Data Protection & GDPR Disclosure

Last updated: October 28, 2025

1. Introduction

This Data Protection Disclosure outlines how QAYANI complies with the General Data Protection Regulation (GDPR) and other international data protection laws. This document supplements our Privacy Policy and provides specific information about your data protection rights.

QAYANI is committed to protecting the fundamental rights of individuals concerning their personal data and ensuring transparent, lawful, and fair processing of all information.

2. Data Controller Information

Data Controller: QAYANI

Address: [Your Company Address]

Email: privacy@qayani.com

Data Protection Officer (DPO): dpo@qayani.com

EU Representative: [EU Representative if applicable]

As the data controller, QAYANI determines the purposes and means of processing your personal data in compliance with GDPR and applicable data protection laws.

3. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following lawful grounds:

3.1 Consent (Article 6(1)(a))

  • Voice cloning and AI-powered personality creation
  • Processing voice recordings for text-to-speech generation
  • Marketing communications and promotional emails
  • Analytics and non-essential data collection

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.2 Contract Performance (Article 6(1)(b))

  • Creating and managing user accounts
  • Providing core platform features (chat, recordings, personalities)
  • Processing subscription payments
  • Delivering scheduled messages
  • Facilitating family sharing and collaboration

3.3 Legitimate Interests (Article 6(1)(f))

  • Improving Service quality and performance
  • Detecting and preventing fraud and abuse
  • Ensuring network and information security
  • Internal analytics and business intelligence

3.4 Legal Obligation (Article 6(1)(c))

  • Compliance with tax and accounting requirements
  • Responding to lawful government requests
  • Meeting regulatory obligations

4. Categories of Personal Data Processed

We process the following categories of personal data under GDPR:

4.1 Identification Data

  • Full name
  • Email address
  • User ID (unique identifier)
  • Profile photograph

4.2 Biometric Data (Special Category - Article 9)

  • Voice recordings: Audio files containing voice biometric characteristics
  • Voice clones: AI-generated synthetic voices derived from biometric data

Important: Processing biometric data requires explicit consent under GDPR Article 9(2)(a). By using our voice cloning features, you provide explicit consent for this processing. You may withdraw this consent at any time.

4.3 Communication Data

  • Chat messages and conversation history
  • Scheduled message content and recipients
  • Email correspondence

4.4 Technical Data

  • IP address
  • Browser type and version
  • Device identifiers
  • Cookies and tracking data
  • Usage logs and analytics

4.5 Financial Data

  • Subscription tier and billing status
  • Payment method (processed by Stripe; card details not stored by QAYANI)
  • Transaction history

5. Your GDPR Rights

Under the GDPR, you have the following data protection rights:

5.1 Right to Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed, and to access your personal data along with information about:

  • Purposes of processing
  • Categories of personal data
  • Recipients or categories of recipients
  • Retention periods
  • Your rights regarding the data

How to exercise: Email privacy@qayani.com or access your data through account settings.

5.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

How to exercise: Update your profile through account settings or contact privacy@qayani.com.

5.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in the following circumstances:

  • Data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation

Exceptions: We may retain data if necessary for:

  • Compliance with legal obligations
  • Establishment, exercise, or defense of legal claims
  • Archiving purposes in the public interest

How to exercise: Delete your account through settings or email privacy@qayani.com.

5.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

  • You contest the accuracy of personal data (during verification period)
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification of legitimate grounds)

How to exercise: Email privacy@qayani.com with your restriction request.

5.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

How to exercise: Request a data export by emailing privacy@qayani.com. We will provide your data in JSON format within 30 days.

5.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: Opt out of marketing emails via the unsubscribe link, or email privacy@qayani.com to object to other processing.

5.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent (e.g., voice cloning, marketing), you have the right to withdraw consent at any time.

How to exercise: Email privacy@qayani.com or adjust consent settings in your account.

5.8 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

EU Users: Contact your local Data Protection Authority (DPA). Find your DPA at: EDPB Member List

6. International Data Transfers

QAYANI processes data globally using third-party services located outside the European Economic Area (EEA). We ensure adequate safeguards for international data transfers:

6.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with all data processors
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Data Processing Agreements: Binding contracts with third-party processors

6.2 Third-Party Service Locations

  • Supabase (Database & Storage): AWS infrastructure (US, EU regions available)
  • Vercel (Hosting): Global CDN with data residency options
  • ElevenLabs (Voice Cloning): US-based with SCCs in place
  • OpenAI (AI Services): US-based with data processing agreements
  • Stripe (Payments): Global infrastructure, GDPR-compliant

6.3 Your Rights Regarding Transfers

You have the right to obtain information about safeguards in place for international transfers and to object to such transfers. Contact privacy@qayani.com for more information.

7. Data Retention Policy

We retain personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy:

| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data (active) | Duration of account | Contract performance |
| Voice recordings | Until account deletion | Consent |
| Account data (deleted) | 30 days | Graceful recovery period |
| Backup data | 90 days | Business continuity |
| Transaction records | 7 years | Tax & accounting laws |
| Support tickets | 3 years | Customer service |
| Analytics (anonymized) | 2 years | Legitimate interest |

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

8.1 Technical Measures

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Secure password hashing (bcrypt)
  • Multi-factor authentication (MFA) available
  • Regular security audits and penetration testing
  • Automated vulnerability scanning

8.2 Organizational Measures

  • Access control policies (role-based access)
  • Employee data protection training
  • Confidentiality agreements with staff and contractors
  • Data breach response procedures
  • Regular privacy impact assessments

8.3 Data Breach Notification

In the event of a data breach, we will notify affected users and supervisory authorities within 72 hours as required by GDPR Article 33. Notification will include:

  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Recommended steps for affected individuals

9. Automated Decision-Making and Profiling

Limited Automated Processing: QAYANI uses AI to generate conversational responses based on personality data. This does not constitute automated decision-making with legal or similarly significant effects.

No Profiling for Marketing: We do not use automated profiling for targeted advertising or marketing purposes.

Your Rights: Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. If you believe we are engaging in such processing, contact privacy@qayani.com.

10. Children's Data Protection

QAYANI does not knowingly process personal data of children under 16 years of age (or the applicable age of digital consent in your jurisdiction).

If we become aware that we have collected data from a child without parental consent, we will delete it immediately. Parents or guardians who believe we may have collected data from a child should contact us at privacy@qayani.com.

11. Response Times for Rights Requests

Under GDPR Article 12(3), we commit to responding to your data protection rights requests:

  • Standard Response: Within 30 days of receiving your request
  • Complex Requests: Up to 60 additional days (90 days total) with notification of delay
  • No Cost: First request is free; excessive or repetitive requests may incur a reasonable fee

We may request additional information to verify your identity before processing your request.

12. Contact & Complaints

For questions about this Data Protection Disclosure or to exercise your GDPR rights:

Email: privacy@qayani.com

Data Protection Officer: dpo@qayani.com

Address: [Your Company Address]

Supervisory Authority Complaints:

If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. EU residents can find their DPA at https://edpb.europa.eu/about-edpb/about-edpb/members_en

Your data protection rights are fundamental. We are committed to transparency and compliance with GDPR and international data protection laws.