Privacy Policy

Effective Date: January 1, 2026

jchowlabs, LLC (“jchowlabs,” “Company,” “we,” “us,” or “our”) is a California single-member limited liability company that operates two related business lines:

• jchowlabs.com – an AI and security advisory practice focused on helping businesses accelerate their AI adoption and improve their security posture.
• jchowlabs.chat – an AI voice managed services provider focused on deploying and operating AI voice concierge services on business websites and telephony.

This Privacy Policy explains how we collect, use, disclose, and protect information when you access or use our websites, including:

• https://www.jchowlabs.com
• https://www.jchowlabs.chat
• Demonstration sites operated by jchowlabs, LLC

(collectively, the “Sites”).

Demonstration sites are operated by jchowlabs for illustrative purposes and are governed by this Privacy Policy. They do not represent real businesses and do not process real transactions. If you engage jchowlabs to build and operate a voice concierge on your own branded website, that client site is not covered by this Privacy Policy. Your site will be governed by your own privacy policy, and jchowlabs will act as your service provider under a separate written agreement. See Section 12 for the roles and responsibilities in that relationship.

By accessing or using the Sites, you acknowledge that you have read and understood this Privacy Policy.

1. Eligibility and Age Restriction

The Sites and all associated features are intended solely for individuals 18 years of age or older.

We do not knowingly collect, process, or store personal information, voice data, or any other information from individuals under the age of 18. If we become aware that such data has been collected from a minor, we will promptly delete it.

By using the Sites, you represent and warrant that you are at least 18 years old.

2. Scope and Intended Audience

The Sites are directed at residents of the United States. While the Sites are accessible over the public internet and we do not restrict access by geography for informational content, our services, advisory offerings, and compliance posture are designed for a US-based audience.

If you are accessing the Sites from outside the United States, including from the European Union or European Economic Area, please be aware:

• Your data will be processed and stored in the United States.
• We do not represent compliance with the EU General Data Protection Regulation (GDPR), UK GDPR, or similar non-US data protection frameworks.
• You should independently assess whether accessing and using the Sites is appropriate given the data protection laws applicable in your jurisdiction.

We reserve the right to restrict access to the voice concierge feature from specific jurisdictions where doing so is appropriate in light of applicable biometric or voice-data laws. See Section 10.

3. Categories of Information We Collect

A. Information You Provide Directly

You may voluntarily provide:

• Name or alias
• Email address (for example, when contacting us about advisory or managed services engagements)
• Messages or inquiries submitted through contact forms or email

Providing this information is optional; however, certain features (such as responding to a contact inquiry) may not be available without it.

B. Voice Concierge — Voice and Transcript Data (Optional)

Each of our Sites includes an AI-powered voice concierge that can answer questions about our services, help you navigate the Site, and demonstrate the kind of voice experience we build for clients. The voice concierge on our Sites operates in demonstration mode: it is intended for illustration and does not complete real transactions or book real appointments, even on demonstration sites that resemble a business.

The voice concierge is opt-in:

• The voice concierge is only made available if you accept our privacy notice on your first visit.
• Once available, voice processing does not begin until you affirmatively click the voice button to start a session.
• Before audio is captured, our voice provider presents their own in-widget consent notice informing you that you are being recorded. Recording does not begin until you confirm that notice. This two-step confirmation is designed to satisfy all-party consent requirements under California Penal Code §632 and similar state wiretapping laws.

If you choose to use the voice concierge on our Sites:

• Your voice input is processed in real time by ElevenLabs, our current voice AI provider, which performs speech-to-text, conversational processing, and text-to-speech. We may change voice providers in the future; if we do, we will update this Privacy Policy.
• We have configured our ElevenLabs account so that conversation transcripts and voice audio recordings are retained on ElevenLabs’ infrastructure for no more than 30 days, after which they are deleted in accordance with ElevenLabs’ deletion processes.
• We do not independently store voice recordings or transcripts on our own servers or in our own databases. This data resides on ElevenLabs’ infrastructure for the 30-day window described above.
• As the ElevenLabs account owner, we have access to transcripts and audio from voice sessions during the 30-day retention window. We use this access solely to debug technical issues, monitor quality, respond to user complaints, and investigate suspected abuse. We do not use this data to train AI models, build datasets, or develop new products. We do not share this data with any third party for marketing, advertising, or commercial purposes.
• The voice concierge on our Sites is configured not to solicit your name, email, phone number, or other directly identifying information. If you volunteer such information during a session, it will be captured within the transcript for the 30-day retention window but is not added to any separate customer record or mailing list on our end.
• We do not generate voiceprints, use voice data for speaker identification or verification, use voice data for voice cloning, or use voice data to train AI models.
• ElevenLabs’ handling of voice and transcript data on their infrastructure is governed by their own Privacy Policy. We have contracted with ElevenLabs for the retention and use limitations described above, but we do not independently control ElevenLabs’ systems.

Voice Data and Biometric Privacy Laws

Voice recordings may be considered sensitive personal information under the California Consumer Privacy Act (CCPA/CPRA) and, depending on how they are processed, may be considered biometric information under state laws including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington’s biometric privacy statute.

We treat voice data accordingly:

• We collect voice data only after opt-in acceptance of our privacy notice and affirmative activation of a voice session, followed by confirmation of the in-widget recording notice.
• We use voice data solely to operate the voice concierge — to transcribe your speech, generate a response, and speak that response back to you — and for the limited operational purposes described above (debugging, quality, complaints, abuse investigation).
• We do not generate voiceprints for speaker identification or authentication.
• We do not sell, license, or share voice data for advertising or commercial profiling.
• Voice data and transcripts are deleted on the 30-day cycle described above. This 30-day retention and destruction schedule constitutes our written retention and destruction guidelines for voice data collected through our Sites, for purposes of statutes that require such a schedule to be made publicly available.

If you are a resident of Illinois, Texas, Washington, or another state with a biometric privacy statute, see Section 10 for additional rights.

C. Interactive Security and Identity Content

The jchowlabs.com site may, from time to time, host interactive content and labs that demonstrate identity, authentication, and security concepts. Any such content offered on our Sites is open and publicly accessible — no account or registration is required — and is designed to run entirely in your browser. Specifically:

• Interactive content that uses your device’s camera (for example, liveness detection demonstrations using browser-based APIs) processes all video and image data locally on your device.
• No image, video, facial geometry, or biometric template is transmitted to our servers or to any third-party service.
• No image, video, or biometric data is stored. All processing terminates when you close the page, refresh your browser, or navigate away.
• We do not maintain a database of users, enrollments, or biometric templates for this content.

Your device will typically prompt you to grant camera permission before any interactive content uses the camera. You can decline, and you can revoke camera permission at any time through your browser or device settings.

If we introduce interactive content that requires server-side processing (for example, a lab with a backend hosted on a cloud provider such as AWS), we will update this Privacy Policy to disclose that processing before such content is made available, or the content will be governed by a separate engagement-specific notice if it is offered in the context of a specific client engagement rather than through our public Sites.

D. Contact Forms and Spam Protection

Our Sites include a contact form that you can use to inquire about our advisory or managed services engagements. When you submit the contact form, we collect:

• The information you enter (name, email address, and the topic you need help with)
• A basic timestamp and the IP address of the submitting device

We use this information solely to respond to your inquiry and, if we enter into an engagement, to maintain the resulting correspondence and contract record. We do not use contact form submissions for marketing lists, advertising, or any purpose you did not initiate.

Contact form submissions are processed by Web3Forms, a third-party form backend service, which transmits your submission to us via email. Web3Forms retains submissions on their infrastructure for a limited period in accordance with their own retention practices, which are governed by their Privacy Policy. We do not use Google reCAPTCHA on our contact forms. Spam protection is handled by a server-side honeypot mechanism that does not collect any additional data from your browser.

E. Cookies, Local Storage, and Tracking Technologies

We use a minimal number of cookies and browser storage mechanisms on the Sites. We do not use advertising cookies, retargeting pixels, cross-site trackers, or analytics cookies.

What Is a Cookie?

A cookie is a small text file placed on your device by a website. Local storage is a similar browser mechanism that stores data on your device. Some cookies and storage entries are essential to site functionality; others collect information about how you use the Site.

First-Party Storage We Set

Privacy Notice Preference (localStorage)

• Set by: jchowlabs, LLC (first-party)
• Storage mechanism: Browser localStorage. This entry never leaves your device and is never transmitted to any server.
• Key: cookieConsent (named for historical reasons; the entry records your privacy notice preference).
• Purpose: Remembers your privacy notice selection (accepted or declined), including a timestamp and a version number tied to our current Privacy Policy. This prevents the notice from reappearing on subsequent visits unless we make a material update to this policy.
• Consent required: No — this entry is strictly functional. It is set regardless of whether you accept or decline, solely to honor your privacy choice.
• Retention: Persists until you clear your browser’s site data for the relevant jchowlabs domain. The notice will reappear automatically if we update this policy to a new version.

Third-Party Cookies and Storage

The following third-party services may set cookies or storage entries on your device when their features are loaded:

• ElevenLabs voice concierge widget. When you accept the privacy notice and the voice widget loads, ElevenLabs may set its own cookies or storage entries on your device to operate the widget. If you decline the privacy notice, the voice concierge widget is not loaded and no ElevenLabs cookies or storage entries are set. Governed by the ElevenLabs Privacy Policy.
• Hosting and content delivery providers. Our Sites are served primarily through GitHub (static hosting) and Cloudflare (content delivery, edge routing, and security). These providers may set short-lived, functional cookies necessary for site delivery, security, and abuse prevention. These cookies are not used for tracking or advertising.

Cookies We Do NOT Set

We do not set or permit:

• Advertising or retargeting cookies
• Social media tracking pixels
• Cross-site tracking of any kind
• Analytics or behavioral cookies (we do not use Google Analytics or any equivalent product)

Managing Your Consent Preference

You may change your consent preference at any time by clearing your browser’s site data for the relevant jchowlabs domain (Application → Storage → Clear site data in Chrome DevTools, or equivalent in your browser). Note that clearing cookies alone will not reset your preference — you must clear site data or localStorage specifically. Once cleared, the privacy notice will reappear on your next visit.

4. How We Use Information

We use collected information only to:

• Operate and maintain the Sites, interactive content, and voice concierge
• Respond to advisory and managed services inquiries
• Provide the optional voice concierge feature and investigate technical or abuse issues related to it
• Support educational content and technology demonstrations
• Monitor system performance, detect abuse, and maintain security
• Comply with applicable legal obligations

We do not sell personal information. We do not use personal information for advertising or commercial profiling. We do not use voice data, transcripts, or any other information collected through the Sites to train AI models or to develop new products.

5. Consent

We use layered, purpose-specific consent:

• A privacy notice is displayed on first visit. Declining means the voice concierge is not loaded on the Site.
• Even after you accept the privacy notice, the voice concierge does not record any audio until you click the voice button to initiate a session and confirm the in-widget recording notice presented by ElevenLabs.
• Interactive content is open and does not require consent beyond your operating system or browser’s permission prompt (for example, for camera access).

Declining any layer of consent will not prevent access to informational content on the Sites.

6. Third-Party Service Providers

We use the following third-party providers to operate the Sites:

These providers act as service providers or data processors and are contractually limited in how they may use data on our behalf. Their processing is subject to their respective privacy policies and, where applicable, data processing agreements.

We do not authorize any service provider to use your information for their own independent marketing or commercial purposes.

7. Data Retention

8. Data Security

We implement reasonable administrative, technical, and organizational safeguards, including:

• Secure cloud infrastructure and encrypted connections (TLS) for data in transit
• Restricted administrative access to systems containing any personal data
• Use of reputable, security-reviewed third-party providers (including ElevenLabs) for voice processing
• Minimization: we collect as little information as necessary and rely on client-side processing for interactive content wherever possible

No system can guarantee complete security. In the event of a data breach affecting your personal information, we will notify affected individuals and relevant authorities as required under applicable law, including California Civil Code §1798.82, within the timeframes required by that law.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Access a copy of your personal information
• Correct inaccurate personal information
• Delete your personal information (subject to limited exceptions)
• Limit the use of sensitive personal information (including voice data)
• Non-discrimination for exercising your privacy rights

We do not sell or share personal information as defined under the CCPA/CPRA.

To submit a request: Email privacy@jchowlabs.com with the subject line “California Privacy Request” and a description of your request. We will acknowledge receipt within 10 business days and respond substantively within 45 days. If additional time is required, we will notify you and may extend the response period by up to an additional 45 days as permitted by law.

We will take reasonable steps to verify your identity before processing access or deletion requests. Because we do not link voice concierge sessions to a persistent identifier, deletion requests for voice data require you to provide information (such as approximate date and time of your session) that allows us to locate the associated data on ElevenLabs’ infrastructure.

10. Biometric-Specific State Rights

If you are a resident of Illinois, Texas, Washington, or another state with a biometric privacy statute, you may have additional rights regarding the collection, use, and retention of biometric information. Because voice data may qualify as biometric information under these laws depending on use, we address those rights as follows:

• Written notice: This Section, together with Section 3(B), provides written notice of the collection, purpose, and retention of voice data before any recording occurs.
• Written consent: You provide written consent to voice processing by (i) accepting our privacy notice and (ii) confirming the in-widget recording notice presented by ElevenLabs before a session begins. Both actions are recorded by our systems or by ElevenLabs’ systems respectively.
• Retention and destruction schedule: Voice data and transcripts are retained on ElevenLabs’ infrastructure for no more than 30 days and are then deleted. This Privacy Policy constitutes our publicly available written retention schedule and destruction guidelines for voice data.
• Deletion requests: You may request early deletion of any voice data associated with you by contacting privacy@jchowlabs.com. Because we do not link voice sessions to a persistent identifier, deletion requests require you to provide information (such as approximate date and time of your session) that allows us to locate the associated data on ElevenLabs’ infrastructure.
• No voiceprints or identification: We do not generate, store, or use voiceprints for speaker identification or verification.
• No sale or profit: We do not sell, lease, trade, or otherwise profit from voice data.
• Jurisdictional restrictions: We reserve the right to restrict availability of the voice concierge feature to visitors from specific jurisdictions where doing so is appropriate given applicable biometric or voice-data laws.

We do not currently operate any interactive content or service that collects, stores, or processes facial geometry, fingerprints, retina scans, or other biometric identifiers on our servers or through a third-party biometric processor.

11. International Users

The Sites are operated from the United States. By accessing the Sites from outside the United States, you understand and acknowledge that:

• Your information will be transferred to and processed in the United States
• We do not represent compliance with the GDPR, UK GDPR, PIPEDA, or other non-US data protection frameworks
• US privacy law may provide different protections than those available in your jurisdiction

If you are located in the EU/EEA or another jurisdiction with data transfer restrictions, we recommend you carefully consider whether to use the Sites or submit any personal information.

12. Managed Services and Client Sites

jchowlabs’ managed services business (surfaced through jchowlabs.chat) helps small and mid-size businesses across the United States build websites and deploy AI voice concierge experiences on their own websites and telephony systems. This section clarifies the roles and responsibilities when jchowlabs builds or operates a site or voice concierge on behalf of a client.

Our Role on Client Production Sites

When jchowlabs builds, deploys, or operates a website or voice concierge for a client under a managed services engagement, the client is the business and data controller for personal information collected from their customers, and jchowlabs acts as the client’s service provider under the California Consumer Privacy Act (and as a processor under the Texas Data Privacy and Security Act, Colorado Privacy Act, Virginia CDPA, Connecticut Data Privacy Act, and other applicable state laws).

This means:

• The client is responsible for publishing their own privacy policy covering their customers’ data, including any names, phone numbers, or appointment information collected by a voice concierge deployed on the client’s site.
• jchowlabs processes personal information solely for the purposes set out in our engagement agreement with that client.
• jchowlabs does not sell, share, or use client customer data for our own purposes.
• Each managed services engagement is governed by a written Master Services Agreement and Data Processing Addendum that sets out the respective privacy and security obligations of the parties.
• Subprocessors we engage (including ElevenLabs for voice processing) are flowed down under our agreement with the client.
• If a client production deployment collects phone numbers via the voice concierge for appointment booking or callback, those numbers are used only for the business purpose the caller initiated; we do not use them for marketing, outbound dialing, or text messaging on our own behalf, and our standard agreements require the same of our clients with respect to our role.

This Privacy Policy does not govern data collected on a client’s production site. If you are a customer of one of our clients and wish to exercise privacy rights regarding data collected on that client’s site, please contact the client directly; we will support the client in responding to your request as required under our engagement agreement.

Demonstration Sites We Operate

We operate demonstration sites to showcase the kind of voice concierge experiences we build for clients. These demonstration sites are operated by jchowlabs for illustrative purposes, are not real businesses, and are governed by this Privacy Policy. Voice concierge on our demonstration sites operates in demonstration mode: it does not book real appointments, trigger real callbacks, or create records of names or phone numbers in any booking or customer system, even if you speak such information during a demonstration session.

Where a demonstration site presents a fictional business, we display a disclosure on the site identifying jchowlabs, LLC as the operator and linking to this Privacy Policy, so visitors can readily identify the site’s demonstrative nature and understand whose data practices apply.

Information jchowlabs Collects Directly From Clients

In the course of a managed services or advisory engagement, jchowlabs collects information directly from our client contacts — such as contact details, contract documents, invoicing and payment information, and technical configuration materials. That information is collected by jchowlabs as a business in our own right, and this Privacy Policy governs its handling.

13. Accessibility

We are committed to making the Sites usable by the broadest possible audience, including individuals with disabilities. We design the Sites with accessibility in mind and aim for substantial conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA, recognizing that we are a small operator and that conformance is an ongoing effort rather than a one-time certification.

If you encounter an accessibility barrier on the Sites, or if you need content provided in an alternative format, please contact privacy@jchowlabs.com. We will make reasonable efforts to address the issue or provide the requested content in an accessible alternative.

14. Changes to This Policy

We may update this Privacy Policy periodically. Updates will be posted with a revised effective date.

For non-material changes, continued use of the Sites constitutes acceptance of the updated Policy.

For material changes — particularly those affecting how we collect or use sensitive personal information or voice data — we will provide advance notice and, where required by applicable law, seek fresh consent before the changes take effect. When we update the Policy to a new version, the privacy notice will reappear on your next visit so you can review and confirm your consent preference.

15. Contact Information

jchowlabs, LLC
California, United States
Privacy inquiries: privacy@jchowlabs.com