHOULD VERIFY AI OUTPUTS BEFORE RELYING ON THEM.

AI OUTPUTS ARE GENERATED ALGORITHMICALLY AND MAY VARY BASED ON MODELS, THIRD-PARTY SYSTEMS, LANGUAGE SETTINGS, PROMPTS, SAFETY FILTERS, NETWORK CONDITIONS, REGIONAL AVAILABILITY, DEVICE SETTINGS OR PRODUCT CONFIGURATION.

7. AI PROCESSING, MODEL OPERATIONS AND OUTPUTS

The Platform is an AI-enabled service. When you use AI features, the following categories of data may be transmitted to Company systems and Third-Party Services to provide the Service: (a) voice recordings and audio clips; (b) images and camera inputs; (c) text prompts and typed inputs; (d) translations and transcriptions; (e) session metadata (such as language settings, device type and app version); and (f) Content you submit through the relevant feature. Third-Party Services that may receive such data include speech-processing providers, translation engines, computer-vision systems, safety and abuse-prevention tools, and cloud-hosting providers required to provide the Service. AI systems may operate using globally distributed cloud infrastructure, regional routing systems, third-party AI vendors, speech-processing providers, translation engines, computer-vision systems and related processing environments. The categories of third parties to whom Input Data may be sent include: (i) large-language-model and generative-AI providers; (ii) automatic-speech-recognition and text-to-speech vendors; (iii) machine-translation engine providers; (iv) computer-vision and image-analysis providers; (v) cloud-computing and storage infrastructure providers; and (vi) safety, moderation and abuse-prevention service providers. Where we are permitted to identify specific vendors, we will do so in the relevant in-app disclosure, feature notice or updated version of this Policy. Unless stated otherwise, this processing is intended to be one-time, session-based and limited to generating the AI Output requested by you.

Certain AI functionalities may be restricted, modified, suspended or unavailable in specific jurisdictions due to Applicable Laws, telecommunications requirements, cybersecurity requirements, cloud-provider restrictions, sanctions, cultural or public-interest considerations, safety requirements, infrastructure limitations or operational requirements.

We may maintain test prompts, benchmark outputs, safety cases, abuse signatures, fraud indicators, sanctions indicators, cybersecurity indicators and quality metrics. We do not maintain raw Input Data as evaluation datasets by default, and any Personal Information/Data used for these purposes is subject to this Policy and Applicable Laws.

Feedback, corrections, ratings, suggested translations, quality comments, support tickets and similar inputs may be used to evaluate, debug, improve and develop the Platform, Services and AI Outputs. Please avoid including unnecessary Personal Information/Data, Sensitive Data or confidential information in feedback.

Where Personal Information/Data is used for model improvement, evaluation or quality review, we will do so only where permitted under this Policy, a relevant notice, user settings or Applicable Laws, and with heightened care for Sensitive Data, children’s data and similarly protected information.

We may use aggregated, anonymized, de-identified or non-personal information to improve, test and monitor the Platform, Services, AI Outputs, safety systems, performance, language quality, routing logic, abuse-prevention systems and user experience.

Unless expressly disclosed, we do not use your Content containing Personal Information/Data to train third-party public foundation models. We seek to use configurations, contractual restrictions or technical controls that limit third-party AI vendors’ use of Input Data to providing and supporting the relevant Services.

8. MODEL IMPROVEMENT, TRAINING AND EVALUATION

We distinguish service-delivery processing from model improvement, evaluation or training. Service delivery includes receiving Input Data, routing it, generating AI Outputs, maintaining temporary session state, applying safety filters, performing abuse checks, regional routing, localization controls, calculating Coin deductions, resolving technical errors and limiting retention after processing.

Location-related processing may include approximate location derived from IP address, settings, selected region, app-store region or network information, and precise location only where enabled and required by a feature. Location may support language configuration, regional experiences, fraud prevention, compliance settings, attribution, Offer Wall eligibility and security.

You should avoid submitting unnecessary personal details, identity documents, payment information, passwords, health information, children’s information, precise location information, confidential business information, legal documents, medical documents or other sensitive content unless required and lawful. The Platform is not intended to be a secure vault or permanent repository for sensitive records.

You must not record, upload, process or submit another person’s voice, image, likeness, biometric information, confidential information, personal information or sensitive information unless you have all required notices, consents, permissions and lawful grounds.

We do not seek to identify individuals through biometric processing unless expressly disclosed and lawfully permitted. We do not seek Biometric Data unless a feature expressly requires voice, image or other identifier processing for the Service you choose, and such processing does not mean that the Company seeks to uniquely identify a person unless that functionality is expressly disclosed and handled under Applicable Laws.

9. VOICE, IMAGE, BIOMETRIC AND LOCATION-RELATED PROCESSING

The Services may process voice recordings, speech, speech patterns, accents, dialect, language patterns, background audio, images, facial images, faces, facial geometry where generated by a feature, objects, text within images, image metadata, places, signs, documents, metadata and location-related settings. Voice recordings, speech patterns, facial images, image metadata, facial geometry or similar identifiers may constitute Biometric Data, Sensitive Data or protected information under Applicable Laws depending on context and jurisdiction.

Certain voice, image or biometric functionalities may require additional consent, separate notices, regional restrictions, localized processing, restricted retention, access controls or other safeguards depending on Applicable Laws, feature configuration, user location, cloud availability and the category of Information/Data involved. In jurisdictions where biometric data receives heightened statutory protection — including Saudi Arabia (PDPL and SDAIA Implementing Regulations classify voiceprints and facial geometry as Sensitive Data requiring explicit consent and prior SDAIA authorisation for certain large-scale processing), the UAE (UAE PDPL Cabinet Decision 111/2023 treats biometric identifiers as Sensitive Personal Data requiring separate consent), and Turkey (KVKK Art. 6 classifies biometric data as a special category of personal data requiring explicit consent and, where applicable, an adequacy measure for transfer) — we will obtain the required consent, apply the required safeguards, and seek any required regulatory authorisation before enabling such features for users in those jurisdictions.

We may use safety filters, moderation rules, rate limits, routing controls, regional filtering, child-safety controls, sensitive-content filters, intervention, escalation or review systems and other safeguards. These controls may limit processing or AI Outputs where necessary or appropriate for legal, regulatory, cybersecurity, public-interest, cultural, safety, rights-protection, misuse-reduction or Platform-integrity obligations.

Where an automated process materially affects your account, access, Coins, rewards, subscription status or rights under Applicable Laws, you may contact us through the grievance mechanism. We will review such concerns in accordance with Applicable Laws and available safeguards.

The Platform may use automated systems to detect abuse, fraud, malware, unlawful content, manipulation of Coins, payment issues, suspicious device behavior, account compromise, unsafe prompts, harmful outputs or circumvention attempts. We do not make solely automated decisions that produce legal or similarly significant effects on individuals without human involvement, except where: (a) required or expressly permitted by Applicable Laws; (b) the Data Subject has given explicit consent under Applicable Laws; or (c) the decision is necessary for performance of a contract with the Data Subject. Where we do make such decisions, we will implement the safeguards required under Applicable Laws, including: under the Saudi PDPL, providing the Data Subject with the right to contest an automated decision affecting them; under the UAE PDPL, providing the Data Subject with the right to request human review of automated decisions producing significant effects; and under Turkey’s KVKK, ensuring the automated decision does not produce an adverse legal effect on the Data Subject without an available right to object.

Human Review will be limited to personnel or service providers with a need to access relevant information for a permitted purpose, subject to safeguards. Where raw Input Data has been deleted after transient processing, review may rely on retained logs, metadata, support records or information separately provided by you.

10. HOW WE SHARE AND DISCLOSE YOUR INFORMATION

We may share Information/Data in the following ways, where permitted for the relevant purpose and subject to appropriate confidentiality, security, processor, transfer and purpose-limitation safeguards where required:

a) Affiliates and group companies: to operate, administer, support, secure and improve the Platform and Services.

b) Service providers and Processors: with hosting, cloud, AI, translation, speech, computer-vision, analytics, security, cybersecurity, regional routing, localization, customer-support, communication, payment support, fraud-prevention, audit, professional advisory and other service providers acting for us.

c) App stores, payment providers and subscription partners: to process subscriptions, verify payments, issue refunds, resolve disputes and administer Premium Membership Plans.

d) Advertising Partners and Offer Wall providers: to display, measure, attribute and verify advertisements, rewarded advertisements, offers, eligibility, anti-fraud checks and Coin credits, subject to your choices and Applicable Laws.

e) Third-Party Services selected or used by you: where you choose to access, connect, interact with or complete activities through a linked or integrated Third-Party Service.

f) Protection of rights and interests: to prevent fraud or abuse, protect security and integrity, enforce terms, protect rights and safety or respond to misuse.

g) Business transfers: in connection with a merger, acquisition, investment, financing, restructuring, sale of assets, insolvency, reorganization or transfer of all or part of our business, subject to appropriate safeguards.

h) Legal, regulatory, security and governmental purposes: where required or permitted by Applicable Laws, court order, governmental direction, legal process, investigation, cybersecurity reporting obligation, lawful interception obligation, anti-cybercrime obligation, national-security request, sanctions compliance, regulatory direction or rights-protection need.

i) Public, governmental and regulatory authorities: with telecommunications authorities, cybersecurity regulators, data-protection or privacy authorities, law-enforcement agencies, courts, governmental authorities, sanctions authorities, national-security authorities or other competent authorities where required or permitted by Applicable Laws or legally binding directions.

j) With your consent or instruction: where you authorize disclosure to a specified recipient.

We do not sell Personal Information/Data or disclose it for unrelated monetary consideration. Third-Party Services processing information for advertising, attribution, rewards or monetization are subject to this Policy, their own policies, your choices and Applicable Laws.

We may change vendors, models, cloud providers, speech engines, translation engines, computer-vision tools, analytics providers, safety systems or other processing tools from time to time. Where a material change requires notice or other action under Applicable Laws, we will take the required steps.

Where a provider acts as our Processor or service provider, we seek to impose obligations relating to confidentiality, purpose limitation, security, access controls, retention, incident notification, rights assistance, deletion or return of data, transfer safeguards and restrictions on unauthorized use of Input Data. In particular, where a third-party AI service receives your Input Data, voice recordings, images, prompts or other Content, we seek to ensure, through contractual arrangements, data processing agreements or equivalent measures, that such third party provides the same or equivalent level of data protection as we are required to provide under this Policy and Applicable Laws. We do not knowingly share your Personal Information/Data with third-party AI services that are unable or unwilling to maintain such protections.

Providers may process Input Data, Content, metadata, device data, logs, AI Outputs or other Information/Data on our behalf or independently, depending on their role and terms. Transfers outside your country or region will be handled using safeguards or lawful transfer arrangements where required.

The Company may disclose Information/Data where required or permitted for cybersecurity compliance, lawful interception obligations, anti-cybercrime obligations, national-security requests, sanctions compliance, governmental investigations, court proceedings, emergency response, prevention of unlawful activity or legally binding regulatory directions.

Disclosure obligations, government-cooperation requirements, review thresholds and available safeguards may vary across jurisdictions and may be subject to confidentiality, secrecy, national-security, public-order or similar restrictions under Applicable Laws.

11. CROSS-BORDER TRANSFERS

Information/Data may be processed, accessed, transferred, disclosed, hosted or stored in jurisdictions outside your country of residence, including jurisdictions that may have different levels of data protection, cybersecurity, government-access, cloud-computing or regulatory requirements.

Cross-Border Transfers may involve the Company, affiliates, cloud providers, AI infrastructure providers, speech-processing vendors, translation engines, computer-vision systems, analytics providers, security vendors, customer-support providers, professional advisers and globally distributed systems used to operate, secure, improve, support and provide the Platform and Services.

Where required under Applicable Laws, the Company will implement reasonable safeguards for international transfers, which may include contractual protections, technical controls, access controls, vendor due diligence, encryption or similar measures appropriate to the relevant transfer, feature, vendor, jurisdiction and risk. The following jurisdiction-specific requirements apply in addition to the general approach described in this section: (a) UAE PDPL: transfers outside the UAE must be subject to a contractual framework providing an adequate level of protection, or must fall within a category approved by the UAE Data Office; (b) Saudi PDPL: personal data may only be transferred outside Saudi Arabia where required to fulfil a contractual obligation to the Data Subject, where the Data Subject has consented, or where the transfer is necessary for the public interest, subject to SDAIA approval or applicable exception; (c) Oman PDPL: cross-border transfers require the recipient jurisdiction to be assessed as providing adequate protection or the transfer to be subject to binding contractual commitments; and (d) Turkey KVKK: transfers to third countries require either an adequacy decision issued by the KVKK Board or the recipient’s binding undertaking accepted by the KVKK Board, or the Data Subject’s explicit consent in the absence of adequate protection. The Company will take steps to comply with the applicable transfer mechanism required in each jurisdiction.

12. DATA LOCALIZATION AND REGIONAL PROCESSING

Certain jurisdictions may impose Localization Requirements, mirroring, restricted-access, local-hosting, regional routing, access-approval, cybersecurity-review or regional processing obligations for certain categories of Information/Data, logs, cloud workloads, AI Processing, telecommunications data or regulated services. By way of specific illustration: (a) Saudi Arabia: SDAIA’s Implementing Regulations require that personal data of Saudi residents be stored and processed within Saudi Arabia unless an approved exception or transfer mechanism applies; certain critical national data may be subject to additional localisation obligations under the Saudi Cybersecurity Framework; (b) UAE: the UAE PDPL requires that Sensitive Personal Data of UAE residents must be stored within the UAE unless a transfer is made under an approved safeguard, and certain telecommunications and financial data are subject to localisation under sectoral regulations; and (c) Kuwait: Ministerial Decision No. 6 of 2023 on Cloud Computing Services imposes storage restrictions for certain categories of government-related and regulated data, which may affect cloud-based AI Processing for users in Kuwait. Where such localisation obligations apply to the Company’s processing of your data, the Company will implement the required regional cloud configuration, localized storage or access restriction measures.

The Company may implement technical, organizational or contractual measures to address Localization Requirements, including regional cloud configuration, localized processing, access restrictions, local support arrangements, data minimization, routing controls, retention controls, vendor commitments or feature restrictions, where required or operationally appropriate.

13. HOW DO WE RETAIN YOUR INFORMATION

We retain Information/Data only for as long as reasonably necessary for the purposes for which it was collected or processed, unless longer retention is required or permitted by Applicable Laws, governmental or regulatory preservation requirements, cybersecurity evidence retention, investigation holds, fraud logs, compliance archives, contractual or operational requirements, accounting, fraud prevention, security, dispute resolution, enforcement or legal claims. Different categories may have different retention periods, and retention periods may vary depending on jurisdiction and legal obligations. In accordance with the specific requirements of Applicable Laws: (a) under the Saudi PDPL and SDAIA Implementing Regulations, personal data of Saudi residents will not be retained for longer than is necessary for the purpose of collection, and in no event for more than ten (10) years from the date of creation, unless the Data Subject has consented to a longer period or a specific law requires otherwise; (b) under the UAE PDPL and its Executive Regulations, personal data will be deleted or anonymised upon fulfilment of the collection purpose or expiry of the applicable retention period, and regulated data categories may be subject to specific retention periods set by the UAE Data Office or applicable sectoral laws; and (c) where applicable telecommunications, financial or governmental regulations in any covered jurisdiction prescribe a minimum mandatory retention period, the Company will comply with that minimum period.

Account, profile and contact information is generally retained while your account remains active and for a reasonable period thereafter. Coin, subscription, payment, Offer Wall and transaction records may be retained for accounting, tax, audit, anti-fraud, chargeback, refund, verification and legal purposes.

Voice recordings, images, prompts, transcripts, AI Outputs and session Content submitted for AI Processing are processed transiently and, by default, deleted, de-identified or subject to limited retention after completion of the requested processing or shortly thereafter. They are not retained as permanent history unless you save them, a feature provides for retention, you submit them for support or feedback, or retention is required for safety, debugging, fraud prevention, legal compliance or another purpose described in this Policy.

For AI Processing, raw audio, raw images and prompts are intended to be deleted or de-identified after transient processing by default. Limited metadata, safety logs, abuse-prevention logs, Coin records, model-routing records, quality metrics, error logs and support records may be retained longer where necessary and minimized where reasonably practicable.

We may retain regulatory preservation records, cybersecurity evidence, investigation holds, fraud logs, sanctions-screening logs, audit trails, compliance archives, support records and other records where required or permitted for legal, security, operational, accounting, dispute-resolution, enforcement or government-cooperation purposes.

Where feasible, we may separate Content from account identifiers, apply access restrictions, pseudonymize or de-identify records, aggregate metrics, minimize raw Content retention or use sampling techniques for quality review.

Deletion may not immediately remove all backup copies, caches, logs, legal records, security records, payment records, Offer Wall verification records or data retained by independent Third-Party Services, but we will apply deletion, de-identification, anonymization or retention controls in accordance with Applicable Laws and our practices.

Deleted, expired, transient or non-retained conversations, translations, recordings, images, prompts, AI Outputs, Coins, sessions or logs may not be recoverable.

When retention is no longer necessary, we will delete, de-identify, anonymize or aggregate Information/Data in accordance with Applicable Laws and our internal retention practices.

14. HOW WE PROTECT YOUR INFORMATION

We implement reasonable security practices and appropriate technical and organizational measures designed to protect Information/Data from unauthorized access, disclosure, alteration, destruction, loss, misuse and accidental damage. Measures may include access controls, authentication, encryption or similar safeguards, logging, threat intelligence, vulnerability testing, intrusion detection, security-event monitoring, incident escalation, regionalized access controls, network monitoring, abuse detection, vulnerability management, vendor controls, incident response, confidentiality obligations, data minimization, retention controls and periodic review.

No method of transmission, storage or processing is completely secure. You are responsible for maintaining account credentials, securing your device and notifying us of suspected unauthorized access or misuse.

Where a security incident or personal data breach triggers a reporting obligation, we will take steps required by Applicable Laws, which may include notifying affected individuals and competent privacy, cybersecurity or regulatory authorities. Breach notification timelines vary by jurisdiction. By way of illustration, under the UAE PDPL, breaches likely to cause serious harm must be notified to the UAE Data Office without undue delay, generally within 72 hours of discovery; under the Saudi PDPL, breaches affecting personal data must be notified to SDAIA within 72 hours and affected Data Subjects without undue delay; under the Oman PDPL and its Executive Regulations, the controller must notify the competent authority and affected persons within 72 hours of becoming aware of a qualifying breach; and under Turkey’s KVKK, the KVKK Board must be notified within 72 hours. Where notification to affected individuals is required, we will provide it within the timeframe prescribed by the relevant Applicable Law.

AI-related security measures may include prompt-abuse monitoring, rate limiting, anomaly detection, access logging, vendor-access controls, restrictions on employee access to raw Content and review of incidents involving unintended disclosure, prompt injection, model misuse, excessive data exposure or unauthorized access. Where required under Applicable Laws, including under the Saudi PDPL Implementing Regulations, the UAE PDPL and Cabinet Decision 111 of 2023, the Oman PDPL Executive Regulations and Turkey’s KVKK secondary legislation, we conduct or seek to conduct Privacy Impact Assessments or Data Protection Impact Assessments before undertaking processing activities that are likely to result in high risk to the rights and freedoms of individuals, including large-scale processing of Sensitive Data, biometric data, voice recordings or AI-driven automated decision-making. The findings of such assessments inform the safeguards and controls applied to the relevant processing.

Security measures may vary depending on infrastructure availability, cloud-provider capabilities, jurisdiction, feature availability, applicable legal requirements, Localization Requirements, regional access restrictions and the relevant threat environment.

You must not attempt prompt injection, model extraction, scraping, automated abuse, circumvention of safety filters, unauthorized access to AI systems or any activity intended to expose non-public Platform, model, security or user information.

15. THIRD-PARTY LINKS AND FEATURES

The Platform may include Third-Party Services, advertisements, rewarded advertisements, Offer Wall tasks, surveys, games, links, SDKs or integrations provided by third parties that may act as our processors or as independent providers depending on the feature and processing activity.

When you interact with a Third-Party Service, the third party may collect information directly from you or your device, including device identifiers, IP address, advertising identifier, interaction data, reward eligibility and offer completion status. Their privacy policy and terms govern independent processing.

We may receive confirmation, attribution, verification, anti-fraud and reward-status information from Third-Party Services to credit Coins, verify eligibility, prevent manipulation and resolve disputes.

The Platform may use cloud infrastructure, AI vendors, analytics providers, support tools, payment partners, Advertising Partners and other Third-Party Services located in India, Middle East jurisdictions, globally distributed cloud regions or other jurisdictions. Cross-Border Transfers will be undertaken in accordance with Applicable Laws and reasonable safeguards where required.

Where a feature permits you to save, download, export, share or reuse AI Outputs, you are responsible for reviewing those AI Outputs and handling any Personal Information/Data, confidential information, third-party content or sensitive information lawfully.

Deletion or erasure requests will be assessed under Applicable Laws and may not affect AI Outputs already delivered or shared, information retained for legal, operational or security purposes, anonymized information, backups or caches awaiting deletion, or information retained by independent Third-Party Services.

Subject to technical availability and Applicable Laws, you may limit certain AI Processing through Platform, device, browser or account controls, including microphone, camera, photo, location, notification, advertising, cookie and marketing preferences.

16. USER RIGHTS AND CHOICES

Subject to Applicable Laws, users may have certain rights regarding their Information/Data. Such rights differ by jurisdiction and may be subject to verification, legal, operational, cybersecurity, fraud-prevention, public-interest, national-security, technical, confidentiality, rights-protection and other lawful limitations.

a) Access to information: to request confirmation of whether we process your Personal Information/Data and access to information about such processing where provided by Applicable Laws.

b) Correction or updating: to request correction, completion or updating of inaccurate, misleading or incomplete Personal Information/Data where provided by Applicable Laws.

c) Deletion or erasure: to request deletion, erasure or destruction of Personal Information/Data in circumstances recognized by Applicable Laws, subject to permitted retention and lawful limitations.

d) Restriction, objection or cessation: to request restriction of processing, object to certain processing or request cessation of processing where such rights apply under Applicable Laws.

e) Copy or portability: to request a copy of certain Personal Information/Data or portability in a structured format where Applicable Laws expressly provide such right and technically feasible.

f) Automated-processing safeguards: to request applicable review, explanation or safeguards where a solely automated process produces legal or similarly significant effects concerning you and Applicable Laws provide such right.

g) Consent and preference choices: to withdraw consent where processing is based on consent and to manage non-essential marketing, notifications, cookies, advertising identifiers, app permissions and feature consents, subject to technical availability and lawful limitations.

You may submit a request through the CONTACT section. We may verify your identity and may decline or limit a request where permitted by Applicable Laws, including where compliance would affect others’ rights, security, cybersecurity, fraud prevention, legal obligations, governmental requests, legal claims, confidential information, anonymized data or data processed transiently and not retained.

Where Platform, device, browser, consent-management or cookie-preference tools are available, you may use them to manage, review or withdraw consent, subject to technical availability and Applicable Laws.

17. SENSITIVE PERSONAL INFORMATION AND CHILDREN'S PRIVACY

Sensitive Data may include health information, biometric data, genetic data, children’s data, voice, facial-image, precise-location, identity, financial or other protected information and other categories recognized under Applicable Laws. Voice recordings, images, photographs, facial images, prompts or other Content may contain Personal Information/Data or Sensitive Data depending on context. Enhanced safeguards may apply to biometric, voice, facial, children’s, health or sensitive personal data. We process such information only for the purposes described in this Policy and where permitted by Applicable Laws.

The Platform is intended for individuals legally competent to use the Services and at least 18 years of age or the age of majority in their jurisdiction, whichever is higher, unless a specific Service lawfully permits otherwise. Under the Saudi PDPL, processing of a minor’s personal data (persons under 18) requires the consent of a parent or legal guardian, and the Company will not knowingly collect or process the personal data of Saudi-based minors without such consent. Under the UAE PDPL, processing of data relating to persons under 18 requires parental or guardian consent. Under Oman’s PDPL, the consent of a parent or legal guardian is required for processing personal data of minors. Under Turkey’s KVKK, where the legal basis for processing is explicit consent, consent given by a minor must be supported by the consent of their legal representative.

We do not knowingly permit children to create accounts or use the Services unless permitted by Applicable Laws and supported by required parental or guardian consent or authorization. If we learn that a child’s Personal Information/Data was collected without required consent, we will take appropriate steps to delete or restrict it, subject to legal and safety requirements.

Where Applicable Laws require enhanced safeguards for children, we will comply with those requirements, including restrictions on detrimental processing, profiling, tracking, behavioral monitoring or targeted advertising directed at children, to the extent applicable.

18. EXERCISING RIGHTS:

You can exercise privacy rights by submitting a request through sohofi@sohofi-global.com or contacting the Grievance Officer / Data Protection Contact listed in the CONTACT section. We may request information to verify your identity and may be unable to honor a request if verification is not possible.

We will endeavor to acknowledge and resolve requests and grievances within the timelines prescribed under Applicable Laws, subject to any permitted extension, fee, refusal or limitation.

If dissatisfied, you may have the right to lodge a complaint with a competent privacy, cybersecurity or regulatory authority or approach another competent regulator, court or forum available under Applicable Laws.

19. USER RESPONSIBILITIES

You are responsible for ensuring that Information/Data you provide is accurate and lawful. You must not impersonate another person, submit false information, raise false grievances, or use the Platform for unlawful surveillance, unauthorized recordings, biometric misuse, illegal data collection, harassment, stalking, doxxing, identity theft, infringement of privacy or publicity rights, violation of privacy laws or other prohibited activity.

If you process another person’s Personal Information/Data, including voice, image, likeness, biometric information, confidential information or sensitive information, you represent that you have provided all notices and obtained all consents, authorizations and legal grounds required under Applicable Laws and the Terms and Conditions.

Your use of the Platform, Content, AI Outputs, Coins, Offer Wall, advertisements and Third-Party Services remains subject to the Terms and Conditions, including user undertakings, prohibited conduct, disclaimers, limitation of liability and indemnification provisions, to the maximum extent permitted by Applicable Laws.

20. PROHIBITED AI AND DATA USES

If Content, AI Outputs, account behavior, Offer Wall activity, payment activity or Platform use creates legal, security, safety, privacy, reputational, operational, regulatory, sanctions, cybersecurity or commercial risk, we may restrict processing, refuse outputs, suspend features, withhold rewards, preserve records where lawful, report unlawful activity, cooperate with authorities, implement regional filtering, block prohibited jurisdictions or take other action permitted under the Terms and Conditions and Applicable Laws.

You must not submit Content that includes malware, unlawful instructions, exploit code, phishing content, hate speech, child sexual abuse material, unlawful sexual, terrorist or violent content, threats, blackmail, extortion, unlawfully obtained personal data, unauthorized Sensitive Data, unlawful biometric data, unauthorized confidential information, political manipulation, disinformation, sanctions circumvention, unlawful surveillance instructions, unauthorized biometric analysis or other unlawful content.

You must not use the Platform to create or distribute deepfakes, misleading or unlawful synthetic media, disinformation, political manipulation, unlawful impersonations, deceptive audio, fraudulent translations, forged transcripts, fabricated evidence, unlawful surveillance materials, sanctions-circumvention materials, biometric identification tools, unauthorized biometric analysis or outputs that violate rights or Applicable Laws.

You must not use the Platform or AI Outputs to identify, profile, track, monitor, surveil, target, harass, deceive, defame, impersonate, manipulate or discriminate against any person, or infer sensitive characteristics of another person, except where expressly lawful and authorized.

21. UPDATE TO THE PRIVACY POLICY

The most current version of this Policy will govern our use of your Information/Data and can be found on the Platform. We may update this Policy at any time and will provide notice or take other steps required by Applicable Laws where a material change requires it. We advise you to review the Policy at regular intervals.

22. CONTACT

For questions, requests or inquiries regarding protection of your Information/Data or this Policy, including requests under Applicable Laws, you can contact SOHOFI’s Grievance Officer / Data Protection Officer / Data Protection Contact / Representative (as applicable under the Applicable Laws of your jurisdiction):

Addressed To:

Name / Designation: SM/ Support Contact

Company: Sohofi Global Technologies

Address: Flat No. 203, 23/1, J R Makwoods Apartments, Old Mangammanapalya Road,

Popular Colony, Mangammanapalya, Bengaluru, Bengaluru Urban, Karnataka, 560068

E-mail: sohofi@sohofi-global.com

Platform: Voice Soul

For users located in Saudi Arabia: the processing of personal data of Saudi residents by organisations not established in Saudi Arabia is subject to SDAIA’s requirements regarding designation of a local correspondent or representative, where required by the Saudi PDPL Implementing Regulations. Where required, the Company’s designated contact for Saudi data subjects is the Data Protection Officer / Grievance Officer identified in this section. We will address your request in accordance with Applicable Laws and ordinarily free of charge, except where a fee or limitation is permitted by law. We may verify your identity before acting. If unsatisfied, you may lodge a complaint with a competent privacy, cybersecurity or regulatory authority or approach another competent regulator, court or forum available under Applicable Laws.

23. GOVERNING LAW AND JURISDICTION

This Policy and disputes relating to the Platform, Services, Coins, subscriptions, AI Outputs, advertisements, Third-Party Services or the relationship between you and the Company shall be governed by the laws of India for contractual and general legal matters, without regard to conflict-of-law principles. Nothing in this Policy limits non-waivable rights available under applicable privacy, cybersecurity, telecommunications, consumer-protection or related laws.