// Trust & Security Report
LOVO, Inc.
LOVO AI / Genny (AI voice generator, text-to-speech, voice cloning, online video editor, AI writer, AI art, and developer API)
Certifications held
8
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lovo.ai“No SOC 2 claim or report appears on any LOVO-owned page (lovo.ai homepage, privacy policy, terms of service, or the help/docs subdomains), and LOVO publishes no trust center or audit report. A 'SOC 2 Compliant' badge appears only on a third-party aggregator profile (Nudge Security), which is not vendor-published evidence and could not be independently corroborated. Treated as unknown pending a vendor-issued SOC 2 report.”
Verify on lovo.ai“Not mentioned anywhere on LOVO's own site, and no certificate or Statement of Applicability is published by the vendor. An 'ISO 27001 Compliant' badge appears only on the third-party Nudge Security aggregator, which is not vendor-published evidence and could not be independently corroborated.”
Verify on lovo.ai“Not referenced on any LOVO-owned page; this is a consumer voiceover/TTS product with no Business Associate Agreement (BAA) offering mentioned. A 'HIPAA Compliant' badge appears only on the third-party Nudge Security aggregator, with no vendor-domain evidence to corroborate it.”
Verify on lovo.ai“LOVO takes card payments (ToS: 'your payment method will automatically be charged'), so cardholder data is handled, most likely by a third-party payment processor that carries its own PCI scope. LOVO publishes no PCI Attestation of Compliance and makes no PCI claim on its own domain. A 'PCI Compliant' badge appears only on the Nudge Security aggregator, which could not be independently corroborated.”
Verify on security-profiles.nudgesecurity.com“A 'FedRAMP Compliant' badge appears only on the third-party Nudge Security aggregator. FedRAMP is a US federal-government cloud authorization that is highly implausible for a consumer voice/TTS SaaS of this size, is not claimed anywhere on LOVO's own domain, and was not corroborated. Almost certainly aggregator noise; treated as unknown (verify against the FedRAMP Marketplace before relying on it).”
Verify on security-profiles.nudgesecurity.com“A 'CSA STAR Level 1 Compliant' badge appears only on the third-party Nudge Security aggregator. CSA STAR Level 1 is a self-assessment (CAIQ) submitted to the CSA STAR Registry; no such entry is referenced or linked from LOVO's own domain, and the claim could not be independently corroborated. Treated as unknown.”
Verify on lovo.ai“'The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases... Consent (legal basis: Art. 6 para. 1 p. 1 lit. a GDPR/UK-GDPR)... The data subject's consent is especially needed when processing voice samples within our Service.' The privacy policy also states a Data Protection Officer was appointed: 'For the protection of your data we appointed a data protection officer: Tom Lee'.”
Verify on lovo.ai“'California Consumer Privacy Act (CCPA) Privacy Notice... California residents have the following privacy rights... The right to know what Personal Information we have collected... The right to request deletion of your Personal Information... We do not and will not sell your Personal Information.'”
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not stated
Data region
US-based (LOVO, Inc., SkyDeck, 2150 Shattuck Ave, Berkeley, CA; governing law Delaware). Hosting reported on AWS/Vercel via third-party profile. Privacy policy states personal data 'may be transferred to and stored outside the country in which you are located.' No EU/regional data-residency option is documented.
Training on customer-provided data is the default. ToS (Custom Voice Cloning section): 'By using Custom Voice Designing (Cloning) Services offered by LOVO, you grant permission to LOVO and its affiliates to use the data you provided for research and development purposes to further improve the technology, products, and Services they offer. Any data, including sensitive personal information, will not be shared with 3rd parties unless for the purposes of research, development, and enhancement of technology and Services.' The privacy policy lists 'improve our machine learning features and services' as a collection purpose and says uploaded voice recording data is used 'solely to improve our Services provided to you.' No documented opt-out toggle was found. Voice cloning requires that the user warrant they hold consent/rights to the uploaded voice.
// Security controls
Stated security controls
General only: 'LOVO uses standard industry practice (physical, electronic, and procedural) to protect all data collected... We take reasonable steps to protect the Data... from loss, misuse, and unauthorized access... However, no Internet or email transmission is ever fully secure or error-free.' No specifics on encryption-at-rest/in-transit.
lovo.aiBug bounty
None found. No HackerOne or Bugcrowd program or security.txt / vulnerability-disclosure policy located.
lovo.aiSub-processors / DPA
No public sub-processor list or downloadable DPA found; privacy policy references generic 'third-party service providers... providers of hosting services, cloud services' without naming them.
lovo.ai// Products & data scope
data: Account info, payment data, uploaded text/scripts and generated content. Usage data used to improve services and ML features.
Flagship product; 14-day Pro trial; individual and team plans. Marketed at 2,000,000+ users.
data: User-uploaded voice samples / recordings (biometric-adjacent voiceprint data). Explicitly licensed by user to LOVO for R&D and model improvement.
Highest-sensitivity surface. User must warrant they own or hold consent/rights to the voice. Training on this data is a stated default. Subject of an active voice-actor class action.
data: Shared projects in cloud storage; 'Customer' (organization) controls roles per ToS.
ToS defines org-level 'Customer' with admin/role reassignment authority.
data: Programmatic text input and generated audio; same privacy/ToS scope applies.
Developer integration; no separate enterprise data-processing addendum published.
data: Not documented publicly; presumably custom terms.
Referenced in FAQ ('Do you have an enterprise plan?') but no separate security/compliance documentation surfaced.
// What to watch
- CERT DISCREPANCY: A third-party aggregator (Nudge Security) lists LOVO as SOC 2 / ISO 27001 / HIPAA / PCI / FedRAMP / CSA STAR Level 1 / GDPR 'Compliant', but NONE of the enterprise audit certs (SOC 2, ISO 27001, HIPAA, PCI, FedRAMP, CSA STAR) appear on LOVO's own domain, LOVO publishes no trust center or audit report, and the aggregator entry is not vendor-published evidence and could not be independently corroborated. The FedRAMP entry in particular is almost certainly aggregator noise for a vendor of this size and type. Treat all enterprise certs as UNVERIFIED until LOVO publishes reports/certificates or a trust center.
- No trust center, no security.txt, no bug-bounty program, no published penetration-test attestation.
- Trains on customer data by default, including uploaded voice samples used for R&D/model improvement, with no documented opt-out.
- LITIGATION/REPUTATION: Active class-action lawsuit (Lehrman & Sage v. LOVO, SDNY) alleging unauthorized voice cloning; a federal judge allowed breach-of-contract and NY privacy-law claims to proceed. Material for a voice-AI vendor handling biometric-adjacent data.
- Security section of privacy policy is boilerplate ('standard industry practice'); no encryption-at-rest/in-transit specifics.
- No public sub-processor list or self-serve DPA located.
// At a glance
Pricing model
Freemium SaaS subscription (free tier + paid Pro/Team tiers, 14-day Pro trial, no refunds after 24h) plus contact-sales enterprise and usage-based API
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on LOVO, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lovo.ai