Sabha

Privacy Policy

Last updated: 6 July 2026

1. Who we are

Sabha is operated by Starvox Labs Pvt Ltd (“Vyrel”, “we”). This policy explains what personal data we process, why, and your rights. It is designed to align with India’s Digital Personal Data Protection Act, 2023 (“DPDP”), the EU General Data Protection Regulation (“GDPR”) and the UK GDPR where they apply to you, and other applicable data-protection laws. For the purposes of DPDP, Starvox Labs Pvt Ltd is the Data Fiduciary for account data and a Data Processor acting on your instructions for the meeting content you bring to the Service. For the purposes of the GDPR / UK GDPR, we are the “controller” of account and billing data and a “processor” of that meeting content, which the meeting host controls.

2. Data we collect

Account data: name, email, hashed password (we never store passwords in plain text), and, for social login, the email and name your provider shares. Meeting data: when the AI participant is present — audio, video, shared documents, chat, transcripts, notes, and summaries. Billing data: processed by our payment processor (Razorpay); we do not store full card numbers. Technical data: IP address, device/browser information, and logs used for security, abuse prevention, and reliability.

3. How we use data

To provide and secure the Service; to generate transcripts, notes, summaries, and AI responses; to operate accounts and billing; to prevent fraud and abuse; to comply with law; and to communicate with you about the Service. We process meeting content to deliver the features you invoke. We do not sell your personal data, and we do not use your meeting content to train third-party foundation models.

4. Legal bases and consent

We process personal data where you have consented (including by accepting these terms and enabling the AI participant), where necessary to perform our contract with you, to comply with a legal obligation, or for our legitimate and lawful interests such as security and service improvement. Under the GDPR / UK GDPR these correspond to the Article 6(1) bases: consent (Art. 6(1)(a)), performance of a contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)). Where we rely on consent you may withdraw it at any time. You are responsible for obtaining consent from meeting participants for recording and AI processing as described in our Terms.

5. Sub-processors and international transfers

We share data with vetted providers strictly to operate the Service, including: AI model providers (for transcription, responses, and vision), our cloud/hosting provider (servers located in Mumbai, India), email delivery, and payments. Some providers may process data outside India. Where personal data of individuals in the EEA or UK is transferred outside those regions, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (with the UK Addendum) or an adequacy decision. A current list of sub-processors is available on request at privacy@gosabha.com.

6. Security

We apply industry-standard safeguards: encryption in transit (TLS/DTLS-SRTP for media), hashed credentials (scrypt), httpOnly/secure session cookies, access controls, rate limiting, and least-privilege server configuration. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security. In the event of a personal-data breach that is likely to result in harm, we will notify affected users and the Data Protection Board of India as required by DPDP, without undue delay.

7. Retention

We retain account data while your account is active and as needed for legal, accounting, and security purposes. Meeting content is retained until you delete it or your account, subject to short backup-retention windows. You may request deletion as below.

8. Your rights

Subject to applicable law, you may: access your personal data; correct, complete, or update it; erase or delete it; withdraw consent; and, under DPDP, nominate a representative. Where the GDPR / UK GDPR applies to you, you additionally have the right to restrict or object to processing, to data portability (a machine-readable copy of data you provided), and to lodge a complaint with your local supervisory authority (for example your national Data Protection Authority, or the UK Information Commissioner’s Office). To exercise any right or raise a grievance, contact our Grievance Officer / Data Protection contact at privacy@gosabha.com. We will respond within the timelines required by applicable law. You may also escalate to the Data Protection Board of India (for DPDP) or your supervisory authority (for the GDPR / UK GDPR).

9. Children

The Service is not directed to children under 18 without verifiable parental or institutional consent. Where the Service is used in an educational setting, the institution is responsible for obtaining any consent required for minors before enabling recording, transcription, or the AI participant.

10. Changes and contact

We may update this policy; material changes will be notified via the Service or email. Contact us at privacy@gosabha.com.

This policy is provided for the operation of the Service and should be reviewed by qualified legal counsel before commercial reliance in your jurisdiction.