Building voice AI we'd be proud to receive
NOVA places AI-generated calls on behalf of real businesses. Trust is the only reason this category survives. This page is the public, enforceable version of the rules we hold ourselves and our customers to — from the very first sentence of every call.
01AI disclosure policy#
Every NOVA call placed to a phone number in the United States or Canada opens with an explicit, machine-spoken disclosure before any sales content is delivered. The exact opener is:
“Hi, this is an AI-generated voice agent calling on behalf of {company}. This call may be recorded for quality. Are you ok to continue?”
This is a pre-roll consent gate, not a footnote. If the prospect says no — or simply says “no”, “stop”, “remove me”, or “don't call me” — the agent ends the call immediately and the number is added to the customer's suppression list so we will not dial it again.
The disclosure is enforced in code at the agent state machine's first turn: there is no operator override, no “skip the script” flag, and no per-customer toggle. We honour TCPA (47 U.S.C. § 227) and the calling-disclosure rules of states with stricter regimes — including California (B&P Code § 17941, AB 2905), Florida (Fla. Stat. § 501.059), and Minnesota (Minn. Stat. § 325E.30+) — whose requirements feed back into the same enforced-in-code opener.
For calls outside the US/CA, NOVA still discloses that the caller is an AI-generated voice agent whenever the called party asks “is this a real person?” or any close paraphrase. We do not allow customers to instruct the agent to deny being AI.
02Voice cloning consent#
NOVA supports custom synthetic voices via xAI Custom Voices. The rules below are absolute — no exceptions, no enterprise tier, no NDA carve-out.
Whose voice we will clone
- We clone only the customer's own voice — specifically the founder, CEO, or other named officer of the calling organisation — with documented, signed consent on file before training begins.
- We do not clone celebrity voices, public figures, deceased persons, employees who have not personally consented, customers' customers, or any voice the consenting party cannot demonstrably establish as their own.
Source-recording integrity
- Source recordings used for training must be less than 90 days old at the time of submission.
- Every submission is reviewed by a NOVA operator before training is queued. Submissions that look like third-party podcast clips, interview footage, or scraped-from-YouTube material are rejected and the originating account is flagged for re-review.
Watermarking
Cloned voices include an inaudible watermark per the xAI Custom Voices specification. The watermark is preserved through normal telephony codecs and is designed to let downstream auditors fingerprint AI-generated speech back to its source. (Watermark spec and detection tooling are governed by xAI's published documentation; we will keep this page in sync if their spec materially changes.)
Revocation
The consenting party can revoke a cloned voice at any time by emailing ethics@novalabs.ae from a verifiable address. On revocation we purge the cloned voice model and every derived artifact (fine-tunes, cached embeddings, evaluation samples) within 24 hours and confirm completion in writing.
03BYO Twilio & caller-ID integrity#
Customers can place calls from their own Twilio (or other carrier) numbers via NOVA's Bring-Your-Own-Twilio integration. Caller-ID is one of the easiest places for voice-AI products to do harm. Our rules are non-negotiable:
- Legal control. Customers may only place calls from phone numbers they legally control — either purchased via their own Twilio account or ported in with documented ownership.
- SMS-OTP verification. Every BYO number must pass an SMS one-time-password challenge sent to that exact number before it can be used to place an outbound call.
- Outbound caller-ID auditing. Every outbound call's caller-ID is logged, and we run a continuous comparison against the customer's verified-number list. A caller-ID that does not match a verified number is blocked at dial time.
- Suspected spoofing ⇒ instant suspension. If we detect attempts to spoof caller-ID, evade STIR/SHAKEN attestation, or use neighbour-spoofing patterns, we suspend the account immediately and notify the customer with the evidence.
- We do not facilitate caller-ID spoofing, neighbour spoofing, STIR/SHAKEN evasion, or any service designed to obscure the originating organisation from the called party.
04Data handling & retention#
We collect only what is needed to operate the service and prove what happened on a given call. Defaults below are minimums; customers can request shorter retention at any time.
- Call audio — retained 90 days for quality review and abuse investigation, then auto-purged.
- Transcripts — retained 12 months and accessible to the customer through the dashboard.
- Quality scores & LLM-as-judge summaries — retained 12 months alongside the transcript they describe.
- Account & billing records — retained for the life of the account plus regulated periods (e.g., seven-year tax retention in the UAE).
Customers and called parties can request earlier deletion by emailing ceo@novalabs.ae. We honour deletion requests within 30 days, except where a longer retention is mandated by law (for example, an open financial-services compliance audit or regulator-issued litigation hold). When a longer retention applies we tell you why and when it will be released.
All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Production data is hosted on AWS in us-east-1, with a dedicated me-central-1 (UAE) region for customers whose data residency obligations require it.
Full data-collection categories, sub-processors, and rights-exercise procedures are documented in the Privacy Policy.
05Compliance frameworks#
NOVA is designed to operate inside the following frameworks:
- United States. Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227); CAN-SPAM Act for SMS-based notifications; California Consumer Privacy Act (CCPA / CPRA) for California prospects.
- European Union & United Kingdom. GDPR / UK GDPR. We have a designated Data Protection Officer reachable at legal@novalabs.ae; our default lawful basis is legitimate interest for B2B prospects and explicit consent for B2C; a Data Processing Addendum is available on request.
- United Arab Emirates. Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) — including consent management and cross-border transfer disclosures.
- India. Digital Personal Data Protection Act 2023 (DPDP Act) — consent management and data fiduciary obligations as defined under the Act.
We do not operate, market, or accept paying customers in any jurisdiction where outbound voice AI is prohibited by national law. Where a jurisdiction's rules tighten after we launch there, we wind down service in that jurisdiction in an orderly way and notify affected customers.
06Refusal categories — what NOVA will not do#
The following use cases are permanently off-limits. They are blocked at onboarding, refused at runtime by guardrails in the agent state machine, and grounds for immediate account termination if attempted after sign-up:
- Political robocalling — including voter ID, voter persuasion, get-out-the-vote, voter suppression, or any campaign finance-funded outreach.
- Debt collection on contested debts — in line with the Fair Debt Collection Practices Act (FDCPA) and equivalents.
- Healthcare, mental-health, or addiction-services outbound — the regulatory and ethical risk to vulnerable callees is too high for an AI voice product.
- Calls to numbers on the US National DNC Registry without a documented prior business relationship that satisfies TCPA's exemption rules.
- Impersonating a real human. The agent must always disclose it is AI when asked, and must always lead US/CA calls with the disclosure in §1. Customer scripts that instruct the agent to deny being AI are rejected at script-load time.
- Pretexting, social engineering, scams, or fraud — including fake-IRS calls, fake-utility-shutoff calls, gift-card scams, romance scams, or any pattern that materially resembles a known fraud playbook.
07Audit & transparency#
Every NOVA call is logged with a complete audit record:
- Caller-ID (the verified BYO number used to dial out).
- Called number.
- Timestamp, duration, and disposition.
- The full path the agent state machine took, turn by turn.
- The full transcript and the LLM-as-judge quality score.
Audit logs are retained for five years to support regulator-led compliance investigations. Customers can request the audit trail for any specific call from their dashboard. Regulators, law-enforcement, or the called party may request a specific call's audit trail by emailing ethics@novalabs.ae with the phone number called and the approximate timestamp; we honour valid requests within 5 business days.
Annual third-party AI ethics review. NOVA commits to an independent annual review of this policy and our enforcement track record. The first review will be conducted and published by Q1 2027.
08Opt-out & DNC#
- On the call. Any of “remove me”, “don't call me”, “stop”, or a simple “no” in response to the consent prompt ends the call immediately and registers a DNC.
- Suppression scope. The suppression list is global per customer-account — once a number is suppressed for a customer, that customer cannot dial it again from any campaign, number, or sub-user under the same account.
- By email. Anyone — called party, regulator, or third party reporting on behalf of a called party — can email ethics@novalabs.ae with a phone number to request a take-down. We process these within 10 business days.
09Reporting harm#
If you believe a NOVA-placed call was abusive, deceptive, or in any way violated this policy — or if you have concerns about how a voice has been cloned, how a number is being used, or any other AI-safety issue — email ethics@novalabs.ae. We triage every report within 5 business days and respond with the outcome.
Whistleblower protection. NOVA does not retaliate against employees, contractors, or customers who report concerns in good faith. Reports can be made anonymously; if an investigator needs to follow up, we will create a one-way contact channel at your request.
Material AI-safety incident disclosure. If we confirm a material AI-safety incident — e.g., a voice clone used outside its consent envelope, a sustained pattern of undisclosed AI calls, a data exposure that affects called parties — we commit to a public post-mortem within 30 days of confirmation, with enough detail for the ecosystem to learn from it.
10Contact#
Use the most specific address for fastest routing. All inboxes are monitored on UAE business hours (Sunday–Thursday).
Street address available on request to legal@novalabs.ae.