Privacy Policy
Last updated: May 2026
1. Who we are
Spelo is operated by Neurobit, a sole proprietorship registered in India in the name of Sayed Zakriya. References to "Spelo", "we", "our", or "us" in this policy mean Neurobit, trading as Spelo. Spelo provides an embeddable AI voice agent for websites and the supporting dashboard, APIs, and infrastructure. This policy explains what data we collect, why we collect it, and how we handle it.
2. Data we collect
- Account data: name, email, business name, billing details, and authentication tokens you provide at signup.
- Site configuration: site IDs, allowed domains, voice prompts, knowledge-base documents, and any database connection strings you configure. Sensitive fields are encrypted at rest.
- Usage data: voice minutes consumed, API call volumes, error logs, and performance metrics. Used for billing and reliability.
- Visitor voice audio: when a visitor talks to your Spelo widget, audio is streamed in real time between the visitor's browser and the voice model provider (OpenAI or Google) over an encrypted connection. Audio is processed transiently to generate a response and is not stored by us by default.
- Transcripts and recordings: off by default. If you (the site owner) enable transcripts or call recordings in your dashboard, we store them for up to 30 days unless you configure a longer retention.
- Lead data: if you enable lead capture, the contact details collected during a voice conversation (name, phone, email, custom fields) are stored in your account and forwarded to any CRM or webhook you configure.
- Cookies and analytics: on spelo.ai we use Google Analytics 4 with consent (under the EU Consent Mode v2 framework). The Spelo widget installed on customer sites does not set advertising cookies.
3. How we use data
- To operate the service, bill accurately, and respond to support requests.
- To detect abuse, fraud, and security incidents.
- To improve reliability, latency, and accuracy of the voice agent.
- To meet legal obligations under applicable Indian, EU, UK, and US data-protection law where it applies to us.
We do not sell your data. We do not use your customers' voice audio or transcripts to train AI models, ours or anyone else's.
4. Subprocessors
We use a small set of infrastructure providers to deliver the service:
- OpenAI: voice model (Realtime API), under their zero-data-retention enterprise agreement where applicable.
- Google: alternate voice model (Gemini Live), used when a site is configured to use Gemini.
- Managed real-time voice transport: carries audio between visitor browsers and the voice model.
- Supabase: authentication, database, and file storage.
- Razorpay: payment processing and subscription billing.
- Vercel: hosting for the marketing site, dashboard, and API.
- Cloudflare: DNS, edge security, and DDoS protection.
We will give written notice before adding or replacing a subprocessor that handles your customers' personal data.
5. Cross-border transfers
Spelo is operated from India. Some subprocessors (OpenAI, Google, our voice infrastructure provider, Vercel, Cloudflare) operate globally and may process data in the United States, the European Union, or other regions. We rely on standard contractual clauses and the subprocessors' own compliance frameworks to safeguard those transfers.
6. Data retention
- Account data: retained while your account is active, plus 90 days after deletion for legal and billing reasons.
- Transcripts and recordings (if enabled): default 30 days, configurable.
- Lead data: retained until you delete it from your dashboard.
- Usage logs: retained 12 months for support, security, and billing audits.
7. Your rights
You may request access, correction, export, or deletion of your data, including under the GDPR (EU/UK), CCPA (California), and India's Digital Personal Data Protection Act where applicable. Email hello@spelo.ai and we will respond within 30 days.
8. Security
Data in transit is protected by TLS 1.2 or higher. Data at rest is encrypted using provider-managed encryption (Supabase, Vercel, Cloudflare). Production access is limited to the operator and authorised contractors using two-factor authentication. We do not yet hold a SOC 2 or ISO 27001 attestation; if your organisation requires one, contact us before purchasing.
9. Children
Spelo is intended for businesses and is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has used the service, contact us and we will delete the data.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email to account owners and posted on this page with a new "last updated" date.
11. Contact
Questions about this policy? Email hello@spelo.ai.