GDPR Policy
Effective date: July 11, 2026
Last updated: July 11, 2026
This GDPR Policy supplements the Read Aloud Text Privacy Policy and explains how we handle personal data when the European Union General Data Protection Regulation (“GDPR”) or substantially similar European data-protection law applies.
1. Controller
The controller is:
Hasitha Chandrasekara
Operator of Read Aloud Text
Sri Lanka
Email: support@readaloudtext.com
Website: https://readaloudtext.com
We have not appointed a Data Protection Officer because our current scale and processing activities do not require one. Privacy matters are handled through the email address above.
2. Scope
This Policy applies where GDPR covers our processing, including where an individual in the European Economic Area uses the Service and GDPR’s territorial requirements are satisfied. The Service is operated from Sri Lanka and has no establishment in the EEA.
3. Data and purposes
| Processing activity | Data | Purpose | Legal basis |
|---|---|---|---|
| Account creation and login | Email, display name, Google profile data, account ID, authentication data | Create, authenticate, and secure an account | Performance of a contract; legitimate interests in security |
| Text-to-speech generation | Submitted text, voice settings, generated audio, timestamps | Provide the generation requested by the user | Performance of a contract |
| Documents and projects | Uploaded documents, extracted text, project settings, generation history | Extract, generate, organize, save, and retrieve content | Performance of a contract |
| Audio sharing | Share identifier, audio, associated text, highlighting data | Publish an unlisted page at the user’s request | Performance of a contract; user’s explicit action |
| Voice cloning | Voice sample, consent confirmation, voice model or identifier, generated audio | Create and maintain a requested synthetic voice | Performance of a contract; explicit user request and consent where required |
| Subscriptions and credits | Plan, transaction IDs, entitlement, credit use, renewal and refund status | Administer paid access and accounting | Performance of a contract; legal obligation |
| Security and abuse prevention | IP address, device and log data, usage patterns, account events | Prevent fraud, impersonation, unauthorized voice use, and attacks | Legitimate interests; legal claims; legal obligation where applicable |
| Analytics | Cookie identifiers, device and interaction data | Understand and improve the Service | Consent where required; otherwise legitimate interests where lawful |
| Support | Email, message, attachments, support history | Respond to requests and resolve problems | Contract; legitimate interests; legal obligation |
| Required records | Transaction, refund, tax, security, and dispute records | Meet legal duties and defend claims | Legal obligation; legitimate interests; legal claims |
We do not use personal data for solely automated decisions that produce legal or similarly significant effects. Automated speech generation and document extraction perform the content-processing task requested by the user; they do not make eligibility, employment, credit, insurance, or similar decisions about a person.
4. Voice data
Voice samples and cloned voice models can be personal data. We process them only when the user actively requests voice cloning and confirms authority to use the voice. The feature is restricted to adults.
We do not use voice data to authenticate or uniquely identify people on behalf of customers. If a provider performs speaker verification to protect consent or service integrity, it may generate a technical voice signature for that limited purpose under its applicable terms.
The user must be the speaker or have informed, legally valid permission from the adult speaker. We may request proof of authority and may remove a model where consent is disputed.
5. Recipients and processors
We use providers for hosting, authentication, storage, networking, analytics, payments, email, text-to-speech, and voice cloning. Current providers include Google Firebase and Google Cloud, Cloudflare, Google Analytics, Creem, ElevenLabs, Microsoft Azure, Cartesia, and Zoho Mail.
Provider roles depend on the activity. Some act as processors on our instructions, while others, such as Creem for checkout and payment compliance, may act as independent controllers. We seek contractual and organizational safeguards appropriate to the processing.
6. AI training
We do not use Customer Content to train our own generalized AI models. Where a voice or speech provider offers a data-training opt-out, we enable it or obtain an agreement that prohibits generalized training before sending production Customer Content. Providers may process data to deliver the requested feature, maintain a user-specific voice, secure the service, prevent abuse, or comply with law.
7. Retention
Our principal retention periods are:
- guest generation content: not retained in our primary application storage after the request completes;
- Free registered content: 72 hours;
- Lite content: one month;
- Plus and Premium content: until user or account deletion;
- application and security logs: generally up to 12 months;
- analytics user-level event data: up to 14 months;
- support records: generally up to 24 months after closure;
- billing and tax records: at least five years; and
- backups containing deleted data: generally overwritten within approximately 90 days.
Longer retention may apply to fraud, security incidents, legal obligations, disputes, or legal claims. Full details are in the Privacy Policy.
8. International transfers
Personal data may be transferred from the EEA to Sri Lanka, the United States, and other countries where our providers operate. Where required, we rely on safeguards such as the European Commission’s Standard Contractual Clauses, an adequacy decision, or another lawful transfer mechanism. You may request information about applicable safeguards by contacting us.
9. Your GDPR rights
Subject to conditions and exceptions in the GDPR, you may request:
- Access: confirmation and a copy of personal data;
- Rectification: correction of inaccurate or incomplete data;
- Erasure: deletion where there is no overriding lawful reason to retain data;
- Restriction: limitation of processing in specified circumstances;
- Portability: personal data you supplied in a structured, commonly used, machine-readable format where processing is automated and based on consent or contract;
- Objection: objection to processing based on legitimate interests, including an absolute right to object to direct marketing;
- Withdrawal of consent: withdrawal at any time without affecting earlier lawful processing; and
- Complaint: a complaint to the supervisory authority in your country of residence, work, or the alleged infringement.
Send requests to support@readaloudtext.com. We may request information necessary to confirm identity and protect other people’s data. We normally respond within one month, subject to lawful extension for complex or numerous requests. Requests are generally free, although a reasonable fee or refusal may apply to manifestly unfounded or excessive requests as permitted by law.
10. Children
Users must be at least 16 to create an account and at least 18 to use voice cloning. A minor below the age of legal majority must have permission from a parent or guardian.
Children under 16 may use a listener-only link supplied by a teacher, parent, or guardian under adult supervision, but may not create an account, upload content, purchase a plan, or provide personal data. We do not offer a parental-consent workflow at this time.
11. Cookies
Essential cookies are used for login, sessions, preferences, and security. Google Analytics and other non-essential analytics are used only with consent where GDPR or applicable ePrivacy rules require it. Consent can be withdrawn without affecting essential Service functions, although disabling all cookies may prevent login.
12. Security and breaches
We apply measures appropriate to the risk, including encrypted transport, access controls, restricted administration, provider security controls, monitoring, and backups. If a personal-data breach creates a notification obligation, we will notify the appropriate authority and affected individuals as required.
13. EEA representative
We are established in Sri Lanka and have not yet appointed an EEA representative. Before specifically targeting or routinely offering the Service in the EEA in circumstances requiring a representative under GDPR Article 27, we will appoint one and publish the representative’s contact details here. Until then, GDPR requests should be sent directly to support@readaloudtext.com.
14. Updates and contact
We may update this Policy as processing or law changes. Material changes will receive additional notice where required.
Contact: support@readaloudtext.com