Section i.Introduction.
i.1 Who we are
Fablr, LLC ("Fablr," "we," "us," or "our") operates Fablr.ai, a voice-powered autobiography service that helps you preserve your life stories through AI-assisted conversations.
i.2 What this policy covers
This Privacy Policy describes how we collect, use, protect, and share information about you when you use our website, mobile applications, and services (collectively, the "Services").
i.3 By using Fablr
By creating an account or using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use our Services.
Section ii.Information we collect.
ii.1 Account information
- Name and email address (required for signup).
- Profile photo (optional, or via Google OAuth).
- Password (hashed and securely stored).
- Google account ID (if you sign in with Google).
ii.2 Voice recordings
When you use our voice conversation features, we collect:
- Audio recordings of your voice conversations.
- Recording duration and timestamp.
- Conversation topic and category.
ii.3 Conversation content
- Transcriptions of your voice conversations.
- Memories and stories you share.
- Dates, places, and people mentioned in your stories.
- Session metadata (date, duration, progress).
ii.4 AI-generated content
- Stories generated from your conversations.
- Memoir book compilations.
- Content labeled as "AI-Generated" or "AI-Assisted."
ii.5 Payment information
Payment information is processed by Stripe, our payment processor:
- We store: Stripe customer ID and subscription status.
- Stripe stores: payment card information (PCI DSS compliant).
- We never see or store your complete credit card number.
ii.6 Usage and technical data
- Pages / features you access.
- Session duration and frequency.
- Device type, browser, and operating system.
- IP address (for WebRTC connections and rate limiting).
- Cookies (see Section ii.7 below).
ii.7 Cookies and tracking technologies
We use the following types of cookies and tracking technologies:
- Strictly necessary cookies: required for the site to function (session management, security tokens, login state). These cannot be disabled.
- Analytics cookies: help us understand how visitors use our site. We use PostHog for product analytics. These cookies are only set with your consent.
When you first visit our site, we will ask for your consent before setting analytics cookies. You can change your cookie preferences at any time by clearing your browser cookies for our site, which will cause the consent banner to reappear on your next visit.
Do Not Track: when you decline analytics cookies through our consent banner, we disable analytics tracking. We also respect your browser's Global Privacy Control (GPC) signal as a valid opt-out request under applicable state privacy laws.
Section iii.How we use your information.
We use your information for the following purposes:
iii.1 Provide and improve services
- Enable voice conversations with our AI biographer.
- Process and transcribe your voice recordings.
- Generate written stories from your conversations.
- Create and deliver memoir books.
- Improve our service features, user interface, and conversation experience — your content is never used to train AI models.
iii.2 Account management
- Create and manage your account.
- Authenticate your identity.
- Communicate with you about your account and services.
- Provide customer support.
iii.3 Payment processing
- Process subscription payments.
- Manage billing and invoices.
- Prevent fraud and unauthorized transactions.
iii.4 Legal compliance
- Comply with applicable laws and regulations.
- Respond to legal requests (court orders, subpoenas).
- Enforce our Terms of Service.
- Protect the rights, property, or safety of Fablr, our users, or others.
Section iv.Voice recording and AI processing.
iv.1 Voice processing pipeline
Here's what happens when you record a conversation:
- Recording: your voice is captured through your browser or mobile app.
- Transmission: audio is securely transmitted via LiveKit WebRTC to our servers.
- AI processing: OpenAI's Realtime API processes your voice in real time.
- Storage: transcripts and stories are saved to our secure database.
- Your control: you can download or delete recordings at any time.
iv.2 Third-party AI services
We use the following AI services:
- OpenAI Realtime API: voice-to-voice conversation processing.
- OpenAI GPT models: story generation and content creation.
- LiveKit: WebRTC infrastructure for real-time voice transmission.
iv.3 AI data retention
- OpenAI: API requests retained for 30 days for abuse monitoring only.
- LiveKit: no permanent storage of voice streams (temporary buffering only).
- Fablr: we store transcripts and stories until you delete them.
iv.4 AI training policy
Your content is not used to train AI models for general use.
We send your content to OpenAI only to provide AI conversation and story features. Fablr does not permit OpenAI to use our API data for model training unless we explicitly opt in.
OpenAI may retain API abuse-monitoring logs that include customer content for up to 30 days under its API data-control policies, unless Fablr later qualifies for and enables a stronger retention control such as Zero Data Retention or Modified Abuse Monitoring. If we enable one of those controls, we will update this policy to describe it.
For more information, see OpenAI's API data controls and OpenAI's Privacy Policy.
Section v.Data sharing and third parties.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act.
v.1 Service providers we use
OpenAI — AI processing
- Services
- Voice processing, transcription, story generation.
- Data shared
- Voice recordings, conversation context.
- Retention
- 30 days for abuse monitoring.
- Training
- Not used to train AI models.
- Policy
- openai.com/privacy
LiveKit — voice infrastructure
- Services
- WebRTC voice transmission.
- Data shared
- Voice streams, session metadata, IP addresses.
- Retention
- Temporary buffering only, no permanent storage.
- Encryption
- DTLS-SRTP for all voice connections.
Stripe — payment processing
- Services
- Payment processing, subscription management.
- Data shared
- Name, email, billing address, payment card.
- Retention
- 7 years for transactions (legal requirement).
- Security
- PCI DSS Level 1 certified.
- Policy
- stripe.com/privacy
Google — OAuth authentication
- Services
- Sign-in with Google.
- Data shared
- Profile info (name, email, photo).
- Scopes
- Profile and email only (minimal).
- Limited use
- Only for authentication, not accessed by staff.
Render.com — hosting
- Services
- Database and application hosting.
- Data shared
- All application data.
- Security
- AES-256 at rest, TLS 1.2+ in transit, SOC 2 Type II certified.
- Policy
- render.com/privacy
PostHog — product analytics
- Services
- Product analytics, user behavior insights, funnel analysis.
- Data shared
- Page views, feature usage, device information, anonymized user identifiers.
- Consent
- Only collected with your consent (via our cookie banner).
- Policy
- posthog.com/privacy
Google Analytics — web analytics
- Services
- Website traffic analysis, page view tracking, user journey optimization.
- Data shared
- Anonymized page views, session duration, device / browser information, referral sources.
- Consent
- Only loaded after you accept analytics cookies via our cookie banner.
Meta Pixel — advertising analytics
- Services
- Advertising measurement, conversion tracking.
- Data shared
- Page visits, button clicks, anonymized conversion events.
- Consent
- Only loaded after you accept analytics cookies via our cookie banner.
v.2 When we share data
- With your consent: when you explicitly authorize sharing.
- Legal obligations: to comply with laws, regulations, or legal processes.
- Business transfers: in connection with a merger, acquisition, or sale of assets. We will notify you via email before your personal information is transferred to a new entity and becomes subject to a different privacy policy.
- Protection: to protect our rights, property, or safety, or that of others.
- Aggregated data: we may share de-identified, aggregated information that cannot reasonably identify you (for example, total number of stories created across all users).
Section vi.Data retention.
We retain different types of data for different periods based on their purpose and legal requirements:
- Voice recordings
- 90 days (default) or until you delete. Playback feature, user control.
- Transcripts & stories
- Account lifetime or until you delete. Core service feature.
- Account data
- Account lifetime + 30 days. Grace period for accidental deletion.
- Payment records
- 7 years. Tax and accounting legal requirement.
- AI processing logs (OpenAI)
- 30 days. Abuse monitoring (OpenAI policy).
- Session metadata
- 90 days. Service improvement, support.
vi.1 Data deletion process
- Immediate: removed from your account when you delete.
- Within 30 days: deleted from production database.
- Within 90 days: purged from all backups.
- Exceptions: payment records (7 years), legal holds, fraud prevention.
Section vii.Your rights and choices.
vii.1 Rights for all users
- Access: view all data we have about you.
- Download: export your data in multiple formats (JSON, PDF, audio).
- Delete: delete recordings, stories, or your entire account.
- Correct: update inaccurate information.
- Opt-out: decline voice recording (use text-only mode).
- Withdraw consent: stop recording or AI processing at any time.
vii.2 EU / EEA / UK residents (GDPR rights)
You have additional rights under GDPR:
- Right to erasure: request deletion of your data (with limited exceptions).
- Right to restriction: limit how we process your data.
- Right to data portability: receive data in a machine-readable format.
- Right to object: object to certain types of processing.
- Right to lodge complaint: file a complaint with a supervisory authority.
- Response time: we respond within 30 days (may extend to 60 days).
vii.3 California residents (CCPA rights)
You have additional rights under CCPA / CPRA:
- Right to know: categories of data collected, purposes, third parties.
- Right to delete: request deletion (with exceptions).
- Right to correct: update inaccurate information.
- Right to opt-out: we do not sell personal information.
- Right to non-discrimination: no penalty for exercising rights.
- Response time: we respond within 45 days (may extend to 90 days).
Additional rights under CPRA (effective January 2023):
- Right to limit use of sensitive personal information: voice recordings and biometric data are considered sensitive personal information. You may request that we limit our use of this data to what is necessary to provide our service.
- Right to opt-out of sharing: we do not share your personal information for cross-context behavioral advertising.
- Authorized agents: you may designate an authorized agent to submit requests on your behalf. We may require written proof of the agent's authorization and verify your identity directly.
vii.4 How to exercise your rights
Contact us:Request form: Privacy rights request form
Email: [email protected]
In-app: Account Settings → My Data
Response time: within 45 days for U.S. state privacy requests
Verification: we verify your identity by confirming your account email address. For requests submitted outside your account, we may ask you to verify your email and provide information matching our records.
vii.5 Residents of other U.S. states
Several U.S. states provide additional privacy rights to their residents, including Virginia, Colorado, Connecticut, Texas, and others. If your state has a comprehensive privacy law, you may have rights to:
- Access and obtain a copy of your personal data.
- Request deletion of your personal data.
- Correct inaccurate personal data.
- Opt out of targeted advertising, sale of personal data, or profiling.
To exercise these rights, contact us at [email protected]. We will respond within the timeframe required by your state's law.
Section viii.Security.
We implement industry-standard security measures to protect your data:
viii.1 Encryption
- In transit: TLS 1.2 or higher for all HTTPS connections.
- Voice transmission: WebRTC DTLS-SRTP for LiveKit connections.
- At rest: AES-256 encryption for database storage.
- Backups: all backups are encrypted.
viii.2 Access controls
- Role-based access: staff access limited by role.
- Least privilege: minimum necessary access only.
- Multi-factor authentication: required for admin accounts.
- Audit logs: administrative changes to user data are logged.
viii.3 Third-party security
- OpenAI: SOC 2 Type II certified.
- Stripe: PCI DSS Level 1 certified.
- LiveKit: enterprise-grade encryption.
- Render.com: SOC 2 Type II and ISO 27001 certified infrastructure.
viii.4 Security limitations
viii.5 Data breach notification
In the unlikely event of a data breach that compromises your personal information, we will notify you by email within 72 hours of confirming the breach. Our notification will describe the nature of the breach, the types of data affected, and the steps we are taking to address the incident and protect your information, as required by applicable state and federal law.
Section ix.Children's privacy.
ix.1 Age restrictions
- You must be 18 years or older to use Fablr, wherever you live.
- By creating an account, you confirm that you are at least 18 years old.
ix.2 Content about children
Your biography may include stories about children. You are responsible for:
- Ensuring you have the right to share information about children.
- Obtaining parental consent before recording children's voices.
- Respecting children's privacy in your stories.
ix.3 Inadvertent collection
If we discover we have collected data from a child under the minimum age, we will promptly delete it. Parents can contact [email protected] to report inadvertent collection.
Section x.International data transfers.
x.1 U.S.-based service
Fablr is designed for users in the United States. Your data is processed and stored on servers located in the United States via Render.com. Our third-party service providers, including OpenAI and LiveKit, may process data on their own U.S.-based infrastructure to provide their respective services.
x.2 International users
If you access our Services from outside the United States, you do so at your own initiative. By using our Services, you consent to the transfer of your data to the United States, where privacy laws may differ from those in your jurisdiction. We require our service providers to protect your data through contractual obligations consistent with this Privacy Policy.
x.3 Appropriate safeguards
We implement appropriate safeguards including encryption and access controls to protect your data. All service providers listed in Section v. are contractually required to protect the data we share with them.
Section xi.Changes to this policy.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
xi.1 How we notify you
- Email notification for material changes (at least 30 days in advance).
- In-app notification banner.
- Updated "Last updated" date at the top of this policy.
xi.2 Your acceptance
Continued use of our Services after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to changes, you may cancel your account.
Section xii.Contact us.
If you have questions about this Privacy Policy or our data practices, please contact us:
Fablr, LLCPrivacy inquiries: [email protected]
General support: [email protected]
We typically respond within 3–5 business days.