TALKING SCRIPTS

Consumer App Privacy Policy

26 May 2026

At a glance

This is the short version. The detailed sections below set out the same points in more depth.

•       We are Talking Scripts Ltd, a UK-incorporated company. This Privacy Policy applies to people who use the Talking Scripts consumer iOS app.

•       Your scripts never leave your device. We do not upload them, and we do not store copies on our servers.

•       To generate audio, the specific lines you ask us to generate are sent through our backend to our voice provider, ElevenLabs. The generated audio is returned to your device. Neither we nor our voice provider stores a copy of your script or the generated audio on our systems after generation.

•       Apple processes your payments. Apple holds your card details. We see only an opaque transaction identifier.

•       We do not use cookies, IDFA, or cross-app tracking in the App.

•       We do not use your content to train any AI model.

•       You have rights over your personal data under UK GDPR. We fulfil data-subject requests by hand.

1. Who we are

Talking Scripts Ltd (“we”, “us”, “Talking Scripts”) is a company registered in England and Wales with company number 12447998 and registered office at 3rd Floor, 207 Regent Street, London, England, W1B 3HH. We are the data controller for the personal data described in this policy. You can contact us about privacy at contact@talkingscripts.com.

This policy applies only to the Talking Scripts consumer iOS app. It does not cover the Talking Scripts Studio platform used by film and TV studios, which has its own privacy commitments.

2. What data we collect

We collect only the data we need to provide the App. Each category below is followed by where it comes from and what we use it for.

Account information

When you create an account, we collect your email address and how you signed up (with Apple or with email and password). If you sign up with Apple, we receive the limited account information Apple chooses to share with us. Source: directly from you and from Apple Sign-In. Purpose: to give you an account and to authenticate you when you sign in.

Subscription and credit state

We keep a record of your subscription tier, your monthly page allowance, your remaining credits, and your usage history within the App. Source: derived from your activity in the App. Purpose: so that the App can show you what you have left and what you are entitled to.

Purchase records

When you buy a subscription or a top-up, Apple sends us a signed receipt that confirms the purchase, the product, and an opaque transaction identifier. We do not see your card number, your Apple ID, or your billing address. Source: from Apple. Purpose: to make sure you receive what you paid for, to keep an internal record of transactions for accounting and tax, and to support refund and dispute handling.

Device push token

If you allow notifications, we store the Firebase Cloud Messaging token your device gives us. Source: from your device, with your consent to notifications. Purpose: to send you push notifications about your account, for example when your monthly allowance refreshes.

A persistent device identifier

We generate a persistent device identifier (a UUID) and store it in your device's secure keychain. This identifier survives reinstalls. We do not share it with advertisers or analytics networks outside our own systems. Source: generated on your device. Purpose: to make push registration and analytics more reliable across reinstalls.

Usage and analytics events

We collect usage events through Firebase Analytics — things like screens you opened and actions you took in the App. We do not collect the contents of your scripts. Source: generated automatically as you use the App. Purpose: to understand how the App is used so we can improve it.

Crash and error reports

If the App crashes or hits an error, our error monitoring tool (Sentry) records technical details, a trail of in-app actions before the crash, and your user identifier so we can correlate reports for the same user. Source: generated automatically when something goes wrong. Purpose: to find and fix bugs.

What we do not collect

•       We do not collect or store the contents of your scripts. They live on your device. See section 3.

•       We do not use the iOS Advertising Identifier (IDFA) and we do not show the App Tracking Transparency prompt because we do not track you across apps.

•       We do not use cookies in the App. The App does not use embedded web content that would set cookies on you.

•       We do not collect payment card information at any point. Apple handles that.

3. Your scripts stay on your device

This is the most important paragraph in this policy. We have written it carefully to be accurate as well as direct, because the privacy story matters.

Your scripts never leave your device. When you import a script into the App, it is saved locally to your device and is never uploaded to us or to our voice provider.

To generate audio, we send the specific lines you ask us to generate to our voice provider, ElevenLabs, via our backend infrastructure. ElevenLabs acts as a data processor acting strictly on our instructions. The line text is processed for the single purpose of producing audio, and the generated audio is sent back to your device. Neither we nor our voice provider stores a copy of your script or the generated audio on our systems after generation.

We do not use your content to train AI models. We and our voice provider minimize any retention of generated content to only what is strictly required to provide the service. We do not retain copies of your generated audio or scripts on our systems for any other purpose.

Generated audio is cached on your device only. We do not keep a copy of it on our servers.

4. How we use your data

Under UK GDPR, we rely on the following lawful bases.

•       Performance of a contract with you (UK GDPR Article 6(1)(b)) — to provide the App and the Services you have signed up for. This covers account creation and authentication, holding your subscription and credit state, sending the lines you ask us to generate for processing by our voice provider, and supporting purchases and refunds.

•       Our legitimate interests (UK GDPR Article 6(1)(f)) — to keep the App working well and secure. This covers crash and error reporting, basic analytics on how the App is used (in aggregate), and abuse prevention. You can object to processing on this basis at any time.

•       Consent (UK GDPR Article 6(1)(a)) — where we need it, for example to send you push notifications. You can withdraw consent at any time in your device settings.

•       Compliance with a legal obligation (UK GDPR Article 6(1)(c)) — for example, retaining transaction records for tax purposes.

5. Where your data is stored

We use a small set of well-known providers to run the App. The full sub-processor table is in section 7.

Most of the data we hold about your account, your subscription and your usage is stored with Google's Firebase platform in the United States (specifically the us-east1 region of Google Cloud Platform). Our crash and error monitoring is provided by Sentry, which processes that data in the European Economic Area (Germany).

6. International transfers

Your data may be processed in the United Kingdom and the European Economic Area (EEA). The UK and the EEA recognise each other's data protection regimes as adequate, so no additional safeguards are required for those transfers.

Some of your data is also processed in the United States, because that is where Firebase and ElevenLabs operate. For those transfers, we rely on the UK GDPR Standard Contractual Clauses together with the UK International Data Transfer Addendum, which provide a contractual safeguard recognised under UK law.

7. Sub-processors

We use the following sub-processors to provide the App.

Sub-processor

Purpose

Data category

Region

Transfer mechanism

Apple

App distribution, Sign-In with Apple, in-app purchases (subscriptions and top-ups), refunds.

Apple ID, billing details (held by Apple), purchase records (we receive only an opaque transaction identifier).

Apple-managed.

Apple's own terms apply.

Google (Firebase)

Authentication, Firestore database, Cloud Functions, push messaging, analytics, App Check, Remote Config.

Account identifier, email, sign-in method, subscription and credit state, usage events, device push tokens.

United States (GCP us-east1).

UK GDPR Standard Contractual Clauses and UK International Data Transfer Addendum.

ElevenLabs

AI voice synthesis. The lines you ask us to generate are sent for processing and the audio is returned to your device.

The line text you request and a voice identifier. No TS user identifier, email or Firebase user ID is sent in the request body. See the soft caveat in section 3.

United States.

UK GDPR Standard Contractual Clauses and UK International Data Transfer Addendum.

Sentry

Crash and error reporting from the App.

User identifier, breadcrumbs of in-app actions for crash correlation, device metadata.

European Economic Area (Germany, de.sentry.io).

Processed in the EEA — see section on international transfers below.

We do not use Stripe in the consumer iOS App. We do not use AWS, Auth0, SendGrid, or Slack for consumer users. These are used elsewhere in our business but are not part of the consumer iOS data flow.

8. Tracking technologies

The App does not use cookies, the iOS Advertising Identifier (IDFA), or cross-app or cross-session fingerprinting. We do not show the App Tracking Transparency prompt because we do not track you across other apps or websites.

The only persistent identifier we use is a UUID we generate on your device and store in your device's secure keychain. This is described under “A persistent device identifier” in section 2.

Our cookie policy, which covers the Talking Scripts marketing website, is published separately.

9. Your rights under UK GDPR

You have the following rights over your personal data:

•       access — to ask for a copy of the personal data we hold about you;

•       rectification — to ask us to correct data that is wrong or incomplete;

•       erasure — to ask us to delete your data, subject to limits where the law requires us to keep something;

•       portability — to receive certain of your data in a structured, commonly used and machine-readable format;

•       objection — to object to processing we carry out on the basis of legitimate interests;

•       restriction — to ask us to limit how we use your data while a question about it is resolved;

•       withdrawal of consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing;

•       complaint — you can complain to the Information Commissioner's Office (https://ico.org.uk) if you believe we are not handling your data properly. We would prefer the chance to put things right first.

To exercise any of these rights, email us at [PLACEHOLDER — Stefan to resolve before publication; recommended privacy@talkingscripts.com]. We will respond within one month of receiving your request, extendable by up to two further months for complex requests; we will tell you if that applies.

Today we fulfil these requests by hand. We extract the relevant records from our systems and provide them to you directly. We are building a one-click data export to make this faster, but until that lands, manual fulfilment is how it works.

10. Data retention

We keep different categories of data for different lengths of time, as set out below.

•       Account-level data — your account identifier, email, subscription and credit state, and analytics events — we delete from our active systems within 90 days of your account being deleted.

•       Crash and error reports — retained by Sentry on our behalf for a rolling period set by us, currently 90 days, after which they are deleted.

•       Purchase records — we retain anonymised transaction records (with personal identifiers removed) for as long as required by UK tax law and to reconcile with Apple. These are not deleted on account deletion.

•       Scripts and generated audio — these live on your device and never on our systems. When you delete the App, or remove an item within the App, it is removed from your device locally. There is nothing for us to delete.

11. Children

The App is not directed at, nor intended for, anyone under the age of 16. Our Terms of Service require all users to be 16 or older. We do not knowingly collect personal data from anyone under 16. If we become aware that we have unknowingly collected personal data from a person under the age of 16, we will take reasonable steps to delete it as quickly as possible.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make a change that materially affects how we handle your personal data, we will tell you in advance — by email, by an in-App notification, or both — and we will update the effective date below.

Effective date: 25/05/2026.

13. Contact us

For privacy questions, email contacty@talkingscripts.com]. For general questions about the App, email contact@talkingscripts.com.

By post: Talking Scripts Ltd, 3rd Floor, 207 Regent Street, London, England, W1B 3HH].

You can complain to the Information Commissioner's Office at https://ico.org.uk if you are unhappy with how we have handled your data, although we would always prefer the chance to address it ourselves first.

End of policy

Talking Scripts — Consumer App Privacy Policy — Draft v3 — 12 May 2026