Privacy Policy
Last updated: 2026-05-16. Effective immediately. Version 2.0.
0. At a glance (non-binding)
We collect what we need to run Audexum: your email, password hash, plan, the text you submit, basic usage counters, and your Stripe customer ID. We use one session cookie. We do not run third-party advertising trackers, sell data, or train AI models on your inputs. Our servers are in the EU. The full policy below controls.
Analytics: we use self-hosted Umami for aggregate traffic analytics. No cookies, no cross-site tracking, no IP address storage. All analytics data stays on our EU servers.
1. Who we are; how to contact us
- Controller: Audexum EOOD, a Bulgarian limited liability company (the "Operator", "we", "us").
- Registered seat: [to be inserted on registration]
- UIC / VAT: [to be inserted on registration]
- Privacy contact: [email protected]
- EU Representative (Art. 27 GDPR): not required — controller is established in the EU (Bulgaria).
- DPO: not required under Article 37 GDPR for our current processing; the privacy contact above handles all data-subject inquiries.
2. Scope
This Privacy Policy explains how we process personal data when you visit audexum.com, use the Studio, call the API, sign up, pay, or contact us. It also covers personal data we process on behalf of business customers under our Data Processing Addendum.
3. Personal data we collect
- Account data: email address; bcrypt-hashed password (we never see the plaintext); optional Google account ID and primary email (only if you sign in with Google); email-verification status; plan tier; account creation timestamp.
- API credentials: the prefix and a bcrypt hash of each API Key you generate; an optional label you choose; last-used timestamp; revocation timestamp.
- Billing data: your Stripe customer ID, your subscription status and current period, the amount and currency of invoices, the country we charge VAT in. Card numbers, bank details, and 3-D Secure data are handled directly by Stripe; we do not see, store, or have access to them.
- Submitted text (Inputs): the text content you submit for synthesis, plus voice ID, language code, speed, and steps parameters.
- Generated audio metadata: character count, generation time, audio duration, real-time factor, voice and language used.
- Saved content: presets you create, batch jobs you queue (status, parameters, downloadable result link, completion timestamp), and history entries (text, parameters, metadata).
- Usage counters: characters consumed per calendar month, per Account.
- Chat assistant: the messages you send to the assistant on our website, its replies, which page it offered to take you to, and how long the reply took. Your message is sent to a language model running on our own servers in the EU — it is not sent to any third-party AI provider. You do not need an account to use it; if you are signed in, the exchange is linked to your Account.
- Technical / connection data: IP address, user-agent string, request timestamps, request paths, response status codes, error messages. IP addresses are mainly processed transiently for rate-limiting, fraud prevention, and security incident analysis. Some records do store the originating IP alongside the entry itself — feedback submissions, chat messages, free-tool leads, and the signup / terms-acceptance record — and those are kept for the periods set out in Section 8.
- Email correspondence: the content of emails you send to us and our replies, for as long as needed to resolve the matter.
- Verification codes: short-lived (typically under 24 hours) one-time codes generated to verify your email address or reset your password; deleted automatically once consumed or expired.
- Cookies: see Section 9 and our Cookie Policy.
We do not deliberately collect special categories of personal data (Article 9 GDPR) such as health data, biometric data, racial or ethnic origin, religious beliefs, political opinions, trade-union membership, or sex-life data. Do not submit such data through the Service. We do not collect children's data — see Section 12.
4. Where the data comes from
- directly from you (sign-up, account settings, Inputs, billing forms, support emails);
- from your browser or HTTP client (technical / connection data, cookies);
- from Stripe (subscription events, payment outcomes — never card numbers);
- from Google (if you sign in with Google, the Google account ID and primary email).
5. Purposes and legal bases (Article 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Create and maintain your Account; authenticate sessions and API requests | Performance of a contract — Art. 6(1)(b) |
| Generate Output from your Input; deliver the Service | Performance of a contract — Art. 6(1)(b) |
| Bill you, process payments, manage subscriptions | Performance of a contract — Art. 6(1)(b) |
| Keep invoices, accounting, tax records | Legal obligation — Art. 6(1)(c) (Bulgarian Accountancy Act; Tax-Insurance Procedure Code; VAT Act) |
| Rate-limit, prevent abuse, fraud detection, security monitoring | Legitimate interest — Art. 6(1)(f), to protect the Service and our other users |
| Respond to support emails, handle complaints | Performance of a contract / legitimate interest — Art. 6(1)(b) and (f) |
| Send transactional email (email verification, password reset, billing receipts, security alerts, material policy updates) | Performance of a contract — Art. 6(1)(b) |
| Send marketing email (product updates, newsletters) | Consent — Art. 6(1)(a), where required; withdraw any time via the unsubscribe link or by emailing [email protected] |
| Comply with court orders, regulatory requests, law-enforcement requests | Legal obligation — Art. 6(1)(c) |
| Establish, exercise, or defend legal claims | Legitimate interest — Art. 6(1)(f) |
| Produce aggregate, de-identified analytics about Service usage | Legitimate interest — Art. 6(1)(f) |
We do not use your Input or Output to train, fine-tune, or evaluate machine-learning models. We do not sell personal data, and we do not perform cross-context behavioural advertising.
6. Sub-processors and recipients
We use a small number of carefully selected sub-processors to operate the Service. Each is bound by a written agreement requiring confidentiality, security measures, and processing only on our documented instructions. Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Payment processing, fraud prevention, invoicing | Ireland (EU). Stripe is a controller for its own anti-fraud purposes. |
| Cloudflare, Inc. | DNS, edge proxy, DDoS protection, TLS | Global edge network, EU sub-processor agreement, SCCs in place for any non-EEA transfer |
| Google Ireland Ltd | OAuth sign-in (only if you choose Google) | Ireland (EU) |
| Resend, Inc. | Transactional email delivery (verification, password reset, billing receipts) | United States, SCCs in place; Resend processes only the email address and message body necessary for delivery |
We may also disclose personal data to: our professional advisors (lawyers, accountants, auditors) under duties of confidence; competent authorities where legally required; and an acquirer in connection with a merger, sale, financing, or reorganisation, subject to confidentiality and a continuing privacy commitment at least equivalent to this Policy.
The list of sub-processors may change. We post material changes at least 30 days in advance for business customers under our Data Processing Addendum.
7. International transfers
Our primary infrastructure is in the European Union (Bulgaria). The only sub-processor processing personal data outside the EEA is Resend, Inc. (United States). Transfers to Resend rely on the European Commission's Standard Contractual Clauses (SCCs) for processors (Commission Implementing Decision (EU) 2021/914) and we have completed a transfer impact assessment. You can request a copy of the SCCs (with commercial terms redacted) by emailing [email protected].
Cloudflare may route traffic through edge locations worldwide for performance and DDoS mitigation; this is in-transit routing rather than storage of personal data outside the EU. Cloudflare's DPA includes SCCs.
8. Retention
| Data | Retention |
|---|---|
| Account data (email, password hash, Google ID, plan) | Until you close the Account, then deleted within 30 days, except where retention is required by law (see invoices below) |
| Submitted text (history, batch jobs) | 90 days from creation, then automatically deleted. You may delete entries sooner from the dashboard. |
| Presets you save | Until you delete them or close the Account |
| Generated audio | We do not retain audio after delivery for single synthesize requests. Batch-job audio is held for up to 7 days for download then deleted. |
| Usage counters | Aggregated by calendar month; retained for the current billing year plus 12 months for dispute resolution |
| API key hashes | Until revoked, then 90 days for audit / abuse investigation, then deleted |
| Invoices, tax records, accounting entries | 10 years from the end of the accounting period (Bulgarian Accountancy Act, Art. 12) — required by law and cannot be shortened |
| Chat assistant messages (incl. IP) | 90 days from creation, then automatically deleted |
| Technical / connection logs (incl. IP) | 90 days for security and abuse investigation, then deleted or anonymised |
| Backups | Daily database backups; rolling 14-day retention; deletion requests are honoured in live data immediately and propagate out of backups within 14 days |
| Support email correspondence | 3 years from the last message in the thread |
| Verification codes | Deleted on consumption or within 24 hours of issuance, whichever is sooner |
9. Cookies and similar technologies
We use one first-party session cookie to keep you logged in, plus cookies set by Stripe Checkout for payment processing and fraud detection. We do not use any advertising, analytics, cross-site tracking, fingerprinting, or social-media-pixel cookies. See the Cookie Policy for the full list, duration, and purpose. Because every cookie we use is strictly necessary, we do not display a consent banner.
10. Security measures
- TLS 1.2+ for all web and API traffic;
- passwords stored as bcrypt hashes (cost factor ≥ 12); API keys stored as bcrypt hashes;
- session cookies set with
HttpOnly,Secure, andSameSite=Lax; - network firewall and Fail2Ban on all internet-facing services;
- database encryption at rest; encrypted backups;
- least-privilege access controls; only the Operator's personnel and a limited number of contractors bound by confidentiality can access production systems;
- monitoring and rate-limiting against brute-force, credential-stuffing, and abuse;
- vulnerability disclosure programme — [email protected].
No system is 100% secure. If we suffer a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection (KZLD / CPDP) within 72 hours where required, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Articles 33–34 GDPR).
11. Automated decision-making and profiling
We do not make decisions about you that produce legal or similarly significant effects solely on the basis of automated processing within the meaning of Article 22 GDPR. Stripe may run its own fraud-prevention scoring on your payment; we do not control that scoring, but you can request human review by emailing [email protected].
12. Children
The Service is not directed to anyone under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe we hold data about a child under 16, contact [email protected] and we will delete it promptly.
13. Your rights (GDPR)
Subject to Articles 15–22 GDPR, you have the right to:
- access — get a copy of the personal data we hold about you;
- rectification — correct inaccurate or incomplete data;
- erasure ("right to be forgotten") — delete data, subject to legal exceptions;
- restriction — limit processing in certain circumstances;
- portability — receive structured, commonly used, machine-readable data;
- object — to processing based on legitimate interest, including direct marketing;
- not be subject to a solely automated decision producing legal or similarly significant effects;
- withdraw consent at any time for any processing based on consent, without affecting prior lawful processing;
- lodge a complaint with a supervisory authority, in particular the Bulgarian Commission for Personal Data Protection (KZLD / CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria, cpdp.bg, or with the authority of your habitual residence or place of work.
To exercise your rights, email [email protected] with the subject "GDPR request". We respond within 30 days of verifying your identity (we may extend this by two further months for complex requests, with notice). There is no fee unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, with notice.
14. AI-generated content; transparency
The Service uses artificial intelligence to generate synthetic speech from your text. Where required by Regulation (EU) 2024/1689 (the AI Act) or other applicable law, you must clearly disclose to listeners and recipients that audio generated through the Service is AI-generated. We may embed machine-readable provenance markers in the Output; you must not strip these markers.
We do not offer voice cloning of identifiable real persons. The preset voices we provide are either fully synthetic or licensed from voice actors who consented to the use. Voice samples used in training or licensing do not constitute personal data of end users.
15. Business customers — Data Processing Addendum
If you use the Service to process personal data of your own end users (for example, submitting customer-facing text through our API), you are the controller and we are the processor under Article 28 GDPR. Our standard Data Processing Addendum is available on request to [email protected] and is incorporated into the Agreement on signature.
16. Changes to this Privacy Policy
We will post material changes here at least 30 days before they take effect and, where you have an Account, send a notification by email. Non-material changes take effect on posting. The "Last updated" date at the top of this page reflects the most recent version.
17. Contact summary
- Privacy / GDPR rights: [email protected]
- Legal / contracts: [email protected]
- Abuse reports: [email protected]
- Security vulnerabilities: [email protected]
- Supervisory authority: KZLD / CPDP, 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria, cpdp.bg