Skip to content
How It Works Why Viola Phone Pricing
Download

Privacy Policy

Last updated: April 25, 2026 · Version 2.1

Our Core Principle: Private by default. Cloud only when you say so. Viola is a local-first application: by default, all processing happens on your device. Cloud features exist, are useful, and are strictly opt-in. For a capability-by-capability breakdown of what runs where and what leaves your device, see the Privacy Ledger.

1. Introduction

Jihad Shkoukani ("we", "us", "our", "Company", or "Viola") is committed to protecting your privacy. This Privacy Policy explains how we handle your personal information when you use the Viola desktop application, local-first features, account and subscription features, and cloud service at api.useviola.com.

2. Data We Collect

2.1 Voice Audio

  • Processing: Voice audio is processed locally on your device for wake word detection and speech recognition.
  • Temporary Storage: When you speak a voice command, audio is temporarily saved to a local file for transcription processing. This temporary file is automatically deleted immediately after transcription completes. By default, no voice audio is retained on disk after processing.
  • Transmission: Ordinary desktop voice commands are not transmitted to Viola servers by default. Voice audio may be transmitted only when you enable a feature that requires it, such as cloud phone mode, call recording storage, cloud speech-to-text, or wake-word contribution. If you opt into cloud AI services, transcribed text and relevant agent context may be sent to the configured AI provider for command processing.

2.2 Music Preferences

  • Listening History: Your queue and playback history are stored locally only.
  • Preferences: Settings like preferred volume, voice mode, and audio device are stored locally.
  • No Tracking: We do not track what you listen to or share this information with anyone.

2.3 Authentication Tokens

  • Music Provider Tokens: OAuth tokens for YouTube Music, Spotify, Apple Music, and Tidal are stored in your device's encrypted keyring.
  • API Keys: Any API keys you provide (OpenAI, Anthropic) are stored locally in encrypted storage.
  • No Transmission: Your tokens and API keys are never transmitted to Viola servers.

2.4 Settings and Preferences

  • Local Storage: All application settings are stored in a local SQLite database on your device.
  • No Cloud Sync by Default: Settings remain on your device unless you explicitly enable cloud sync.

2.5 Optional Cloud Features (Opt-In Only)

Viola separates cloud features into three independently controlled paths. You pick the path per feature; we do not bundle them.

2.5.1 Cloud AI execution path

  • BYOK (Bring Your Own Key): You configure your own OpenAI or Anthropic API key. Prompts are sent directly from your device to the provider under your account. Viola does not proxy or log these prompts.
  • Managed Viola subscription: When you subscribe to a paid plan, you may route prompts through Viola's managed access to OpenAI's ChatGPT backend (internally called Codex routing) or a managed OpenAI API endpoint. In this mode, Viola is the contracting party with the provider, and aggregate usage metrics (token counts, not prompt content) are processed by our billing system to enforce spend caps.
  • Local LLM: If you configure a local inference backend such as Ollama, no prompts leave your device.

2.5.2 Account and billing

  • Account Information: Email address, optional display name, hashed password (if you create a Viola account)
  • Subscription Status: Plan type, renewal date, billing status (processed by Stripe and optionally BTCPay Server or another disclosed Bitcoin payment flow)
  • Usage Meters: Aggregate request counts, token counts, plan allowance use, and phone minute counts used to enforce subscription limits; these are metrics, not command content
  • Sync Data: Settings, device registry entries, and preferences (if you enable cross-device sync, multi-device, or multi-room cloud features)

2.5.3 Phone features

  • If you enable phone features, call metadata (phone numbers, timestamps, durations) is processed through Telnyx and, in cloud phone mode, through the api.useviola.com bridge. Call recording is off by default; when enabled, recordings are stored as configured (locally or in a configured cloud storage bucket).
  • All-party-consent jurisdictions: Viola's disclosure helper announces recording where required, but lawful use is your responsibility (see Terms § 2.4).

2.5.4 Contributor Mode

  • Off by default. When enabled, Viola uploads consented wake-word samples to help improve detection accuracy. Disabling Contributor Mode stops further uploads; previously uploaded samples follow the retention schedule in the Data Retention section.

2.5.5 Telemetry and error reporting

  • Telemetry and error reporting are disabled by default and require configuration plus explicit consent.
  • If enabled, telemetry may send operational counters and health metrics such as app version, operating system, plan tier, command category counts, latency percentiles, feature names used, error code counts, multi-room drift buckets, agent approval counts, messaging counters, and LLM token/cost counters.
  • Telemetry does not send command text, voice audio, message content, file contents, screenshots, prompts, secrets, or payment details. If telemetry is not enabled, no telemetry server URL is configured, or error-reporting consent is not granted, telemetry transmission fails closed.

Agent and Desktop Automation: Data Access Disclosure

When agent mode is enabled, Viola can access and interact with data on your device. This section discloses what data the agent features can access:

  • Screen Content: The agent can read the contents of application windows on your desktop, including text, UI element names, and window titles.
  • File System: The agent can read, write, search, and delete files on your device. Write and delete operations require your explicit approval.
  • Shell Commands: The agent can execute shell commands on your system, which may access or modify any data accessible to your user account. Each command requires your explicit approval.
  • Browser Content: The agent can navigate websites, read page content, extract links, and take screenshots in an automated browser session.
  • Keyboard and Mouse Input: The agent can type text, click UI elements, and send keyboard shortcuts to applications. These actions require your explicit approval.

Desktop agent actions are processed locally by default. If you enable cloud browser, cloud vision, managed AI routing, messaging, email/calendar, phone, or other hosted agent features, the relevant page content, screenshots, messages, prompts, call context, or task metadata may be transmitted to Viola servers or the configured third-party provider as needed to provide that feature. Agent mode is disabled by default and must be explicitly enabled in settings. Actions classified as high-risk require per-action approval before execution.

3. Data We Do NOT Collect

We explicitly do not collect:

  • Persistent Voice Recordings by Default: Temporary command-audio files are deleted immediately after transcription unless you separately enable optional wake-word contribution features, cloud STT, phone calling, or recording-related controls described above
  • Unconsented Phone Recordings: Phone calls are not recorded or stored unless phone calling and recording-related controls are enabled
  • Listening History: Stays on your device
  • Personal Identifiable Information: Unless you create an account
  • Location Data: No GPS or IP-based tracking
  • Usage Telemetry: No analytics or behavioral tracking without explicit consent. Optional telemetry contains operational counters and health metrics, not command text, voice audio, message content, screenshots, prompts, secrets, or payment details
  • Biometric Data: By default, Viola does not store voice prints or training samples. If you enable optional Contributor Mode (off by default; controlled by the contributor_mode_enabled setting), Viola uploads consented wake-word samples to help improve detection accuracy. You can disable Contributor Mode at any time from Settings; previously uploaded samples are subject to the retention schedule in the "Data Retention" section below.
  • Desktop Content by Default: Desktop content read by local agent features is processed locally by default. It may be transmitted only if you enable a cloud/hosted agent feature or a configured LLM provider path that requires that context

4. Third-Party Services

4.1 Music Providers

When you connect a music provider (YouTube Music, Spotify, Apple Music, Tidal):

  • You authenticate directly with that provider via OAuth
  • The provider's own privacy policy applies to your use of their service
  • We only store the authentication token locally; we do not access your account data

Provider Privacy Policies:

4.2 AI Providers (Optional)

If you enable cloud AI features, which path your prompts travel through depends on the execution path you selected in Settings (see § 2.5.1):

  • OpenAI (BYOK, managed OpenAI API, or cloud STT): Your transcribed commands, prompts, tool context, or cloud STT audio (if cloud STT is enabled) may be sent to OpenAI for processing. See OpenAI Privacy Policy.
  • Anthropic (BYOK): Your transcribed commands, prompts, and tool context may be sent to Anthropic for processing. See Anthropic Privacy Policy.
  • Google/Gemini: Your prompts or vision/agent context may be sent to Google/Gemini when that provider path is configured. See Google Privacy Policy.
  • ChatGPT managed routing (paid plans): When you use Viola's managed subscription routing, prompts are sent to OpenAI's ChatGPT backend under Viola's managed account where offered. OpenAI's privacy policy still applies to the prompts.
  • Local LLM (Ollama and similar): No prompts leave your device.
  • Note: Raw microphone audio is transmitted only when you enable a feature that requires audio transmission, such as cloud STT or cloud phone mode.

4.3 Payment Processing

If you subscribe to a paid plan:

  • Card payments are processed by Stripe
  • Cryptocurrency payments, where offered, are processed through BTCPay Server or another disclosed Bitcoin payment flow
  • We do not store your full credit card information on our servers
  • If you add payment cards to Viola's local vault for agent-assisted purchases, card details are stored locally on your device in encrypted form and are separate from subscription billing
  • See Stripe Privacy Policy

4.4 Third-Party Data Processors

Processor Purpose Data Processed Location
Stripe Payment processing Name, email, payment method (last 4 digits) USA
BTCPay Server Cryptocurrency subscription payments Invoice identifiers, wallet/payment metadata; no card data USA/self-hosted
OpenAI (opt-in) AI command processing, speech-to-text if cloud STT is enabled Transcribed commands, prompts, tool context, voice audio if cloud STT enabled USA
Anthropic (opt-in, BYOK) AI command processing Transcribed commands, prompts, tool context USA
Google/Gemini (opt-in) AI command processing, OAuth integrations, optional vision/model routing Prompts, agent context, OAuth account data, connected Google content you authorize USA
OpenAI / ChatGPT managed routing (opt-in, paid plans) AI command processing via Viola's managed subscription Transcribed voice commands (text only); token counts for billing USA
Telnyx (opt-in, phone feature) Phone call carriage, optional call recording Phone numbers, call timestamps, durations; audio if recording enabled USA
Viola Cloud Bridge (opt-in, cloud phone mode) Phone stream multiplexing at api.useviola.com Call audio (in-flight; not stored unless recording enabled) USA
Home Assistant (opt-in, user-hosted) Smart home control via your Home Assistant instance Entity IDs, commands, state queries (you host HA; Viola sends commands over your LAN or your HA URL) Your infrastructure
Resend Transactional email delivery Email addresses and message content for delivery USA
Sentry (opt-in) Error monitoring Scrubbed error traces and diagnostic context; no request bodies USA
DuckDuckGo Web search Search queries without Viola user identifiers USA

Note: Music providers (YouTube, Spotify, etc.) are not our data processors -- you have a direct relationship with them. We facilitate OAuth authentication but do not receive or process your music data.

We will notify users via email or in-app notification if we add new processors that materially change data handling.

5. Local-First Architecture

Viola is designed with privacy as a core architectural principle:

  • Default Mode: All processing happens on your device
  • No Required Internet: Core features work offline
  • Cloud is Opt-In: Cloud features require explicit user action to enable
  • Transparent Data Flow: You can see exactly what data leaves your device (if any)

6. Your Rights

6.1 GDPR Rights (European Union)

If you are in the European Economic Area, you have the following rights:

Right of Access (Article 15)

  • You have the right to know what personal data we hold about you
  • Since most data is stored locally, you have direct access to it
  • For cloud accounts: Contact us to request a data export

Right to Erasure (Article 17)

  • You have the right to delete your personal data
  • Local data: Delete the app or clear app data
  • Cloud accounts: Contact us or use in-app account deletion

Right to Data Portability (Article 20)

  • You have the right to receive your data in a portable format
  • Local data is stored in standard SQLite format
  • Cloud data: Contact us for JSON export

Right to Withdraw Consent (Article 7)

  • You can withdraw consent for cloud features at any time
  • Disable cloud features in Settings > Privacy
  • Withdrawal does not affect the lawfulness of prior processing

6.2 CCPA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

Right to Know

  • You have the right to know what personal information we collect
  • See Section 2 above for complete details

Right to Delete

  • You have the right to request deletion of your personal information
  • Contact us at [email protected]

Right to Opt-Out of Sale

  • We do not sell your personal information
  • There is nothing to opt out of

Right to Non-Discrimination

  • We will not discriminate against you for exercising your CCPA rights

6.3 How to Exercise Your Rights

To exercise any of these rights:

We will respond to requests within 30 days.

7. Data Security

7.1 Encryption

  • Authentication tokens: Stored in OS-level encrypted keyring
  • API keys: Encrypted at rest using platform-specific secure storage
  • Local database: Standard file system permissions (user-only access)

7.2 Access Controls

  • Only the Viola application can access your data
  • No remote access to local data
  • Cloud data (if enabled) protected by account authentication

7.3 No Data Transmission by Default

  • The application does not "phone home"
  • No analytics or telemetry without explicit consent
  • Network access only for music streaming and optional AI features

8. Children's Privacy

  • Viola is not intended for children under 13
  • We do not knowingly collect personal information from children
  • Account registration requires confirmation that the user is at least 13 years old
  • If you believe a child has provided personal information, contact us for deletion

9. Data Retention

9.1 Local Data

  • Retained until you delete it or uninstall the application
  • You have full control over local data retention

9.2 Cloud Data (If Enabled)

  • Account data: Retained while account is active
  • Deleted within 30 days of account deletion request
  • Subscription records: Retained for 7 years for tax/legal compliance

9.3 Data Retention Schedule

Data Type Retention Period Location Deletion Method
Voice audio Deleted immediately after transcription Local temp file Automatic
Voice transcripts Session only (RAM) Local Automatic on session end
Music queue Until cleared or app uninstalled Local SQLite User-initiated or uninstall
Playback history Until cleared or app uninstalled Local SQLite User-initiated or uninstall
Settings Until app uninstalled Local SQLite Uninstall or manual deletion
OAuth tokens Until revoked or expired Local keyring User revocation or expiry
API keys Until removed by user Local keyring User-initiated
Account data (cloud) Until account deletion Cloud servers 30 days post-deletion request
Subscription records 7 years Cloud servers Legal retention requirement
Error logs 90 days Local/Cloud Automatic rotation
Telemetry payloads (opt-in) 90 days unless aggregated earlier Local / Viola telemetry endpoint Automatic rotation / aggregation
Phone call recordings (opt-in) Until deleted by user Local / Cloud storage User-initiated deletion
Payment card data (opt-in) Until removed by user Local encrypted vault User-initiated deletion
Email/calendar data (opt-in) Session only Local Not retained after session
Agent browsing data (opt-in) Session only unless a cloud browser feature states otherwise Local / hosted browser session where enabled Automatic on session end / service retention controls

9A. Cookies and Local Storage

9A.1 What We Use

Technology Purpose Data Stored
SQLite Database Application state Settings, queue, playback history
OS Keyring Secure credential storage OAuth tokens, API keys
Session Storage (web UI) Temporary UI state Current view, transient preferences

9A.2 No Tracking Cookies

  • We do not use tracking cookies
  • We do not use analytics cookies
  • We do not use advertising cookies
  • No third-party cookies are set by Viola

9A.3 Third-Party Service Cookies

When you authenticate with music providers (via OAuth), those providers may set cookies in your browser according to their own policies. We have no control over these cookies.

9B. Data Breach Notification

9B.1 Our Commitment

In the unlikely event of a data breach affecting your personal information, we will:

  • Investigate the breach within 24 hours of discovery
  • Contain the breach and prevent further unauthorized access
  • Assess which users and data types are affected
  • Notify affected users and relevant authorities

9B.2 Notification Timeline

  • 72 hours: Notify relevant data protection authorities (as required by GDPR)
  • Without undue delay: Notify affected users via email and/or in-app notification

9B.3 What We Will Tell You

If your data is affected, our notification will include:

  • Description of the breach
  • Types of data involved
  • Likely consequences
  • Measures we're taking
  • Steps you can take to protect yourself
  • Contact information for questions

9B.4 Scope

Viola's local-first architecture significantly reduces breach risk:

  • Most user data never leaves your device
  • We cannot breach data we don't have
  • Cloud features (opt-in) are the primary breach surface

10. International Data Transfers

  • Default: No international data transfers (data stays on your device)
  • Cloud Features: If you enable cloud features and are outside the US, your data may be transferred to US servers
  • We rely on Standard Contractual Clauses for EU data transfers

11. Changes to This Policy

  • We may update this Privacy Policy from time to time
  • Material changes will be communicated via in-app notification
  • Continued use after changes constitutes acceptance
  • Previous versions available upon request

12. Contact Us

For privacy questions or to exercise your rights:

Mailing Address:
Jihad Shkoukani
Attn: Privacy Team
Jihad Shkoukani, Milwaukee, Wisconsin, United States
United States

13. Legal Basis for Processing (GDPR)

Processing Activity Legal Basis
Voice processing Legitimate interest (core functionality)
Music playback Contract performance
Settings storage Legitimate interest
Cloud sync (opt-in) Consent
Account creation Contract performance
Payment processing Contract performance
Desktop automation (opt-in) Consent
Phone calls (opt-in) Consent
Email/calendar access (opt-in) Consent
Purchase assistance (opt-in) Consent
Error reporting and telemetry (opt-in) Consent
Security measures Legitimate interest