NaturalTTS Privacy Policy

Last updated: 18 April 2026

This Privacy Policy explains how NaturalTTS (“we”, “us”, “our”) collects, uses, stores, and shares personal data when you use https://naturaltts.org/and our related services (the “Services”).

This policy covers our obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Family Educational Rights and Privacy Act (FERPA), and the Children’s Online Privacy Protection Act (COPPA).

1. Who We Are

NaturalTTS is a software platform providing text-to-speech services for educational, accessibility, and professional use.

We have not yet designated a formal Data Protection Officer (DPO). If your jurisdiction requires one and you need to reach the data privacy function, contact privacy@naturaltts.org.

2. Age Restriction , Children’s Privacy (COPPA / GDPR Art. 8)

NaturalTTS is not directed to children under 13 (or under 16 where required by local law). We do not knowingly collect personal data from children below these ages without verifiable parental or school consent.

Users must confirm they are 13 or older when creating an account. If you are a school or university deploying NaturalTTS for students who may be under these ages, your institution is responsible for obtaining any required consent under COPPA, FERPA, or applicable local law before allowing those students to use the Services.

If we become aware that we have collected personal data from a child without appropriate consent, we will delete it promptly. Contact privacy@naturaltts.org.

3. Information We Collect

Account Information

  • name
  • email address
  • hashed password (never stored in plain text)
  • institution or organization name
  • role or title
  • age confirmation (boolean)

Workspace and Subscription Information

  • plan type and status
  • seat and character usage
  • billing-related metadata
  • transaction and invoice references

Content You Submit

  • text entered into the converter
  • files uploaded for conversion (PDF, DOCX)
  • generated audio file references
  • saved conversion history and project titles

Communications

  • support messages and thread history
  • EDU Pilot requests
  • academic partnership requests
  • emails and communications with us

Technical and Usage Information

  • IP address (hashed where stored for consent records)
  • browser type and version
  • device information
  • server log data
  • approximate location derived from IP
  • cookies and similar technologies (see Section 14)
  • analytics and product usage events (only with your consent)

Consent Records

We record your cookie consent choices (analytics yes/no, marketing yes/no) along with the policy version and a hashed IP address. This is required to demonstrate lawful basis.

4. How We Use Information

We use information to:

  • provide, maintain, and improve the Services
  • create and manage user accounts and workspaces
  • process text-to-speech requests
  • store conversion history and generated content metadata
  • enforce usage limits and seat controls
  • provide support and respond to inquiries
  • evaluate EDU Pilot and partnership requests
  • send transactional and service-related communications
  • send marketing emails where you have given explicit consent (see Section 5)
  • monitor security, detect abuse, and prevent fraud
  • comply with legal obligations
  • analyze service performance and product adoption (only with analytics consent)

We do not use submitted text, files, or audio to train AI or machine learning models.

5. Marketing Emails

What we send

If you have chosen to receive marketing emails from us, we send three categories of messages:

  • Product updates— announcements of new features, improvements, and changes to NaturalTTS that we think will be useful to you.
  • Educational content— articles, guides, and practical resources on text-to-speech, accessibility, and related topics.
  • Promotions— occasional offers, such as discounts on paid plans, early access to new programs, or invitations to events.

You can choose which of these categories you want to receive at any time through your email preferences pageor the “Email preferences” link in your account settings.

Marketing emails are separate from transactional emails. Transactional emails — password resets, account confirmations, EDU Pilot approvals, billing receipts, plan-change notifications, and service-critical announcements — are sent regardless of your marketing-email preferences, because they are necessary to provide the service you have signed up for.

Legal basis for processing

We process your email address and related data for marketing purposes on the basis of your explicit consent, as required by Article 6(1)(a) of the GDPR for users in the European Economic Area and the United Kingdom.

For users outside the EEA and the UK, we rely on the legal basis applicable in your jurisdiction (for example, express consent under CASL in Canada, and opt-in requirements under applicable US state privacy laws).

We do notrely on “legitimate interest” as a legal basis for sending marketing emails, and we do not email existing users about marketing offers unless they have explicitly opted in.

What data we process

For marketing emails, we process:

  • Your email address.
  • Your name (if you have provided one), used to personalize the email greeting.
  • Your preferences (which categories of email you have opted in to).
  • The timestamp and method of your opt-in (what page or flow you used to consent).
  • Engagement data: whether emails were delivered, opened, clicked, bounced, or marked as spam.
  • Your country, where we have this information from billing, to comply with regional regulations.

We do not use the content of documents you upload to NaturalTTS, or the audio we generate for you, for any marketing purpose.

How we send marketing emails

Marketing emails are sent from the subdomain mail.naturaltts.org, using Resend as our email delivery provider. Resend acts as a data processor on our behalf and is contractually obligated to process your data only according to our instructions. This is a separate sending path from our transactional emails, which helps protect the deliverability of service-critical messages regardless of marketing activity.

Because Resend is a US-based service, sending marketing email to EEA or UK residents involves a transfer of personal data outside the EEA/UK. This transfer is governed by Standard Contractual Clauses (SCCs) between us and Resend. See Section 15 for more on international transfers.

How long we keep this data

  • Consent records (when you opted in, how, and any subsequent changes) are retained for as long as your account exists, plus up to three years after your account is closed, to allow us to demonstrate compliance in the event of a regulatory inquiry.
  • Engagement data (opens, clicks, bounces, complaints) is retained for 24 months for deliverability analysis, after which it is aggregated and anonymized.
  • If you unsubscribe or delete your account, we retain a record of your opt-out to ensure we do not accidentally email you again in future campaigns.

Your rights regarding marketing email

You can, at any time and without giving a reason:

  • Unsubscribefrom all marketing emails by clicking the unsubscribe link at the bottom of any marketing email, by using Gmail’s or Outlook’s one-click unsubscribe, or by visiting your email preferences page.
  • Change which categories you receive through the email preferences page.
  • Request a copy of the marketing data we hold about you by emailing contact@naturaltts.org.
  • Request deletion of your marketing data by emailing contact@naturaltts.org.
  • Object or restrict processing under GDPR Articles 18 and 21. Unsubscribing already satisfies most objection requests; for broader requests, contact us directly.
  • Lodge a complaintwith a supervisory authority if you believe your data has been handled unlawfully. For users in the EU, this is the data protection authority in your country of residence. For users in the UK, it is the Information Commissioner’s Office.

We aim to respond to data-subject requests within 30 days, as required under GDPR.

How we obtain consent

We obtain marketing consent through one of the following paths, and we record which path was used:

  • Signup checkbox— an unticked opt-in box on our signup form, which you actively check before creating your account. This box is never pre-filled.
  • Preference center — you can opt in to marketing at any time through your email preferences page, logged in to your account.
  • Re-permission email— for users who signed up before this policy took effect, we send a one-time email asking whether they would like to receive marketing from us. Clicking “Yes, keep me subscribed” in that email constitutes consent.

We do not bundle marketing consent with other agreements such as Terms of Service or this Privacy Policy. You can use NaturalTTS fully without opting in to marketing, and you can use NaturalTTS fully if you later opt out.

Contact for marketing email questions

  • Email: contact@naturaltts.orgwith “Privacy” in the subject
  • Postal: ⚠ [TODO — legal company address required by CAN-SPAM — confirm final address with legal before publishing]

For users in the EEA, our representative under GDPR Article 27 is: ⚠ [TODO — confirm with legal whether an Article 27 EEA representative is required given NaturalTTS's operating jurisdiction; if required, list name and contact here]

6. Legal Bases (EU GDPR / UK GDPR)

Where required by applicable law, we rely on one or more of the following legal bases:

  • Performance of a contract , providing the Services you signed up for
  • Legitimate interests , security, abuse prevention, product improvement
  • Compliance with legal obligations , tax, fraud, regulatory requirements
  • Consent , analytics cookies, and marketing email communications (see Section 5)

7. FERPA (US Educational Institutions)

Where NaturalTTS is used by a US educational institution and student education records are submitted to the Services, we act as a “school official” with a legitimate educational interest as defined under FERPA (20 U.S.C. § 1232g).

  • We will not disclose education records to third parties except as required to provide the Services or by law.
  • We will not use student data for advertising or to build profiles for non-educational purposes.
  • Institutions may request deletion of student data at any time by contacting privacy@naturaltts.org.
  • Institutional customers requiring a FERPA-compliant Data Processing Agreement (DPA) should contact us at contact@naturaltts.org.

8. Payments and FastSpring

If you purchase a paid subscription, payments are processed by FastSpring, who acts as Merchant of Record. Billing and transaction data is processed by FastSpring for payment processing, tax handling, subscription management, receipts, cancellations, and refund handling. FastSpring’s privacy policy applies to data they collect.

9. Sub-processors

We share personal data with the following categories of sub-processors:

Sub-processorPurposeLocation
Cloudflare R2Audio file and document storageUS / EU
OpenAIText-to-speech generationUS
ResendTransactional and marketing email delivery (separate sending paths)US
FastSpringPayment processing (Merchant of Record)US / global
Google AnalyticsProduct analytics (consent-gated)US
Vercel / hostingApplication hosting and CDNUS / EU
Neon / Supabase / PostgreSQL hostDatabase hostingUS / EU

We enter into Data Processing Agreements (DPAs) with sub-processors where required. To request an updated sub-processor list, email privacy@naturaltts.org.

10. How We Share Information

We may share information with:

  • sub-processors listed above, under contractual data protection obligations
  • legal, regulatory, or law-enforcement bodies where required by law
  • a successor entity in the event of a merger, acquisition, or asset sale (users will be notified)

We do notsell personal data for money. Under CCPA/CPRA, we do not “sell” or “share” personal information for cross-context behavioral advertising.

11. Content Processing

Text and files submitted to NaturalTTS are processed solely to provide speech generation and related functionality. Content is transmitted to our TTS provider (OpenAI) for audio generation and stored temporarily on Cloudflare R2. We do not use your content to train AI models.

You should only upload or submit content you are authorized to use and process.

If you use NaturalTTS through a school, university, or organization, that institution remains responsible for assessing whether the data it submits is appropriate for processing under its own policies and applicable law.

12. Data Retention

We retain personal data as follows:

  • Account data: for the duration of your account plus up to 90 days after deletion to allow recovery from accidental deletion
  • Conversion jobs and audio: for the duration of your subscription; audio files may be purged sooner to manage storage
  • Support threads: up to 2 years after the thread is resolved
  • Billing records: up to 7 years as required by tax and accounting law
  • Audit and security logs: up to 1 year
  • Consent records (cookie and marketing): up to 3 years as evidence of lawful processing; see Section 5 for marketing-specific retention
  • Email logs: up to 1 year
  • Marketing engagement data (opens, clicks, bounces): 24 months, then aggregated and anonymized

You may request early deletion at any time. See Section 16 for your rights and how to exercise them.

13. Security

We use reasonable technical and organizational measures to protect personal data, including:

  • passwords stored as bcrypt hashes (never in plain text)
  • HTTPS / TLS for all data in transit
  • pre-signed, expiring URLs for file access
  • role-based access controls
  • server-side rate limiting and abuse detection
  • audit logging for administrative actions

No online service can guarantee absolute security. In the event of a personal data breach we will notify affected users and the relevant supervisory authority as required by applicable law.

14. Cookies and Similar Technologies

We use the following categories of cookies:

  • Strictly necessary: Authentication session cookies set by NextAuth. These are required for the Services to function and do not require consent.
  • Analytics (consent required):Google Analytics (GA4) to understand how users interact with the product. These are only loaded after you accept analytics cookies via our cookie banner. You can withdraw consent at any time by clicking “Reject analytics” in the cookie banner (accessible by clearing your browser cookies and revisiting the site).

You can manage cookies through your browser settings. Note that disabling strictly necessary cookies will prevent login from working.

15. International Transfers

Your data may be processed in countries outside your own, including the United States. Where we transfer personal data from the EU/EEA or UK to third countries, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable
  • adequacy decisions where available

This includes transfers to Resend for email delivery (both transactional and marketing). Resend processes data in the United States under SCCs.

16. Your Rights

Depending on your location, you may have the following rights. To exercise any of them, contact privacy@naturaltts.org. We will respond within 30 days.

EU GDPR and UK GDPR rights

  • Art. 15 , Access: request a copy of your personal data
  • Art. 16 , Rectification: correct inaccurate data
  • Art. 17 , Erasure: request deletion of your account and data. You can also do this directly from Settings → Delete account.
  • Art. 18 , Restriction: restrict processing in certain circumstances
  • Art. 20 , Portability: download your data as JSON from Settings → Download my data.
  • Art. 21 , Objection: object to processing based on legitimate interests
  • Art. 7(3) , Withdraw consent: withdraw analytics consent via the cookie banner, or withdraw marketing email consent via the email preferences page, at any time
  • Lodge a complaint: you may lodge a complaint with your local supervisory authority

California rights (CCPA/CPRA)

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information (submit via Settings or email us)
  • Right to correct inaccurate personal information
  • Right to opt-out of the sale or sharing of personal information (we do not sell or share data)
  • Right to non-discrimination for exercising your rights

California residents may submit requests to privacy@naturaltts.org. We do not discriminate against users who exercise their privacy rights.

17. Supervisory Authorities

If you are in the EU/EEA and believe we have not handled your data lawfully, you may lodge a complaint with the data protection authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.

If you are in the United Kingdom, you may contact the Information Commissioner’s Office (ICO): ico.org.uk · 0303 123 1113.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The revised version will be posted on https://naturaltts.org/privacy with an updated date. For material changes we will notify registered users by email or via an in-app notice.

If we change the categories of marketing email we send, the legal basis for processing, or any material aspect of how we handle marketing data, we will update Section 5 and notify active subscribers by email before the changes take effect.

19. Contact

For privacy questions, requests, or to exercise your rights: