Privacy Notice
How Deep Voice AI Limited processes personal data in connection with the bridge.deepvoiceai.co website, the DVAI Bridge Contributor Licence Agreement, the DVAI Bridge licence-generator portal, and DVAI Bridge Commercial Licences. Version 1.0 — effective 15 May 2026.
What this notice covers (and doesn't). This Privacy Notice covers personal data processing relating to DVAI Bridge — website visitors at bridge.deepvoiceai.co, contributors signing the Contributor Licence Agreement, users of the licence-generator portal, and parties to a DVAI Bridge Commercial Licence. Processing relating to Deep Voice AI's other services (including the AI Business Agent service for our enterprise Clients) is covered by the Deep Voice AI Privacy Policy, not by this notice.
1. Who we are
This website and the DVAI Bridge project are operated by Deep Voice AI Limited ("DVAI", "we", "us", "our"), a company incorporated in England and Wales with registered number 16743132 and registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
For all processing described in this Privacy Notice, DVAI is the data controller under UK GDPR and (where applicable) EU GDPR.
For data-protection enquiries, contact:
- Email: info@deepvoiceai.co (please mark your message "Data Protection" so we can route it to the right person)
- Postal: Data Protection, Deep Voice AI Limited, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
We have not appointed a statutory Data Protection Officer because we are not required to under Article 37 UK GDPR. Data-protection enquiries are handled by Deep Voice AI Limited internally. Where we are required to maintain an EU representative under Article 27 EU GDPR, details will be published on this page once appointed.
2. What personal data we process, why, and on what lawful basis
We process different categories of personal data depending on how you interact with DVAI Bridge. The sections below set out, for each interaction, the data we process, our purposes, and our lawful basis under Article 6 UK GDPR.
2.1 Website visitors
Categories of data we process: IP address, device and browser information (user agent), pages visited, timestamps, referring URL, country derived from IP address. We do not use third-party advertising cookies and do not build cross-site profiles of visitors.
Purposes: operating the website, ensuring its security and availability, detecting and preventing abuse, producing aggregate analytics about how the website is used.
Lawful basis: Article 6(1)(f) UK GDPR — our legitimate interests in operating, securing, and improving the website. We have balanced these interests against your interests, rights, and freedoms and consider the processing proportionate.
2.2 Licence-generator portal users
Categories of data we process: name, company name, email address, intended use of DVAI Bridge, audience domains, selected platform(s) (iOS / Android / Web), IP address, timestamp of submission, the licence generated, and any subsequent correspondence with you about that licence.
Purposes: issuing a DVAI Bridge Community Licence or initiating discussion of a DVAI Bridge Commercial Licence as you have requested; verifying the accuracy of the information you have provided; maintaining an audit record of licence issuance for the integrity of the dual-licensing model; defending DVAI Bridge and its licensees against any subsequent claim relating to a licence.
Lawful basis: Article 6(1)(b) UK GDPR — performance of a contract to which you are party (or steps taken at your request prior to entering into a contract) for the issuance of a DVAI Bridge licence. For the audit-trail and defence-of-claim purposes, additionally Article 6(1)(f) — our legitimate interests in maintaining accurate, auditable records of licence issuance.
2.3 Contributor Licence Agreement signers (Individual)
Categories of data we process: name, GitHub username, email address, IP address recorded at the time of signature, timestamp of signature, the version of the CLA signed, contributions you make to DVAI Bridge and metadata about those contributions (pull-request identifiers, commit identifiers, dates).
Purposes: identifying you as the licensor of your Contributions; maintaining the audit trail required to evidence the licence grant under the CLA; managing the contribution workflow on GitHub; defending DVAI Bridge and its licensees against any subsequent third-party claim relating to a Contribution.
Lawful basis: Article 6(1)(b) UK GDPR — performance of the Contributor Licence Agreement to which you are party. For the audit-trail and defence-of-claim purposes, additionally Article 6(1)(f) — our legitimate interests in maintaining accurate, auditable records of contribution licensing.
2.4 Contributor Licence Agreement signers (Corporate)
Categories of data we process: corporation name and registered address, name and title of the authorised signatory, email address of the authorised signatory, date and method of signature, the version of the CLA signed, names, GitHub usernames, and email addresses of the Employees identified in the Schedule, dates of addition and removal of Employees from the Schedule, and metadata about Contributions made by those Employees.
Purposes: as in section 2.3, applied to the Corporation and its identified Employees.
Lawful basis: Article 6(1)(b) — performance of the Corporate Contributor Licence Agreement. For the audit-trail and defence-of-claim purposes, additionally Article 6(1)(f) — our legitimate interests in maintaining accurate, auditable records of contribution licensing.
2.5 DVAI Bridge Commercial Licensees
Categories of data we process: company name and registered address, contact name, role, email address, telephone number where provided, the agreed scope and terms of the Commercial Licence, billing and payment information (handled through our payment processor — we do not store full card details), and ongoing correspondence relating to the Commercial Licence.
Purposes: negotiating, entering into, performing, and administering the Commercial Licence; invoicing, payment processing, and credit control; supporting you in your use of DVAI Bridge under the Commercial Licence; complying with our legal obligations (including tax and accounting); defending or pursuing legal claims.
Lawful basis: Article 6(1)(b) — performance of the Commercial Licence; Article 6(1)(c) — compliance with legal obligations (including tax and accounting); Article 6(1)(f) — our legitimate interests in administering the contract, defending claims, and credit control.
2.6 Communications with us
Categories of data we process: any personal data contained in your communication with us — typically name, email address, the contents of the communication, and any attachments you choose to send.
Purposes: responding to your enquiry, support request, complaint, or other communication; maintaining a record of correspondence; improving our services and documentation.
Lawful basis: Article 6(1)(f) — our legitimate interests in responding to enquiries and maintaining a record of correspondence.
2.7 Marketing communications (where you opt in)
We send marketing communications (product updates, community announcements) only to recipients who have actively opted in by ticking a separate optional consent checkbox at the point of CLA signature, licence generation, or via subscription on this website.
Lawful basis: Article 6(1)(a) — your consent. You can withdraw consent at any time using the unsubscribe link in any marketing email or by emailing info@deepvoiceai.co. Withdrawal of marketing consent does not affect any other processing described in this Privacy Notice.
3. How we collect personal data
We collect personal data:
- Directly from you — when you visit the website, complete the licence-generator form, sign the CLA via the CLA Assistant flow, execute a Corporate CLA, enter into a Commercial Licence, or otherwise communicate with us.
- Automatically through your use of the website — IP address, device and browser information, pages visited, referrer, derived country.
- From GitHub — where you authenticate with GitHub to sign the Individual CLA, GitHub provides us your username, email address (if public on your GitHub profile), and the identity of your contributions to the DVAI Bridge repositories.
- Through our CLA workflow running in GitHub Actions — when you sign the Individual CLA by posting the prescribed comment on your pull request, our automated workflow records the data described in section 2.3 at the point of signature into a signatures file stored on a dedicated branch (
cla-signatures) of thedvai-global/dvai-bridgerepository. - From our payment processor — where you are a Commercial Licensee, our payment processor provides us with confirmation of payment, last four digits of the payment card, and similar metadata, but not full card details.
4. Recipients and data processors
We disclose personal data only to the following recipients and only to the extent necessary for the purposes described in this Privacy Notice.
Our data processors (acting on our documented instructions):
- GitHub, Inc. — a US company and wholly-owned subsidiary of Microsoft Corporation, for the hosting of the DVAI Bridge source code repositories, operation of the pull-request workflow, execution of our CLA workflow within GitHub Actions, and storage of the CLA signatures file on a dedicated branch of the
dvai-global/dvai-bridgerepository. - Hosting provider — Akamai Technologies, Inc. (US), operating the Linode cloud infrastructure, for the hosting of the
bridge.deepvoiceai.cowebsite. - Payment processor — where you are a Commercial Licensee.
- Email service providers — for transactional and (where you have opted in) marketing communications.
All of our processors operate under written data-processing agreements that meet the requirements of Article 28 UK GDPR.
Other recipients (acting as independent controllers):
- Professional advisers — including our solicitors, accountants, auditors, and insurers, where necessary for the purposes described in this Privacy Notice.
- Regulators and authorities — where required by law (for example, in response to a lawful request from HMRC, the Information Commissioner's Office, or a court order).
- Successors in title — in the event of a corporate transaction (merger, acquisition, sale of business assets), personal data may be disclosed to the prospective or actual buyer subject to appropriate confidentiality and data-protection obligations.
We do not sell personal data and we do not share personal data with third parties for their own marketing purposes.
5. International transfers
Some of our processors and recipients are located outside the United Kingdom. Where we transfer personal data outside the UK, we rely on one or more of the following safeguards under UK GDPR:
- UK Government adequacy decisions — for transfers to countries that the UK Government has determined provide an adequate level of data protection (including the EEA countries).
- UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, plus, where reasonably available, supplementary technical and organisational measures, for transfers to countries without an adequacy decision (including the United States).
- Article 49 derogations — only in limited circumstances and for non-routine transfers.
The principal country to which we transfer personal data is the United States, in respect of our use of GitHub, Inc. (source-code hosting and CLA workflow infrastructure) and Akamai Technologies, Inc. (Linode cloud infrastructure hosting the bridge.deepvoiceai.co website).
You can request a copy of the safeguards in place for any specific transfer by emailing info@deepvoiceai.co.
6. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, subject to the periods below.
| Category of data | Retention period |
|---|---|
| Website analytics (aggregated) | Up to 25 months |
| Website logs (IP addresses, request data) | Up to 12 months |
| Licence-generator portal submissions | For the lifetime of DVAI Bridge as a project, and not less than 10 years after the relevant licence ceases to be in force |
| Individual CLA signatures and audit trail | For the lifetime of DVAI Bridge as a project, and not less than 10 years after the last update to the CLA text |
| Corporate CLA executed copies and Schedules | As above |
| Commercial Licence contracts and records | For the duration of the contract plus 7 years (UK statutory limitation and tax record-keeping requirements) |
| Correspondence relating to support, enquiries, complaints | Up to 3 years from the close of the correspondence |
| Marketing-consent records and preferences | For as long as the consent remains in force and for 12 months after withdrawal of consent, as proof of withdrawal |
These retention periods reflect the long lifecycle of the DVAI Bridge project and the need to maintain a complete audit trail of who has licensed what, both for the protection of DVAI Bridge and for the protection of its users and licensees. At the end of the applicable retention period we delete or anonymise the relevant personal data.
7. Your rights under UK GDPR
You have the following rights in respect of personal data we hold about you:
- Right of access (Article 15) — to request a copy of the personal data we hold about you, together with information about how we process it.
- Right to rectification (Article 16) — to request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17) — to request deletion of your personal data in certain circumstances. This right is subject to our overriding need to retain personal data for the establishment, exercise, or defence of legal claims (Article 17(3)(e)) — in particular, the CLA audit trail and Commercial Licence records described in section 6 — and other applicable exceptions.
- Right to restriction (Article 18) — to request that we restrict processing in certain circumstances.
- Right to data portability (Article 20) — to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller, where the processing is based on consent or contract and is carried out by automated means.
- Right to object (Article 21) — to object to processing based on legitimate interests, including processing for direct marketing purposes. Where you object to processing for direct marketing we will cease that processing without exception. Where you object to processing based on other legitimate interests, we will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.
- Right to withdraw consent (Article 7) — where processing is based on your consent (currently, marketing communications only), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint — with the Information Commissioner's Office (the UK supervisory authority) at ico.org.uk, or with the supervisory authority of your country of residence if you are based in the EEA.
You may exercise any of these rights by emailing info@deepvoiceai.co. We will respond within one month of receipt of your request, extendable by up to two months for complex requests under Article 12(3) UK GDPR. We do not charge for responding to rights requests unless they are manifestly unfounded or excessive.
We will need to verify your identity before responding to a rights request. We will request the minimum information necessary to do so.
8. Automated decision-making
We do not carry out any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 UK GDPR.
The licence-generator portal may apply automated rules to your submission (for example, to determine whether your stated use case falls within the Community Licence or requires a Commercial Licence). Any such automated processing is informational and does not produce legal or similarly significant effects — a Commercial Licence is only entered into through a separate written contract signed by you and us.
9. Cookies and similar technologies
We do not currently set cookies on this website, and we do not use Google Analytics or any other third-party analytics service.
Our web servers and our hosting processors maintain limited operational logs as described in section 2.1 (Website visitors). These logs are necessary for the security, availability, and abuse-prevention of the website. They are not used to track individuals across visits or sessions and are deleted in line with the retention periods set out in section 6.
If we introduce cookies or similar technologies in the future, or if we add a third-party analytics service, we will update this Privacy Notice and — where required by the Privacy and Electronic Communications Regulations (PECR) — present a cookie-consent banner before setting any non-essential cookies.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (HTTPS / TLS) for all communications with the website and the CLA Assistant flow.
- Encryption at rest for data stored in our hosting infrastructure and processor systems.
- Role-based access controls limiting access to personal data to authorised personnel.
- Logging and monitoring of access and unusual activity.
- Periodic review of our processors' security practices under our data-processing agreements.
- Staff training on data protection.
No system can be guaranteed to be entirely secure. If we become aware of a personal-data breach affecting your data we will notify you and the Information Commissioner's Office as required by Articles 33 and 34 UK GDPR.
11. Children
DVAI Bridge is a developer tool intended for use by professional and adult users. The website is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact info@deepvoiceai.co and we will delete it.
12. Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our processing, the law, or guidance from supervisory authorities. The version number and effective date at the top of this page identify the current version.
Material changes to lawful bases, recipients, international transfers, or retention periods will be notified to known data subjects (where reasonably practicable) and announced on this website at least 30 days in advance of taking effect.
Minor clarifications and corrections do not require advance notice.
Archived prior versions are available on request from info@deepvoiceai.co.
13. Contact and complaints
For any questions about this Privacy Notice, to exercise your rights, or to raise a complaint:
- Email: info@deepvoiceai.co
- Postal: Data Protection, Deep Voice AI Limited, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Postal: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you are based in the European Economic Area you also have the right to lodge a complaint with the supervisory authority of your country of residence.
Version 1.0 · Effective 15 May 2026 · Deep Voice AI Limited · Company No. 16743132, registered in England and Wales · Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ.