Privacy Policy

Plain summary: this policy applies to every user of Fluento AI in India — on our mobile app, website, or API — and to anyone outside India who interacts with our India-based services.

This India-specific section of our Privacy Policy is published by Fluento AI Technologies Private Limited (Fluento AI), a company incorporated under the Companies Act, 2013, with its principal place of operations in Bengaluru, Karnataka. It explains how we collect, use, store, share, retain and erase your personal data in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules 2021”).

This section applies to:

• All users who access the Fluento AI mobile application (Android or iOS) from within India.
• All users who access our website, landing pages, or support portal from within India.
• Users outside India whose personal data is processed on Indian infrastructure or by our India-based teams.
• Parents and lawful guardians of minors (persons under 18) and persons with disability who provide consent on behalf of a Data Principal.

Where a specific provision of the DPDP Act has not yet been notified and brought into force, we will continue to comply with the pre-existing SPDI Rules, 2011, until notification, at which point we will transition to the DPDP-first regime without any reduction in your rights.

Plain summary: we are the Data Fiduciary. You are the Data Principal. Trusted third parties (like our cloud and AI vendors) are Data Processors acting on our written instructions.

Data Fiduciary

Fluento AI Technologies Private Limited — the entity that determines the purpose and means of processing your personal data (DPDP Act Sec. 2(i)). We are responsible for compliance and accountable to you.

Data Principal

You — the individual to whom the personal data relates (DPDP Act Sec. 2(j)). If you are a child, “Data Principal” includes your parent or lawful guardian. If you are a person with disability with a lawful guardian, it includes that guardian.

Data Processor

Third-party service providers we engage who process personal data on our behalf and under a written contract (DPDP Act Sec. 2(k)) — for example, our speech, language-model, payment and storage vendors. A full list of sub-processors is in the “Sub-processors” section of this policy.

Guardian / Parent

The person entitled under Indian law to give verifiable consent on behalf of a child or a person with disability (DPDP Act Sec. 9).

Personal Data

Any data about an individual who is identifiable by or in relation to such data (DPDP Act Sec. 2(t)).

Processing

A wholly or partly automated operation on personal data — including collection, recording, organisation, storage, retrieval, use, disclosure, erasure, or destruction (DPDP Act Sec. 2(x)).

Plain summary: we only process your personal data when we have a clear legal basis — either your consent, or a “legitimate use” listed in the DPDP Act itself.

Under Sec. 4 of the DPDP Act, personal data may only be processed on one of two grounds: (a) the free, specific, informed, unconditional and unambiguous consent of the Data Principal, with clear affirmative action (Sec. 6), or (b) one of the “certain legitimate uses” explicitly listed in Sec. 7. The table below maps each category of data we handle to its ground of processing.

Where the law or a competent authority obligates us to process data (for example, responding to a lawful court order, or retaining GST records), we rely on Sec. 7(g) — compliance with any judgment, decree, order or law for the time being in force.

Plain summary: we collect only what we genuinely need to teach you English. For each category below we tell you what it is, why we need it, and whether it is mandatory or optional.

Data we deliberately do not collect

To minimise risk, we never collect the following — even though some competitors do:

• Biometric data (we process voice for ASR/TTS; we do not store voiceprints or biometric templates)
• Precise geolocation (GPS)
• Contacts or phonebook
• Photos or videos
• SMS or call logs
• Files outside the app sandbox
• Health or medical data
• Sexual orientation or gender identity
• Political opinions or religious beliefs
• Trade union membership

Plain summary: we ask for consent in plain English before we use your voice, send marketing, or turn on analytics. You can say no at any time — and we will keep honouring your choice.

What consent looks like under Sec. 6(1)

Every request for your consent from Fluento AI is: (a) free — never conditioned on you providing data you don’t need; (b) specific — one purpose per consent; (c) informed — with a clear explanation of what you’re agreeing to; (d) unconditional; (e) unambiguous, through a clear affirmative action (a tick box or a dedicated “Allow” button — never a pre-ticked box).

Notice at or before consent (Sec. 5)

Every time we seek your consent, we show you a notice containing: (i) the itemised list of personal data we propose to collect; (ii) the specific purpose of processing; (iii) the manner in which you can exercise your rights under Sec. 11–14; (iv) the manner in which you can lodge a grievance with the Data Protection Board of India.

Languages (Sec. 5(3))

This privacy notice is presently available in English. In line with Sec. 5(3) of the DPDP Act, we are rolling out the same notice in all 22 languages listed in the Eighth Schedule to the Constitution of India; Hindi, Tamil, Telugu, Bengali, Marathi, Kannada, Gujarati and Malayalam versions are scheduled for publication within 12 months of the effective date of this policy. Until then, any Data Principal may request the notice in any Eighth Schedule language by emailing privacy@fluentoai.com; we will respond with a verified translation within 30 days.

Right to withdraw consent (Sec. 6(4))

You may withdraw your consent at any time with the same ease with which you gave it. Specifically:

• To revoke microphone consent: Settings → Privacy → Revoke microphone access, or toggle it in your device OS settings.
• To stop marketing emails: use the unsubscribe link in any email, or Settings → Notifications → Marketing.
• To stop analytics: Settings → Privacy → Analytics → Off.
• To revoke all consents and erase your account: visit /privacy/delete-my-data or email privacy@fluentoai.com.

Consequences of withdrawal (Sec. 6(5))

Withdrawing consent does not make prior lawful processing unlawful. Going forward, we will stop the processing that relied on that consent within 72 hours. If the consent was essential to a feature (e.g. microphone for voice practice), that feature will stop working; the rest of the service will remain available to you.

Consent Manager (Sec. 6(7))

If and when the Central Government notifies a Consent Manager regime, we will register with an accredited Consent Manager so you can give, manage, review and withdraw consent from a single dashboard of your choice.

Plain summary: you have the right to know, correct, erase, complain and nominate. We must answer — and we’ve made each one a single click or email away.

We will acknowledge every rights request within 24 hours and resolve it within 15 days (IT Rules 2021 Sec. 3(2)(b)). If we need longer for a complex request, we will tell you the reason and a realistic timeline within that 15-day window.

Plain summary: if you are under 18 or have a lawful guardian, we require verifiable consent from your parent or guardian before we process your personal data. We do not advertise to children. We do not profile children. Ever.

Verifiable parental consent

Under Sec. 9(1) of the DPDP Act, we must obtain verifiable consent from the parent or lawful guardian before processing the personal data of a child. Our current age threshold is 13; however, for every user who self-declares as under 18, we trigger our parental-consent flow.

Our verification mechanism works like this:

• At sign-up, every user self-declares their date of birth.
• If the declared age is under 18, the account is placed in a restricted state: voice features, marketing, analytics and any profiling are disabled.
• We generate a one-time parental-consent link sent to the parent or guardian email that the user provides.
• The parent or guardian (a) reviews this policy, (b) provides their own full name, relationship to the child, phone number and email, and (c) confirms consent via OTP and e-signature.
• We maintain a tamper-evident record of the parental consent, including timestamp, IP, e-signature hash and the verifier used.
• Until parental consent is received, the account remains restricted. If consent is not received within 30 days, the account and all data associated with it are automatically deleted.
• We are evaluating stronger age-assurance mechanisms (including DigiLocker Aadhaar-based age token and the MeitY age-gating framework) and will upgrade to one of them once notified by the Central Government.

Prohibitions we follow (Sec. 9(3))

Persons with disability with a lawful guardian

Where a Data Principal has a lawful guardian appointed under the Mental Healthcare Act, 2017, the Rights of Persons with Disabilities Act, 2016, or the National Trust Act, 1999, all consent is obtained from and all rights are exercisable by that guardian. Our grievance officer can assist in adapting our processes for accessibility; please email grievance@fluentoai.com.

Plain summary: we treat children’s data as the most sensitive category we handle. Our defaults lock it down.

• We run zero advertising inside Fluento AI — to anyone, ever. There is no ad SDK in our app.
• We do not profile children for advertising, look-alike modelling, or any behavioural targeting.
• If a child signs up without verified parental consent and we later discover this, we will delete the account — and all derived data — within 30 days.
• We do not knowingly sell any personal data of any user, and we do not offer personal data of children for any commercial consideration, at any price.
• Children's voice recordings are auto-deleted after 90 days (same policy as adults) and the derived transcripts are used only for the child's own feedback.
• When the Central Government notifies Significant Data Fiduciary thresholds or whitelists exemptions under Sec. 9(4)/(5), we will reassess and publicly update this section within 30 days of notification.

Plain summary: we have a named Grievance Officer in India. Write to them, and we’ll acknowledge within 24 hours and resolve within 15 days.

Name

Rinny Jacob

Role

Grievance Officer

Email

grievance@fluentoai.com

Address

Fluento AI Technologies Pvt Ltd, Bengaluru, Karnataka, India

Acknowledgement SLA

24 hours of receipt

Resolution SLA

15 days from acknowledgement (IT Rules Sec. 3(2)(b))

What you can raise with the Grievance Officer

• Complaints about our collection, processing, sharing, retention or erasure of your personal data.
• Complaints about a data breach that affects you.
• Complaints about content on Fluento AI that violates the IT Rules 2021 (e.g., unlawful content, impersonation, defamatory material).
• Any alleged non-compliance with this policy or with the DPDP Act.
• Requests under your DPDP rights (Sec. 11–14) that were not resolved by our standard flow.

Escalation ladder

If you are not satisfied with our Grievance Officer’s response, Indian law gives you an escalation path. We will not retaliate against you or restrict your account for exercising any of these options.

• Step 1. Grievance Officer — grievance@fluentoai.com. Acknowledgement within 24 hours; resolution within 15 days.
• Step 2. Data Protection Officer — dpo@fluentoai.com. Re-review within 7 working days.
• Step 3. Data Protection Board of India (“DPB”, DPDP Act Sec. 18–26). You may file an online complaint with the DPB once it is operationalised by the Central Government.
• Step 4. Appellate Tribunal — the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) is the appellate tribunal under Sec. 29 of the DPDP Act.
• Step 5. Constitutional remedies — writ jurisdiction of the jurisdictional High Court under Article 226 of the Constitution of India, and ultimately the Supreme Court of India under Article 32 / 136.

Plain summary: Sec. 10 mandates a DPO only for Significant Data Fiduciaries. Fluento AI has not been classified as one, but we appoint a DPO voluntarily — so you always have a senior privacy contact.

Sec. 10 of the DPDP Act requires a Data Protection Officer only for entities that the Central Government designates as “Significant Data Fiduciaries” (SDFs), based on volume and sensitivity of data, risk to Data Principals, potential impact on sovereignty, and related factors. We are not currently a designated SDF. We have nevertheless voluntarily appointed a DPO to supervise our privacy programme, liaise with the DPB, and act as a single escalation point for Data Principals.

Role

Data Protection Officer

Email

dpo@fluentoai.com

Address

Fluento AI Technologies Pvt Ltd, Bengaluru, Karnataka, India

Response SLA

within 7 working days (urgent) / 30 days (standard)

Plain summary: we protect your data with industry-standard encryption, least-privilege access, logging, and a tested incident response plan.

Sec. 8(5) of the DPDP Act obliges every Data Fiduciary to implement “appropriate technical and organisational measures” and “reasonable security safeguards” to prevent personal data breaches. The SPDI Rules, 2011 further require us to adopt a documented, auditable security programme (Rule 8). Our controls include:

• AES-256 encryption at rest for all voice audio and derived data (Cloudflare R2 object storage).
• TLS 1.3 (or TLS 1.2 with strong ciphers) for every network connection; HSTS with preload on our web domain.
• Role-based access control (RBAC) with the principle of least privilege; multi-factor authentication mandatory for all admin access.
• Secret management through a managed secrets store; no plaintext credentials in source code or CI logs.
• Immutable, tamper-evident audit logs retained for 180 days for every admin action on user data.
• Continuous dependency vulnerability scanning and a documented patch SLA.
• Annual penetration test by an independent CERT-In empanelled auditor (from Year 2 onwards).
• Encrypted, geo-redundant backups; backups purged after 35 days.
• An incident response plan aligned with CERT-In reporting guidelines and DPDP Act Sec. 8(6).
• Vendor security review before onboarding any sub-processor; written DPAs with SCCs for every processor.
• Employee background checks, signed confidentiality agreements, and annual privacy training.

Plain summary: the DPDP Act also places a few duties on you. These exist to keep the complaint system honest, and they matter.

Sec. 15 of the DPDP Act sets out duties that every Data Principal in India must observe. These are:

• You must comply with the provisions of all applicable laws while exercising your rights under the DPDP Act.
• You must not register a false or frivolous complaint or grievance with us, the Grievance Officer, or the Data Protection Board.
• You must not impersonate another person while providing personal data to us for a specified purpose.
• You must not suppress any material information while providing personal data for any document, unique identifier, proof of identity or proof of address, issued by the State or any of its instrumentalities.
• You must furnish only such information as is verifiably authentic when exercising the right to correction or erasure (Sec. 12).

Plain summary: we delete data as soon as we no longer need it — or the moment you ask us to, unless the law requires otherwise (e.g. tax records).

Sec. 8(7) requires us to erase personal data once the purpose for which it was collected is no longer being served. Sec. 8(8) requires the same on withdrawal of consent. Our retention schedule (below) matches our code-level cleanup jobs and is reviewed every quarter.

Automatic vs. user-triggered deletion

• Automatic: voice recordings are deleted 90 days after upload by a scheduled job; inactive accounts are purged after 24 months of inactivity following two email warnings.
• User-triggered: when you request erasure via /privacy/delete-my-data or email privacy@fluentoai.com, we delete your account and derived data within 72 hours; backups that include your data roll off within 35 days.
• Retention beyond deletion: only records we are legally required to keep (e.g., GST invoices, tax records) remain, and they are moved to a locked archive accessible only for audit or regulatory response.

Plain summary: we keep as much data as possible inside India. When we must send data abroad, we use standard legal contracts and strong encryption — and we will honour any country-restriction the Government notifies under Sec. 16.

Sec. 16 of the DPDP Act permits transfer of personal data outside India to any country or territory, except to those that the Central Government may, by notification, restrict. Our approach is India-first:

• Primary processing region: Central India (Microsoft Azure — Pune / Chennai) for speech services where available.
• Primary storage region: Cloudflare R2 — India and Asia edge locations, with AES-256 at rest.
• International sub-processors we use today: Groq, Inc. (USA) for LLM inference on de-identified text; ElevenLabs, Inc. (USA) for AI voice synthesis of reply text; Twilio (USA) for SMS OTP; Sentry (EU/USA) for error monitoring; PostHog (EU) for pseudonymous analytics.
• For every international transfer we require: (a) a written Data Processing Agreement with Standard Contractual Clauses (SCCs) approved by the EU / ICO (as a proxy until a notified Indian SCC exists); (b) encryption in transit and at rest; (c) audit and deletion rights; (d) breach notification within 24 hours of the processor becoming aware.
• We do not store voice audio on any USA-based processor. Voice stays in India / Asia; only de-identified transcripts reach overseas LLM or TTS providers where strictly necessary to generate a reply.
• We will comply, without delay, with any country-restriction notified by the Central Government under Sec. 16 of the DPDP Act, and will migrate affected workloads to a permitted region.

The complete sub-processor list — purpose, country, data transferred and DPA reference — is in the Sub-processors section of this policy.

Plain summary: if there’s a breach, we won’t hide it. We tell the Data Protection Board and every affected user within 72 hours, in plain language, with the facts and the fix.

Sec. 8(6) of the DPDP Act obliges a Data Fiduciary to notify the Data Protection Board of India and every affected Data Principal in the event of a personal data breach, in the form and manner prescribed. We also follow the Indian Computer Emergency Response Team (CERT-In) Directions, 2022, which mandate certain incident reporting within 6 hours of detection.

Our breach response protocol

• T+0 — Detection & containment: on detection, our on-call engineer isolates the affected system, preserves forensics, and kicks off the incident response plan.
• T + 6 hours — CERT-In: where CERT-In Directions require it, we file the incident report with the Indian Computer Emergency Response Team.
• T + 72 hours — DPB + users: we notify the Data Protection Board of India and every affected Data Principal via email, in-app notification and, if the impact is material, SMS.
• T + 30 days — Post-incident review: we publish (at least internally) a root-cause analysis and a list of remediations. We are committed to publishing a public post-mortem for any incident that affected more than 1,000 users.

What the user notification will contain

• The nature and scope of the breach, including the categories of personal data affected.
• The approximate number of Data Principals affected and an estimate of the data records involved.
• The likely consequences for you (e.g., risk of impersonation, credential reuse).
• The remediation steps we have taken and the steps you can take to protect yourself (e.g., reset password, enable MFA).
• Contact details of the Grievance Officer and the DPO for further questions.

Plain summary: our mobile app does not use cookies. Our website uses only what is strictly necessary, plus optional analytics that are off by default.

The Fluento AI mobile apps (Android / iOS) do not use browser cookies. On our website (https://fluentoai.com) we use a minimum set of first-party cookies to keep you signed in, remember your language preference, and mitigate abuse. We do not use third-party advertising cookies. A dedicated /cookies page provides the full itemised list, purpose, duration and the opt-out controls, and is available from the footer of every page.

Fluento AI does not see your card number. We never store card data, CVVs, OTPs, or UPI PINs — ever. All money movement is handled by Razorpay, an RBI-authorised Payment Aggregator, under PCI-DSS Level 1 controls. This section explains exactly what they do, what we receive, how long we keep it, and how to get a refund or raise a dispute.

1. Who processes your payments

We are a merchant. The actual charging of your UPI handle, card, netbanking account, or wallet is performed by a third-party Payment Aggregator (PA) authorised by the Reserve Bank of India under the Payment and Settlement Systems Act, 2007.

When you tap Pay in Fluento AI, you are handed off to Razorpay’s hosted checkout (Standard Checkout on web / native SDK on iOS & Android). The checkout surface shows you: UPI (intent or VPA), Credit & Debit Cards, Netbanking, Wallets, and EMI where available. What happens on that screen is governed by Razorpay’s privacy policy, not ours.

2. What we see vs. what Razorpay sees

3. PCI-DSS scope

The Payment Card Industry Data Security Standard (PCI-DSS) is the global card-data protection standard maintained by the PCI Security Standards Council.

• Razorpay is certified PCI-DSS Level 1 — the highest tier, applicable to processors handling more than 6 million card transactions per year.
• Fluento AI is out of scope for PCI-DSS because we never see, store, process, or transmit cardholder data. We use Razorpay’s hosted Standard Checkout (web) and their official iOS + Android SDKs — we do not operate a custom card form.
• Our server logs, our application logs, our crash reports, and our analytics events are scrubbed of any payment-instrument data. We log only the Razorpay order_id and payment_id — which are useless to anyone outside the Razorpay × Fluento AI merchant relationship.

4. RBI card-on-file tokenisation (effective October 2022)

The Reserve Bank of India, under circular DPSS.CO.PD No.1343/02.14.003/2020-21 and subsequent guidelines, prohibits merchants and Payment Aggregators from storing card-on-file data (the full Primary Account Number and CVV) except as a network token.

• If you choose to save a card for later, Razorpay provisions a network token (issued by the card network — Visa, Mastercard, RuPay) that is bound to our specific merchant ID and your device.
• We never store the actual PAN. We store only a reference ID to the network token, held inside Razorpay’s PCI-scoped vault.
• These tokens are useless outside Fluento AI. A token stolen from us cannot be used at any other merchant, on any other network, or by any other actor.
• You can delete saved payment methods at any time from Settings → Payments → Saved methods inside the app, or directly from Razorpay’s customer portal. Deletion is propagated to the tokenisation vault within the network’s standard window (typically 24 hours).

Reference: RBI circular DPSS.CO.PD No.1343/02.14.003/2020-21 — Guidelines on Card-on-File Tokenisation (CoFT).

5. Subscription billing

When you buy the Pro monthly plan (₹199/month) or the Annual plan (₹1499/year), auto-renewal is powered by Razorpay Subscriptions and sits on top of RBI-regulated recurring-payment rails — UPI AutoPay (for UPI) or an e-mandate (for cards and netbanking).

• First transaction: fully authenticated by you — UPI PIN, OTP, or 3-D Secure — and simultaneously registers the mandate.
• Subsequent debits: capped at ₹15,000 per transaction on UPI AutoPay and ₹15,000 per debit on card / netbanking e-mandate, per RBI rules. Debits above the cap require Additional Factor of Authentication (AFA) from you on every transaction.
• 24-hour pre-debit notification: RBI mandates that you receive a notification at least 24 hours before any recurring debit. Razorpay (via your bank / UPI app) sends this on our behalf.
• Cancellation: any time, from Settings → Manage subscription in the app, or from Razorpay’s customer portal, or by emailing billing@fluentoai.com. No future debits will be attempted; paid access continues until the end of the current paid period.

The lifetime plan (₹4999 once) is a one-time charge and does not involve any recurring mandate.

6. How long we keep payment records

Indian tax law requires us to keep financial books for long periods, regardless of whether you delete your Fluento AI account. We keep only the minimum required for tax and audit — never card data.

Payment records

7 years (Income Tax Act, Section 44AA & Rule 6F). Required by the Income Tax Act, Section 44AA read with Rule 6F of the Income Tax Rules. We hold for 7 years (statutory 6 + 1 safety buffer).

GST invoices

8 years (CGST Act, Section 36). Required by Section 36 of the CGST Act, 2017 — every registered person must keep accounts and records for 72 months from the due date of filing the annual return; we keep 8 years to cover the outer limit.

What we retain

order_id, payment_id, amount, GST breakdown, invoice number, invoice date, payer email, payer name, and payment method (e.g. “UPI” or “Card ending 4242”). Nothing more.

After account deletion

Even if you exercise your right to erasure under the DPDP Act, 2023, the above tax records are legally exempt from deletion under DPDP Sec. 17 read with the sectoral tax statutes. All other personal data tied to your account is deleted per our main retention schedule.

7. GST & invoices

• Fluento AI charges Goods and Services Tax as per CGST/SGST/IGST rules. Place of supply is determined by the buyer state you declare at checkout (or the GSTIN’s state, for B2B purchases).
• A GST-compliant tax invoice is issued within 30 days of successful payment (Rule 47, CGST Rules 2017 — 30-day limit for supply of services).
• Our GSTIN — TBD — to be added post GST registration — is printed on every invoice along with HSN/SAC codes, tax breakdown, and place-of-supply.
• Invoices are emailed to the payer and are downloadable any time from Settings → Billing → Invoices in the app.
• For Teams / B2B customers: provide your GSTIN at checkout to receive a B2B invoice eligible for input tax credit. GSTIN on an invoice cannot be added or changed after issue — tax rules prohibit post-facto amendment beyond statutory credit notes.

8. Refund policy

To request a refund, email billing@fluentoai.com from the email address on the account, with your order_id or payment_id. You will get an acknowledgement within 72 hours. Approved refunds are processed back to the original payment instrument only — we cannot redirect refunds to a different card, UPI, or bank account (RBI requirement).

Bank settlement times vary: UPI typically 1–3 working days, cards 5–7 working days, netbanking up to 10 working days depending on the issuing bank.

9. Chargebacks & disputes

• Chargebacks (card network disputes) are managed by Razorpay’s dispute system end-to-end.
• When a chargeback is raised, we provide evidence — your service logs, session access records, IP / device metadata, invoice — to the issuing bank within its response window (typically 7–14 days from notification).
• Excessive or demonstrably fraudulent chargebacks may result in suspension of the account pending review.

10. Fraud prevention

• Razorpay applies network-level and proprietary fraud detection on every attempted payment.
• On top of that we run app-level signals: device mismatch, velocity checks (payments-per-minute / per-IP), and geo anomalies. A failed signal may prompt a step-up challenge, not a silent block.
• We will never deduct money without an authenticated payment — every debit requires your active consent (UPI PIN, OTP, 3-D Secure, or an explicitly registered e-mandate/AutoPay).

11. Cross-border transactions

Today Fluento AI accepts INR-only payments from India only. We do not charge foreign currency, we do not process FX, and we do not accept cards issued outside India. When we expand to international billing, additional disclosures (FEMA, FIRC, GST on OIDAR services, international tax withholding) will be added here and the Effective date at the top of this policy will be updated.

12. Dispute resolution & RBI Ombudsman

If a payment issue is not resolved to your satisfaction, escalate in this order:

Step 1 — Us

Email billing@fluentoai.com or support@fluentoai.com. SLA for first response: 72 hours. Resolution: 15 days from acknowledgement (IT Rules Sec. 3(2)(b)).

Step 2 — Razorpay Grievance Cell

Per Razorpay’s published policy, write to their grievance officer (contact details on razorpay.com/privacy).

Step 3 — Card network (for card disputes)

Visa / Mastercard / RuPay dispute filed through your issuing bank.

Step 4 — RBI Ombudsman

Integrated Ombudsman Scheme, 2021. File a complaint at cms.rbi.org.in after 30 days of un-resolved escalation to us and to Razorpay.

Step 5 — Legal forum

Consumer Forum of competent jurisdiction, or arbitration seated at Bengaluru, Karnataka, per our Terms of Service. Governing law: laws of India.

Questions about this section? Write to billing@fluentoai.com for billing, privacy@fluentoai.com for privacy, or grievance@fluentoai.com for regulatory grievances (IT Rules 2021 Sec. 3(2)(a)).

Fluento AI is an India-first service. We do not actively market to residents of the European Union, the United Kingdom, or the State of California. If you happen to use Fluento AI from one of those regions, the additional rights in this section apply to you.

Nothing in this section reduces the rights of Indian residents under the Digital Personal Data Protection Act 2023 or the IT Rules 2021 — those are covered in the India-specific sections of this policy.

GDPR / UK GDPR — legal bases (Art 6)

Where GDPR (Regulation (EU) 2016/679) or the UK GDPR applies, we rely on the following legal bases to process your personal data:

Your GDPR / UK GDPR rights (Art 15–22)

You can exercise any of the rights below by writing to dpo@fluentoai.com or through the in-app Settings → Privacy → Manage my data screen.

We will respond within 30 days (Art 12(3)). For factually or legally complex requests we may extend by a further 60 days and will tell you within the first 30.

International transfers (Art 44–49)

Your personal data is primarily stored in India (Microsoft Azure Central India; application database on GCP ubikon-web). For the sub-processors listed below, onward transfers to the United States or to global edge networks may occur.

• EU → US transfers (Groq, ElevenLabs, Sentry, Twilio): new-module EU Standard Contractual Clauses per Commission Decision (EU) 2021/914, plus supplementary measures — AES-256 encryption in transit and at rest, least-privilege access controls, and per-request de-identification where feasible.
• UK → US transfers: UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
• Transfer Impact Assessments: a TIA is on file for each US-based sub-processor and is reviewed annually.

CCPA / CPRA — California residents

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code Sec. 1798.100 et seq.) gives you the rights below. Fluento AI does not sell or share personal information for cross-context behavioural advertising, and has not done so in the preceding 12 months.

Categories of personal information we collect

Your California rights

• Right to know what PI we collect, use, disclose, and for what purpose.
• Right to delete PI we collected from you (with statutory exceptions).
• Right to correct inaccurate PI.
• Right to opt out of sale or sharing — not applicable, we do neither.
• Right to limit use and disclosure of sensitive PI (voice audio).
• Right to non-discrimination for exercising any of the above.
• To exercise any of these rights: email privacy@fluentoai.com with subject “CCPA Request” or use the in-app self-service privacy controls. We will verify your identity before responding.

Cookies & similar technologies

The Fluento AI website uses the minimum set of cookies and client-storage required to function. The Fluento AI mobile app does not use cookies at all — it uses platform secure-storage and Dio interceptors to carry auth tokens.

EU/UK visitors see a consent banner on first load. Indian visitors see a one-time DPDP consent notice. You can clear cookies at any time from your browser settings.

Do Not Track (DNT) and Global Privacy Control (GPC)

• We honour the Global Privacy Control signal. When a compliant browser sends Sec-GPC: 1, we treat it as a universal opt-out of any sale or sharing of personal information for cross-context behavioural advertising (which we do not engage in anyway).
• We honour the legacy DNT: 1 header by disabling non-essential analytics for that session.
• Strictly necessary cookies (sign-in, CSRF) are unaffected by DNT or GPC, as they are required to deliver the service you requested.

Sub-processors

The following third parties process personal data on our behalf. Each is bound by a Data Processing Agreement (DPA) with appropriate safeguards for international transfers where relevant.

This list is updated whenever a sub-processor is added, removed, or changed. To subscribe to change-notifications, email privacy@fluentoai.com with the subject “Subscribe — subprocessor updates”.

AI / LLM disclosures

Fluento AI uses Large Language Models and speech models to power conversation practice. You should understand how your inputs are handled and where the limits of AI lie.

Model used

Conversation replies are generated by Groq’s llama-3.3-70b-versatile model, invoked over Groq’s inference API. Voice transcription and synthesis use Microsoft Azure Speech Services and, for some characters, ElevenLabs.

Training on your data

Groq does not train on API-submitted data per its API terms. We also do not use your voice or text to train Fluento AI’s own models. If that ever changes, we will request explicit opt-in consent, and any training corpora will be de-identified.

Input and output retention at Groq

Up to 30 days, per Groq's policy, for abuse-prevention and debugging. Fluento AI retains no more than necessary for the feature you used.

Accuracy & hallucinations

AI-generated content may be inaccurate or fabricated. Do not rely on it for legal, medical, financial, or other consequential advice. You are responsible for verifying any factual claim before acting on it.

Automated decision-making (GDPR Art 22 / CCPA)

We estimate your CEFR level (A1–C2) from voice samples. This is an educational assessment, not a decision with legal or similarly significant effect, and you can manually override it at any time. We do not use profiling for targeted advertising or any binding decision.

Data protection by design & default (Art 25)

• Minimisation — we collect only what a feature strictly requires.
• Private by default — new accounts start with the most protective settings.
• Regular review — retained data is audited against documented retention periods.

Changes to this policy

• Material changes (new categories of data, new purposes, new sub-processors, reduced retention protections) — we will give at least 30 days’ advance email notice before the change takes effect.
• Non-material changes (typo fixes, clarifications, contact details) — reflected by an updated effective date and a change-log entry at the bottom of this policy.
• We will never retroactively weaken rights you already hold under an earlier version.

Contact for international queries

• EU / UK representative (GDPR Art 27 / UK Rep): where legally required, we will appoint and publish a representative here. Until then, please contact our Data Protection Officer at dpo@fluentoai.com.
• California residents: email privacy@fluentoai.com with subject “CCPA Request”.
• General privacy queries: privacy@fluentoai.com.