Privacy Policy

01 Who we are

This policy applies to your use of MABA (ಮಾಭಾ), operated by CK Studio — a sole proprietorship registered in India, based in Coorg, Karnataka.

Under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act"), CK Studio is the Data Fiduciary for the personal data we process through MABA. You, the user, are the Data Principal.

If you have any privacy question or want to exercise your rights, contact our grievance officer — see §14.

02 What we collect

Here's everything we collect, grouped by type.

Account & identity

Content you give us

Payment

We do not store full card numbers, CVVs, or UPI PINs. Payment is processed by Razorpay — see §5.

Technical & usage data

• IP address (logged on each request)
• Device and browser (User-Agent string)
• Approximate location from IP (country / city level only)
• Pages visited, features used, timestamps
• Errors and crash reports

WhatsApp

If you use our WhatsApp bot, we receive the phone number you messaged from, the content of your messages to us, and metadata from the WhatsApp Business API. Standard WhatsApp rules apply to the messages you send us.

03 Why we collect it

We collect the things we do for specific, narrow purposes:

• To deliver the Service — process your videos, generate dubs, let you download results, respond to your messages.
• To bill you — charge your plan, send receipts, comply with tax law.
• To keep your account secure — log-in alerts, fraud detection, rate limiting.
• To communicate — service updates, billing notices, replies to your support requests. We will not send marketing emails without your opt-in.
• To improve the Service — aggregated, anonymised usage analytics (which features get used, which languages are popular, error rates). We do not train our own AI models on your content without explicit opt-in.
• To comply with the law — responding to lawful requests from Indian authorities, tax compliance, grievance redressal.

04 Legal basis

Under the DPDP Act, we process personal data on these grounds:

• Consent — for voice cloning (the most sensitive step). You consent during the dub flow before we produce a voice embedding.
• Performance of contract — for everything else needed to deliver the Service you signed up for (storage, processing, billing, delivery).
• Legitimate use (Section 7 of DPDP) — for security, fraud prevention, and legal compliance.

You can withdraw consent at any time — see §8 — though withdrawing consent for essential processing may mean we can't continue to provide the Service.

05 Who we share it with

MABA is a pipeline — the dub you get is produced by stitching together several specialised services. We share only what each provider needs, and only for the purpose of delivering your dub.

Who we do not share it with

• Advertisers. We don't sell your data. We don't have targeting pixels feeding ad networks.
• Data brokers. Never.
• AI training consortiums. Not without your explicit opt-in for specific datasets.

Legal requests

If Indian law requires us to share data — for example, a court order, a lawful request under Section 91 of the CrPC, or compliance with the IT Act — we will comply. We'll challenge overbroad requests where we reasonably can, and will notify you unless we're legally prohibited from doing so.

06 Cross-border transfers

Some of our processors (ElevenLabs, Google, Cloudflare) operate servers outside India. Under the DPDP Act, personal data can be transferred to any country not on the Central Government's restricted list. We use standard contractual safeguards with all our processors to protect your data during transit and at the destination.

If the government's restricted list changes in a way that affects our operations, we'll update this policy and notify you.

07 How long we keep it

We keep data only as long as we need it. Defaults:

Deletion means we overwrite the data, remove it from live databases, and purge it from backups within the next backup rotation cycle (typically 30 days).

08 Your rights under DPDP

As a Data Principal, you have these rights under the DPDP Act. We'll honour them within 30 days of a valid request.

• Right to access — request a summary of the personal data we hold about you and what we're doing with it.
• Right to correction and completion — fix incorrect data or complete incomplete data.
• Right to erasure — ask us to delete your data, subject to our legal obligations (e.g., tax records).
• Right to withdraw consent — withdraw consent you previously gave, including for voice cloning. We'll stop processing based on that consent. This doesn't undo processing already done lawfully.
• Right to grievance redressal — file a complaint with our grievance officer, and escalate to the Data Protection Board of India if you're not satisfied.
• Right to nominate — nominate another person to exercise your rights in the event of your death or incapacity.

How to exercise these rights

Email privacy@heymaba.com from the email address registered with your account. Include:

• Which right you're exercising;
• Your registered email and/or phone;
• Any specific details (e.g., "delete the dub titled XYZ" or "correct my name to …").

We'll respond within 30 days. If we need to extend, we'll tell you why.

09 Children

MABA is not intended for children under 18. Under the DPDP Act, processing a child's data requires the verifiable consent of a parent or lawful guardian, and we do not currently process such data.

If you believe a child has created an account or uploaded content without guardian consent, email privacy@heymaba.com and we'll delete the account and associated data.

10 Cookies & analytics

We use a small number of cookies and similar technologies:

• Essential cookies — log-in sessions, CSRF tokens, theme preference. These can't be disabled without breaking the site.
• Analytics — a self-hosted PostHog instance to count visits, funnel steps, and feature usage. No cross-site tracking. We respect the Do Not Track header.

We do not use third-party advertising cookies, tracking pixels, or retargeting tags.

You can clear cookies from your browser settings at any time. Doing so will log you out.

11 Security

We take reasonable technical and organisational measures to protect your data:

• Encryption in transit — TLS 1.3 for all requests between you and our servers, and between our servers and our processors.
• Encryption at rest — disk-level encryption on all servers hosting user data.
• Access control — only the minimum set of team members have production access. All access is logged. No one has casual read-access to user videos.
• Secrets management — API keys are stored in environment variables, not in code. Rotated regularly.
• Vulnerability monitoring — dependency scanning, OS security updates applied within 7 days of release.
• Backups — encrypted daily backups, retained 30 days.

No system is perfectly secure. If you discover a vulnerability, please report it to security@heymaba.com.

12 Data breach notification

If a personal data breach occurs that is likely to result in harm to you, we'll notify the Data Protection Board of India and affected users without undue delay, in the manner and within the timelines required by the DPDP Act and its rules.

13 Changes to this policy

We may update this Privacy Policy from time to time — for example, when we add a new processor, change retention periods, or respond to a change in law. When we do, we'll update the "Last updated" date at the top and, for material changes, notify you by email and in-app at least 14 days before the change takes effect.

14 Grievance officer & contact

Under Section 8(9) of the DPDP Act and Rule 3 of the IT Rules, 2021, here are our designated contacts.

This Privacy Policy works together with our Terms of Service and Refund Policy.