Privacy Policy

Last updated: February 16, 2026

Palabra.AI LTD is a company incorporated under the laws of the United Kingdom with registered number 15047379 and having its registered office at 86-90 Paul Street, London EC2A 4NE (“Palabra”, “we”, “our”, or “us”).

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Policy (“Privacy Policy”) explains what personal data we collect, how we use and share it, and what rights and choices you have.

This Privacy Policy applies only where Palabra acts as a data controller under applicable data protection laws and to personal data processed in connection with our website at palabra.ai (“Website”) and any services we provide you (“Services”). We’re registered with the United Kingdom (UK) data protection authority (the Information Commissioner’s Office, or ICO) under registration number ZC087866.

Our Website and Services are governed by the Terms of Use and, where applicable, a separate written agreement.

Where Palabra provides Services to business or enterprise customers and processes personal data on their behalf, Palabra acts as a data processor. In such cases, the processing of personal data is governed by the Data Processing Agreement entered into with the relevant customer, and not by this Privacy Policy.

We may update this Privacy Policy from time to time. The most recent version will always be available on our website, and we will notify you of material changes where required.

1. What personal data we collect

We collect personal data when you use the Website and the Services. This includes personal data you provide directly, data we collect automatically, and, in some cases, data we receive from third parties.

Information you provide to us

You may provide personal data directly to us when you interact with our Services, including when you register an account or use our features. This may include:

  • Account Data, such as your name and email address;
  • User Content, including Input (any text, audio, custom glossaries, reference materials, and other content you choose to share with us) and Output (generated translations, captions, transcripts, audio output, or other results based on the Input);
  • Voice Data, such as audio samples you provide when using voice-related features.

Information we collect automatically

When you use our Website, we and our third-party partners may automatically collect certain information using cookies, pixel tags, SDKs, or similar technologies (“Cookies”). The categories of information we may collect using Cookies include:

  • Technical Data, such as IP address, browser type, and device information;
  • Usage Data, such as pages visited, time spent on the Website, and interactions with Website elements;
  • Analytics Data, including information generated through analytics tools to understand how visitors use the Website.

For details about our use of Cookies, please read our Cookie Policy.

Information we receive from third parties

From time to time, we may receive personal data about you from third-party websites or services, such as authentication or account providers (for example, LinkedIn, Google, or Apple), as well as from billing and payment service providers where you have ordered or contracted with us for our Services, or from other people or companies that interact with us in connection with our Services.

Sensitive personal data

We do not intentionally collect or process special categories of personal data (as defined under applicable law, including the GDPR “special categories”), such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or health data. Where our Services involve the processing of audio or text content provided by users, any personal data contained in such content is processed solely for the purpose of delivering the Services and not for the purpose of identifying individuals or inferring sensitive characteristics. We also do not use Voice Data for biometric identification or for any secondary purposes.

2. How we use your personal data

Data protection laws require us to have a legal basis to use personal data.
Depending on the context, we rely on one or more of the following legal bases.

Contractual duty

We process personal data where it is necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes:

  • create and manage user accounts;
  • deliver our Services to prospects and customers;
  • process requests and interactions made through the Services;
  • process Input and Output, User Content, and any personal data contained in them solely for the purpose of delivering the Services;
  • provide voice-related features, including voice-cloning functionality, where you choose to use them.

If you do not wish to provide us with your personal data in this way, you will be unable to use our Services.

Legitimate interests

We process personal data where it is necessary for our legitimate interests, provided that such interests are not overridden by your rights and freedoms. This includes:

  • operating, maintaining, and improving our Website;
  • understanding how our Website is used, diagnosing technical issues, and enhancing user experience;
  • monitoring, securing, and protecting our Website and Services;
  • preventing misuse, fraud, and security incidents, and investigating technical or security issues.

Legal obligation

We may process personal data where necessary to comply with our legal and regulatory obligations, including record-keeping, accounting, tax, and compliance requirements, or to respond to lawful requests from public authorities.

Consent

Where required, we rely on your consent to process personal data, including for direct marketing communications. You can withdraw your consent at any time, and you may opt out of receiving marketing communications whenever you choose.

Important Note on AI Training: we do not use user data or any personal data contained in your User Content to train, improve, or otherwise develop our AI models. Where users choose to provide linguistic reference materials (such as glossaries, terminology lists, or similar resources), which typically do not contain personal data, only those materials may be used for language-specific or terminology-related improvements to the Services.

3. Information we share with third parties

Here we mean companies that help us provide Services you use and need to process details about you for this reason. We do not sell your personal data; we only share it when necessary to run our business, provide our Services, or as required by law.

Service providers

We may share personal data with third-party service providers that perform services on our behalf and help us operate, secure, and deliver our Website and Services. These include providers of:

  • Cloud hosting and infrastructure services: used to store your account details and process translations.
  • Payment processing: to handle your B2B subscription and billing securely.
  • Analytics and performance monitoring: to ensure our website stays fast and functional.
  • Customer communications and email delivery: to send you necessary account alerts or support responses.
  • Security, compliance, and operational support: to protect the platform from fraud or cyber-attacks.

These third parties process personal data only on our instructions and solely for the purposes of providing services to Palabra. They are contractually bound by data protection obligations consistent with applicable data protection laws and do not use personal data for their own independent purposes.

Communications and marketing

On occasion, we may use third-party service providers to send you communications on our behalf, including information about our products, services, and events. You can opt out of marketing communications at any time.

Legal and regulatory disclosures

We may disclose your information to law enforcement, government authorities, or third parties if we believe it is necessary to comply with a legal obligation, protect our rights, or prevent fraud.

Other disclosures you request or authorise

We may share your personal data with third parties when you have given us your explicit consent or have directed us to do so. This includes instances where you connect our Service with a third-party application or integration.

Aggregated data

We may generate and share aggregated data about our Website, including usage trends and performance metrics. This information does not identify individuals and may be shared with partners or service providers for analytical, marketing, or promotional purposes.

4. How your personal data is stored, transferred, and secured

We design our Services to minimize data storage and to keep personal data secure at all times.

Ephemeral processing

By default, we do not store User Content. Personal data processed through the Services is:

  • handled in real time for the purpose of providing the requested translation services;
  • temporarily cached for up to one minute solely to enable processing; and
  • continuously overwritten, meaning that full conversations or sessions are never retained and cannot be recovered.

Voice-cloning functionality

If you explicitly request the creation of a synthetic copy of your voice, we may store a voice sample (Voice Data) solely for the purpose of providing the requested voice-cloning functionality. Such storage is:

  • limited to what is necessary to provide the feature;
  • subject to appropriate technical and organizational safeguards; and
  • not used for biometric identification, model training, or any secondary purposes.

Storage

We primarily store and process personal data within the United Kingdom and the European Economic Area (EEA) in order to ensure a high level of data protection. As part of providing the Services, personal data may also be processed or transferred outside the UK or the EEA, including where we rely on third-party service providers to support the operation, scalability, or performance of our Services. In such cases, we ensure that an adequate level of protection is maintained in accordance with applicable data protection laws.

International data transfers

When transferring personal data outside the UK and the EEA, we take appropriate safeguards, which may include:

  • verifying that the transfer complies with applicable data protection requirements;
  • implementing Standard Contractual Clauses (SCCs);
  • applying technical and organisational measures (TOMs); and
  • enforcing internal policies, role-based access controls, and staff training to ensure that access to personal data is limited to authorised personnel only.

Security

We implement the following technical and organizational measures (TOMs) to keep your personal data secure and to protect it against unauthorized access, loss, misuse, alteration, or disclosure:

  • Access control – access to personal data is restricted to authorised personnel on a strict need-to-know basis.
  • Data minimisation – we do not store any customer audio or text beyond the immediate real-time translation session, unless the user explicitly chooses to store a voice sample for voice-cloning purposes.
  • Encryption – all data in transit is encrypted using industry-standard protocols; encryption keys are managed securely.
  • Logging – only operational metadata is logged (we do not log user content). Logs are stored separately from processing systems.
  • Infrastructure security – our hosting providers maintain industry-standard security certifications such as ISO 27001 and SOC 2 Type II.
  • Training – all team members undergo mandatory privacy and security training appropriate to their role.
  • Incident management – we maintain breach detection and response procedures and will notify users or customers of a personal data breach when required by applicable law.
  • Sub-processor controls – where we use third-party service providers, they are bound by contractual obligations to implement appropriate security measures.

Retention

We’ll retain your Personal Data for only as long as we need in order to provide our Services to you for the purposes described in section 2 of the Privacy Policy and in line with applicable legal obligations. If you would like us to delete your personal data, please contact us using the email specified in section 7 of the Privacy Policy.

5. Your rights

You have the following rights under applicable data protection laws:

  • Access – to obtain confirmation of whether we process your personal data and to receive a copy of that data.
  • Rectification – to request the correction or updating of inaccurate or incomplete personal data.
  • Erasure – to request the deletion of your personal data, subject to applicable legal exceptions.
  • Restriction of processing – to request that we limit the processing of your personal data in certain circumstances.
  • Notification of rectification or erasure – we will inform you when your data has been corrected or deleted, unless doing so is impossible or would require disproportionate effort.
  • Data portability – to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller when technically feasible. Please note that User content cannot be provided under data portability, as we do not store them.
  • Objection to processing – to object to our processing of your personal data where it is based on legitimate interests, and to object to the use of your data for direct marketing at any time.
  • Withdrawal of consent – where we rely on your consent to process personal data, you may withdraw that consent at any time.
  • Automated decision-making – to not be subject to a decision based solely on automated processing, including profiling, where such a decision produces legal or similarly significant effects.

Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, we will provide you with a date when the information will be provided. If for some reason access is denied, we will provide an explanation as to why access has been denied. For questions or complaints concerning the processing of your personal data, you write to us using the email specified in section 7 of the Privacy Policy.

6. Children’s data

Our Services are intended only for individuals who are 18 years of age or older, and we do not knowingly collect, store, or process personal data from children under the age of 18.
If you are under 18, you are not permitted to use the Services.
If we discover that a minor has provided us with personal data, we will take appropriate steps to delete the information, and suspend or terminate the associated account. Additionally, all users are strictly prohibited from uploading, transmitting, emailing, or otherwise making Voice Data or any other personal data from children under the age of 18 available to us or using them for any of our Services.
If you believe we may have inadvertently processed such personal data, please contact us so we can take the necessary action.

7. Contacts for privacy matters

If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at: support@palabra.ai. We aim to process data protection requests within 30 days, SAR responses are usually free, but we reserve the right to charge for excessive or unfounded requests. We fully comply with the applicable data protection laws and will assist in any investigation or request made by the appropriate authorities.

If you remain dissatisfied, then you have the right to apply directly to your local data protection authority. You can find the list here. If you are located in the United Kingdom, you may also refer your complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection matters. For more information, please visit the ICO’s website.

Our Article 27 Representative

We have appointed an EU Representative under Article 27 of the EU GDPR. Our nominated EU Representative is:
Instant EU GDPR Representative Ltd.
Adam Brogden contact@gdprlocal.com
Tel +35315549700
INSTANT EU GDPR REPRESENTATIVE LTD
Office 2,
12A Lower Main Street, Lucan Co. Dublin
K78 X5P8
Ireland