1. Introduction
SpeechMe is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR). This policy explains how we collect, process, store, and protect your personal data when you use the SpeechMe application.
2. Data controller
The data controller for SpeechMe is Eric Deaville trading as Apps n SaaS. For data protection enquiries: support@appsnsaas.com
3. Lawful bases for processing
We process personal data under the following lawful bases:
- Contract (Article 6(1)(b)) — Processing necessary to deliver the speech-writing service you have purchased.
- Consent (Article 6(1)(a)) — You provide explicit consent before your speech inputs are sent to Anthropic's AI service. This consent is recorded with a timestamp, version number, and the exact consent text shown to you.
- Legitimate interests (Article 6(1)(f)) — Analytics, fraud prevention, and service improvement, balanced against your rights. We have assessed that our legitimate interests do not override your rights and freedoms.
- Legal obligation (Article 6(1)(c)) — Tax records, transaction logs, and responding to lawful requests.
4. Personal data we collect
- Account data — Email address, display name, locale preference, authentication tokens (managed via Supabase Auth).
- Speech input data — Names, anecdotes, relationships, tone preferences, and other information you provide to generate a speech.
- Generated content — The AI-generated speech text and version history.
- Payment data — Transaction references and purchase history. Full payment card details are handled exclusively by Paddle and are never stored by SpeechMe.
- AI consent records — Timestamp, consent version, consent text, user agent, and IP address at the time consent was given.
- Audio data — Text-to-speech audio files generated via Google Cloud TTS, stored in secure cloud storage.
- Technical data — Browser type, device information, and usage patterns.
5. Third-party data processors
We share personal data with the following processors, each under appropriate safeguards and data processing agreements:
- Supabase Inc. — Database hosting, authentication, file storage, and edge function execution.
- Anthropic PBC — Your speech inputs are sent to Anthropic's Claude AI model for speech generation. Data sent to Anthropic is used solely to generate your speech and is not used to train AI models.
- Google Cloud (Text-to-Speech) — Speech text is sent to Google Cloud TTS to generate audio previews, processed under their Cloud Data Processing Addendum.
- Paddle.com Market Limited — Payment processing, invoicing, and tax compliance. Paddle acts as the Merchant of Record.
- Cloudflare — Bot protection (Turnstile) and CDN delivery.
Where data is transferred outside the UK/EEA, appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
6. Data retention
- Account data — Retained for the lifetime of your account. Deleted upon account deletion request.
- Speech data and inputs — Retained while your account is active. You can delete individual speeches at any time. Unpurchased speeches are automatically deleted after 30 days.
- AI consent records — Retained for 6 years after the consent event for legal compliance and audit purposes, even if the associated speech is deleted.
- Payment records — Retained for 7 years as required by UK tax law (managed by Paddle).
- Audio files — Retained while the associated speech exists. Deleted when the speech is deleted.
- Technical logs — Retained for up to 90 days for debugging and security purposes.
7. Your rights
Under UK GDPR, you have the following rights:
- Right of access (Article 15) — Request a copy of all personal data we hold about you.
- Right to rectification (Article 16) — Request correction of inaccurate data.
- Right to erasure (Article 17) — Request deletion of your personal data. You can delete your account directly within the app, which triggers deletion of your profile, speeches, inputs, and audio files.
- Right to restrict processing (Article 18) — Request that we pause processing of your data.
- Right to data portability (Article 20) — Request your data in a structured, machine-readable format.
- Right to object (Article 21) — Object to processing based on legitimate interests.
- Rights related to automated processing (Article 22) — The right to information about any automated processing that significantly affects you. Our AI generation does not constitute significant automated decision-making as you retain full review and control throughout the process.
To exercise any of these rights, contact support@appsnsaas.com. We will respond within 30 days at no charge. We may ask you to verify your identity before processing the request.
8. Security measures
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted (AES-256 via Supabase/AWS)
- AI and audio API calls are made from server-side edge functions — API keys are never exposed client-side
- Row-level security (RLS) is enforced at the database level
- Cloudflare Turnstile protects against automated abuse
- Anonymous authentication is used until payment, minimising personal data collected at onboarding
9. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
10. International transfers
Some of our third-party processors operate outside the UK/EEA (Anthropic and Google in the USA). All transfers are protected by Standard Contractual Clauses (SCCs) approved by the ICO, each processor's compliance with applicable data protection frameworks, and supplementary technical measures including encryption in transit and at rest.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
If you are based in the EU, you may also contact your local supervisory authority.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the app or email. The effective date at the top of this document will be updated accordingly.
13. Contact
Data protection enquiries: support@appsnsaas.com