This Privacy Notice explains how Carl Sheppard ("we", "us") collects, uses, and protects your personal data when you use the Thazoryn Veyra service ("Service"). We are the data controller for the personal data described below.
1. Personal Data We Collect
- Account data: email address, authentication identifiers, and login credentials.
- Conversation data: the voice transcripts, text prompts, and AI responses generated during your sessions.
- Usage data: features used, voice-minute usage, subscription tier, timestamps, error logs.
- Device & technical data: browser type, operating system, device identifiers, IP address.
- Support communications: messages you send us by email.
- Billing identifiers: Paddle customer ID and subscription metadata (Paddle handles payment card data directly — we do not see or store it).
2. Purposes & Legal Bases
- Provide the Service (account creation, AI responses, voice synthesis) — performance of contract.
- Process payments and manage subscriptions — performance of contract; legal obligation (tax/invoicing).
- Security, fraud prevention, abuse monitoring — legitimate interests.
- Product improvement and analytics (aggregated/anonymised where possible) — legitimate interests.
- Customer support — performance of contract; legitimate interests.
- Marketing communications (if you opt in) — consent, withdrawable at any time.
3. Data Sharing
We share personal data only with the following categories of recipients:
- Hosting and infrastructure providers (database, authentication, edge compute).
- AI model providers (large language model and text-to-speech providers, including ElevenLabs and Lovable AI Gateway) — to generate AI responses and voice audio. Prompts and short transcript context are transmitted to these providers for processing.
- Merchant of Record (Paddle) — for the sale of subscriptions, subscription management, payments, tax compliance and invoicing.
- Professional advisers (legal, accounting) where required.
- Authorities where required by law, court order, or to protect rights and safety.
We do not sell your personal data.
4. International Transfers
Some recipients are located outside the UK/EEA. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or adequacy decisions.
5. Data Retention
We keep personal data only as long as needed for the purposes above:
- Account data — for the lifetime of your account and up to 24 months after closure.
- Conversation data — for the lifetime of your account, or until you delete it from the Service.
- Billing records — as required by tax and accounting law (typically 6–7 years).
- Security logs — up to 12 months.
When data is no longer needed it is deleted or anonymised.
6. Your Rights
Subject to applicable law (including the UK GDPR and EU GDPR), you have the right to:
- access your personal data;
- request correction of inaccurate data;
- request erasure ("right to be forgotten");
- restrict or object to processing;
- data portability;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk).
We aim to respond to requests within one month. To exercise your rights, email trinovasoul@gmail.com.
7. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encrypted storage, access controls, and row-level security in our database. No system is perfectly secure; we cannot guarantee absolute security.
8. Cookies & Similar Technologies
We use a small number of cookies and similar storage technologies:
- Essential cookies — required for authentication, session management, and security. These cannot be disabled.
- Functional storage — local storage of your voice settings and conversation history.
- Payment cookies — set by Paddle during checkout for fraud prevention and to complete your transaction.
We do not currently use third-party advertising or marketing cookies. You can clear cookies via your browser settings; doing so will sign you out.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
10. Changes to this Notice
We may update this Privacy Notice from time to time. Material changes will be communicated via the Service or by email.
11. Contact
Data controller: Carl Sheppard.
Contact: trinovasoul@gmail.com.