Privacy Policy

Effective 2026-05-08

ShooshTTS ("we", "us") is operated by 1MA, LLC, a US limited liability company. We provide the text-to-speech service at shooshtts.com. This policy explains what data we collect, why, how long we keep it, and who we share it with. We try to keep it short and readable rather than padding it with legal boilerplate.

This is a pre-launch policy. If you have questions, reach out via the support form in your dashboard.

1. Data we collect

Account data (you provide via OAuth)

Platform identity: your Twitch, YouTube, or TikTok user ID, username, display name, channel handle, and profile picture / avatar URL. We use this to connect to your chat and identify you inside the service. Profile pictures are rendered in the dashboard so you can confirm at a glance which account is connected.
Google identity (user ID, email, display name, profile picture) when you sign in via YouTube — YouTube OAuth runs through Google, so a Google identity is created as a side effect of that flow. We do not offer a standalone Google sign-in.
OAuth access + refresh tokens for connected platforms. Stored encrypted (AES-256-GCM) and used only to read your live chat. You can revoke access at any time from the platform's account settings.
Email address (Twitch and YouTube OAuth) — used to contact you about service issues and for billing receipts. TikTok OAuth does not expose an email address.

Billing data (LemonSqueezy)

Subscription status, plan tier, and billing email as reported by LemonSqueezy webhooks. Card details are handled entirely by LemonSqueezy and never touch our servers.
A per-user audit trail of billing events (subscription created, payment succeeded, refund, cancellation) for support + reconciliation.

Usage data

Daily message counts and character counts per user, for cap enforcement, cost accounting, and the analytics dashboard.
Chat messages from connected platforms that flow through the TTS pipeline. Filtered, normalized, synthesized to audio, and broadcast to your overlay. Messages are not persisted beyond in-memory processing — we do not store your chat history.
Generated TTS audio files are written to a temporary directory on the server, emitted to your browser, and deleted on a short rotation. We do not archive audio.

Support data

Support ticket contents (your description + our replies) when you submit a report from the dashboard. An auto-attached diagnostic snapshot of your client state may be included — sensitive fields are redacted before it leaves your browser.

Analytics (see section 4)

Page views, feature interactions, and optional session replays via PostHog. Controlled by the consent banner on public pages.

2. Third-party processors

We use the following processors. Each handles a specific piece of the service and is bound by their own privacy policy.

LemonSqueezy — subscription and one-time credit-pack payments. Handles all card data.
Google Cloud Text-to-Speech — synthesizes your chat messages into audio. Text is sent to Google per-message and not retained by us beyond the synthesis step.
PostHog — product analytics and session replay (opt-in via consent banner for public pages; authenticated users are opted in under the service relationship — see section 4).
Twitch, Google / YouTube, and TikTok — OAuth identity providers and chat APIs for the platforms you connect.
Hetzner Cloud — our hosting provider (Ashburn, Virginia, USA).
Cloudflare — DNS and HTTPS termination.

3. Google user data

Google user data — meaning data we receive via the Google identity layer that YouTube OAuth runs through (your Google profile and email, your YouTube channel ID and active broadcast video ID, and the chat-message text on your active YouTube Live broadcast) — is controlled by 1MA, LLC, the operator of ShooshTTS. ShooshTTS does not offer a standalone “Sign in with Google” option; Google identity data only flows in when you choose to sign in via YouTube. We share Google user data only with the following service providers, and only to the extent strictly necessary to operate the service:

Hetzner Cloud— encrypted-at-rest storage of your account record on our PostgreSQL database (Ashburn, Virginia, USA), plus encrypted off-site backups.
Cloudflare— DNS resolution and TLS termination on network transit; no payload visibility.
Google Cloud Text-to-Speech— receives only the text body of individual chat messages for synthesis. We do not send channel identifiers, OAuth tokens, email, or profile data to Google Cloud TTS.

PostHog, LemonSqueezy, Twitch, TikTok, and any other processor listed in section 2 do not receive Google user data.

We may disclose Google user data only (a) with your explicit prior consent, (b) to comply with valid legal process served on 1MA, LLC, or (c) in the event of a merger, acquisition, or sale of assets, with prior notice to affected users.

We do not sell, rent, trade, or otherwise transfer Google user data to third parties for their own use.

4. TikTok user data

TikTok user data — meaning data we receive via TikTok Login Kit OAuth (your TikTok open_id, union_id, avatar URL, display name, username, and profile_deep_link) and the chat-message text on your active TikTok Live broadcast — is controlled by 1MA, LLC, the operator of ShooshTTS. We share TikTok user data only with the following service providers, and only to the extent strictly necessary to operate the service:

Hetzner Cloud— encrypted-at-rest storage of your account record (TikTok identity fields and AES-256-GCM-encrypted OAuth tokens) on our PostgreSQL database (Ashburn, Virginia, USA), plus encrypted off-site backups.
Cloudflare— DNS resolution and TLS termination on network transit; no payload visibility.
Google Cloud Text-to-Speech— receives only the text body of individual chat messages from your TikTok Live broadcast for synthesis. We do not send TikTok identity fields, OAuth tokens, or profile data to Google Cloud TTS.

PostHog, LemonSqueezy, Twitch, Google, YouTube, and any other processor listed in section 2 do not receive TikTok user data.

We may disclose TikTok user data only (a) with your explicit prior consent, (b) to comply with valid legal process served on 1MA, LLC, or (c) in the event of a merger, acquisition, or sale of assets, with prior notice to affected users.

We do not sell, rent, trade, or otherwise transfer TikTok user data to third parties for their own use.

5. Analytics and cookies

Public pages (landing, commands, login) show a consent banner before enabling analytics. If you click Decline, no analytics events fire and no PostHog cookies or local storage are set. Your choice is persisted in a first-party cookie (shooshtts_analytics_consent) for one year.

Authenticated users (logged into the dashboard) are automatically opted in to analytics under the service relationship — we need to see how the product is being used to debug issues, track billing events, and improve the service. What we capture:

Page navigations + button clicks (PostHog autocapture) on authenticated pages.
Custom events: signup, platform OAuth linked, overlay URL copied, first TTS message, trial expired, usage cap hit, upgrade clicked, upgrade completed, cancellation.
Session replays of dashboard interactions. Input values are masked before leaving your browser — we see layout and clicks but not what you type into support tickets, pronunciation entries, or filter lists.

Session replay is not enabled on your OBS overlay page, so viewer chat content rendered on that page is never recorded to PostHog.

We have IP masking enabled at the PostHog project level — client IPs are discarded on ingest (after approximate country geolocation) and not stored with events.

Essential cookies (session cookie for authentication, consent cookie for your analytics preference) are set regardless of consent choice — without them the site cannot function.

6. How long we keep data

Account data: kept while your account is active. If you close your account, we soft-delete the record (flag it, exclude from live queries) while retaining a minimal audit trail for billing + abuse investigation.
Chat messages: processed in memory only. Not persisted. Typical lifetime: under 60 seconds from platform to your overlay.
TTS audio files: written to server tmp, deleted on a short rotation (hours, not days).
Usage counters: per-day aggregates kept indefinitely for cap enforcement and billing reconciliation.
Analytics events in PostHog:subject to PostHog's retention policy (currently 1 year for events, 30 days for session replays on their default plan).
Support tickets: kept while your account is active plus 90 days after closure.

7. Your rights

You can request a copy of all account data we have on you, have it corrected, or request deletion. EU residents have explicit rights under GDPR (access, rectification, erasure, restriction, portability, objection). California residents have analogous rights under CCPA. Both reach us via the support form in your dashboard — we respond within 30 days.

You can revoke platform OAuth access (Twitch, YouTube, TikTok) at any time from the platform's own account settings. Revoking YouTube also revokes the underlying Google OAuth grant since YouTube OAuth issues both. Doing so disconnects the chat feed but does not delete your ShooshTTS account.

You can withdraw analytics consent at any time by clearing your cookies — the consent banner will reappear on your next visit to a public page.

8. Security

OAuth tokens are encrypted at rest with AES-256-GCM. Communication between your browser and our servers is always over HTTPS (Cloudflare-managed TLS). Session cookies are HTTP-only, Secure, SameSite=Lax, and signed.

We are a small team. If you discover a security issue, please contact us via the support form — a public bug bounty is not yet offered but responsible disclosure is appreciated.

9. Contact

Submit a request through the dashboard support form. We aim to respond within 72 hours; statutory rights (GDPR/CCPA) are answered within their legally mandated windows.

10. Changes

If we materially change this policy, we'll update the effective date at the top and, where the change affects existing users, notify through the dashboard. The current effective date is shown at the top.