1. Overview
This Privacy Policy explains how Genesis Vanguard Pty Ltd (ABN
registered, trading as
Torpenhow Technologies, “we”,
“us”, “our”) collects, holds, uses, and
discloses personal information in connection with the AltSpeak
text-to-speech service (“the Service”).
We are bound by the Privacy Act 1988 (Cth) and the
Australian Privacy Principles (APPs 1–13). This
policy is written to satisfy our obligations under those principles
and to give you a clear, plain-language account of our data practices.
2. Information We Collect (APP 3)
We collect only the information necessary to operate the Service,
prevent abuse, and fulfil our billing obligations. The table below
lists every category of personal information we hold.
2.1 Account and Identity Information
Email address
Collected from your OAuth provider (Google, GitHub, or Discord) at
sign-in. Used as your primary account identifier and for
transactional communication.
Display name
Your name or username as returned by your OAuth provider.
Displayed in the application interface.
Profile picture URL
Avatar URL returned by your OAuth provider. Displayed in the
application header.
OAuth provider and account ID
The name of the authentication provider (Google, GitHub, or
Discord) and your unique account identifier on that platform. Used
to authenticate you on subsequent logins without storing a
password.
2.2 Technical and Security Information
Signup IP address
Your IP address at the time you create your account. Retained for
abuse prevention, rate limiting, and fraud detection. Not linked
to individual requests after signup.
Browser fingerprint
A device fingerprint generated client-side using ThumbmarkJS
immediately after you authenticate. The fingerprint is a hash
derived from browser attributes (screen resolution, timezone,
installed fonts, canvas rendering, and similar signals). It does
not identify you personally but is used to detect accounts created
to circumvent the one-time free credit limit (credit farming). The
raw fingerprint hash is stored on our servers linked to your
account.
Approximate country
Derived from your IP address at signup using the ipinfo.io
geolocation API. Only the country name or code is stored; the full
IP address used for this lookup is not retained beyond the signup
event.
2.3 Billing and Subscription Information
Subscription data
Your current plan (Free, Starter, Creator, or Pro), billing period
(monthly or annual), and subscription status. Managed and stored
by CREEM, our payment processor. We receive and store the plan
type and status in our database; full payment card details are
never transmitted to or stored by us.
Credit balance and transaction history
Your current character credit balance and a log of every credit
transaction (grants, deductions, and resets) including the amount,
reason, and timestamp. Used for billing accuracy and dispute
resolution.
2.4 Usage and Generated Content
Generated audio files
Audio files produced by the text-to-speech engine on your behalf.
Stored temporarily in Cloudflare R2 object storage. Files are
served to you immediately after generation and are not retained
indefinitely; they are deleted from cloud storage when you delete
your account.
Generation history
A record of each generation request including: the voice used, the
first 100 characters of the submitted text (as a preview), and the
timestamp. The full text of your input is not stored.
Usage logs
Structured logs of each API call including: number of characters
billed, voice identifier used, audio encoding format requested,
and the endpoint invoked. Used for billing verification, abuse
detection, and service improvement.
Voice ratings
Per-voice ratings you submit through the application interface.
Stored linked to your account and used to personalise your
experience and inform product decisions.
Favourites and cloned voices
Voice identifiers you have saved as favourites, and any custom
voice clones you have created via the voice cloning feature.
Stored on your account so they persist across sessions.
2.5 Optional Submissions
Feedback reports
If you submit a feedback report through the application, we
collect: your email address, the feedback category, the
description you provide, and basic browser information included
automatically at the time of submission. Submission is voluntary.
Newsletter subscription
Your email address, if you choose to subscribe to our newsletter.
Newsletter subscriptions are independent of your AltSpeak account
and managed separately.
2.6 Marketing Attribution
UTM attribution data
If you arrive at AltSpeak via a tracked marketing link, we capture
UTM parameters from the URL (source, medium, campaign, term,
content) along with the landing page URL. This data is associated
with your account at the time of signup and used solely for
marketing analytics to understand which channels drive sign-ups.
It is not shared with third-party advertisers.
3. How We Use Your Information (APP 6)
We use personal information only for purposes that are related to, or
directly associated with, the reason it was collected. The primary
purposes are:
-
Authentication and account management — to
verify your identity, create and maintain your account, and remember
your preferences between sessions.
-
Credit-based billing and subscription management
— to track credit consumption, grant plan credits, process
subscription events received from CREEM, and handle upgrades,
downgrades, and cancellations.
-
Text-to-speech audio generation — to transmit
your input text to the appropriate TTS provider (Google Cloud or
Inworld AI) and return the synthesised audio to you.
-
Fraud prevention and abuse detection — to
detect duplicate free-tier accounts using browser fingerprints and
signup IP addresses, enforce rate limits, and protect paying
customers from service degradation caused by abuse.
-
Service improvement and error monitoring — to
identify errors, diagnose failures, and improve reliability. Error
monitoring is handled by Sentry; no personally identifiable
information is transmitted to Sentry.
-
Marketing attribution — UTM attribution data
is used internally to measure the effectiveness of marketing
campaigns. It is not used to build advertising profiles or shared
with ad networks.
We do not sell your personal information. We do not use your data to
train machine learning models. We do not serve third-party
advertising.
4. Third-Party Processors and Cross-Border Transfers (APP 8)
To deliver the Service, we share specific personal information with
the processors listed below. Many of these processors are located
outside Australia. By using the Service you consent to these
cross-border transfers. We take reasonable steps to ensure each
processor provides privacy protections broadly equivalent to the APPs.
| Processor |
Location |
Purpose |
What we share |
| Railway |
United States |
Application hosting, PostgreSQL database, Redis session cache
|
All account and usage data stored in our database |
| Cloudflare |
Global |
CDN, DDoS protection, DNS resolution, R2 object storage for
generated audio files
|
Audio files; all web traffic passes through Cloudflare network
|
| Google Cloud |
United States |
Text-to-speech synthesis (Chirp3-HD voices) |
The text you submit for synthesis when using Google voices
|
| Inworld AI |
United States |
Text-to-speech synthesis (Inworld voices) |
The text you submit for synthesis when using Inworld voices
|
| CREEM |
See CREEM policy |
Subscription billing and payment processing |
Email address, plan selection; CREEM collects payment card
details directly from you under their own privacy policy
|
| Google / GitHub / Discord |
United States |
OAuth authentication |
OAuth token exchange only; we receive name, email, avatar, and
account ID from the provider
|
| ipinfo.io |
United States |
IP geolocation at signup (country only) |
Your signup IP address is queried once; only the country result
is retained by us
|
| Sentry |
United States |
Application error monitoring and diagnostics |
Error stack traces and application state; personally
identifiable information is scrubbed before transmission
|
5. Data Retention and Deletion (APP 13)
We retain personal information only for as long as it is needed for
the purpose for which it was collected, or as required by law.
Account deletion
You can permanently delete your account at any time from
Settings > Deactivate Account. Deletion is
immediate and irreversible. On deletion we remove the following from
our systems:
-
Your user record (name, email, avatar, OAuth identifiers)
- All credit transaction history
- All usage logs linked to your account
- Your generation history
- Browser fingerprint records
-
Voice ratings, favourites, and cloned voice configurations
- UTM attribution data
- Generated audio files in cloud storage
Abuse prevention retention
After account deletion, we retain a minimal anti-abuse record
containing: a one-way hash of your email address, your OAuth provider
name, and the date of deletion. This record cannot be used to
re-identify you and exists solely to prevent the same email from
creating new accounts to claim additional free credits (credit
farming). It does not include your name, avatar, or any usage data.
Feedback reports
Feedback reports you submitted before account deletion are retained
for service improvement purposes, but the reference linking the report
to your account is removed. The report content (category and
description) may be retained without any user identifier.
Newsletter subscriptions
Newsletter subscriptions are managed independently of your AltSpeak
account. Deleting your AltSpeak account does not automatically
unsubscribe you from the newsletter. To unsubscribe, use the
unsubscribe link in any newsletter email.
6. Your Rights (APPs 12 and 13)
Under the Privacy Act 1988, you have rights to access, correct, and
seek deletion of personal information we hold about you.
-
You can download a copy of all personal data we hold about your
account by navigating to
Settings > Export My Data. The export is
provided in a machine-readable format.
-
Your name, email address, and profile picture are sourced from your
OAuth provider and are refreshed each time you sign in. To update
this information, update it with your OAuth provider (Google,
GitHub, or Discord) and it will sync automatically on your next
login.
-
You may permanently delete your account by navigating to
Settings > Deactivate Account. Deletion takes
effect immediately. See Section 5 for details of what is removed and
what minimal information is retained for abuse prevention.
-
If you believe we have handled your personal information in a way
that does not comply with the Privacy Act 1988, please contact us at
[email protected] in
the first instance. If you are not satisfied with our response, you
may lodge a complaint with the
Office of the Australian Information Commissioner (OAIC)
at
oaic.gov.au.
7. Security (APP 11)
We take reasonable steps to protect personal information from misuse,
interference, loss, and unauthorised access, modification, or
disclosure. Our technical safeguards include:
HTTPS / TLS
All data transmitted between your browser and our servers is
encrypted in transit over TLS.
Session cookies
Authentication cookies are set with Secure, HttpOnly, and SameSite
attributes to prevent interception and cross-site request forgery.
CSRF protection
All state-changing requests require CSRF tokens. Webhook endpoints
are verified by HMAC-SHA256 signature.
Rate limiting
All public endpoints are rate-limited to prevent brute-force attacks
and automated abuse.
Content Security Policy
A strict CSP header with per-request nonces is applied to all pages
to mitigate cross-site scripting risks.
Non-root containers
Our application runs in Docker containers as a non-root user in
production to limit the impact of any compromise.
No method of transmission over the internet is completely secure.
While we implement industry-standard controls, we cannot guarantee
absolute security.
8. Cookies and Local Storage
We use a single server-side session cookie to maintain your
authenticated session. We do not use tracking cookies or third-party
advertising cookies.
We use browser localStorage to remember your selected
theme and other UI preferences. This data is stored only on your
device and is not transmitted to our servers.
9. Children’s Privacy
The Service is not directed at persons under the age of 13. We do not
knowingly collect personal information from children under 13. If you
believe a child under 13 has created an account, please contact us at
[email protected]
and we will delete the account and any associated data promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes
to the Service, our data practices, or applicable law. When we make
material changes, we will update the “Last updated” date
at the top of this page. Continued use of the Service after changes
are published constitutes acceptance of the updated policy. We
encourage you to review this page periodically.
11. Contact Us
For any privacy-related questions, requests to access or correct your
information, or complaints, please contact: