Privacy Policy

Entity: 1534583 B.C. LTD. d/b/a "JVO" ("JVO," "we," "us," "our")
Contact: hi@jvo.io

This Privacy Policy explains how JVO collects, uses, discloses, and protects personal information when you access our websites, apps, APIs, and tools that generate or process AI-based lip-sync videos, images, and other content (the "Services").

By using the Services, you acknowledge that you have read this Policy. If you do not agree, please do not use the Services.

1) Scope, Roles & Applicability

Scope. This Policy applies to personal information we process about visitors, account holders, organizational customers, and end users whose content is uploaded to the Services.

Controller vs. Processor.

Jurisdictions. We describe rights under British Columbia PIPA, Canada's PIPEDA, EU/UK GDPR, and certain U.S. state privacy laws (e.g., California CPRA). Additional local rights may also apply.

2) Information We Collect

A. Information You Provide

Account & Profile: name, email, password, organization/role, preferences, and communications with us.

Payment: billing address and limited payment details (processed by our PCI-compliant payment processor; we do not store full card numbers).

User Content: videos, images, audio, prompts, text, captions, project names, and any metadata you upload (e.g., timestamps, camera settings).

Likeness/Voice Materials: content depicting an identifiable person (including you) and any permissions you supply (e.g., model releases or parental/guardian consents).

Support & Safety: reports of abuse, consent documentation, takedown notices, and correspondence.

B. Information Collected Automatically

Usage & Log Data: IP address, device/OS/browser type, app version, pages viewed, referring/exit pages, timestamps, crash logs, API usage metrics, feature toggles, and diagnostics.

Cookies/Similar Technologies: cookies, local storage, and SDKs for authentication, session integrity, analytics, and (if enabled) marketing measurement. See §10 Cookies.

C. Information from Third Parties

Single Sign-On/Integrations: if you connect third-party accounts (e.g., storage or editing tools), we receive data that service shares per its settings.

Vendors: fraud prevention, analytics, payment processors, and Third-Party AI model providers may send back technical results (e.g., job IDs, moderation flags).

Public/Shared Sources: public posts or materials you or collaborators choose to import.

D. Special Notes on Face/Voice Data and "Biometrics"

3) How We Use Information (Purposes & Legal Bases)

A. Provide and Improve the Services

Operate accounts, authenticate users, process uploads, generate content, deliver outputs, maintain infrastructure, and provide support.

Legal bases (GDPR/UK GDPR): Contract (Art. 6(1)(b)), Legitimate Interests (reliable, secure operation), and Consent where required (e.g., cookies, certain marketing).

B. Safety, Security & Integrity

Detect/prevent abuse, fraud, malware, non-consensual or unlawful synthetic media (including CSAM reporting to NCMEC), and violations of our Terms.

Debugging, monitoring, incident response, enforcing rights, and protecting users and the public.

Legal bases: Legitimate Interests, Legal Obligation, and, where required, Public Interest.

C. Business Operations

Billing, accounting, service announcements, and changes to terms/policies.

Analytics to understand product performance (typically in aggregated or de-identified form).

Legal bases: Legitimate Interests, Legal Obligation.

D. Research & Model Improvement (Your Choice)

E. Marketing (Optional)

With your consent where required, we may send product updates and educational content. You can unsubscribe at any time.

4) Disclosure of Information

We disclose personal information only as described below:

Service Providers/Processors: cloud hosting, storage/CDN, analytics, logging, crash reporting, email delivery, customer support, payment processing, fraud prevention, and Third-Party AI model providers who transform your content per your request.

Enterprise Customers: if you use an organization account, admins may access project/workspace data.

Legal, Safety & Rights: to comply with law, court orders, lawful requests; to enforce our Terms; to protect users or the public (e.g., reports of CSAM or imminent harm).

Business Transfers: in mergers, acquisitions, financings, or similar transactions, data may be transferred subject to ongoing protections.

With Your Direction: sharing or publishing Outputs per your settings, embedding on third-party platforms, or integrating with external tools you select.

5) International Data Transfers

We are based in British Columbia, Canada and may process information in Canada, the U.S., the EU/UK, and other countries. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses (SCCs) and, if applicable, UK Addendum) and conduct transfer assessments. Copies of relevant SCCs can be made available to enterprise customers under NDA.

6) Your Choices

Account & Profile: You may update certain details in your account settings.

Content Controls: You may upload, edit, or delete User Content/Outputs within the product (subject to §8 Retention and backups).

Training Opt-In: You can opt in/out of model improvement use at any time (opt-out applies prospectively).

Communications: Unsubscribe links are included in non-transactional emails.

Cookies: Manage preferences via our cookie banner or your browser settings; see §10 Cookies.

7) Your Privacy Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, restrict, or object to processing; and to withdraw consent where processing is based on consent.

How to Exercise: Email hi@jvo.io with "Privacy Request" and specify your request. We will verify your identity (and authority if you are an agent) and respond within timelines required by law.

Appeals (U.S. states that require it): If we deny your request, you may appeal by replying to our decision with "Appeal," and we will review and respond within the applicable statutory period.

Complaints: You may lodge a complaint with your local data protection authority. In B.C., contact the Office of the Information and Privacy Commissioner (OIPC); in Canada, the Office of the Privacy Commissioner (OPC); in the EU/UK, your competent supervisory authority.

We will not discriminate against you for exercising rights.

8) Retention & Deletion

We retain personal information only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical periods:

Account Data: retained for the life of the account plus up to 24 months (for records, auditing, fraud prevention, and legal claims).

User Content/Outputs (workspace storage): retained until you delete them or your account is closed, subject to enterprise contract terms.

Processing Artifacts (e.g., face/voice embeddings, intermediate files): retained ephemerally for processing and troubleshooting, then deleted, typically within 7–30 days, unless a longer period is legally required or reasonably necessary for abuse investigations.

Backups/Logs: may persist for an additional 30–90 days (access strictly limited).

When deletion is requested or executed, data may persist in backups until their scheduled purge; we will isolate such data from active use.

9) Security

We use reasonable administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls, environment segregation, and monitoring. No system is perfectly secure; you are responsible for maintaining the security of your devices, credentials, and third-party accounts integrated with the Services. We will notify you of a data breach where required by law.

10) Cookies & Similar Technologies

We use:

Strictly Necessary Cookies (authentication, session management, fraud prevention).

Functional/Analytics (product metrics, crash and performance logs, de-identified usage analytics).

Marketing Measurement (only if enabled and with consent where required).

You can manage preferences via our website banner or your browser. Blocking cookies may impair functionality. We currently do not respond to "Do Not Track" signals. If we ever "sell" or "share" personal information under CPRA, we will honor Global Privacy Control (GPC) signals for opt-outs.

11) Children & Minors

The Services are not directed to children and may not be used by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us at hi@jvo.io and we will delete it. Absolutely no sexualized content involving minors is permitted.

12) Synthetic Media, Likeness & Consent

You are responsible for ensuring you have all necessary rights and consents to upload media and to create and distribute synthetic content (including lip-sync and voice transformations). Where required by law or platform policy, you must disclose that content is synthetic or materially edited. We may request proof of consent and may remove content or suspend accounts for violations.

13) Third-Party Model Providers & Integrations

To provide requested features, we may send your content to Third-Party AI model providers and infrastructure partners. We select providers that agree to appropriate confidentiality and security commitments and prohibit them from using your content for their own training unless you or we explicitly consent under a separate agreement. Some providers may process data in other countries (see §5 Transfers). A current list or description of categories of subprocessors is available upon request; enterprise customers may receive prior notice of material changes per our DPA.

14) Enterprise Processing & DPA

For enterprise customers, JVO offers a Data Processing Addendum (including SCCs where applicable). The DPA governs processing on your instructions, subject to security measures, audit rights (where applicable), and deletion/return of data at termination.

15) Law Enforcement & Legal Requests

We may preserve and disclose information in response to valid legal processes, subject to applicable law. Where permitted, we will provide advance notice to affected customers before producing their information. We report CSAM to NCMEC and may report imminent threats to safety to appropriate authorities.

16) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email or in-product notice and update the "Effective Date." Your continued use of the Services after the effective date constitutes acceptance.

17) How to Contact Us

18) California Notice at Collection (CPRA) & State-Specific Disclosures

Categories Collected (last 12 months):

Identifiers (e.g., name, email, IP address, account ID)
Customer Records (billing address, transaction history)
Commercial Information (purchases, subscription tier)
Internet/Network Activity (usage logs, device data)
Audio/Visual Content (User Content/Outputs)
Professional/Employment Info (if provided in enterprise context)
Inferences (limited product analytics, not for profiling individuals)

Sources: You; your devices/browsers; enterprise admins; service providers and model providers; integrations you connect.

Business/Commercial Purposes: As described in §3.

"Sale"/"Sharing": We do not sell and do not share personal information for cross-context behavioral advertising.

Sensitive Personal Information: We do not use or disclose SPI to infer characteristics beyond what is necessary to provide the Services (e.g., authentication or security).

Rights: Access, delete, correct, portability, limit SPI (where applicable), and opt-out rights (if sale/share begins). Submit requests at hi@jvo.io. Authorized agents may act on your behalf with proof of authority. We do not retaliate for exercising rights.

Colorado/Connecticut/Virginia/Utah, etc.: You may have similar rights; submit requests at hi@jvo.io. Appeals are available as noted in §7.

19) Definitions (Selected)

Personal Information / Personal Data: Information that identifies, relates to, describes, or could reasonably be linked to an individual.

Processor/Service Provider: An entity that processes personal information on behalf of a controller/business.

De-identified Data: Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, provided we maintain and use it in de-identified form.

Short Summary (Non-binding)