Privacy Policy
Last updated: February 12, 2026
1. Introduction
TTSAudit ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our text-to-speech quality assurance service, including our website, dashboard, and REST API (collectively, "the Service").
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please do not use the Service.
2. Information We Collect
Account Information: When you create an account, we collect your email address, display name, and authentication provider (email/password or Google). If you enable multi-factor authentication (MFA), we collect the phone number you provide for verification. This information is managed through Firebase Authentication.
Payment Information: When you purchase credits, payment processing is handled entirely by Stripe. We receive and store your Stripe customer identifier, transaction records (amount, currency, timestamps), and receipt URLs. We do not receive, process, or store your credit card numbers, bank account details, or other sensitive payment instrument data. If you enable Auto Top-Up, we store a reference to your Stripe payment method identifier.
Audio Content: When you submit audio files for analysis, those files may be temporarily stored in our cloud storage infrastructure (Cloudflare R2) for the duration of an audit session. Supported formats include MP3, WAV, OGG, FLAC, MP4, M4A, AAC, and Opus. Audio files may also be fetched from URLs you provide and processed in memory.
Analysis Results: We store the results of your audio analyses, including anomaly scores, classification labels, confidence levels, speaker consistency matrices, quality metrics, pace measurements, and associated metadata.
API Usage Data: We log API requests including timestamps, request parameters (accuracy level, analysis types selected, file counts), credit consumption, API key hashes (not the raw keys), and response status codes.
Device and Browser Information: We collect standard web analytics data through Google Analytics, including browser type and version, operating system, device type, screen resolution, referring URLs, pages visited, session duration, and interaction events (such as page views, signups, and audit completions).
Network Information: We collect IP addresses for rate limiting, abuse prevention, and security monitoring. IP addresses are logged with API requests and authentication events.
Authentication Protection Data: Signup and authentication flows are protected by Firebase Authentication safeguards, including Google-managed anti-abuse controls and risk signals to prevent automated account creation and credential abuse.
3. How We Use Your Information
Service Delivery: To create and manage your account, authenticate your identity, process your API requests, perform audio analysis, deliver results, and manage your credit balance.
Payment Processing: To process credit purchases, manage Auto Top-Up billing, generate receipts, and maintain transaction history.
Security and Abuse Prevention: To protect the Service and its users through rate limiting, bot detection, fraud prevention, and monitoring for unauthorized access or suspicious activity.
Service Improvement: To analyze aggregated, anonymized usage patterns to improve the Service's performance, reliability, and features. We do not use your audio content for model training or improvement.
Communications: To send you important service notifications, security alerts, billing confirmations, and updates about material changes to the Service or these policies. We do not send marketing emails unless you explicitly opt in.
Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
4. Audio Data Handling
The Service is designed exclusively for synthetic (text-to-speech) audio. You must not submit recordings of natural human speech. By submitting audio, you represent that it is synthetically generated. See our Terms of Service (Section 7) for full details on this requirement.
Audio files that you upload directly to the Service are stored in Cloudflare R2 cloud storage under your audit session for the purpose of enabling result review and audio playback. These files are accessible only through time-limited presigned URLs (valid for 1 hour) and are associated with your user account.
Audio files processed via URL are fetched from the provided source, analyzed in GPU memory, and not persisted to our storage unless associated with a saved audit session.
We do not use your audio files to train, fine-tune, or evaluate our machine learning models. Your audio content is processed solely to fulfill the analysis you requested.
Audio files associated with audit sessions are retained for at least 90 days. You may delete individual audit sessions and their associated files at any time through the dashboard. When an audit session is deleted or archived, the associated audio files are removed from storage.
Audio analysis is performed using neural speaker embedding models (SpeechBrain ECAPA-VoxCeleb), automatic speech recognition (faster-whisper), and digital signal processing algorithms. These models generate numerical feature vectors for comparison and transcription purposes. Because the Service processes only synthetic audio, these feature vectors do not constitute biometric data of any identifiable natural person. Processing occurs on GPU infrastructure provided by Modal. Audio data is held in memory during processing and is not persisted on GPU infrastructure.
5. Cookies and Local Storage
Firebase Authentication: Firebase may set cookies and use browser storage mechanisms to manage authentication sessions and maintain your signed-in state.
Google Analytics: We use Google Analytics (Measurement ID: G-QTXQRPL8M3 in production), which sets cookies to distinguish unique users, track sessions, and measure site interactions. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
Local Storage: The Service stores the following data in your browser's local storage: your API key (key: tts_audit_api_key) for convenience when using the dashboard, and raw API key data (key: tts_raw_keys) for key management. These values are stored locally on your device and are not transmitted to third parties.
We do not use advertising cookies or third-party tracking cookies beyond those described above.
6. Third-Party Service Providers
We share data with the following third-party service providers, who assist in operating the Service. Each provider processes data only as necessary to perform its function:
Google Cloud Platform / Firebase: Provides authentication services (Firebase Authentication), database storage (Cloud Firestore), cloud functions, and application hosting. User account data, audit session metadata, API key hashes, usage records, and credit transaction records are stored in Firestore. Google's privacy policy: https://policies.google.com/privacy
Stripe: Processes all payment transactions including credit purchases and Auto Top-Up charges. Stripe receives your payment information directly; we only receive transaction confirmations and identifiers. Stripe's privacy policy: https://stripe.com/privacy
Cloudflare: Provides content delivery, DDoS protection, DNS, web application firewall, and R2 object storage for audio files. Cloudflare processes network request data under their privacy policy: https://www.cloudflare.com/privacypolicy/
Modal: Provides GPU compute infrastructure for running audio analysis workloads. Audio data is transmitted to Modal for processing and is held in memory during analysis. Modal's privacy policy: https://modal.com/privacy
Sentry: Provides error monitoring and performance tracking. Sentry may receive error details, stack traces, and request metadata when errors occur. Sentry's privacy policy: https://sentry.io/privacy/
Google Analytics: Provides web analytics to help us understand how users interact with the Service. Google Analytics collects anonymized usage data as described in the Cookies section. Google's privacy policy: https://policies.google.com/privacy
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
7. Data Security
We implement industry-standard security measures to protect your data:
Encryption in Transit: All communication between your browser/application and our servers is encrypted using TLS 1.3. API requests, audio file uploads, and all data transfers occur exclusively over HTTPS.
API Key Security: API keys are hashed using SHA-256 before storage. We do not store raw API keys and cannot recover them after initial creation. Each account is limited to 10 active API keys.
Authentication: User authentication is managed by Firebase Authentication, which supports secure password hashing, session management, and optional multi-factor authentication.
Infrastructure Security: The Service runs on Google Cloud infrastructure with SOC 2 and ISO 27001 compliance. All infrastructure is provisioned with least-privilege IAM policies. Secrets and credentials are managed through environment variables and are never exposed in client-side code.
Access Controls: Firestore security rules enforce that users can only read their own data. Administrative operations require a separate authentication mechanism. Account data, credit balances, and transaction records cannot be modified directly by users.
While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. Data Retention
Account Data: Your account information (email, display name, authentication details) is retained for as long as your account is active.
Audit Sessions and Results: Analysis results and session metadata are retained indefinitely for as long as your account is active. Associated audio files are retained for at least 90 days. You may manually delete sessions at any time.
Credit and Transaction Records: Purchase history, credit transactions, and billing records are retained for the lifetime of your account and for up to 7 years after account deletion for tax and legal compliance purposes.
Usage Logs: API request logs, including timestamps, IP addresses, and request metadata, are retained for 90 days for security monitoring and debugging.
Account Deletion: When you delete your account through the dashboard, all associated data - including your profile, API keys, audit sessions, audio files, and analysis results - is permanently purged within 30 days. Transaction records may be retained longer as required by law.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Right of Access: You may request a copy of the personal data we hold about you. Account data, usage history, and analysis results are accessible through the dashboard and API.
Right to Rectification: You may update your account information (display name, email) through the dashboard at any time.
Right to Deletion: You may delete your account and all associated data through the dashboard. You may also request deletion by contacting us at hi@ttsaudit.com.
Right to Data Portability: You may export your analysis results in JSON format via the dashboard or API.
Right to Object: You may object to certain processing of your data. If you object to processing that is essential to the Service, you may need to stop using the Service.
Right to Restrict Processing: You may request that we limit the processing of your personal data under certain circumstances.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
We do not sell personal information as defined by the CCPA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
To exercise your CCPA rights, contact us at hi@ttsaudit.com. We will verify your identity before processing your request.
11. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
Legal Bases for Processing: We process your personal data based on the following legal grounds: (a) performance of a contract (to provide the Service); (b) legitimate interests (security, abuse prevention, service improvement); (c) consent (for analytics and optional features); (d) legal obligations (tax and regulatory compliance).
Data Transfers: Your data may be transferred to and processed in the United States and other countries where our service providers operate. These transfers are governed by Standard Contractual Clauses or other approved transfer mechanisms.
You may exercise your GDPR rights by contacting us at hi@ttsaudit.com. You also have the right to lodge a complaint with your local data protection authority.
12. International Data Transfers
The Service is operated from the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States and potentially other countries where our infrastructure providers maintain data centers.
Our primary infrastructure providers (Google Cloud, Cloudflare, Stripe) maintain data centers globally and implement appropriate safeguards for international data transfers, including Standard Contractual Clauses and adherence to relevant data protection frameworks.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions as described in this Privacy Policy.
13. Children's Privacy
The Service is not directed to children under the age of 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete that information as promptly as possible.
If you believe that a child has provided us with personal information, please contact us at hi@ttsaudit.com.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We may notify registered users of material changes via email or through a prominent notice on the Service, but are not obligated to provide advance notice.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
The "Last updated" date at the top of this page indicates the most recent revision.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: hi@ttsaudit.com
You may also reach us through the contact form on our website at https://ttsaudit.com/contact.
We will respond to privacy-related inquiries within 30 days.