Privacy Policy
Last updated: 27 March 2026
1. Who We Are
Cpycat Ltd ("Cpycat", "we", "us") is an AI clone creation platform registered in the United Kingdom. We are the data controller for the personal data processed through cpycat.com.
Contact: privacy@cpycat.com
2. What Data We Collect
2.1 Account Data
Email address, display name, username, date of birth — provided during clone creation or waitlist signup.
2.2 Biometric Data (Special Category — Article 9 UK GDPR)
We collect the following biometric data with your explicit consent:
- Face photographs — captured via face scan or uploaded manually. Used to create your visual clone identity.
- Voice recordings — a 30-second voice sample recorded through your browser. Used to create a voice clone via Fish Speech AI.
This data is classified as biometric data under UK GDPR Article 9. We process it solely on the basis of your explicit consent, obtained before any capture begins.
2.3 Personality Data
Writing samples, AI conversation transcripts, personality questionnaire answers — used to train your clone's personality model via the Anthropic Claude API.
2.4 Optional Data
Place of birth, height, weight, zodiac information — provided optionally to enrich your clone's personality.
2.5 Technical Data
IP address, browser type, device information, cookies — collected automatically for security and analytics.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Create your AI clone (face, voice, personality) | Explicit consent (Art. 9(2)(a)) |
| Provide the Cpycat platform service | Contract performance (Art. 6(1)(b)) |
| Process payments | Contract performance (Art. 6(1)(b)) |
| Send service notifications | Legitimate interest (Art. 6(1)(f)) |
| Improve our service and analytics | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Data Processors
We share your data with the following processors, all under appropriate data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (PostgreSQL) | Database & file storage | All clone data | EU (AWS Frankfurt) |
| Fish Speech / Fish Audio | Voice cloning & TTS | Voice recordings | US |
| Anthropic (Claude API) | Personality analysis & chat | Writing samples, personality data | US |
| Vercel | Website hosting | Technical data | US (Edge) |
| Stripe | Payment processing | Payment details | US/EU |
Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions.
5. Data Retention
- Clone data (photos, voice, personality): retained while your account is active. Deleted within 30 days of account deletion or clone deletion request.
- Account data: retained while your account is active, then 6 months after deletion for legal compliance.
- Payment records: retained for 7 years per UK tax law.
- Waitlist data: retained until launch, then migrated to account data or deleted.
6. Your Rights (UK GDPR)
You have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data
- Erase your data ("right to be forgotten") — including all biometric data
- Restrict processing
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal)
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any right, email privacy@cpycat.com or visit Settings → Account & Privacy. We will respond within 30 days.
Self-service: You can export all your data or delete your account instantly from your Account Settings page. Account deletion removes all data within seconds. Payment records are retained for 7 years per UK tax law.
7. Biometric Data — Specific Protections
Given the sensitive nature of biometric data:
- We obtain explicit, informed, and freely-given consent before any biometric capture
- Consent is granular — you can consent to face photos but decline voice recording
- You can withdraw consent and request deletion at any time
- Biometric data is encrypted at rest and in transit
- Access to biometric data is restricted to essential processing only
- We conduct Data Protection Impact Assessments (DPIAs) for biometric processing
8. Cookies
We use essential cookies only:
- Session cookies — to maintain your logged-in state
- Preference cookies — to remember your settings (e.g., cookie consent choice)
- Analytics cookies — PostHog (GDPR-compliant, no personal data tracking without consent)
No advertising or third-party tracking cookies are used.
9. Security
We implement appropriate technical and organisational measures including: encryption in transit (TLS 1.3), encryption at rest, access controls, audit logging, and regular security reviews.
10. Children
Cpycat is not intended for users under 18. We do not knowingly collect data from minors. If we discover we have collected data from a minor, we will delete it immediately.
11. Changes to This Policy
We will notify you of material changes via email or in-app notification at least 14 days before they take effect.
12. Contact
Data Controller: Cpycat Ltd
Email: privacy@cpycat.com
ICO Registration: Pending