Trust
Security
mello never records your voice. Every facility’s data lives in its own isolated silo. Here is exactly what we do — and don’t do — to keep your data safe.
Audio is never stored
Your voice exists in mello’s systems for one purpose only: real-time transcription. The audio stream is processed as it arrives and discarded within 60 seconds of your call ending. There is no audio file, no recording, and no way to replay your voice — not even by us.
This is an architectural decision, not a policy one. Audio storage was deliberately excluded from the data model.
Per-facility data isolation
Every facility on mello is a separate tenant. We enforce isolation at the database layer using Row-Level Security (RLS) in PostgreSQL via Supabase. Every query is scoped to a single facility_id — a facility’s admin dashboard, API calls, and analytics can only ever see that facility’s own data.
Facility A cannot see Facility B’s callers, bookings, or transcripts — even though they share the same database instance. This is enforced at the query level, not the application level.
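The following is an added illustration of the isolation pattern described above, not mello’s own schema or policies. It assumes a hypothetical bookings table, that the signed-in admin’s JWT carries a facility_id claim, and that the claim is read through Supabase’s auth.jwt() function; the helper name current_facility_id() is invented for the example.

```sql
-- Added illustration (not mello's schema): per-facility isolation with
-- PostgreSQL Row-Level Security, as used through Supabase.
-- Assumptions: the admin's JWT carries a "facility_id" claim, exposed by
-- Supabase's auth.jwt(); table, column and helper names are hypothetical.

create table if not exists bookings (
  id           bigint generated always as identity primary key,
  facility_id  uuid not null,
  caller_phone text not null,
  starts_at    timestamptz not null
);

-- Turn RLS on. With no policies defined, every row is denied to every
-- role except the table owner and superusers.
alter table bookings enable row level security;

-- Apply the policies to the table owner too, so a service connection
-- that happens to own the table cannot bypass tenant scoping.
alter table bookings force row level security;

-- Tenant of the current request, taken from the JWT claim. Returns NULL
-- (which matches no row) when the claim is missing or empty.
create or replace function current_facility_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() ->> 'facility_id', '')::uuid
$$;

-- One policy covering all commands:
--   USING      filters rows for SELECT/UPDATE/DELETE to the caller's facility;
--   WITH CHECK refuses INSERT/UPDATE rows tagged with any other facility_id,
--              so a client cannot write data under another tenant's id.
create policy bookings_own_facility_only on bookings
  for all
  to authenticated
  using      (facility_id = current_facility_id())
  with check (facility_id = current_facility_id());
```

To check the policy from a SQL session rather than through the API, switch to the authenticated role, set request.jwt.claims to a JSON object containing a facility_id (that is the setting auth.jwt() reads), and run a SELECT and an INSERT: rows belonging to any other facility are absent from the result, and an INSERT that names a foreign facility_id is rejected by the WITH CHECK clause. The point of the FORCE clause is that the same holds even for the connection that created the table.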
Encryption
- In transit — all connections use TLS 1.2 or higher. This covers Twilio → mello, mello → Sarvam AI, mello → Supabase, and the WhatsApp delivery leg.
- At rest — all data stored in Supabase is encrypted with AES-256 at the storage layer.
- Payment data — mello never stores card numbers, UPI IDs, or payment credentials. Payment links are created via Razorpay’s API and delivered directly to the caller over WhatsApp. We store only the amount and link status.
Data residency
All caller data — transcripts, bookings, call logs — is stored in India using Supabase’s India region. Data never leaves India for storage purposes.
Speech processing (STT, LLM, TTS) is handled by Sarvam AI, an Indian AI company, keeping the full call pipeline within India.
Access controls
- Facility admins authenticate via Supabase magic-link email — no passwords to leak. Sessions are short-lived and stored in secure HTTP-only cookies.
- Management API — internal API endpoints require a Bearer token. No endpoint that reads or writes facility data is publicly accessible without authentication.
- Caller identity — the caller’s phone number is supplied by Twilio directly to the server, never by the AI model. This means the model cannot be prompted to impersonate another caller.
Audit trail
Every sensitive operation is recorded in an immutable audit log: data deletions, transcript purges, admin logins, and right-to-delete requests. The log records who did what, when, and on which facility.
Transcript purges run automatically every 24 hours, deleting records older than 90 days. Each purge cycle is audited with the count of records removed.
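As an added illustration of the audit-plus-retention pattern described in this section (not mello’s own code or schema), the SQL below builds an append-only audit table and a purge function that deletes transcripts older than a retention window and writes one audit row per facility with the number of rows removed. Table and column names, the app_rw role, the function names, and the use of pg_cron for scheduling are all assumptions of the example.

```sql
-- Added illustration (not mello's schema): an append-only audit log and
-- a retention purge that records what it removed. Names are hypothetical.

create table if not exists transcripts (
  id          bigint generated always as identity primary key,
  facility_id uuid not null,
  created_at  timestamptz not null default now(),
  body        text not null
);

create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor       text not null,                 -- admin identity or 'system'
  action      text not null,                 -- e.g. 'transcript_purge'
  facility_id uuid,                          -- which tenant was affected
  detail      jsonb not null default '{}'::jsonb
);

-- Immutability, part 1: application roles may only append and read.
-- 'app_rw' is a hypothetical application role.
revoke all on audit_log from public;
grant insert, select on audit_log to app_rw;

-- Immutability, part 2: refuse UPDATE/DELETE at row level even for a role
-- that somehow holds the privilege (only a superuser can drop the trigger).
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end
$$;

create trigger audit_log_no_change
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Retention job: delete transcripts older than the window and audit the
-- count per facility in the same statement, so a purge can never succeed
-- without its audit rows (one transaction, all or nothing).
-- SECURITY DEFINER lets a low-privilege scheduler role run it; the fixed
-- search_path prevents object shadowing. If transcripts had FORCE RLS,
-- the definer would also need a policy or BYPASSRLS to see old rows.
create or replace function purge_old_transcripts(retention interval default '90 days')
returns integer
language plpgsql
security definer
set search_path = public
as $$
declare
  removed integer;
begin
  with deleted as (
    delete from transcripts
    where created_at < now() - retention
    returning facility_id
  ),
  audited as (
    insert into audit_log (actor, action, facility_id, detail)
    select 'system', 'transcript_purge', facility_id,
           jsonb_build_object('rows_removed', count(*),
                              'retention',    retention::text)
    from deleted
    group by facility_id
    returning (detail ->> 'rows_removed')::integer as n
  )
  select coalesce(sum(n), 0) into removed from audited;

  return removed;   -- total transcripts deleted across all facilities
end
$$;

-- Run once a day (03:00 server time). Assumes the pg_cron extension is
-- enabled, which Supabase offers; cron.schedule(name, schedule, sql).
select cron.schedule('purge-old-transcripts', '0 3 * * *',
                     $$select purge_old_transcripts()$$);
```

Two design points are worth noting. The delete and the audit insert live in one statement via a data-modifying CTE, so there is no window in which rows are gone but unrecorded; and the audit table is protected both by privileges and by a trigger, because a grant can be added by mistake later while the trigger keeps refusing changes until someone with superuser rights explicitly removes it, which is itself a visible act.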
Right to delete
Callers can request immediate deletion of all their data at any point during a call by saying “delete my data.” Mello will erase the transcript, tool-call records, and booking history for that caller at that facility and confirm verbally.
Facility admins can trigger a full data purge for any caller from the dashboard. All deletions are recorded in the audit log.
Responsible disclosure
Found a security issue? Please email hello@mello.ai with a clear description. We will acknowledge within 48 hours and aim to resolve confirmed vulnerabilities within 14 days. Please do not publicly disclose until we have had a chance to investigate.