Privacy Policy

Last updated: 2026-04-19

This document is a Claude-adapted template (based on free legal generators including Stripe Atlas and PrivacyPolicies.com). Professional attorney review is planned post-launch (see our risk ledger). For takedowns or disputes, email legal@iconicvoices.example.

We split this policy into two halves so you can tell what we do today apart from what we plan to do when our subscription billing goes live. Only Section A applies right now. Section B describes what will apply after Phase 4.

Section A — Data we collect today (waitlist only)

What we store

• Your email address (required to join the waitlist)
• Your first name (optional — used to personalize launch emails)
• Your preferred author from the catalog modal (optional — used to decide which titles to produce first)

Where it's stored

Waitlist entries are stored on our servers in a Supabase Postgres database hosted in the EU (Ireland) region. Access to this database is limited to the founder using service-role credentials managed via GitHub Actions secrets; the public anon key cannot read the leads table.

Retention: we keep waitlist entries until launch; after launch they are kept for 6 months unless you request deletion.

Your rights (GDPR / CCPA): you can request access, correction, or deletion of your data at any time by emailing privacy@iconicvoices.io. We respond within 30 days.

Why

We use your email to notify you when new titles launch and when the beta opens to paying customers. We do not sell your data.

Third parties (Section A)

Today, the waitlist path has NO third-party tracking. No Meta, TikTok, or Google analytics scripts fire unless you explicitly grant consent via our cookie banner. No social login, no session tracking, no ad-retargeting cookies.

Your rights (Section A)

• Access: email legal@iconicvoices.example with subject "Export my data" to receive everything we have on you within 72 hours.
• Deletion: email the same address with subject "Delete my data". We remove you from the waitlist and confirm within 72 hours.
• Rectification: reply to any launch email with corrections.
• Portability: today your data is a single email row — an export is trivial.

Section B — Data we'll collect when billing launches (Phase 4 plan)

This section describes the data processing we intend to add once subscription billing goes live (planned Phase 4 of the roadmap). None of this is active today. We document it here so you know what's coming; we will email waitlist members for re-consent before any of this is activated.

Account data

• Email address + password hash (handled by Supabase Auth; region to be decided — EU or US)
• Optional profile fields: display name, preferred language

Subscription data

• Stripe customer ID, subscription status, billing history (handled by Stripe)
• Billing address as required for VAT compliance (handled by Stripe Tax)
• Transaction records retained for 7 years per tax-audit requirements

Usage data

• Listening progress per title (stored in Supabase; user-scoped)
• Bookmarks you create
• Session tokens (needed to keep you logged in)

Third-party processors (Section B — planned)

• Supabase — Postgres + Auth + Edge Functions (region TBD)
• Stripe — subscription billing + Stripe Tax
• Cloudflare R2 — audio file storage and delivery
• Resend — transactional email
• Plausible or Umami — privacy-first analytics (we use these without personal-data cookies; see Cookie Policy)
• Meta Pixel — ad measurement (fires only if you grant marketing-cookie consent)
• TikTok Pixel — ad measurement (same consent gate as Meta)

Cross-border transfers

For EU/UK users, data transfers to US-based processors (Stripe, possibly Supabase US region) will rely on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses where the processor participates. Privacy Shield is deprecated; we do not rely on it.

Cross-references

• Cookie Policy — exactly which cookies we use today and when
• Voice Rights Disclosure — EU AI Act Art. 50 and right-of-publicity
• Terms of Service — rules governing use of the service
• Data Subject Request workflow — see LEGAL/GDPR-DSR-FLOW.md (referenced by email; Phase 3 will implement in-app self-service)

Standards we follow

We aim to comply with:

• GDPR (EU 2016/679) — users in the EU
• CCPA / CPRA — users in California
• CalOPPA — California online privacy disclosure
• EU-US Data Privacy Framework (DPF) — for Phase 4 cross-border transfers (Privacy Shield is deprecated and not relied upon)

Changes to this policy

If we make material changes, we will notify waitlist subscribers by email at least 14 days in advance and update "Last updated" above. If we activate Section B (billing launch), we will require explicit opt-in.

Contact

Privacy questions or data requests: legal@iconicvoices.example. We respond within 72 hours (GDPR timeline).