Privacy Policy
Last updated: 24 April 2026
Orpheus ("we", "us", "our") is operated by Multimodal Solutions (Athens, Greece). This policy explains what personal data we collect when you use Orpheus at orpheus.multimodalsolutions.gr, useorpheus.com, or any Orpheus-branded URL we operate ("the Service"), why we collect it, and the rights you have over it.
1. Who controls your data
The data controller is Multimodal Solutions. You can reach our privacy contact at [email protected]
2. What we collect
Account data
- Your email address and chosen username (required to create an account).
- A cryptographic hash of your password (we never store the password itself).
- Account creation timestamp.
Content data
- Text you submit for text-to-speech synthesis. Sent to the voice engine that serves your selected language (see Section 5) and stored in your generation history.
- Audio files we generate from your text. Stored so you can re-download them from your history.
- Per-generation metadata: language, voice, speed/pitch, character count, timestamp.
- Voice clone reference recordings (Pro tier only) — the audio sample plus its transcript that you upload to create a personal voice clone. Stored encrypted-at-rest on our server. Used solely to drive synthesis on your behalf. Never shared, never used to train models, never used for any user other than you.
Payment data
- All card details are handled by Stripe via Stripe Checkout; they never reach our servers. We store only the Stripe customer ID, subscription status, and expiry timestamp returned by Stripe's webhook.
Usage signals
- Daily character counter (for fair-use cap enforcement) — stored in Redis, auto-expires after 48 hours.
- IP address (of the real client, extracted from CF-Connecting-IP) for rate-limit bucketing. Not persisted beyond the rate-limit window.
- Authentication tokens (JWT) stored in your browser's localStorage to keep you signed in. A browser-only UI-language preference is also stored there. We do not use third-party analytics cookies.
3. Why we process it (lawful basis)
- To provide the Service (Art. 6(1)(b) GDPR — performance of a contract): account auth, speech generation, history, subscription lifecycle.
- Fraud prevention, rate-limiting, fair-use enforcement (Art. 6(1)(f) — legitimate interests): keeping the Service available to legitimate users.
- Accounting obligations (Art. 6(1)(c) — legal obligation): we keep payment records for the minimum retention period required by Greek and EU tax law.
4. How long we keep it
| Data | Retention |
|---|---|
| Account (email, username, hashed password) | Until you delete the account |
| Generation history (text + audio metadata) | Until you delete the account |
| Audio files on disk | Rolling — files older than 24 hours are cleaned up automatically |
| Voice clones (reference audio + transcript) | Until you delete the clone or the account. Clones are not auto-deleted with subscription expiry. |
| Payment/subscription records | As required by applicable tax and accounting law (typically 5–10 years in Greece) |
| Rate-limit counters and daily quota | 48 hours |
| JWT session token | 24 hours (then you must sign in again) |
5. Who we share it with (sub-processors)
Orpheus uses third-party services to deliver the product. Each processes data only for the stated purpose, under its own DPA.
| Service | Purpose | Data shared |
|---|---|---|
| Google Cloud Text-to-Speech (US/EU) | Speech synthesis for 16 of 18 languages | Text you submit (language-routed); returned audio |
| Stripe (Ireland, US) | Payment processing | Email, payment details (card stays on Stripe) |
| Cloudflare (global) | CDN, tunnel, DDoS protection | IP address, request metadata |
We do not sell your data and we do not share it with advertising networks.
6. International transfers
Google Cloud and Stripe may process data in data centres located outside the EEA. Both are covered by the EU–US Data Privacy Framework and the EU Standard Contractual Clauses where required.
7. Your rights (GDPR)
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten") — we execute account deletion within 30 days on request.
- Port your data to another service (in a machine-readable format).
- Object to processing based on legitimate interests.
- Withdraw consent where we rely on it.
- Lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
Email [email protected] to exercise any of these.
8. Security
We store passwords using bcrypt. Traffic is served over HTTPS via Cloudflare with automatic TLS. Payment credentials never touch our servers — Stripe Checkout collects them directly. We apply rate limits on authentication and payment endpoints to blunt credential-stuffing and abuse.
9. Changes to this policy
Material changes will be announced on this page with an updated "Last updated" date. Continuing to use the Service after a change constitutes acceptance of the updated policy.
10. Contact
Multimodal Solutions
Athens, Greece
Email: [email protected]