GDPR Policy

Effective date: July 11, 2026
Last updated: July 11, 2026

This GDPR Policy supplements the Read Aloud Text Privacy Policy and explains how we handle personal data when the European Union General Data Protection Regulation (“GDPR”) or substantially similar European data-protection law applies.

1. Controller

The controller is:

Hasitha Chandrasekara
Operator of Read Aloud Text
Sri Lanka
Email: support@readaloudtext.com
Website: https://readaloudtext.com

We have not appointed a Data Protection Officer because our current scale and processing activities do not require one. Privacy matters are handled through the email address above.

2. Scope

This Policy applies where GDPR covers our processing, including where an individual in the European Economic Area uses the Service and GDPR’s territorial requirements are satisfied. The Service is operated from Sri Lanka and has no establishment in the EEA.

3. Data and purposes

Processing activityDataPurposeLegal basis
Account creation and loginEmail, display name, Google profile data, account ID, authentication dataCreate, authenticate, and secure an accountPerformance of a contract; legitimate interests in security
Text-to-speech generationSubmitted text, voice settings, generated audio, timestampsProvide the generation requested by the userPerformance of a contract
Documents and projectsUploaded documents, extracted text, project settings, generation historyExtract, generate, organize, save, and retrieve contentPerformance of a contract
Audio sharingShare identifier, audio, associated text, highlighting dataPublish an unlisted page at the user’s requestPerformance of a contract; user’s explicit action
Voice cloningVoice sample, consent confirmation, voice model or identifier, generated audioCreate and maintain a requested synthetic voicePerformance of a contract; explicit user request and consent where required
Subscriptions and creditsPlan, transaction IDs, entitlement, credit use, renewal and refund statusAdminister paid access and accountingPerformance of a contract; legal obligation
Security and abuse preventionIP address, device and log data, usage patterns, account eventsPrevent fraud, impersonation, unauthorized voice use, and attacksLegitimate interests; legal claims; legal obligation where applicable
AnalyticsCookie identifiers, device and interaction dataUnderstand and improve the ServiceConsent where required; otherwise legitimate interests where lawful
SupportEmail, message, attachments, support historyRespond to requests and resolve problemsContract; legitimate interests; legal obligation
Required recordsTransaction, refund, tax, security, and dispute recordsMeet legal duties and defend claimsLegal obligation; legitimate interests; legal claims

We do not use personal data for solely automated decisions that produce legal or similarly significant effects. Automated speech generation and document extraction perform the content-processing task requested by the user; they do not make eligibility, employment, credit, insurance, or similar decisions about a person.

4. Voice data

Voice samples and cloned voice models can be personal data. We process them only when the user actively requests voice cloning and confirms authority to use the voice. The feature is restricted to adults.

We do not use voice data to authenticate or uniquely identify people on behalf of customers. If a provider performs speaker verification to protect consent or service integrity, it may generate a technical voice signature for that limited purpose under its applicable terms.

The user must be the speaker or have informed, legally valid permission from the adult speaker. We may request proof of authority and may remove a model where consent is disputed.

5. Recipients and processors

We use providers for hosting, authentication, storage, networking, analytics, payments, email, text-to-speech, and voice cloning. Current providers include Google Firebase and Google Cloud, Cloudflare, Google Analytics, Creem, ElevenLabs, Microsoft Azure, Cartesia, and Zoho Mail.

Provider roles depend on the activity. Some act as processors on our instructions, while others, such as Creem for checkout and payment compliance, may act as independent controllers. We seek contractual and organizational safeguards appropriate to the processing.

6. AI training

We do not use Customer Content to train our own generalized AI models. Where a voice or speech provider offers a data-training opt-out, we enable it or obtain an agreement that prohibits generalized training before sending production Customer Content. Providers may process data to deliver the requested feature, maintain a user-specific voice, secure the service, prevent abuse, or comply with law.

7. Retention

Our principal retention periods are:

Longer retention may apply to fraud, security incidents, legal obligations, disputes, or legal claims. Full details are in the Privacy Policy.

8. International transfers

Personal data may be transferred from the EEA to Sri Lanka, the United States, and other countries where our providers operate. Where required, we rely on safeguards such as the European Commission’s Standard Contractual Clauses, an adequacy decision, or another lawful transfer mechanism. You may request information about applicable safeguards by contacting us.

9. Your GDPR rights

Subject to conditions and exceptions in the GDPR, you may request:

Send requests to support@readaloudtext.com. We may request information necessary to confirm identity and protect other people’s data. We normally respond within one month, subject to lawful extension for complex or numerous requests. Requests are generally free, although a reasonable fee or refusal may apply to manifestly unfounded or excessive requests as permitted by law.

10. Children

Users must be at least 16 to create an account and at least 18 to use voice cloning. A minor below the age of legal majority must have permission from a parent or guardian.

Children under 16 may use a listener-only link supplied by a teacher, parent, or guardian under adult supervision, but may not create an account, upload content, purchase a plan, or provide personal data. We do not offer a parental-consent workflow at this time.

11. Cookies

Essential cookies are used for login, sessions, preferences, and security. Google Analytics and other non-essential analytics are used only with consent where GDPR or applicable ePrivacy rules require it. Consent can be withdrawn without affecting essential Service functions, although disabling all cookies may prevent login.

12. Security and breaches

We apply measures appropriate to the risk, including encrypted transport, access controls, restricted administration, provider security controls, monitoring, and backups. If a personal-data breach creates a notification obligation, we will notify the appropriate authority and affected individuals as required.

13. EEA representative

We are established in Sri Lanka and have not yet appointed an EEA representative. Before specifically targeting or routinely offering the Service in the EEA in circumstances requiring a representative under GDPR Article 27, we will appoint one and publish the representative’s contact details here. Until then, GDPR requests should be sent directly to support@readaloudtext.com.

14. Updates and contact

We may update this Policy as processing or law changes. Material changes will receive additional notice where required.

Contact: support@readaloudtext.com