
Privacy Policy

Last updated: 2026-05-29 · Version 3.6 · content hash 67c86ee64bdf89fd


Viola Voice Assistant

Version: 3.6

Effective Date: 2026-01-08

Last Updated: 2026-05-29


1. Introduction

Jihad Shkoukani ("we", "us", "our", "Company", or "Viola") operates the Viola voice assistant desktop application, local-first desktop features, account and subscription features, and the cloud service at api.useviola.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy is incorporated into our Terms of Service.

Our Core Principle: Viola is designed to keep device-only data on your device. Account, subscription, managed AI, phone, sync, telemetry, and other hosted features use cloud services only as described in this Policy.


2. Data We Collect

2.1 Voice Audio

  • Processing: Voice audio is processed locally on your device for wake word detection and speech recognition.
  • Temporary Storage: When you speak a voice command, audio is temporarily saved to a local file for transcription processing. This temporary file is automatically deleted immediately after transcription completes. No voice audio is retained on disk after processing.
  • Cloud Speech-to-Text (Opt-In): If you configure cloud-based speech-to-text (e.g., OpenAI Whisper API), your voice audio may be transmitted to that third-party provider for transcription. This is opt-in and disabled by default; local transcription is the default mode. See Section 4.2 for the applicable provider's privacy policy.
  • Transmission to Our Servers: Ordinary desktop voice audio is not transmitted to Viola servers by default. Voice audio may be transmitted only when you use a feature that requires it, such as cloud phone mode, call recording storage, or cloud speech-to-text. Wake-word audio is processed locally and is not uploaded to Viola servers.
  • No Biometric Profiling: We do not create voice prints, speaker identification profiles, or any biometric identifiers from your voice audio. Ordinary voice commands and custom wake-word creation do not enroll your identity, and voice data is not retained for profiling purposes.

2.2 Music Preferences

  • Listening History: On the desktop, your queue and playback history are stored locally by default. Spotify OAuth tokens are Tier-3 device-only credential data and never leave the desktop. If you explicitly enable cloud sync or hosted music-session features, allowlisted queue, playlist, rating, liked-song, track-metadata, and session-state records for launch-supported music sources may be stored in Viola cloud under your account.
  • Preferences: Settings like preferred volume, voice mode, and audio device are stored locally by default. Syncable preferences move through Viola cloud only when you enable the relevant sync or hosted feature.
  • No Advertising Tracking: We do not use what you listen to for advertising profiles, cross-context tracking, or sale/sharing.

2.3 Authentication Tokens

  • External Account Tokens: Long-lived OAuth tokens for external accounts are Tier-3 device-only data. They are stored in encrypted local credential storage on your device, using the operating-system keyring where supported.
  • API Keys: Any API keys you provide (for example, OpenAI or Anthropic BYOK credentials) are stored in encrypted local credential storage.
  • No Cloud Credential Sync: Long-lived OAuth tokens and BYOK API keys are not synced to Viola servers. Viola cloud account sign-in uses GoTrue identity sessions, and GoTrue may hold transient OAuth flow-state during a provider sign-in or connect flow; stale flow-state is garbage-collected hourly. When you use BYOK, your device sends the key only to the third-party model provider you selected so that provider can process your request under your account.

2.4 Settings and Preferences

  • Local Storage: Desktop settings are stored locally on your device in the application settings file and local databases. Sensitive fields are stored in encrypted local credential storage rather than plaintext settings.
  • No Cloud Sync by Default: Settings remain on your device unless you explicitly enable cloud sync. When cloud sync is enabled, only allowlisted sync-worthy preferences are sent to Viola cloud.
  • Personalization Profile and Learned User Model: If personalization is enabled, Viola may store profile fields you provide for form filling, learned preferences, non-sensitive learned facts, interaction patterns, queued suggestion metadata, and per-user preference settings. These records are stored locally by default and are scoped to the signed-in or local desktop user. Profile and learned-model records are synced through Viola cloud only when you enable cloud sync or another hosted feature that requires account-backed sync.
  • Weekly Review and Proactive Suggestions: Weekly review is opt-in. When enabled, Viola may summarize recent local interaction, memory, and learned-model data to produce weekly review artifacts, profile updates, and queued suggestions. Suggestion and weekly-review logs are retained as local personalization data unless cloud sync or a hosted feature is explicitly enabled.

2.5 Hosted and Optional Cloud Features

Viola separates hosted features into independently controlled paths. You control which optional hosted features you use.

2.5.1 Cloud AI execution path

  • BYOK (Bring Your Own Key): You configure your own OpenAI or Anthropic API key. Prompts are sent directly from your device to the provider under your account. Viola does not proxy or log these prompts.
  • Managed Viola access: The default AI source is Viola-managed access to OpenAI's API services. In this mode, Viola holds an OpenAI API account and is the contracting party with the provider; under that business arrangement your inputs and outputs are not used to train the provider's models by default. Aggregate usage metrics (token counts, not prompt content) are processed by our billing system to enforce spend caps.
  • Local LLM: If you configure a local inference backend such as Ollama, no prompts leave your device.

2.5.2 Account and billing

  • Account Information: Email address, optional display name, hashed password (if you create a Viola account)
  • Identity Service: Viola cloud accounts use a self-hosted GoTrue identity service, the open-source Supabase Auth service, for account creation, login, sessions, password storage, email verification, and identity lifecycle events.
  • Subscription Status: Plan type, renewal date, billing status (processed by Stripe and optionally BTCPay Server or another disclosed Bitcoin payment flow)
  • Usage Meters: Aggregate request counts, token counts, plan allowance use, and phone minute counts used to enforce subscription limits; these are metrics, not command content
  • Sync Data: Settings, device registry entries, and preferences (if you enable cross-device sync, multi-device, or multi-room cloud features)

2.5.3 Phone features

  • If you enable phone features, call metadata (phone numbers, timestamps, durations) is processed through Telnyx and, in cloud phone mode, through the api.useviola.com bridge.
  • Phone calling places outbound calls only. It is available for United States/NANP phone numbers only, and that limit is enforced in the application.
  • Phone Settings include three user controls: call recording (default on), transcript retention (default on), and proactive AI announcement (default off).
  • If recording or transcript retention is active, Viola includes the applicable disclosure in the opening greeting. Recording and retained transcripts are auto-deleted after 30 days.
  • Viola answers truthfully if a called party asks whether it is automated, will not claim to be human, and will not impersonate you. Lawful use is your responsibility (see Terms Section 5A.2).

2.5.4 Telemetry and error reporting

  • Telemetry and error reporting are disabled by default and require configuration plus explicit consent.
  • If enabled, telemetry may send a random telemetry install identifier plus operational counters and health metrics such as app version, operating system, plan tier, command category counts, latency percentiles, feature names used, error code counts, multi-room drift buckets, agent approval counts, messaging counters, and LLM token/cost counters.
  • Telemetry does not send command text, voice audio, message content, file contents, screenshots, prompts, secrets, or payment details. If telemetry is not enabled, no telemetry server URL is configured, or error-reporting consent is not granted, telemetry transmission fails closed.

2.6 Agent and Desktop Automation (Opt-In Only)

When agent mode is enabled, Viola can access and interact with data on your device on your behalf. Agent mode is disabled by default and must be explicitly enabled in settings.

Agent and Desktop Automation: Data Access Disclosure

Capabilities when enabled:

  • Screen Reading — Read the contents of application windows on your desktop, including text, UI element names, and window titles
  • Text Typing — Type text into application windows; payment, outbound send, destructive, or other high-risk outcomes are separately approval-gated
  • Button and Element Clicking — Click buttons, menu items, and other UI elements; purchase submission, outbound sends, destructive changes, and other high-risk outcomes require approval gates
  • Keyboard Shortcuts — Send keyboard shortcuts to applications; destructive or high-risk shortcuts require approval or are blocked
  • Shell Command Execution — Run shell commands on your system only after explicit approval; commands that safety policy classifies as unsafe may still be blocked
  • File System Access — Read and search files, and write or delete files only after explicit approval; protected system and credential paths are blocked
  • Browser Automation — Navigate websites, extract content, take screenshots, and click elements in an automated browser session
  • Web Search — Search the web and retrieve results on your behalf

When the agent acts on a third-party website, it uses the browser session available to that task, and you remain bound by those sites' own terms. Launch-supported connected-account features (such as Calendar, where enabled) use their own OAuth tokens; cloud browser tasks do not receive your desktop browser profile, local payment vault, or unrelated OAuth tokens. Desktop agent actions are processed locally by default. If you enable cloud browser, cloud vision, managed AI routing, messaging, Calendar (where enabled), phone, or other hosted agent features, the relevant page content, screenshots, browser input events, messages, prompts, call context, or task metadata may be transmitted to Viola servers or to the configured third-party provider as needed to provide that feature. Read-only and routine confirm-tier actions may run inside an enabled agent task under the configured autonomy mode and audit gates. Actions classified as dangerous or high-impact require explicit approval before execution and are denied when no interactive approval channel is available.

2.7 Phone Calls (Opt-In Only)

When you enable phone calling, Viola can make outbound calls on your behalf via the Telnyx telephony service. Viola does not answer inbound calls. Phone calling requires acceptance of a separate Phone Calling Terms of Service before first use, and is available for United States/NANP phone numbers only (enforced in the application).

Data collected when phone calling is enabled:

  • Phone numbers: The numbers you call are stored locally for call history and billing purposes.
  • Call recordings: Recording is on by default and can be turned off in Phone Settings. Calls may be recorded locally as WAV files; in cloud mode, recordings may be stored in cloud storage (S3-compatible). Recording does not begin until the opening disclosure has been spoken. Recordings are auto-deleted after 30 days.
  • Call transcripts: Real-time speech-to-text is used so the AI agent can listen during the call. Transcript retention is on by default and can be turned off in Phone Settings. Retained transcripts are disclosed in the opening and auto-deleted after 30 days; when transcript retention is off, transcripts are ephemeral and not stored.
  • Call metadata: Duration, timestamps, and call status are logged locally and used for per-plan minute tracking.

Opening disclosures: Viola constructs one natural opening that identifies Viola as calling for you, includes any active recording/transcript disclosure, and then states the purpose of the call. If recording only is active, the disclosure says the call may be recorded for your records. If transcript retention only is active, it says the call may be transcribed for your records. If both are active, it says the call may be recorded and transcribed for your records.

AI identity: Proactive AI self-identification is controlled by a Phone Settings toggle and is off by default. When it is on, the opening identifies Viola as your automated assistant. When it is off, Viola does not proactively add that clause, but if the called party asks whether Viola is a person, robot, AI, or automated system, Viola answers truthfully that it is an automated assistant calling on your behalf. Viola will not claim to be human or impersonate you.

Third-party call data: The people Viola speaks with on a call did not agree to Viola's terms. We use call recordings and transcripts only to complete the task you asked for, to give you a record of what your assistant did, to keep the service secure, and to comply with law. We never sell this data, never use it for advertising, and never use it to train AI models.

Opt-out by called parties: Called parties can request to be added to Viola's do-not-call list, and Viola will not place further calls to opted-out numbers.

Rate limits and use limits: Phone calling is rate-limited per user and may be blocked for prohibited or unsafe use. You may not use phone calling for telemarketing, sales outreach, political calls, fundraising, debt collection, surveys, mass/proactive calling, emergency services, harassment, calls to numbers on the National Do Not Call Registry, or calls where required consent has not been obtained.

2.8 Google Account and Calendar Access (Opt-In Only)

The public launch supports Google account sign-in and may offer a separate Google Calendar connection where the launch build enables it. Gmail read access, Drive, Chat, and broader Google Workspace restricted-scope features are not included in this public launch.

Data handling:

  • Email and Workspace content: Gmail read access, Drive, Chat, and broader Google Workspace restricted-scope data are not part of this public launch. Viola does not request those restricted scopes for launch features.
  • Calendar events: Where Google Calendar is enabled and connected, event titles, times, attendees, descriptions, and locations are processed for the requested calendar action. Viola's always-on local calendar stores events in a per-user local calendar database until you delete them or uninstall the app. If provider sync is unavailable, a per-user local fallback queue may keep pending calendar writes until they are replayed to an available provider or deleted.
  • OAuth scopes: Public launch Google OAuth is limited to account sign-in and any separately enabled Calendar scopes. You can review and revoke Google permissions at any time in your Google Account settings.
  • Credentials: OAuth tokens for connected Calendar or other external accounts are stored as Tier-3 device-only credentials in encrypted local credential storage (see Section 7.1). GoTrue holds the Viola identity session for cloud account sign-in and may briefly hold OAuth flow-state during sign-in or connection; stale flow-state is cleared hourly. Tokens are not exposed to the LLM as plain text.
  • Google Limited Use: Viola's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train generalized or foundational AI/ML models, we do not transfer Google user data to data brokers, and Google user data is used only to provide or improve the Google account features you have enabled.

2.9 Purchase and Payment Activity (Opt-In Only)

When agent mode is enabled, Viola can browse e-commerce websites and complete purchases on your behalf (e.g., ordering food, buying products).

Data handling:

  • Payment card data: If you add payment cards to Viola's local vault, the card number, expiration date, and security code (CVV) are encrypted at rest on your device and are stored on your device only. This card data is never transmitted to Viola's servers. Its safety depends on the security of your device. The full card number is never exposed to the AI model — the model only sees last-4 confirmations. The local payment vault is separate from Stripe subscription billing and never enters Viola's payment-processor environment.
  • Virtual-card recommendation: Storing a card security code on your device may increase exposure if your device is compromised. Where your bank or a virtual-card provider offers a merchant-locked or spend-limited virtual card, we recommend using one for agent-assisted purchases — it limits the impact of any device compromise.
  • Purchase history: Records of purchases made through the agent are stored locally.
  • Payment form interaction: When Viola fills payment forms on websites, card data flows directly from the local vault to the browser DOM. It does not pass through LLM processing or network transmission to Viola servers.

2.10 Device Information

We collect minimal device information:

  • Operating system and version: Used for compatibility and support purposes.
  • Device identifier: A random device-based identifier is generated locally for rate limiting and session management. This is not a hardware fingerprint and can be reset by the user.
  • IP address: When connecting to Viola cloud services, your IP address is processed for rate limiting and security (brute-force protection). IP addresses are personal data; we use them only for service operation and security, and we do not store them long-term or use them for tracking.

2.11 Public Website Contact and Launch Notices

If you submit the public contact form, join a launch-notification list, or email a public Viola contact address, we collect the information you choose to provide, such as your name, email address, subject, message, submission timestamp, and source. We use this information only to answer your request, handle support/security/legal intake, send the launch notice you requested, prevent abuse, and maintain records needed to honor export or deletion requests. Contact-form notifications may be sent to the Viola support mailbox through the configured email delivery provider.

Public waitlist and contact records are matched by email for account export and account deletion when the same email address belongs to a Viola account. Non-account holders may request export or deletion by contacting privacy@useviola.com.

If you submit in-app feedback or a manual bug report, Viola stores the message, redacted diagnostic context, timestamp, type, generated feedback ID, and your account identifier in the local feedback store. These entries are used for support, debugging, security, and product improvement, and are included in account export and deletion.

2.12 Messaging Integrations (Opt-In Only)

Viola can connect to expressly enabled messaging channels to send and receive messages on your behalf. The desktop public launch supports Telegram setup with a bot token you provide. Each enabled integration is opt-in. Message content may be processed locally, by Viola cloud for hosted messaging, by the selected messaging provider, and by the configured LLM provider as needed to provide the channel. Hosted channel conversation records may be stored to maintain context, sync state, and support account export/deletion.

Browser push notifications are an opt-in account feature. If enabled, Viola stores a browser push endpoint, random device identifier, public encryption keys, user agent, and timestamps so it can deliver notifications to that browser. Notification title, body, and data fields are sent from Viola cloud through the browser or operating-system push service selected by your browser vendor, such as Apple, Google, Mozilla, or Microsoft. You can revoke browser push delivery by unsubscribing the browser/device or deleting your account.

Account SMS is a separate opt-in flow. If you enable it, Viola stores your mobile number, verification state, consent status, consent timestamp, consent text version, verification-send metadata, and inbound SMS text needed to thread and audit the conversation.

SMS opt-in data, consent status, and mobile numbers are not sold, rented, or licensed for third-party marketing or promotional purposes. We may share this information with service providers, carriers, and messaging vendors only as needed to deliver and manage Viola SMS.

2.13 Telemetry and Analytics

Application telemetry and error reporting are disabled by default and require configuration plus explicit consent (see Section 2.5.4).

The useviola.com marketing website uses Cloudflare Web Analytics — a cookieless, privacy-preserving edge analytics service. It records aggregate page-view counts and basic visit metrics. It does not set cookies, does not use a cross-site identifier, and does not build an advertising or behavioral profile of you. Desktop application telemetry remains governed by the consent controls described above and in Section 7.3.

If you enable error reporting (Sentry integration), scrubbed error stack traces and diagnostic context may be sent to Sentry for production monitoring. Sentry initialization and event sending are gated by consent_error_reporting; request bodies, secrets, tokens, cookies, session material, and sensitive fields are scrubbed or dropped before transmission.

If you enable pipeline telemetry and configure a telemetry server URL, aggregate usage metrics may be sent to Viola's telemetry endpoint at /api/telemetry/ingest. The telemetry reporter sends a random telemetry install identifier plus operational counters and health metrics such as app version, operating system, plan tier, wake-word model, room count, command category counts, latency percentiles, cache hit counts, feature names used, error code counts, multi-room drift buckets, agent approval counts, messaging counters, and LLM token/cost counters. It does not send command text, voice audio, message content, file contents, screenshots, prompts, secrets, or payment details. Counters are bucketed or noise-adjusted where practical. If telemetry is not enabled, no telemetry server URL is configured, or consent_error_reporting is not granted, telemetry transmission fails closed.
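As an added illustration of the fail-closed gating, allowlisting and bucketing described in this section (example code written for this page, not Viola's own telemetry reporter): transmission is refused unless all three preconditions hold, only allowlisted metric fields survive, and raw counts are rounded up to coarse bucket edges. The field names, bucket edges and configuration shape are assumptions; the policy lists categories, not a wire format.

```python
"""Fail-closed telemetry gate with an allowlist and count bucketing.

Added example, not Viola's code. Field names, bucket edges and the
TelemetryConfig shape are assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Any, Optional

# Allowlisted metric keys (assumed names). Anything not listed here is dropped,
# so a new field cannot leak by accident: the allowlist decides, not a denylist.
ALLOWED_KEYS = frozenset({
    "install_id", "app_version", "os", "plan_tier",
    "command_category_counts", "error_code_counts",
    "latency_p50_ms", "latency_p95_ms",
})

# Defence in depth: even an allowlisted key is refused if its name looks like
# content or secret material (prompt text, audio, keys, card data, messages).
DENY_PATTERN = re.compile(
    r"(prompt|audio|secret|token|api_key|password|card|screenshot|message)", re.I
)

# Coarse bucket edges for counts; a count of 37 is reported as 50, not 37.
# The last edge also serves as a saturation value for anything larger.
COUNT_BUCKETS = (0, 1, 5, 10, 50, 100, 500, 1000)


@dataclass
class TelemetryConfig:
    enabled: bool = False
    server_url: str = ""
    consent_error_reporting: bool = False


def bucket_count(n: int) -> int:
    """Round a non-negative count up to the next bucket edge, saturating at the top."""
    for edge in COUNT_BUCKETS:
        if n <= edge:
            return edge
    return COUNT_BUCKETS[-1]


def build_payload(cfg: TelemetryConfig, raw: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Return the payload that may leave the device, or None to fail closed.

    None is returned when telemetry is disabled, no server URL is configured,
    or error-reporting consent is absent. Otherwise only allowlisted keys are
    copied, and dict-valued *_counts fields are bucketed per entry.
    """
    if not (cfg.enabled and cfg.server_url and cfg.consent_error_reporting):
        return None

    out: dict[str, Any] = {}
    for key, value in raw.items():
        if key not in ALLOWED_KEYS or DENY_PATTERN.search(key):
            continue  # dropped silently; never echoed back into logs either
        if key.endswith("_counts") and isinstance(value, dict):
            out[key] = {name: bucket_count(int(n)) for name, n in value.items()}
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample input: a reporter that mistakenly included content.
    sample = {
        "app_version": "3.6",
        "command_category_counts": {"music": 37, "phone": 0},
        "last_prompt": "play something relaxing",   # must never be sent
        "openai_api_key": "sk-constructed-example",  # must never be sent
    }
    off = TelemetryConfig(enabled=True, server_url="https://telemetry.example.invalid/api/telemetry/ingest")
    on = TelemetryConfig(enabled=True, server_url=off.server_url, consent_error_reporting=True)
    print(build_payload(off, sample))  # None: consent missing, fails closed
    print(build_payload(on, sample))   # only allowlisted, bucketed fields remain
```

The gate returns None rather than an empty payload so the caller cannot mistake "nothing to send" for "sent nothing sensitive"; the sending path should treat None as a hard stop.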


3. Data We Do NOT Collect

We explicitly do not collect:

  • Persistent Voice Recordings: Temporary command-audio files are deleted immediately after transcription and are never transmitted to our servers. Wake-word audio is processed locally and is not uploaded to Viola servers. If you opt in to cloud STT, audio is transmitted to the third-party STT provider but not retained by us.
  • Unconsented Phone Recordings: Phone calls are not recorded or stored unless phone calling and recording are enabled as described in Section 2.7.
  • Listening History for Advertising: We do not collect listening history for advertising profiles, sale, or sharing. Desktop playback history stays local by default; cloud sync or hosted music-session features may store allowlisted music state only if you enable them, as described in Section 2.2.
  • Unrequested Personal Information: We collect account, billing, contact, launch-notification, and support information only when you provide it or use the related hosted feature. We do not collect unrelated personal information just because you visit the website or run the desktop app.
  • Precise Location Data: No GPS tracking. IP addresses are processed transiently for security but not stored for location tracking.
  • Behavioral Advertising Profiles: We do not build advertising or marketing profiles, and we do not sell data to advertisers.
  • Biometric Data: No voice prints, speaker identification profiles, or fingerprints are stored or created.
  • Desktop Content by Default: Desktop content read by local agent features is processed locally by default. It may be transmitted only if you enable a cloud/hosted agent feature or a configured LLM provider path that requires that context.
  • User Content for AI Training: We do not use your content to train AI or machine-learning models (see Section 3.2 below for the full, scoped statement).

3.1 No Sale or Sharing of Your Personal Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under California law. We do not build advertising or marketing profiles about you. We use limited technical and operational information to run, secure, bill for, and improve the Service, and we use aggregate, population-level statistics — which do not identify you, your household, your device, your account, or anyone you contact — to understand and improve the product. If we ever change these practices, we will tell you in advance and give you a meaningful choice before the change applies to data we already hold; we will also add a "Do Not Sell or Share My Personal Information" link if it ever becomes applicable.

3.2 No AI Training on Your Content

We do not use your content — voice commands, conversations, prompts, messages, files, call audio or transcripts — to train AI or machine-learning models. This is our default and it does not change unless you take a separate, explicit opt-in action. Your prompts and related context are processed by third-party AI providers to answer you; under our business arrangements with those providers, your inputs and outputs are not used to train their models by default, but those providers' own terms govern their processing — see Section 4.2. Data about people other than you that Viola encounters while acting for you — for example, parties on a phone call, email recipients, or people visible on your screen — is never used to train models.

3.3 De-Identified and Aggregate Data

We may use aggregate or de-identified operational data to understand reliability, feature usage, latency, cost, fraud, abuse, and service health. We maintain de-identified data in de-identified form and do not try to re-identify it unless required by law or needed to investigate security abuse. Aggregate or de-identified data is not used to build advertising profiles and does not include raw voice audio, call recordings, message content, Google user data or Google-derived content, payment card numbers, OAuth tokens, API keys, screenshots, or file contents.


4. Third-Party Services

4.1 Music Providers

When you use a launch-supported music source, such as local files, Spotify in the Windows desktop app, or YouTube/Google music paths where available:

  • The provider's own privacy policy and terms apply to your use of their service.
  • If the provider requires account sign-in, you authenticate directly with that provider, and any long-lived token is stored as Tier-3 device-only credential data.
  • Viola processes playback requests and track metadata needed to provide the music feature. If you explicitly enable cloud sync or hosted music-session features, allowlisted music metadata such as title, artist, provider ID or URL, playlist membership, liked status, and ratings may sync to Viola cloud under your account.
  • Spotify works in the Windows desktop app. Embedded browser playback is not offered, and Spotify OAuth tokens are Tier-3 device-only credential data that never leave the desktop.


4.2 AI Providers (Optional)

If you enable cloud AI features, which provider receives your prompts depends on the execution path you selected in Settings (see Section 2.5.1):

  • OpenAI (BYOK, managed OpenAI API access, or cloud STT): Your transcribed commands, prompts, tool context, relevant profile fields, learned preferences/facts, suggestion context, or cloud STT audio (if cloud STT is enabled) may be sent to OpenAI for processing. See OpenAI Privacy Policy.
  • Anthropic (BYOK): Your transcribed commands, prompts, tool context, and relevant profile or learned-model context may be sent to Anthropic for processing. See Anthropic Privacy Policy.
  • Google/Gemini: Your prompts, relevant profile or learned-model context, or vision/agent context may be sent to Google/Gemini when that provider path is configured. See Google Privacy Policy.
  • Additional OpenAI-compatible BYOK providers: If you configure OpenRouter, Groq, Together, Mistral, Perplexity, DeepSeek, Fireworks, xAI, Cohere, or a custom OpenAI-compatible endpoint, your prompts, tool context, and relevant profile or learned-model context may be sent to that selected provider. Those are direct user-provider integrations; review the provider's own terms and data-use settings before enabling them.
  • Viola-managed OpenAI API access (paid plans): Paid plans may route prompts through Viola's managed OpenAI API account. OpenAI's privacy policy and API data-use terms apply to those prompts; under the API business arrangement, inputs and outputs are not used to train OpenAI's models by default.
  • Local providers: Local providers such as Ollama run on your device; prompts do not leave your device through Viola for those providers.
  • Cloud speech-to-text providers: If you enable cloud transcription, selected audio may be sent to OpenAI Whisper or Deepgram for speech-to-text.
  • Note: Raw microphone audio is transmitted only when you enable a feature that requires audio transmission, such as cloud STT or cloud phone mode.

4.3 Payment Processing

If you subscribe to a paid plan:

  • Stripe: Credit/debit card payments are processed by Stripe. We do not store your full credit card information on our servers; Stripe handles subscription card data directly. See Stripe Privacy Policy.
  • BTCPay Server: If you choose cryptocurrency payment, transactions are processed through a self-hosted BTCPay Server instance. We control this infrastructure and no card data is involved; BTCPay processes invoice identifiers and wallet/payment metadata.
  • Local Payment Vault: If you add payment cards to Viola's local vault for agent-assisted purchases (see Section 2.9), the card number, expiration, and security code are stored locally on your device in encrypted form and never transmitted to Viola's servers. This is separate from Stripe subscription billing.

4.4 Telephony Provider

If you enable phone calling:

  • Outbound calls are placed via Telnyx. Telnyx processes the phone numbers you call, call metadata, and audio streams during the call.
  • See Telnyx Privacy Policy.

4.5 Email Delivery and Operational Alerts

  • Transactional emails (account verification, notifications) may be sent via Resend. Resend processes email addresses and message content for delivery.
  • Operational or security alerts to the Viola operator may be sent through Cloudflare Email Service, PagerDuty, Pushover, Telegram, Telnyx SMS, or a configured webhook provider. These alerts contain operational metrics, incident summaries, and status details, not user content.
  • See Resend Privacy Policy.

4.6 Third-Party Data Processors

The following third-party services may process data on our behalf:

| Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Stripe | Payment processing | Name, email, payment method (last 4 digits) | USA |
| BTCPay Server | Cryptocurrency subscription payments | Invoice identifiers, wallet/payment metadata; no card data | USA/self-hosted |
| OpenAI (opt-in) | AI command processing, speech-to-text, Viola-managed OpenAI API access | Transcribed commands, prompts, tool context, relevant profile/learned-model context, voice audio (if cloud STT enabled); token counts for billing | USA |
| Anthropic (opt-in, BYOK) | AI command processing | Transcribed voice commands, prompts, tool context, and relevant profile/learned-model context | USA |
| Google/Gemini (opt-in) | AI command processing when selected, account sign-in, and Calendar integration where enabled | Prompts and agent context sent to Google/Gemini only when that provider path is configured; Google account sign-in claims and Calendar data for connected Calendar actions. Gmail, Drive, Chat, and broader Workspace restricted-scope content are not part of public launch features. | USA |
| Additional OpenAI-compatible BYOK providers (opt-in) | AI command processing through selected provider presets or a custom OpenAI-compatible endpoint | Transcribed commands, prompts, tool context, relevant profile/learned-model context, and provider request metadata | Provider region/terms |
| Deepgram (opt-in) | Cloud speech-to-text | Voice audio selected for cloud transcription and transcription request metadata | USA/global |
| Microsoft OAuth / Graph (opt-in) | Microsoft calendar connection and calendar access | OAuth authorization data, encrypted tokens, calendar event data, and calendar request metadata | Provider region/terms |
| User-configured API Vault endpoints and connector templates (opt-in) | User-authored API tools and connector template calls such as GitHub, Notion, Slack, Google Maps, OpenWeatherMap, or custom endpoints | API keys/tokens supplied by the user, request payloads, response payloads, and request metadata for approved commands | Provider region/terms |
| Telnyx (opt-in) | Outbound phone calls, account SMS, operator SMS alerts | Phone numbers, SMS message content, SMS delivery metadata, call audio, call metadata | USA |
| Cloudflare | DNS/CDN, tunnel, cookieless website analytics, optional Email Service alert delivery, and Cloudflare R2 object storage where configured | DNS/log metadata, aggregate website page-view metrics, operational alert emails where configured, and user-uploaded files/call recordings/object metadata stored through R2 when cloud storage is enabled | USA/global |
| S3-compatible object storage provider | Cloud file storage and phone recording storage where a non-Cloudflare S3 backend is configured | User-uploaded files, phone call recordings, review/support artifacts, object metadata | Provider region configured by operator |
| Resend | Transactional email delivery | Email addresses, message content | USA |
| Browser/OS push service selected by the user's browser (opt-in) | Browser push notification delivery | Push endpoint, public encryption keys, notification title/body/data, and delivery metadata | Provider region/terms |
| PagerDuty (optional) | Operator incident paging | Operational incident summaries and alert metadata | USA/global |
| Pushover (optional) | Operator push notifications | Operational alert messages and delivery metadata | USA |
| Sentry (opt-in) | Error monitoring | Scrubbed error traces; no request bodies, secrets, or PII | USA |
| DuckDuckGo | Web search fallback | Search queries (no Viola user identifiers added) | USA |
| Configured SearXNG endpoint (optional) | Web search when configured by the user/operator | Search queries (no Viola user identifiers added) | Configured endpoint location |
| Weather and geocoding providers (api.weather.gov, wttr.in, OpenStreetMap Nominatim, ip-api.com, and configured weather-gfs endpoints) | Weather lookup, weather-location geocoding, fallback city lookup from IP, and forecast retrieval | City name, coordinates, public IP address, client IP address, and weather request metadata | United States / global |
| EPA AirNow (U.S. air quality) | Public U.S. AQI enrichment | Viola downloads a public reporting-area file and resolves the nearest reporting area locally; per-user coordinates are not sent to AirNow | United States |
| Free Dictionary API (definitions) | Dictionary/definition lookups | Word lookup queries; no PII | Global |

Note: Music providers are not our data processors when you use them directly; you have a direct relationship with them. Viola may process playback requests and allowlisted track metadata to provide the music feature. Cloud music metadata sync happens only when you explicitly enable the relevant cloud sync or hosted music-session feature; Spotify OAuth tokens stay as desktop-only Tier-3 device-only credential data.

For a complete list of data processors and DPA status, see our Third-Party Processors document.

We will notify users via email or in-app notification at least 30 days before adding new processors that materially change data handling.

4.7 Other Disclosures

We may disclose personal information outside the processor relationships above only in these limited situations:

  • At your direction: when you connect a third-party account, approve an agent action, send a message, place a phone call, or otherwise ask Viola to share information with another person or service.
  • Legal and safety requests: when required by law, subpoena, court order, or valid legal process; to protect the rights, safety, privacy, or property of users, called parties, Viola, or the public; or to detect and prevent fraud, abuse, security incidents, or unlawful activity.
  • Business transfers: if Viola is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be reviewed in diligence and transferred to a successor as part of that transaction, subject to the commitments in this Policy.
  • Professional advisers: to attorneys, accountants, auditors, insurers, or other advisers who need the information to provide professional services to us and are bound by confidentiality obligations.

5. Data Storage Tiers

Viola separates user data by storage tier:

  • Tier 1: Cloud account data: Account identity, subscription records, usage counters, hosted-feature state, and related service records are stored in cloud Postgres for account-backed and hosted features.
  • Tier 2: Cloud-synced data with consent: Settings, preferences, personalization profile records, learned user-model records, and other syncable data move through cloud services only when you enable the relevant sync or hosted feature.
  • Tier 3: Desktop-only data: Local payment-vault contents, BYOK API keys, desktop integration tokens in encrypted local credential storage, local browser profiles, task traces, trace-decrypt audit logs, agent audit logs, weekly-review artifacts, and personalization audit logs stay on your device and are not sent to Viola's cloud service. Hosted features may process their own account/session records, and GoTrue may hold transient OAuth flow-state during sign-in or connection.
  • Offline-capable local use: Core local desktop features can operate without a Viola account. Hosted features, managed AI, subscription services, phone calling, and cloud sync require network access and account-backed services where offered.

6. Your Rights

6.0 Privacy Controls

Most Viola privacy controls are available directly in the application:

  • Local data and consent toggles: Settings > Privacy & Data lets you manage usage reports, cloud sync, weekly review, and error reporting. Account > Cloud Consents lets signed-in cloud users view and revoke cloud consent records. Feature-specific controls let you disconnect accounts, change AI routing, manage phone recording/transcript/AI-announcement settings, and delete saved phone call data where exposed.
  • Connected accounts: You can disconnect launch-supported music, Google Calendar where available, Microsoft, messaging, AI-provider, and other optional integrations from Settings or revoke access in the third-party provider's account controls.
  • AI routing: You can switch between local, BYOK, and Viola-managed model paths in Settings; the active path is shown in the application.
  • Phone data: Phone Settings control call recording, transcript retention, and proactive AI announcement. Saved call recordings and retained transcripts can be deleted before the automatic 30-day retention period ends.
  • Telemetry and error reporting: These remain off unless configured and consented to. You can withdraw consent for telemetry or error reporting at any time.
  • Broader export or deletion requests: For local or cloud data not exposed through an in-app control, including personalization profile/model data, weekly-review artifacts, and personalization audit records, contact privacy@useviola.com.

6.1 GDPR Rights (European Economic Area)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

Right of Access (Article 15)

  • You have the right to obtain confirmation of whether we process your personal data and to request a copy.
  • Since most data is stored locally, you have direct access to it on your device.
  • For cloud accounts: Contact us to request a data export within 30 days.

Right to Rectification (Article 16)

  • You have the right to correct inaccurate personal data.
  • Local data: You can edit your settings and profile directly in the application; learned model, weekly review, suggestion, and personalization audit data are included in export/deletion handling where supported.
  • Cloud accounts: Contact us or use in-app profile editing to correct account information.
  • AI outputs can be inaccurate and may contain personal information about you generated by a third-party model or local model. If you believe a hosted Viola record contains inaccurate personal information about you, contact us and we will address the request within the limits of the data we control and the technical capabilities of the relevant model path.

Right to Erasure (Article 17)

  • You have the right to request deletion of your personal data.
  • Local data: Delete the app, use the feature-specific deletion controls exposed in the application, or contact privacy@useviola.com for help with broader local data deletion.
  • Cloud accounts: Contact us or use in-app account deletion; data is removed within 30 days.
  • Some records may be retained longer where required or permitted by law, including tax and billing records, security logs, fraud and abuse prevention records, records needed to resolve disputes or enforce the Terms, legal holds, and an audit record showing that we handled your deletion request.

Right to Restriction of Processing (Article 18)

  • You have the right to restrict processing of your personal data in certain circumstances (e.g., while we verify accuracy of data you have contested).
  • Contact us at privacy@useviola.com to request restriction.

Right to Data Portability (Article 20)

  • You have the right to receive your data in a structured, commonly used, machine-readable format.
  • Local data is stored in a standard database format, directly accessible on your device.
  • Cloud data: Contact us for JSON export.

Right to Object (Article 21)

  • You have the right to object to processing based on legitimate interests.
  • If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Contact us at privacy@useviola.com to object.

Right to Withdraw Consent (Article 7)

  • You can withdraw consent for any consent-based processing at any time.
  • Disable cloud features, revoke cloud consents from Account > Cloud Consents, disable phone calling, or turn off other opt-in features in Settings.
  • Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Right to Lodge a Complaint

6.2 CCPA/CPRA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Right to Know

  • You have the right to know what personal information we collect, use, and disclose.
  • You may request this information up to twice in a 12-month period.
  • See Section 2 above for complete details of data we collect.

Categories of Personal Information Collected

In the preceding 12 months, we may have collected the following categories of personal information (only when you opt in to the relevant features):

  • Identifiers: Email address, account name, device identifiers, IP address
  • Commercial information: Subscription plan, payment history, purchase records
  • Internet or electronic network activity: Browsing history (agent mode only, processed locally), interaction with the application
  • Audio information: Voice commands are processed transiently. Wake-word audio is processed locally and is not uploaded to Viola servers.
  • Geolocation data: IP-derived approximate location (transient, for security only)

Right to Delete

  • You have the right to request deletion of your personal information.
  • Contact us at privacy@useviola.com or use the feature-specific deletion controls exposed in the application.
  • We may retain limited records when an exception applies, such as completing a transaction you requested, detecting security incidents, preventing fraud or abuse, complying with law, resolving disputes, maintaining tax and billing records, or keeping a deletion-request audit record.

Right to Correct

  • You have the right to correct inaccurate personal information.

Right to Opt-Out of Sale or Sharing

  • See Section 3.1 — we do not sell or share your personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.
  • If this changes in the future, we will provide a "Do Not Sell or Share My Personal Information" link.

Right to Limit Use of Sensitive Personal Information

  • We process sensitive personal information (account login credentials, precise geolocation if applicable, voice data) only as necessary to provide the Service.

Right to Non-Discrimination

  • We will not discriminate against you for exercising your CCPA/CPRA rights, including by denying services, charging different prices, or providing a different quality of service.

Authorized Agent

  • You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority.

Shine the Light (California Civil Code Section 1798.83)

  • California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

6.3 Virginia VCDPA, Colorado CPA, and Connecticut CTDPA Rights

If you are a resident of Virginia, Colorado, or Connecticut, you have similar rights under your state's privacy law, including the right to access, correct, delete, and obtain a copy of your personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling. We do not engage in targeted advertising, sale of personal data, or automated profiling that produces legal or similarly significant effects.

To exercise these rights, contact us using the methods in Section 6.4 below. You may appeal our decision regarding your request by contacting privacy@useviola.com with the subject line "Privacy Rights Appeal."

6.4 How to Exercise Your Rights

To exercise any of these rights:

  • Email: privacy@useviola.com
  • In-App: Settings > Privacy & Data and Account > Cloud Consents for consent controls, plus feature-specific deletion/export controls where exposed

Verification: We will verify your identity before fulfilling your request. For account holders, we verify via your logged-in session or account email. For non-account holders, we may ask for information sufficient to verify your identity.

Response Time: We will acknowledge your request within 10 business days and respond substantively within 30 days (45 days for CCPA requests, extendable by an additional 45 days with notice). GDPR requests are fulfilled within 30 days, extendable by up to 60 days for complex requests with notice.


7. Data Security

7.1 Encryption

  • Authentication tokens: Long-lived external-account OAuth tokens are stored in encrypted local credential storage on your device. Where supported, Viola uses the operating-system keyring for the master key. GoTrue identity sessions and transient OAuth flow-state are handled by the cloud identity service and stale flow-state is garbage-collected hourly.
  • API keys: Encrypted at rest in local credential storage; the per-user API-key vault uses operating-system-keyed encryption.
  • Local payment vault: Card data encrypted at rest on your device; never transmitted to Viola servers.
  • Local database: Standard file system permissions (user-only access).

7.2 Access Controls

  • Only the Viola application can access your local data.
  • No remote access to local data.
  • Cloud data (if enabled) protected by account authentication.

7.3 Desktop Application Network Access

  • At idle with the default desktop configuration, the Viola desktop application makes no analytics or telemetry calls.
  • Application telemetry and error reporting require explicit consent (see Section 2.12).
  • Desktop network access is used for launch-supported music streaming paths and the hosted features you use.
  • The useviola.com website uses Cloudflare's cookieless Web Analytics for aggregate page-view metrics, as disclosed in Section 2.12 and Section 9A.

8. Children's Privacy (COPPA Compliance)

  • Minimum Age: Viola is not intended for children under 13 years of age (or the minimum age required by applicable law in your jurisdiction). Users under 18 must have parental or guardian consent. Users in the European Economic Area must be at least 16 years old unless a lower age (no younger than 13) has been set by their EU member state.
  • Age Verification: Account registration requires age confirmation. Users who indicate they are under the minimum age are blocked from creating an account.
  • No Knowing Collection: We do not knowingly collect, use, or disclose personal information from children under 13. We do not knowingly allow children under 13 to create accounts or use cloud features.
  • Parental Rights: Parents or legal guardians who believe their child has provided personal information to Viola may contact us at privacy@useviola.com to request access to, deletion of, or cessation of further collection of the child's personal information.
  • Response: We will respond to verified parental requests within 30 days and delete the child's information promptly.
  • Discovery: If we discover that we have collected personal information from a child under 13 without verified parental consent, we will delete that information as quickly as possible.

9. Data Retention

9.1 Local Data

  • Retained until you delete it or uninstall the application.
  • You have full control over local data retention.

9.2 Cloud Data (If Enabled)

  • Account data: Retained while account is active; deleted within 30 days of an account deletion request.
  • Subscription records: Retained for 7 years for tax/legal compliance.
  • Deletion-request audit records and legal-hold records: Retained only as long as needed to prove compliance, resolve disputes, prevent abuse, or satisfy legal obligations.

9.3 Data Retention Schedule

| Data Type | Retention Period | Location | Deletion Method |
| --- | --- | --- | --- |
| Voice audio | Deleted immediately after transcription | Local temp file | Automatic |
| Voice transcripts | Session only (RAM) | Local | Automatic on session end |
| Music queue | Until cleared or app uninstalled; synced only if cloud sync or hosted music-session features are enabled | Local database by default; cloud sync tables with consent | User-initiated or uninstall |
| Playback history | Until cleared or app uninstalled; synced only if cloud sync or hosted music-session features are enabled | Local database by default; cloud sync tables with consent | User-initiated or uninstall |
| Settings | Until app uninstalled; synced only if cloud sync is enabled | Local settings file / local database by default; cloud preferences with consent | Uninstall or manual deletion |
| Personalization profile and learned user model | Until cleared, account deletion, or app uninstall; synced only if cloud sync or a hosted sync feature is enabled | Local database by default; cloud sync tables with consent | User-initiated deletion, account deletion, export/deletion request, or uninstall |
| Weekly review artifacts and suggestion history | Until cleared, account deletion, or app uninstall | Local per-user files and local user-model queue | User-initiated deletion, account deletion, export/deletion request, or uninstall |
| Personalization audit logs | Until account deletion, local purge, or app uninstall | Local per-user audit files | Account deletion, local purge/export controls, or uninstall |
| OAuth tokens | Until revoked or expired | Encrypted local credential storage on your device; transient GoTrue OAuth flow-state during sign-in or connect flows is garbage-collected hourly | User revocation, expiry, or scheduled flow-state cleanup |
| API keys | Until removed by user | Encrypted local credential storage | User-initiated |
| Account data (cloud) | Until account deletion | Cloud servers | 30 days post-deletion request |
| Subscription records | 7 years | Cloud servers | Legal retention requirement |
| Error logs | 90 days | Local/Cloud | Automatic rotation |
| Telemetry payloads (opt-in) | 90 days unless aggregated earlier | Local / Viola telemetry endpoint | Automatic rotation / aggregation |
| Task traces and trace blobs | Until purged by local retention tools or app uninstall | Local encrypted trace store | Local purge/export controls |
| Trace-decrypt audit log | Until account deletion, local deletion, or app uninstall | Local audit file | Account deletion or local cleanup |
| Phone call recordings (default-on unless disabled) | Auto-deleted after 30 days | Local / Cloud (S3) | Automatic deletion; user-initiated |
| Phone call transcripts (default-on unless disabled) | Auto-deleted after 30 days | Local | Automatic deletion; user-initiated |
| Account SMS records (opt-in) | Until SMS removal or account deletion; consent audit records may be retained as needed to document opt-in or opt-out | Cloud servers | User-initiated removal, account deletion, or legal retention |
| Public website contact and launch-notification intake | Until the request is handled or the launch-notification list is no longer needed; deleted on verified request or account deletion when matched by email | Website intake storage / support mailbox | User request, account deletion email match, or operational cleanup |
| In-app feedback and manual bug reports | Until handled, account deletion, export/deletion request, or app uninstall | Local feedback store | User request, account deletion, or local cleanup |
| Payment card data (opt-in) | Until removed by user | Local encrypted vault | User-initiated deletion |
| Local calendar events and fallback queue | Until deleted, replayed to an available provider, or app uninstalled | Per-user local calendar database and local fallback file | Calendar delete action, replay cleanup, local purge, or uninstall |
| Connected Google Calendar provider data (opt-in, where enabled) | Processed for the requested calendar task; OAuth tokens remain until revoked or expired; provider data remains in the connected provider account under that provider's controls. Gmail, Drive, Chat, and broader Workspace restricted-scope data are not part of public launch features. | Local processing, encrypted local credential storage, connected provider account, and transient GoTrue OAuth flow-state during sign-in or connect flows | User/provider deletion, OAuth revocation, expiry, scheduled flow-state cleanup, or account deletion where applicable |
| Agent browsing data (opt-in) | Session only | Local browser session | Automatic on session end |
| Cloud consent records | Until account deletion | Cloud servers | Account deletion; revocation updates the active consent state |
| Checkout consent records | 7 years (proof of acceptance) | Cloud / local billing store | Legal retention requirement |
| Deletion request audit records | As long as needed for compliance, dispute, or abuse-prevention purposes | Cloud | Legal / security retention requirement |

9A. Cookies and Website Analytics

9A.1 What We Use

| Technology | Where | Purpose | Data Stored |
| --- | --- | --- | --- |
| Local settings/database storage | Desktop application | Application state | Settings, queue, playback history |
| Encrypted local credential storage | Desktop application | Secure credential storage | OAuth tokens, API keys |
| Session Storage | Web UI | Temporary UI state | Current view, transient preferences |
| Cloudflare Web Analytics | useviola.com website | Aggregate page-view metrics | Cookieless; no cross-site identifier; aggregate counts only |

9A.2 Cookies

  • The Viola desktop application does not use tracking, analytics, or advertising cookies.
  • The useviola.com website uses Cloudflare Web Analytics, which is cookieless — it does not set cookies and does not use a cross-site tracking identifier. It records aggregate page-view metrics so we can understand site traffic; it does not build a behavioral or advertising profile of you.
  • We do not use advertising cookies or sell data to advertisers.

9A.3 Third-Party Service Cookies

When you authenticate with launch-supported web music providers or other third-party services, those providers may set cookies in your browser according to their own policies.


9B. Security Breach Notification

9B.1 Our Commitment

In the unlikely event of a security breach affecting your personal data, we will follow a structured incident response process to contain the breach, assess the impact, and notify affected parties in accordance with applicable law, including the EU General Data Protection Regulation (GDPR) and applicable U.S. state breach notification laws.

9B.2 Internal Incident Response

Upon discovery or credible report of a potential breach, we will:

1. Triage (0-4 hours): Acknowledge the report, classify severity, and activate the incident response process.

2. Contain (0-24 hours): Isolate affected systems, revoke compromised credentials, and prevent further unauthorized access.

3. Investigate (0-48 hours): Determine the root cause, scope of data affected, number of users impacted, and whether data was exfiltrated or merely exposed.

4. Remediate (24-72 hours): Patch the vulnerability, restore systems from clean backups if necessary, and implement safeguards to prevent recurrence.

5. Document: Maintain a written record of the incident, response actions taken, timeline, and findings. This record is retained for a minimum of 5 years.

9B.3 Notification to Supervisory Authorities

  • Within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority (Data Protection Authority) in accordance with GDPR Article 33.
  • The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
  • If full details are not available within 72 hours, we will provide information in phases without further undue delay.

9B.4 Notification to Affected Users

  • We will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34.
  • Notifications will be sent via email to the address on file and, where possible, via in-app notification.
  • Our notification will include: a plain-language description of the breach, the types of personal data involved, the likely consequences, measures we have taken, the steps you can take to protect yourself, and contact information for our privacy team.

9B.5 Reporting a Security Concern

If you believe you have discovered a security vulnerability or suspect a breach of Viola systems, please report it immediately:

  • Security email: security@useviola.com
  • Privacy inquiries: privacy@useviola.com

We take all reports seriously. You will receive an acknowledgment within 24 hours and a substantive response within 72 hours.

9B.6 Scope of Breach Procedures

Viola's data-handling design limits the user data held in hosted systems:

  • Data stored only on your device is not accessible through Viola's hosted infrastructure.
  • Hosted features, account services, telemetry, and third-party integrations are the primary systems covered by these breach-response procedures.

10. International Data Transfers

  • Device-only use: Data stored only on your device is not transferred internationally by Viola.
  • Hosted features: If you use account, subscription, managed AI, cloud sync, cloud phone, telemetry, or other hosted features and are outside the United States, your data may be transferred to servers located in the United States.
  • Safeguards for EEA/UK/Swiss Transfers: Before processing personal data from the EEA, UK, or Switzerland through a given processor, we put a Data Processing Agreement in place with that processor and rely on the Standard Contractual Clauses adopted by the European Commission for the transfer to the United States, supplemented by additional technical and organizational safeguards where appropriate. Where a processor is certified under the EU-U.S. Data Privacy Framework, we may also rely on that certification. Our processor-agreement status is tracked in our Third-Party Processors document.
  • Your Consent: By enabling cloud features, you acknowledge and consent to the transfer of your data to the United States, which may have data protection laws that differ from those in your country.
  • Third-Party Processor Locations: Most current third-party processors are located in the United States; some operate globally. We will update this section if we engage processors in other jurisdictions.

11. Changes to This Policy

  • We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
  • Material changes (new categories of data collection, new third-party processors that materially change data handling, changes to data-sharing practices, or changes to your rights) will be communicated at least 30 days in advance via email (to the address on file) and in-app notification.
  • Non-material changes (clarifications, formatting) may be made without advance notice.
  • For processing based on consent, we will seek renewed consent where required by applicable law before applying material changes to consent-based processing.
  • Continued use of the Service after the effective date of a modified Privacy Policy constitutes acceptance for processing activities not based on consent.
  • Previous versions of this Privacy Policy are available upon request at privacy@useviola.com.

12. Contact Us

For privacy questions or to exercise your rights:

  • Email: privacy@useviola.com
  • Security: security@useviola.com
  • Website: https://useviola.com/privacy
  • Response Time: We will respond to requests within 30 days.
  • Data Controller: Jihad Shkoukani is the data controller for personal information processed under this Policy.

Mailing Address:

Jihad Shkoukani

Attn: Privacy

Milwaukee, Wisconsin, United States


13. Legal Basis for Processing (GDPR)

| Processing Activity | Legal Basis | Details |
| --- | --- | --- |
| Voice processing (local) | Legitimate interest | Core functionality; no data leaves device |
| Cloud speech-to-text (opt-in) | Consent | Audio sent to third-party STT provider |
| Music playback | Contract performance | Necessary to provide the Service |
| Settings storage | Legitimate interest | Necessary for application functionality |
| Cloud sync (opt-in) | Consent | User explicitly enables sync |
| Account creation | Contract performance | Necessary to provide cloud features |
| Payment processing | Contract performance | Necessary to fulfill subscription |
| Operational/technical data (IP, device ID, counters) | Legitimate interest / contract performance | Service operation, security, abuse prevention, billing |
| Desktop automation (opt-in) | Consent | User explicitly enables agent mode |
| Phone calls (opt-in) | Consent | User explicitly enables phone calling |
| Email/calendar access (opt-in) | Consent | User explicitly connects accounts |
| Purchase assistance (opt-in) | Consent | User explicitly enables and approves transactions |
| Error reporting and telemetry (opt-in) | Consent | User explicitly enables Sentry/telemetry |
| Website analytics (cookieless, aggregate) | Legitimate interest | Aggregate page-view metrics; no profiling |
| Security measures (rate limiting, brute-force protection) | Legitimate interest | Necessary to protect the Service and users |
| Legal compliance (subscription/consent records retention) | Legal obligation | Tax and financial record-keeping requirements |

14. Commercial Email (CAN-SPAM Compliance)

We may send you transactional emails related to your account (verification, password reset, subscription confirmations, security alerts). These are not marketing communications and do not require opt-in.

If we send promotional or marketing emails in the future:

  • Each email will clearly identify us as the sender and include our physical mailing address.
  • Each email will include a clear and conspicuous unsubscribe mechanism.
  • We will honor unsubscribe requests within 10 business days.
  • We will not use deceptive subject lines or misleading header information.
  • We will not sell or transfer email addresses to third parties for their marketing purposes.

15. Data Protection Impact Assessments (GDPR Article 35)

For processing activities likely to require a Data Protection Impact Assessment under GDPR Article 35 or similar laws, including where applicable voice processing, agent-mode desktop automation, phone call recording and transcription, and browser automation involving payment-card handling, we assess the requirement before enabling or materially expanding that processing in the jurisdiction where the law applies. When a DPIA is required and completed, we maintain the record internally and make it available to supervisory authorities where required by law.


16. Changelog

Version | Date | Changes
1.0 | 2026-01-08 | Initial release
1.4 | 2026-04-11 | Added phone, email/calendar, purchase/vault, device, messaging, telemetry disclosures; expanded GDPR/CCPA rights; added processors, CAN-SPAM, DPIA
3.0 | 2026-05-22 | Updated website analytics, managed AI routing, local payment vault, processor, Google Limited Use, and phone-call retention disclosures
3.1 | 2026-05-23 | Updated phone-call defaults: recording on, transcript retention on, proactive AI announcement off; noted Phone Calling Terms version 2.1
3.2 | 2026-05-23 | Added privacy controls, legal/business-transfer disclosure categories, de-identified data commitments, deletion exceptions, and data-controller wording
3.3 | 2026-05-25 | Updated weather-provider disclosures to match the current NWS, wttr.in, Nominatim, weather-gfs, and AirNow implementation; added public website contact and launch-notification intake disclosure, export/deletion matching, retention row, and random telemetry install identifier disclosure
3.4 | 2026-05-25 | Disclosed the ip-api.com fallback weather-location lookup in the Privacy Policy processor table
3.5 | 2026-05-25 | Replaced the absolute pre-public-DPIA promise with a jurisdiction- and requirement-based DPIA statement
3.6 | 2026-05-29 | Reconciled launch copy for desktop-scoped Spotify support, Google restricted-scope gating, music metadata sync, and OAuth token storage boundaries