Privacy Policy

Effective date: 2026-05-29 · Last updated:2026-05-29 · Version 1.0

1. Who we are

Acts 2 is a generative-AI translation and voice-cloning service operated by iKingdom LLC(“Acts 2,” “we,” “us,” or “our”), a Delaware limited liability company. This Privacy Policy describes how we collect, use, store, disclose, and protect personal information from visitors to acts2.io and customers of the Acts 2 family of products (Acts 2 Free, Acts 2 Pro, Acts 2 Business, and Acts 2 Gov).

For any privacy-related question, request, complaint, or to contact our Data Protection Officer (DPO), email contact@acts2.iowith “Privacy” in the subject line.

2. What data we collect

We collect only the data we need to deliver translation, transcription, dubbing, and voice-cloning services and to operate our business. Categories of data:

• Account data: name, email address, organization name, role (e.g., pastor, professional, business administrator, government contact), country, and password hash. Optional: phone number, denomination, ministry affiliation.
• Billing data: Stripe customer ID, subscription tier, last four digits of payment card (we never store full card numbers ourselves), billing address, tax identifier where applicable. Full card data is held by Stripe under PCI DSS.
• Voice biometric data (special category):audio recordings you upload or stream, derived voice embeddings (“voiceprints”) used to clone your voice, the resulting cloned-voice model artifacts, and synthesized audio output. See Section 3 for the special handling that applies.
• Customer content: source audio chunks, transcripts, translations, captions, generated dubs, and metadata you provide (e.g., language tags, speaker labels, session names).
• Usage data: rows in our usage_event table recording feature usage, language pair, audio duration, model version, and timestamps. Used for billing, fair-use enforcement, and internal analytics.
• Technical data: IP address, user agent, browser language, device type, referrer URL, session identifiers (the pk_session first-party cookie), and the timestamps of your interactions with the service.
• Consent and audit records: records of voice-consent affirmations, signed terms, opt-ins, and other consent metadata (timestamp, IP address, user agent, voice-sample hash). See our Terms of Service for the voice-consent clause.
• Support data: any information you share when you contact support (emails, screenshots, chat transcripts).

3. Voice biometric data — special handling

Voice biometric data is treated as sensitive personal informationunder multiple regimes, including GDPR Article 9 (special category), the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act as amended by TRAIGA, Brazil's LGPD Article 11, Mexico's LFPDPPP (as amended in 2025), and India's Digital Personal Data Protection Act, 2023.

For voice biometric data we maintain the following commitments:

1. Explicit, written, informed consent— before any voice sample is processed to build a voiceprint or cloned voice model, you must affirm a typed consent checkbox warranting that you are the speaker or have the speaker's express, written, informed consent. We do not accept implied consent.
2. Voice provenance log— for every clone we record, and retain in an audit-grade log, the consent affirmation text, the IP address, user agent, timestamp, voice-sample hash, sample duration, sample rate, language, and the resulting model version.
3. No model training— we do not use your audio, voiceprint, or cloned voice to train, fine-tune, or improve any foundation voice model without a separate, opt-in, written authorization from you. This is a hard rule, designed in part to comply with BIPA and to reduce the litigation exposure illustrated by the May 2025 Illinois class actions against ElevenLabs and other major voice-AI providers.
4. No biometric identification. Voiceprints generated for cloning are not used by Acts 2 to identify or authenticate individuals.
5. Retention. Voice clones are retained for 30 days from last use on the Free tier; for paid tenants, voice clones are retained for the duration of the subscription plus a 30-day grace period after termination, after which they are cryptographically deleted unless a longer retention is contractually agreed.
6. Watermarking and provenance. Synthesized audio carries an inaudible watermark and a C2PA-style content credentials manifest identifying the output as AI-generated, in alignment with the EU AI Act Article 50 (effective 2 August 2026) and California SB 942 (as amended by AB 853, effective 2 August 2026).
7. Revocation. You may withdraw consent and request deletion of a voice clone at any time by emailing contact@acts2.io.

4. How we use data

We process your data only for these defined purposes:

• Delivering the service: running transcription, translation, voice cloning, dubbing, captioning, and live broadcast features you request.
• Billing and accounting: taking payment via Stripe, managing subscriptions, calculating taxes, retaining financial records for the legally required 7 years.
• Service operations: reliability, security monitoring, abuse prevention, audit logging, customer support.
• Communication: transactional emails (receipts, security alerts, service announcements). Marketing emails only with your opt-in.
• Legal compliance: responding to lawful requests (subpoenas, court orders), enforcing our Terms, defending claims.

We do not sell your personal information. We do not share it with advertising networks or data brokers. We do not use your voice biometric data, audio recordings, transcripts, or translations to train foundation models for any third party.

5. Lawful basis for processing (GDPR / UK GDPR)

For customers in the European Economic Area, United Kingdom, and Switzerland, our lawful bases under GDPR Articles 6 and 9 are:

• Article 6(1)(b) — contract: processing necessary to deliver the service you signed up for.
• Article 6(1)(c) — legal obligation: tax, accounting, and law-enforcement compliance.
• Article 6(1)(f) — legitimate interest: security, fraud prevention, internal analytics that do not override your rights. A balancing test is on file with our DPO.
• Article 6(1)(a) + Article 9(2)(a) — explicit consent: for voice biometric processing, in line with the European Data Protection Board's March 2025 reaffirmation that consent for biometric processing must be freely given, specific, informed, unambiguous, and explicit.

6. Where we store data

Acts 2 operates from infrastructure located primarily in the United States. Our primary data store and authentication provider is Supabase (us-east region). Voice synthesis is performed at ElevenLabs (US infrastructure). Real-time transcription is performed at Deepgram (US). Live audio routing uses LiveKit Cloud (US). Recorded audio assets are stored at Mux (US). Stripe holds billing data in accordance with PCI DSS.

On request, Enterprise and Gov customers may negotiate alternative regions, including EU residency, subject to a separate contract.

7. Subprocessors

The named subprocessors below process customer data on our behalf:

• Supabase, Inc.— database, authentication, file storage (US).
• ElevenLabs, Inc.— voice cloning and text-to-speech (US).
• Deepgram, Inc.— speech-to-text transcription (US).
• Mux, Inc.— video and audio hosting, delivery, and analytics (US).
• LiveKit, Inc.— real-time audio routing for live broadcast (US).
• Anthropic, PBC— translation via Claude (US).
• OpenAI, L.L.C.— optional transcription via Whisper (US).
• Stripe, Inc.— payment processing (US, PCI DSS).
• Vercel, Inc.— web hosting, edge compute, speed insights (US).
• Resend, Inc.— transactional email delivery (US).

We maintain a Data Processing Agreement or equivalent with each named subprocessor. A current list (including any additions or replacements) is reflected in our Data Processing Addendum. We will give at least 30 days' notice before adding or replacing a subprocessor that materially affects how customer data is processed.

8. International transfers

Because we operate primarily in the United States, personal data originating in the EEA, UK, Switzerland, or other jurisdictions with cross-border-transfer restrictions will be transferred to and processed in the United States. For such transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. A Transfer Impact Assessment (TIA) is available to customers on request via our Data Processing Addendum.

9. Your data-subject rights

Depending on where you live, you may have the following rights. We respect these rights for all customers regardless of jurisdiction.

• Right of access (GDPR Art. 15; CCPA Right to Know; LGPD Art. 18): we will respond within 30 days (45 days under CCPA, extendable by another 45 with notice).
• Right to rectification (GDPR Art. 16; DPDPA s. 12): you can correct inaccurate personal data from your account settings or by emailing us. We will respond within 30 days.
• Right to erasure / deletion (GDPR Art. 17; CCPA Right to Delete; LGPD Art. 18; DPDPA s. 12): includes deletion of voiceprints and cloned voice models. We will respond within 30 days. Some data may be retained where we have a legal obligation (e.g., tax records for 7 years) or a litigation hold.
• Right to restrict processing (GDPR Art. 18).
• Right to data portability (GDPR Art. 20; LGPD Art. 18): we will provide a machine-readable export of your account data and your customer content within 30 days.
• Right to object (GDPR Art. 21):in particular to direct marketing, which you can also opt out of via any marketing email's unsubscribe link.
• Right not to be subject to solely automated decision-making (GDPR Art. 22): we do not make legally-significant decisions about you using solely automated processing.
• Right to lodge a complaintwith your supervisory authority (EU/UK), the California Attorney General (CCPA), Brazil's ANPD (LGPD), India's Data Protection Board (DPDPA), or any other competent authority.

To exercise any of these rights, email contact@acts2.iowith “Data Request” in the subject line. We may need to verify your identity before responding.

10. Retention

We retain data only as long as needed for the purposes above:

• Voice clones (Free tier): 30 days from last use, then automatic deletion.
• Voice clones (paid tiers): duration of subscription plus a 30-day grace period, then deletion unless a longer term is contractually agreed.
• Captions and transcripts: 30 days, unless you download/export them.
• Synthesized audio outputs: 30 days in our cache, unless attached to a Mux asset under a longer-retention plan.
• Usage event rows: 12 months for billing reconciliation and product analytics.
• Consent and audit records: 7 years for clones, to support BIPA/TRAIGA/LFPDPPP/DPDPA defensibility.
• Account data: for as long as your account is open, and 12 months after deletion for fraud and security purposes.
• Payment records: 7 years (US tax and accounting requirements).
• Security logs: 12 months hot, up to 7 years cold (tamper-evident) for incident response.

11. Security

We protect your data with industry-standard administrative, technical, and physical safeguards, including:

• TLS 1.2 or higher in transit; AES-256 at rest.
• Row-Level Security (RLS) on our Supabase Postgres database, plus scoped API keys for service-to-service calls.
• Single sign-on and multi-factor authentication for all production access by our personnel.
• Audit logs of administrative access, retained 12 months hot and up to 7 years cold.
• Monthly vulnerability scans and a 30-day SLA for critical patch deployment.
• Background checks on employees with production access; quarterly access reviews.
• Annual incident-response tabletop exercise; documented breach notification procedures.
• SOC 2 Type II readiness in progress [verify with counsel].

No system is perfectly secure. We will notify affected users and regulators of any personal-data breach in accordance with applicable law (e.g., GDPR Art. 33: within 72 hours; HIPAA: within 60 days; CCPA: without unreasonable delay).

12. Children

Acts 2 is not directed to children. We do not knowingly collect data from children under 13 (US, COPPA) or under 16 (EEA / UK, GDPR Art. 8). If you believe we have collected data from a child, please contact us and we will promptly delete it.

13. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you specific rights:

• Right to Know what personal information we have collected, the sources, and the purposes.
• Right to Delete your personal information, subject to legal-retention exceptions.
• Right to Correct inaccurate personal information.
• Right to Opt-Out of Sale or Sharing — Acts 2 does not sell or share personal information (as those terms are defined under the CPRA) for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information— including voice biometric data. We use such data only for the service you requested.
• Right to Non-Discrimination for exercising any of these rights.

California residents may also designate an authorized agent. Submit requests via contact@acts2.io. We will respond within 45 days.

14. Brazil residents (LGPD)

If you are in Brazil, Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, Law No. 13,709/2018) provides you with rights including access, correction, anonymization, blocking, deletion, portability, and revocation of consent (LGPD Article 18). Voice biometric data is sensitive personal data under LGPD Article 11 and we process it only with your specific and prominent consent.

Our LGPD inquiry channel is contact@acts2.io. You may also complain to the National Data Protection Authority (ANPD, www.gov.br/anpd). Brazilian customers using Acts 2 in connection with judicial proceedings should also review CNJ Resolution 615/2025, which governs AI use in the Brazilian judiciary.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email (for active customers) or by a conspicuous banner on acts2.io at least 30 days before they take effect, except where a shorter period is required by law. Each version is dated; older versions are available on request.

16. Contact

Acts 2 / iKingdom LLC
Delaware, United States
Email: contact@acts2.io

For EU/UK customers requesting an EU representative or UK representative under GDPR Art. 27 / UK GDPR Art. 27, please email us and we will appoint one upon request [verify with counsel before relying].