Privacy Policy

CloneOS is operated by UgenticAI, Inc. (“UgenticAI”, “we”). For the purposes of GDPR and similar laws, we are the data controller for the personal data you provide directly when you sign up, subscribe, and use the Service. For business customers using CloneOS to process the personal data of their own end users, we are a data processor and the customer is the controller — that arrangement is governed by our Data Processing Addendum.

This Privacy Policy applies to data we collect through cloneos.com and cloneos.app, the mobile and desktop applications, our APIs, and any related services (collectively, the “Service”).

We collect the following categories of personal data:

Account information. When you sign up we collect your email address, your chosen handle and display name, and (if you sign in via Google or Apple) the basic profile information those providers return — typically name and avatar URL. We do not receive your social provider password.

Billing information. When you subscribe, our payment processor Stripe collects your payment card or bank details and returns to us a customer reference plus the last four digits of your card and its country of issue. We do not store your full payment card number on our servers.

Profile and onboarding answers. Niche, audience, 90-day goal, persona answers, and other prompts you complete during onboarding so the Service can tailor your clone.

Training data for your clones. Voice samples you record or upload for ElevenLabs voice cloning, photos for your Replicate-trained image LoRA, and knowledge-base documents you upload for retrieval-augmented generation.

Generated content. Text, images, audio, and videos produced by the AI tools at your request, plus the prompts and parameters that produced them.

Community and messaging. Posts, comments, reactions, direct messages between members, and live-session attendance you create on the platform.

Usage and device data. IP address, browser and OS, approximate location derived from IP, the pages and features you use, timestamps, error reports, and performance metrics. This is logged by our hosting provider Vercel and our error monitor Sentry.

Cookies and similar technologies. Strictly necessary cookies for authentication and session management; first- party functional cookies for preferences. We do not use third-party advertising cookies. See the Cookies section below.

We use your data to (a) provide the Service you signed up for — authenticate you, train your clones, generate content on demand, deliver community and messaging, host live sessions, run lessons; (b) bill you and detect fraud; (c) send transactional emails (signup, password resets, billing receipts, training-complete alerts, weekly digests) and, with your opt-in, marketing emails; (d) respond to support requests; (e) keep the Service secure and reliable, including detecting abuse; and (f) improve the Service using aggregated, anonymized analytics.

Our legal bases under GDPR are: contract performance (to deliver the Service you bought), legitimate interest (security, fraud prevention, product analytics in aggregate), legal obligation (tax, accounting, regulator response), and consent (marketing emails, optional analytics, voice and image cloning where local law requires explicit consent). You can withdraw consent at any time without affecting prior processing.

We do not sell your personal data in the meaning of CCPA or comparable laws, and we do not use your identifiable User Content to train shared foundation models.

We rely on the following sub-processors to deliver the Service. Each is bound by a data processing agreement with appropriate security commitments. The current list (which may be updated; see the DPA for change notification rules):

• Supabase — primary database, authentication, and object storage (USA region).
• Vercel — application hosting, edge runtime, and request logs.
• Stripe — payment processing and subscription management.
• ElevenLabs — voice cloning and text-to-speech.
• Replicate — image generation and LoRA training for your image clone.
• Mux — live-stream ingest, low-latency delivery, and replay storage.
• Resend — transactional email delivery.
• DeepSeek — large language model inference for chat-style features.
• OpenAI — embeddings for semantic search over your knowledge base.
• Sentry — application error monitoring.

Where you connect optional integrations (e.g., Beehiiv newsletter, social platforms) those providers receive only the data necessary for the integration and are governed by their own privacy policies.

Primary data storage is in the United States (Vercel and Supabase regions). Some sub-processors operate in additional regions: Mux and ElevenLabs operate globally for content delivery; Stripe operates globally for payment processing; Replicate runs inference in U.S. data centers.

Data in transit is encrypted with TLS 1.2+. Data at rest in Supabase is encrypted using AES-256. Object storage (avatars, voice samples, generated media) is encrypted at rest. Backups are encrypted and access is restricted.

We retain personal data only for as long as we have a legitimate purpose:

• Account data — for the life of your account. When you request deletion (Settings → Export & delete) we permanently delete your profile, your AI artifacts, and your content within 30 days, unless we are legally required to retain specific records (e.g., billing records for tax purposes).
• AI training data — voice samples and training photos are kept for the life of the corresponding clone; deleting the clone deletes the inputs.
• Generated outputs — kept for the life of the account; you can delete individual artifacts at any time.
• Application logs — 90 days, then aggregated and the personal identifiers are removed.
• Admin audit logs — 24 months, for security and compliance.
• Billing records — 7 years, to comply with tax and accounting law in the United States.

Depending on where you live, you have some or all of the following rights:

• Access. Request a copy of the personal data we hold about you. Use Settings → Export & delete.
• Portability. Receive your data in a structured, machine-readable format (JSON). Use the same export flow.
• Correction. Update inaccurate data. Most fields are editable in Settings → Profile and Settings → Account.
• Deletion. Request deletion of your account and associated data. Use Settings → Export & delete or write to privacy@cloneos.com.
• Restriction. Ask us to pause processing while we resolve a dispute about accuracy or legitimacy.
• Objection. Object to processing based on legitimate interest, including direct marketing. We will stop unless we have an overriding legitimate basis.
• Withdraw consent. Withdraw consent for processing that relies on consent (such as marketing emails or optional analytics) at any time.
• Complain. Lodge a complaint with your local supervisory authority. EU residents may contact their national data-protection authority. UK residents can contact the ICO. CA residents can contact the California AG.

To exercise rights that aren’t available in-app, write to privacy@cloneos.com. We will respond within 30 days. We may require identity verification before fulfilling certain requests.

CloneOS is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, contact privacy@cloneos.com and we will delete it.

Personal data may be transferred to and processed in countries other than the one in which you live. When we transfer data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or another lawful transfer mechanism. The current version of the SCCs is annexed to our Data Processing Addendum.

We use cookies and similar technologies for the following categories of purposes only:

• Strictly necessary. Authentication, session management, and CSRF protection. Without these the Service cannot function.
• Functional. Theme, language, and notification preferences you have set.
• First-party analytics. Aggregated, anonymized usage analytics through Vercel Analytics (which uses no third-party identifiers).
• Payment processing. Stripe sets cookies to detect fraud during checkout, in accordance with their privacy policy.

We do not use third-party advertising cookies, do not run retargeting pixels, and do not share data with adtech vendors.

We protect your data with administrative, technical, and physical measures including TLS in transit, AES-256 at rest, role-based access control, audit logging of administrative actions, multi- factor authentication for staff, and routine vulnerability scanning. No system is perfectly secure; if you believe an incident has occurred contact security@cloneos.com.

In the event of a personal data breach affecting your data we will notify affected users and applicable supervisory authorities within the timeframes required by law (no later than 72 hours after becoming aware where GDPR Article 33 applies).

We may update this policy from time to time. The current version will always be at /legal/privacy with a “Last updated” date. For material changes we will give 30 days’ advance notice via email and an in-app banner. Continued use after the effective date is acceptance.

For privacy questions or to exercise your rights, write to privacy@cloneos.com. For all other support, support@cloneos.com. For abuse reports, abuse@cloneos.com. Our mailing address is available on request.

Our Data Protection Officer can be reached at privacy@cloneos.com with subject line “DPO”.