Skip to main content
Nestbitt
All legal documents

Privacy Policy

Version 1.0 · Effective May 27, 2026

How Nestbitt Inc. collects, uses, shares, and protects your personal information — including voice and biometric data — and the rights you have under Canada's PIPEDA, Quebec's Law 25, the EU/UK GDPR, and the CCPA/CPRA.

This Privacy Policy explains how Nestbitt Inc. ("Nestbitt", "we", "our", or "us") collects, uses, discloses, and protects personal information when you use our websites, applications, and related services (the "Service"). It is designed to meet our obligations under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, the EU and UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

The data controller (and, under Quebec law, the enterprise responsible for personal information) is Nestbitt Inc., located at Suite C, 16644 - 71 St, Edmonton, AB. T5Z 0N5, Canada. You can reach our privacy contact at privacy@nestbitt.com.

Information We Collect

We collect the categories of personal information below. The amount we hold depends on the features you use; voice and biometric data is only collected if you choose to use voice-cloning features.

Categories of personal information we collect
CategoryExamplesSource
Account informationName, username, email address, password (hashed), planYou, when you register
Usage and technical dataIP address, device and browser type, log and event data, feature usage, approximate locationAutomatically, via the Service and cookies
Voice and biometric dataVoice samples, derived voiceprints, and trained Voice ModelsYou, when you use voice-cloning features
User contentPrompts, lyrics, uploaded audio, generated music, commentsYou, when you create or upload content
Payment dataBilling details and transaction records processed by StripeYou, via our payment processor (we do not store full card numbers)
CommunicationsSupport requests, feedback, survey responsesYou, when you contact us

Biometric and Voiceprint Data

We require explicit consent before collecting biometric data

Voice samples, derived voiceprints, and Voice Models are sensitive biometric data. We collect and process them only with your explicit, informed, opt-in consent, only for the voice-cloning features you choose to use, and never to identify you for any other purpose. You can withdraw consent and delete your Voice Models at any time.

Under the GDPR, biometric data processed to uniquely identify a person is a special category of data under Article 9, and we rely on your explicit consent (Article 9(2)(a)) as the basis for processing it. We apply heightened safeguards, including access controls and encryption, to this data.

Quebec Law 25 — biometric notice to the CAI

Quebec's Law 25 requires advance notice to the Commission d'accès à l'information (CAI) before a biometric system is put into service. Where we operate a biometric system that brings us within scope, we provide that notice to the CAI at least 60 days before bringing the system into service, as required, in addition to obtaining your express consent.

We retain voice samples, voiceprints, and Voice Models only as long as needed to provide the feature and as set out in Data Retention. When you delete a Voice Model, or withdraw consent, we delete the associated voiceprint and samples (and instruct our processors to do the same), subject only to limited retention required by law.

Legal Bases for Processing

Where the GDPR applies, we process personal information on the following bases under Articles 6 and 9:

  • Contract (Art. 6(1)(b)) — to provide the Service you have requested, including your Account and Subscription.
  • Legitimate interests (Art. 6(1)(f)) — to secure, maintain, and improve the Service and prevent fraud and abuse, balanced against your rights.
  • Consent (Art. 6(1)(a), and Art. 9(2)(a) for biometric data) — for voice and biometric processing, optional analytics and marketing cookies, and any AI training on identifiable data.
  • Legal obligation (Art. 6(1)(c)) — to comply with law, including tax, accounting, and lawful requests.

Under PIPEDA and Quebec Law 25, we rely on your consent (express where the information is sensitive) and on the limited statutory exceptions those laws permit. You may withdraw consent at any time, subject to legal or contractual restrictions, as described in Your Rights.

How We Use Your Information

  • Provide, operate, and maintain the Service, including generating music and Voice Models you request.
  • Authenticate you, secure your Account, and prevent fraud and abuse.
  • Process payments and manage Subscriptions through our payment processor.
  • Personalize features, provide recommendations, and remember your preferences.
  • Communicate with you about your Account, support requests, and service changes.
  • Comply with legal obligations and enforce our Terms of Service.

AI training uses only consented or anonymized data

We do not train our AI models on your identifiable User Content, voice samples, or Voice Models unless you have given specific consent. Any model improvement that does not rely on your consent uses data that has been effectively anonymized so it no longer identifies you.

Automated Decision-Making

We use automated processing for certain features, such as content recommendations and automated content moderation that flags potentially policy-violating material. These tools support, but do not solely determine, decisions that have legal or similarly significant effects on you.

Where the GDPR (Article 22) or Quebec Law 25 applies, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, the right to be informed of such processing, and the right to request human review, to express your point of view, and to contest the outcome. To exercise this right, contact privacy@nestbitt.com.

How We Share Information

We do not sell your personal information

We do not sell your personal information, and we do not share it for cross-context behavioural advertising. See the California Privacy Rights section for how this is described under the CCPA/CPRA.

We share personal information only as described here:

  • Service providers — Cloud hosting and storage, our payment processor (Stripe), email delivery, and analytics providers, who process data on our behalf.
  • Legal and safety — Where required by law, to respond to lawful requests, or to protect the rights, safety, and security of users, the public, or Nestbitt.
  • Business transfers — In connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • With your direction — When you choose to make Content public or share it.

We engage service providers under written Data Processing Agreements that meet GDPR Article 28 (and equivalent Canadian and Quebec contractual safeguards), requiring them to process personal information only on our instructions, to keep it confidential, and to apply appropriate security measures.

International Data Transfers

We and our service providers may process personal information in countries other than where you live, including Canada, the United States, and the European Economic Area. Where we transfer personal information out of the EEA, the UK, or Canada to a country without an adequacy decision, we rely on appropriate safeguards, principally the Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK International Data Transfer Addendum where applicable), together with supplementary measures where needed. You may request information about these safeguards using the contact details below.

Data Retention

We keep personal information only as long as necessary for the purposes described in this Policy, or as required by law, after which we delete or anonymize it.

Indicative retention periods
Data categoryRetention period
Account informationFor the life of your Account, then deleted within 90 days of closure
Voice samples, voiceprints, and Voice ModelsUntil you delete the Voice Model or withdraw consent, then deleted promptly
User content and generated OutputUntil you delete it or close your Account (residual backups expire within 30 days)
Usage and technical logsUp to 24 months, then deleted or aggregated
Payment and transaction recordsAs required by tax and accounting law (typically up to 7 years)
Support communicationsUp to 36 months after the matter is resolved

Your Privacy Rights

Depending on where you live, you have rights over your personal information. To exercise any right, contact privacy@nestbitt.com. We will respond within the timeframe required by applicable law and may need to verify your identity first. We will not discriminate against you for exercising your rights.

PIPEDA and Quebec Law 25 (Canada)

  • Access — Request access to the personal information we hold about you.
  • Correction — Request correction of inaccurate or incomplete information.
  • Withdrawal of consent — Withdraw consent to processing at any time, subject to legal or contractual limits.
  • Data portability (Law 25) — Request, where technically feasible, a copy of computerized personal information you provided to us in a structured, commonly used technological format.
  • De-indexing and right to be forgotten (Law 25) — Request that we cease disseminating personal information or de-index a link where the conditions of the law are met.

GDPR (EU / UK)

  • Access to your personal data and information about how it is processed.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") in the circumstances the GDPR provides.
  • Restriction of processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where feasible.
  • Objection to processing based on legitimate interests, and to direct marketing at any time.
  • Complaint — lodge a complaint with your local supervisory authority.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

  • Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
  • Right to delete personal information we have collected from you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of.
  • Right to limit the use of sensitive personal information to what is necessary to provide the Service.
  • Right to non-discrimination for exercising any of these rights.

You may submit a request, including through an authorized agent, by contacting privacy@nestbitt.com. We will verify and respond as required by the CCPA/CPRA.

Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Voice cloning, biometric, and voice-likeness features are restricted to users who are at least 18, or who have verified parental or guardian consent. If we learn that we have collected personal information from a child without the required consent, we will delete it promptly. Parents or guardians who believe a child has provided us information may contact privacy@nestbitt.com.

Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, hashed credentials, and monitoring. Biometric data receives heightened protection. No method of transmission or storage is perfectly secure, but we work to protect your information and will notify you and the relevant authorities of a breach where the law requires.

Cookies and Similar Technologies

We use cookies and similar technologies to operate, secure, personalize, and measure the Service. For details on the specific cookies we use and how to control them, see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the version and effective date shown for this document and, where appropriate, provide additional notice. Please review this page periodically.

Contact Us and Complaints

For privacy questions or to exercise your rights, contact us:

  • By email: privacy@nestbitt.com
  • By mail: Nestbitt Inc., Suite C, 16644 - 71 St, Edmonton, AB. T5Z 0N5, Canada

If you are not satisfied with our response, you may also complain to a regulator: in Canada, the Office of the Privacy Commissioner of Canada (OPC), and for Quebec residents, the Commission d'accès à l'information (CAI); in the EU/EEA or UK, your local data-protection supervisory authority; and in California, the California Privacy Protection Agency or the Attorney General.

This document is provided for transparency and does not constitute legal advice. If a translated version conflicts with the English text, the English version governs.