Privacy Policy
Last updated: March 2026
This Privacy Policy informs you in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) about how SpokenFeeds processes personal data.
1. Data Controller
Controller within the meaning of the GDPR (Art. 4(7)):
Rainer Perl
Bergstraße 4
3433 Königstetten
Austria
Email: [email protected]
2. Data We Collect
2.1 Account Data
When you register via an OAuth provider (Google, Microsoft, or Meta), the respective provider transmits the following to us:
- Email address
- OAuth provider ID (unique user identifier of the provider)
- Display name (optional, provided by the provider)
We do not store passwords. Authentication is carried out exclusively via the respective OAuth provider.
2.2 Voice Data (Biometric Data)
For the voice cloning feature, you may upload WAV audio files or provide a voice description. We process:
- Uploaded WAV audio files (stored in normalized form)
- Machine-generated voice samples (based on your description)
- Reference texts associated with the uploaded audio
Important: Voice data is treated as biometric data within the meaning of Art. 4(14) and Art. 9 GDPR. See Section 4.
2.3 Usage Data
- Subscribed RSS feeds (URLs and categories)
- Manually submitted URLs
- Generated audio files (cloud storage path, metadata)
- Subscription status and payment history (via Stripe)
- Optional Telegram chat ID when Telegram delivery is enabled
2.4 Technical Data
- IP address (in server access log files)
- Browser type and operating system (user agent, in log files)
- Time and duration of the session
- Session cookies and CSRF tokens (technically necessary)
3. Legal Basis
3.1 Performance of Contract (Art. 6(1)(b) GDPR)
The processing of your account data, subscribed feeds, and generated audio files is necessary for the provision of the contractually agreed service.
3.2 Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)
The processing of voice data as biometric data is carried out exclusively on the basis of your express consent, which you grant when uploading a voice sample. You may withdraw this consent at any time (see Section 4).
3.3 Legitimate Interest (Art. 6(1)(f) GDPR)
The storage of IP addresses in server log files serves the security of the service, defense against attacks, and error analysis. Our legitimate interest outweighs your interest in non-processing, as the data is only stored for a short period and for a specific purpose.
3.4 Legal Obligation (Art. 6(1)(c) GDPR)
To the extent that we are legally obligated to retain data (e.g., tax-related record-keeping obligations for payment data), processing is carried out on this basis.
4. Biometric Data — Special Notice
SpokenFeeds treats voice samples as biometric data pursuant to Art. 4(14) and Art. 9 GDPR. This category enjoys special protection.
Consent and Purpose
Voice data is used exclusively for personalized text-to-speech synthesis within your own account. It is neither disclosed to third parties nor used for AI model training.
Withdrawal of Consent
You may withdraw your consent to the processing of voice data at any time by deleting the respective voice sample from your account or by deleting your account entirely. After withdrawal, all associated audio files (voice samples and generated audio files using that voice) will be promptly and irreversibly deleted.
Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal (Art. 7(3) GDPR).
Retention Period for Biometric Data
Voice samples are stored as long as your account is active and the voice sample has not been deleted. Upon account deletion or withdrawal of consent, all voice data will be irreversibly deleted within 30 days.
Notice for Users from Illinois, USA (BIPA)
To the extent that the Illinois Biometric Information Privacy Act (BIPA) applies, the following additional notices apply:
- SpokenFeeds collects voiceprints solely for the purpose of personalized speech synthesis within the service.
- Biometric data is not sold, leased, traded, or otherwise disclosed for compensation.
- The retention period ends with the deletion of the voice sample or account deletion, but no later than three (3) years after the last use of the service.
- To exercise your BIPA rights, please contact [email protected].
5. Data Processors and Third-Country Transfers
We use the following data processors. To the extent that data is transferred to third countries (outside the EEA), we rely on the stated safeguards.
| Provider | Purpose | Country | Safeguard (Third-Country Transfer) |
|---|---|---|---|
| Hetzner Cloud GmbH | Server hosting (backend, database) | Germany (EU) | No third-country transfer |
| Cloudflare, Inc. (R2) | Object storage for audio files and voice samples | USA | EU-US Data Privacy Framework (DPF) |
| Google LLC | OAuth login (optional) | USA | EU-US Data Privacy Framework (DPF) |
| Microsoft Corporation | OAuth login (optional) | USA | EU-US Data Privacy Framework (DPF) |
| Meta Platforms, Inc. | OAuth login (optional) | USA | EU-US Data Privacy Framework (DPF) |
| Stripe, Inc. | Payment processing | USA | EU-US Data Privacy Framework (DPF) |
| MiniMax (Hangzhou Baihe Technology) | AI text summarization (article content only, no personal data) | China / Singapore | EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) |
| Telegram FZ-LLC | Audio delivery via Telegram (opt-in only) | United Arab Emirates | EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) |
Note on MiniMax: Only article content (text from publicly accessible RSS feeds and URLs) is transmitted to the AI summarization service. No personal data such as name, email address, or voice data is shared with MiniMax.
Note on Telegram: Telegram delivery is entirely optional. It is only activated when you enter your Telegram chat ID in the settings.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, OAuth ID) | Until account deletion |
| Voice data (biometric data) | Until withdrawal of consent or account deletion |
| Generated audio files | 7 days after creation, then automatically deleted |
| Subscribed feeds and usage data | Until account deletion |
| Server log files (IP addresses) | 30 days |
| Payment data (via Stripe) | As required by statutory retention obligation (7 years, Section 212 Austrian Commercial Code (UGB)) |
After account deletion, all personal data will be irreversibly deleted within 30 days, unless a statutory retention obligation requires otherwise.
7. Your Rights
You have the following rights with respect to your personal data:
Rights under the GDPR (Art. 15–22)
- Access (Art. 15): You may request information about the data we process.
- Rectification (Art. 16): You may request the correction of inaccurate data.
- Erasure (Art. 17): You may request the deletion of your data ("right to be forgotten").
- Restriction (Art. 18): You may request the restriction of processing.
- Data Portability (Art. 20): You may receive your data in a machine-readable format.
- Objection (Art. 21): You may object to processing based on legitimate interest.
Withdrawal of Consent (Art. 7(3) GDPR)
To the extent that processing is based on your consent (in particular voice data), you may withdraw it at any time without giving reasons. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. In Austria, this is:
Austrian Data Protection Authority (DSB)
Barichgasse 40–42, 1030 Vienna
www.dsb.gv.at
Users in the United Kingdom may contact the Information Commissioner's Office (ICO).
To exercise your rights, please contact: [email protected]
8. Cookies
SpokenFeeds uses only technically necessary cookies:
| Cookie | Purpose | Retention |
|---|---|---|
| .AspNetCore.Session | Session management (login status) | Session duration |
| .AspNetCore.Antiforgery.* | CSRF protection (security) | Session duration |
We do not use tracking cookies, analytics cookies, or advertising cookies. Cookie consent (cookie banner) is therefore not required, as only technically necessary cookies are used (Austrian Telecommunications Act (TKG) 2021, Section 165(3), exemption for strictly necessary cookies).
9. Contact for Data Protection Inquiries
For inquiries regarding data protection, information about stored data, or to exercise your rights, please contact us exclusively by email at:
We typically respond to data protection inquiries within 30 days. For complex requests, this period may be extended to up to 3 months (Art. 12(3) GDPR); we will inform you in such cases.