Privacy Policy

1. Who we are

ConeLab is a one-person AI studio. The Service is published under the brand ConeLab and reachable at conelab.ai. For privacy questions, contact hello@conelab.ai.

2. What we collect

Account data. You create a Cone Voice account by entering your email address — either in the Cone Voice desktop app or at conelab.ai. We send a 6-digit verification code to that address; entering the code in the app or on the website signs you in. We do not use passwords. We do not use third-party single-sign-on (such as Google, Apple, or GitHub). The only personal data tied to your account is your email address and a generated account identifier.

Subscription data. If you subscribe to Pro, our payment processor collects your billing information directly on its own servers. We receive a customer reference, your subscription status, the plan you chose, the billing country, and the last four digits of your card (for display on your account dashboard). We never receive or store your full card number, CVC, or expiration date.

Usage data. Each time you use Cone Voice, we record the duration of audio submitted, a timestamp, and the result (success or error code). We use this to enforce your plan's quota and detect abuse. We do not store the content of what you said.

Audio data. When you press the Cone Voice shortcut and speak, the audio is sent over an encrypted connection to our infrastructure on Cloudflare and forwarded to our speech-recognition provider. The audio is processed in memory and discarded immediately after transcription. We do not store, log, or train models on your audio. Cloudflare's edge network routes the audio in transit but does not retain audio content; only standard request metadata (timestamp, status code, and response size) is captured in operational logs.

Diagnostics. If the Service crashes or encounters an error, we may collect anonymized crash reports to improve the Service. You can opt out of diagnostics in the app's settings.

Website cookies and tracking. Our marketing pages (conelab.ai/, /voice, /pricing, /privacy, /terms) do not set any cookies, do not use third-party analytics or advertising trackers, and do not perform browser fingerprinting. Account pages (conelab.ai/login, /dashboard) use a single strictly-necessary first-party session cookie to keep you signed in; this cookie is HttpOnly, Secure, and SameSite, and is exempt from consent requirements under the ePrivacy Directive. Server access logs are kept for 30 days and contain only standard request metadata (IP, user-agent, path, status). The Cone Voice desktop application does not use cookies; authentication tokens are stored in your operating system's secure keyring.

3. How we use your data

• To deliver the Service: transcribe your voice, run your account, enforce your plan
• To process payments and prevent fraud
• To respond to your support requests
• To send essential account messages (login links, billing notices)
• To detect and prevent abuse (rate-limiting, ban evasion)
• To improve the Service through aggregated usage patterns — never individual content

We do not sell your data. We do not use your data for advertising.

Marketing communications. We may, with your prior opt-in consent, occasionally email you about new products or major updates. You can withdraw consent at any time using the unsubscribe link included in every such email, or by emailing hello@conelab.ai. Opting out of marketing does not affect essential service messages (login links, billing notices, security alerts, policy changes) — those are sent regardless of marketing preferences because they are necessary to operate your account.

4. Legal basis (EU/UK/Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your data under the following bases:

• Performance of contract — to deliver the Service you've subscribed to
• Legitimate interest — to detect abuse, prevent fraud, and improve the Service
• Consent — for optional features such as diagnostics
• Legal obligation — for tax records and regulatory compliance

5. Service providers

We share data with the following processors. Each is bound by a data processing agreement and receives only the data necessary to perform their function.

• Cloudflare, Inc. (USA) — hosting, network, edge compute, database storage (Cloudflare D1), and email routing for incoming mail
• Alibaba Cloud (US Virginia region) — speech-to-text processing for Cone Voice
• Creem (Armitage Labs OÜ, Estonia) — subscription billing, payment processing, and tax compliance (acts as our merchant of record). Their data processing agreement is available at creem.io/dpa.
• Resend (USA) — transactional email delivery, including the 6-digit verification codes used to sign in to Cone Voice. Because email is the sole authentication channel for the Service, the security of your email account is essential to protecting your Cone Voice account — see §3 of our Terms of Service for our recommendations.

Authentication and session management are handled by Better Auth, an open-source library running on our own Cloudflare infrastructure. Authentication data (your email address, generated account identifier, and session tokens) is stored in Cloudflare D1, a SQLite-compatible database hosted within Cloudflare's network. Better Auth is software running on our infrastructure — no third-party service processes your authentication data.

6. International transfers

The Service operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where required, we rely on Standard Contractual Clauses or equivalent safeguards approved by data protection authorities.

7. Data retention

• Account data — while your account is active, plus 30 days after deletion
• Subscription records — while your subscription is active, plus 24 months after cancellation, for accounting and dispute resolution. Full tax records and consumer-facing invoices are retained by our payment processor (Creem) as the merchant of record, in accordance with their applicable retention obligations.
• Usage data — 90 days, then aggregated and anonymized
• Audio data — not retained; discarded after processing, typically within seconds
• Server logs — 30 days

You can delete your account at any time from the app's settings or by emailing hello@conelab.ai. Account deletion removes your personal data within 30 days, except where retention is legally required.

8. Your rights

Depending on your jurisdiction, you have the following rights over your data:

• Access — receive a copy of the data we hold about you
• Correction — fix inaccurate data
• Deletion — request that we delete your data
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interest
• Withdrawal of consent — for processing based on consent
• Restriction — temporarily limit how we process your data
• Complaint — file a complaint with your local data protection authority

To exercise any of these rights, email hello@conelab.ai. We respond within 30 days.

California residents have additional rights under the CCPA, including the right to know what personal information we collect and to opt out of any sale of personal information. We do not sell personal information.

Automated decision making. We do not subject your data to automated decision making or profiling that produces legal effects on you or similarly significantly affects you, within the meaning of Article 22 of the GDPR. Operational mechanics such as quota enforcement, rate limiting, and abuse detection are not profiling and do not produce such effects.

9. Children

The Service is not intended for users under 13 (or 16 in the EU/UK). We do not knowingly collect data from children. If you believe a child has provided us data, contact hello@conelab.ai and we will delete it.

10. Security

We use industry-standard measures to protect your data, including TLS encryption in transit, encrypted storage at rest, and access controls. No system is perfectly secure; we cannot guarantee absolute security but treat security as a first-class concern.

11. Changes to this policy

We may update this policy. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

12. Contact

For any questions about this policy or your data, email hello@conelab.ai.