1. Who we are
Zapim Labs is a voice and conversation AI platform operated by an operator group that includes Icon Global Services Limited (United Kingdom), Vesper Telecom (United Arab Emirates), and Well Information Technologies. For the purposes of data-protection law:
- When you use the Zapim Labs platform under your own account, we act as a data processor on your behalf — you are the data controller of the end-user data flowing through your agents.
- When we collect data about you as a Zapim Labs customer or website visitor — your account info, billing details, support correspondence — we act as a data controller.
Contact our privacy team at founders@zapimlabs.ai.
2. What this policy covers
This policy applies to:
- The Zapim Labs website (zapimlabs.ai and aayush-zapim-labs.vercel.app) and any subdomains
- The Zapim Labs APIs, SDKs, and dashboard at app.zapimlabs.ai
- Marketing communications we send you
- Customer support interactions
It does not cover third-party services you connect to Zapim Labs (e.g. your Salesforce CRM, your Twilio account, your ElevenLabs voice provider via BYOK). Those have their own privacy policies and you should read them.
3. What we collect
We collect the minimum necessary to run the service. Specifically:
| Category | Examples |
|---|---|
| Account information | Your name, work email, company name, role, password hash, profile photo if you upload one. |
| Billing & tax | Billing address, VAT/GST number, payment-method token (we don't store full card numbers; our payment processor does), invoice history. |
| Usage telemetry | Calls placed, messages sent, minutes consumed, error rates, latency metrics. Aggregated where possible. |
| Agent configuration | Workflow definitions, prompts, voice/model settings, webhook URLs, integration credentials (encrypted). |
| Call & message content | Audio recordings (when enabled), transcripts, conversation metadata, end-user phone numbers / handles. |
| Support & correspondence | Tickets, emails, Slack messages, screenshots you send us. |
| Device & network | IP address, user-agent, browser type, OS, timezone, referrer, basic device fingerprint. |
| Cookies & analytics | Session IDs, feature-flag assignments, anonymised page-view metrics. See §12. |
4. How we use it
- Provide the service. Authenticate you, run your agents, route calls, deliver messages, store transcripts.
- Bill and account. Meter usage, raise invoices, collect payments, send statements.
- Support and operate. Respond to tickets, investigate incidents, monitor uptime, debug errors.
- Secure. Detect abuse, fraud, brute-force attempts; rate-limit; investigate suspicious activity.
- Improve. Aggregate usage patterns to find product gaps. We do not use your end-user audio to train shared models without your explicit, granular, revocable opt-in (see §11).
- Communicate. Send service notices, security alerts, product updates, and — only with consent — marketing.
- Comply with law. Respond to lawful regulator requests, court orders, and statutory obligations (e.g. tax record-keeping).
5. Lawful bases
Where data-protection law requires a lawful basis (GDPR, DPDP Act, UAE PDPL, and similar regimes), ours typically are:
- Contract. To provide the service you've signed up for.
- Legitimate interest. To operate, secure, and improve the service in ways a reasonable customer would expect.
- Consent. For marketing emails, optional analytics cookies, and any opt-in voice-cloning data contribution.
- Legal obligation. To keep records, respond to regulators, file taxes.
6. Who we share with
We share data with a small set of trusted third parties — only what's necessary, only under contract:
- Telephony carriers (Twilio, Telnyx, Vonage, Cloudonix, Vobiz, Asterisk-based aggregators) — to deliver calls and SMS.
- Cloud infrastructure (AWS, Cloudflare) — to host the service.
- AI model providers (only where you've configured BYOK, e.g. OpenAI, ElevenLabs, Sarvam, Cartesia, Deepgram) — to run inference you've configured.
- Payment processors — to process card transactions.
- Analytics (Sentry for error tracking, PostHog for product analytics, New Relic for performance) — to debug and improve the service.
- CRM & marketing tools you authorise — to send data to your Zoho / Salesforce / HubSpot / WebEngage / MoEngage account.
- Group companies (Icon Global Services, Vesper Telecom, Well Information Technologies) — for shared back-office functions (HR, finance, security) under intra-group data-sharing agreements.
A current sub-processor list is available on request — email founders@zapimlabs.ai.
We do not sell your data. We do not share it with ad networks or data brokers.
7. Where we store it
You can pin your tenant's data residency to one of three regions:
- India — AWS ap-south-1 (Mumbai). Default for India-headquartered customers.
- European Union — AWS eu-central-1 (Frankfurt). Default for EU-headquartered customers.
- United States — AWS us-east-1 (N. Virginia). Available on request.
Customer Data (call audio, transcripts, embeddings, contact records, configuration) stays in the region you choose. Some back-office systems — billing, support tickets, telemetry — may be processed in additional regions under appropriate safeguards. On-premise deployment is available for enterprise contracts.
8. How long we keep it
We keep data only as long as we need it:
- Account data — for the life of your account, plus seven (7) years for tax / statutory record-keeping after closure.
- Call audio & transcripts — per the retention setting you configure in the dashboard (default: 90 days). Hard-deleted after that.
- Billing records — seven (7) years for statutory record-keeping.
- Support tickets — two (2) years after closure.
- Marketing emails — until you unsubscribe.
- Backup snapshots — rolled off within 35 days of deletion from the live system.
9. International transfers
Where data flows across borders (e.g. an India-resident agent calls a UAE-resident end-user), we rely on the following safeguards:
- EU / UK transfers — Standard Contractual Clauses (SCCs) and Transfer Risk Assessments where appropriate.
- India transfers — compliance with DPDP Act 2023 cross-border rules; transfers limited to jurisdictions not on the restricted list.
- UAE transfers — adequacy assessments under UAE PDPL.
- Sub-processor flow-down — every sub-processor is contractually bound to equivalent or stronger protections.
10. Your rights
Depending on where you live and which regime applies, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete data (subject to retention requirements above).
- Restrict processing in certain circumstances.
- Port your data to another provider.
- Object to processing based on legitimate interest, including profiling.
- Withdraw consent at any time where processing is consent-based.
- Lodge a complaint with your local data-protection authority (e.g. the ICO in the UK, your state DPA in the EU, the Data Protection Board of India, the UAE Data Office).
To exercise any of these rights, email founders@zapimlabs.ai. We aim to respond within thirty (30) days. If you are an end-user of one of our customers (rather than a Zapim Labs customer yourself), please contact that customer first — they are the controller of your data.
11. AI training & voice cloning
This deserves its own section because we know it matters.
- Default. We do not use your end-user audio, transcripts, or agent configurations to train models that are shared across customers.
- Your own tuning. Fine-tuning of a model that's private to your account — using only your own data — is offered as a paid service. The resulting model is keyed to your account and is not shared.
- Voice cloning. Cloning a real human voice requires you to (a) upload a 30-second reference clip and (b) certify that you have a signed release from the person being cloned. Cloning without consent violates these terms and applicable law.
- Opt-in data contribution. If we ever invite you to contribute training data to shared models, the opt-in will be granular (per workflow), explicit, and revocable. Contribution is never required to use the service.
12. Cookies & analytics
We use a small set of cookies and similar technologies:
- Strictly necessary — session cookies, CSRF tokens, load-balancer routing. Cannot be disabled.
- Functional — remembers your dashboard preferences (theme, recently-viewed workflows).
- Analytics — anonymised page-view metrics via PostHog. Opt-out available in your account settings.
- Performance — Sentry error tracking, New Relic real-user monitoring. Opt-out available.
We do not run advertising cookies. We do not track you across third-party sites.
13. Security
We follow industry-standard practices:
- TLS 1.3 in transit, AES-256 at rest with per-tenant encryption keys.
- SOC 2 Type II in audit; ISO 27001 aligned.
- Role-based access control with four standard roles (owner / admin / member / viewer).
- Append-only audit log covering every mutating action — including platform-staff impersonation.
- HMAC-SHA256 signed webhooks; SSRF-guarded outbound; idempotency keys.
- Regular third-party penetration testing.
- Annual incident-response and disaster-recovery drills.
No security control is perfect. If you find a vulnerability, please report it responsibly to founders@zapimlabs.ai.
14. Children
The Zapim Labs platform is a business service and is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has used the service, contact us and we will delete the data.
You — as our customer — are responsible for ensuring your agents do not inappropriately engage with minors. Where your use case involves any contact with minors (e.g. an ed-tech application), you must obtain appropriate parental consent and apply additional safeguards.
15. Changes to this policy
We may update this policy from time to time to reflect changes in the service, our practices, or applicable law. Material changes will be notified to active customers at least thirty (30) days before they take effect, either by email or via a banner in the dashboard. The "Last updated" date at the top of this page always reflects the latest version.
Historical versions are available on request.
16. Contact & complaints
For any privacy question — access requests, deletion requests, complaints, or just to ask what we know about you — email:
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your jurisdiction.