The Privacy Ledger
Every capability Viola ships with, what it runs on, what leaves your device, and how to turn it off.
Voice pipeline
Microphone capture, wake word, VAD, AEC, and default STT run locally. LLM routing is listed separately.
| Capability | Status | What runs | What leaves your device | Off switch |
|---|---|---|---|---|
| Microphone capture | Local | OS-level mic capture on your device | Nothing. Audio is processed in-memory; temp files deleted after transcription. | Mute mic / pause wake word (hotkey, tray) |
| Wake word ("Viola") | Local | ViolaWake ONNX model on your CPU | Nothing. | Disable wake word in Settings |
| Voice activity detection (Silero) | Local | Silero VAD ONNX model on your CPU | Nothing. | N/A (core component) |
| Speech-to-text (STT) | Local or Opt-in | Configurable. Default is a local Whisper-style model. Cloud STT providers are selectable per user. | If you select a cloud STT provider, audio chunks are sent to that provider for transcription. | Set STT provider to local in Settings |
| Acoustic echo cancellation (AEC) | Local | AEC DSP on your CPU | Nothing. | N/A |
LLM execution path
Viola's reasoning runs through one of three paths. Prompts may include relevant profile fields, learned preferences/facts, and suggestion context when those features are enabled. Managed OpenAI is the default after sign-in; BYOK and local modes can replace it in Settings.
| Path | Status | Who processes your prompts | What leaves your device | Off switch |
|---|---|---|---|---|
| BYOK (OpenAI, Anthropic, Google, or OpenAI-compatible) | Opt-in | The provider you choose, under your API key | Transcribed commands and relevant prompt context. Never raw audio. | Remove API key in Settings |
| Viola-managed OpenAI API access | Default after sign-in | OpenAI's API, accessed through Viola's managed OpenAI API account | Transcribed commands and relevant prompt context. Token counts go to Viola's billing system for spend caps (metric only, not content). | Switch to BYOK or Local in Settings |
| Local LLM (Ollama, etc.) | Local | A model running on your own hardware | Nothing. | N/A (opt-in to use) |
Multi-room audio
Hub runs on your desktop. Spokes are browsers on your LAN.
| Capability | Status | What runs | What leaves your device | Off switch |
|---|---|---|---|---|
| Hub audio decode | Local | Audio pipeline on your hub PC | Nothing beyond your LAN. | Close the app |
| Spoke playback (browser) | Local LAN | Browser spoke page connects to the hub over your LAN (WebSocket) | Audio streams between hub and spoke on your LAN. Nothing leaves your network. | Close the browser tab |
| Third-party music playback | Provider required | YouTube/Google and Spotify | Playback requests go to the music provider you chose. Their privacy policy applies. | Disconnect the provider in Settings |
Integrations you connect
Viola is the client. You own the accounts; provider credentials are stored locally in encrypted credential storage.
| Integration | Status | Who sees it | What leaves your device | Off switch |
|---|---|---|---|---|
| Google (Gmail, Calendar, Workspace) | Opt-in | Google, under your OAuth scopes | Read/write requests to Gmail, Calendar, and supported Workspace APIs. OAuth tokens are stored in encrypted local or cloud credential storage for the account context and are sent to Google for token refresh and API authorization. | Revoke at accounts.google.com or in Viola Settings |
| Home Assistant (smart home) | Opt-in | Your own Home Assistant instance | Commands and entity queries to the HA URL you configured (typically your LAN). | Remove HA URL in Settings |
| Browser automation (agent mode) | Opt-in, high-risk approval | Websites you direct Viola to visit | Normal browser traffic to those sites, from your device. No interception by Viola. | Disable agent mode in Settings |
| Web search | Opt-in | Your configured search provider (SearXNG, DDG, etc.) | Search queries to the provider you configured. | Change or disable in Settings |
Phone features
Phone calls require account sign-in and Phone Terms acceptance before first use. Launch support uses local phone mode. Call recording and transcript retention default on, and the separate AI-announcement setting defaults off.
| Capability | Status | Who processes it | What leaves your device | Off switch |
|---|---|---|---|---|
| Phone calls (local mode) | Opt-in | Telnyx carrier for PSTN; audio pipeline on your hub PC via Pipecat | Phone numbers, call metadata, and live call audio flow between Telnyx and your hub. | Disable phone or change Phone Settings |
| Phone calls (cloud mode) | Conditional | Telnyx carrier; api.useviola.com cloud bridge multiplexes streams | Call audio transits the Viola bridge for multiplexing; not stored unless recording is enabled. | Use local phone mode |
| Call recording | Default on | Configured recording storage (local disk or S3-compatible storage) | Recording files are auto-deleted after 30 days. | Disable recording in Phone Settings |
| Call transcripts | Default on | Phone pipeline and transcript partition storage | Transcript text is stored with the authenticated call record and auto-deleted after 30 days. | Disable transcript retention in Phone Settings |
Account, billing, and data-at-rest
Account and billing data exist when you create an account, subscribe, sync, or use managed paid actions.
| Capability | Status | What we store | Where | Off switch |
|---|---|---|---|---|
| Local settings and history | Local | Local app database and settings files on your device | Your device | Clear data / uninstall |
| Encrypted memory | Local | Conversation memory, encrypted at rest per-user | Your device | Clear memory in Settings |
| Memory backup & device loss | Local only | Memory has no automatic cloud backup. If you do not enable cross-device sync, memory stays on the device where you installed Viola. | Your device only | Opt in to cross-device sync if you want a backup |
| OAuth tokens / API keys | Local | Credentials are encrypted at rest in local credential storage. The OS keyring is used when available. | Your device | Disconnect integration / clear data |
| Viola account identity | Opt-in | Email, account ID, session/auth state, plan linkage, and optional profile fields. GoTrue owns the authentication records; Viola stores the app profile and billing linkage. | GoTrue and Viola cloud | In-app account deletion (GDPR § 17) |
| Personalization profile and weekly review | Local by default | Profile fields, learned preferences/facts, user-model records, queued suggestion metadata, weekly-review artifacts, and personalization audit rows. Cloud sync stores allowlisted profile/model data only when enabled. | Your device by default; Viola cloud sync tables only with consent | Disable weekly review/cloud sync; export or delete through account/local data deletion |
| Billing records | Required if you subscribe | Stripe or BTCPay customer/invoice/subscription IDs, plan, renewal/cancel state, invoice status, and usage meters (token counts, phone usage) | Stripe or BTCPay, plus Viola billing database | Cancel subscription; records retained 7 years for compliance |
| Cross-device sync | Opt-in | Settings and preferences you choose to sync | Viola cloud | Disable sync; purge via account deletion |
| App analytics / behavioral telemetry | Aggregate | The desktop app does not send analytics by default. If telemetry is enabled with consent, Viola sends operational counters only. The website and cloud checkout/download/account funnel use aggregate events, and useviola.com uses Cloudflare's cookieless Web Analytics for page-view counts. | No desktop analytics by default; aggregate cloud and Cloudflare metrics where applicable | Disable telemetry in Settings; website metrics are aggregate only |
Agent mode (disabled by default)
Agent mode lets Viola act on your computer. It is off by default. Every high-risk action requires per-action approval.
| Action | Status | Approval | What leaves your device |
|---|---|---|---|
| Read window text / UI elements | Opt-in | Feature toggle | Nothing. |
| Type text into apps | Opt-in | High-risk outcomes require approval | Nothing. |
| Click UI elements | Opt-in | High-risk outcomes require approval | Nothing. |
| Keyboard shortcuts | Opt-in | Destructive or high-risk shortcuts require approval or are blocked | Nothing. |
| Shell command execution | Opt-in | Per-action approval | Nothing by default; depends on command. |
| File read / write / delete | Opt-in | Write and delete require per-action approval | Nothing. |
| Payment submission (browser) | Opt-in | Final submit always requires your confirmation | Normal browser traffic to the merchant. |
How to check it
Use this page with Network Flows to compare the privacy shape of each feature with the traffic your machine actually makes. If you find a mismatch, security.html has the disclosure address.
This page is updated alongside releases. If a feature's privacy shape changes, this ledger changes with it.