The Privacy Ledger
Every capability Viola ships with, what it runs on, what leaves your device, and how to turn it off. Open source would let a few developers read our code. This table lets everyone read what we do.
Voice pipeline
From the microphone to an intent. The default is local end-to-end unless you opt in.
| Capability | Status | What runs | What leaves your device | Off switch |
|---|---|---|---|---|
| Microphone capture | Local | OS-level mic capture on your device | Nothing. Audio is processed in-memory; temp files deleted after transcription. | Mute mic / pause wake word (hotkey, tray) |
| Wake word ("Viola") | Local | ViolaWake ONNX model on your CPU | Nothing. | Disable wake word in Settings |
| Voice activity detection (Silero) | Local | Silero VAD ONNX model on your CPU | Nothing. | N/A (core component) |
| Speech-to-text (STT) | Local or Opt-in | Configurable. Default is local Whisper-style model. Cloud STT providers are selectable per user. | If you select a cloud STT provider, audio chunks are sent to that provider for transcription. | Set STT provider to local in Settings |
| Acoustic echo cancellation (AEC) | Local | AEC DSP on your CPU | Nothing. | N/A |
| Wake-word sample upload (Contributor Mode) | Opt-in | Off by default. When on, short consented wake-word snippets are uploaded to help retrain the model. | Consented snippets only, when enabled. | Disable Contributor Mode in Settings > Privacy |
LLM execution path
Viola's reasoning runs through one of three paths. You pick, per user.
| Path | Status | Who processes your prompts | What leaves your device | Off switch |
|---|---|---|---|---|
| BYOK (OpenAI or Anthropic) | Opt-in | OpenAI or Anthropic under your API key | Transcribed commands (text). Never raw audio. | Remove API key in Settings |
| Managed Viola subscription (ChatGPT / Codex routing) | Opt-in (paid plans) | OpenAI's ChatGPT backend under Viola's managed account | Transcribed commands (text). Token counts go to Viola's billing system for spend caps (metric only, not content). | Switch to BYOK or Local in Settings |
| Local LLM (Ollama, etc.) | Local | A model running on your own hardware | Nothing. | N/A (opt-in to use) |
Multi-room audio
Hub runs on your desktop. Spokes are browsers on your LAN.
| Capability | Status | What runs | What leaves your device | Off switch |
|---|---|---|---|---|
| Hub audio decode | Local | Audio pipeline on your hub PC | Nothing beyond your LAN. | Close the app |
| Spoke playback (browser) | Local LAN | Browser spoke page connects to the hub over your LAN (WebSocket) | Audio streams between hub and spoke on your LAN. Nothing leaves your network. | Close the browser tab |
| Third-party music playback | Provider required | YouTube Music, Spotify, Apple Music, Tidal via OAuth | Playback requests go to the music provider you chose. Their privacy policy applies. | Disconnect the provider in Settings |
Integrations you connect
Viola is the client. You own the accounts; we hold only the OAuth tokens, encrypted, locally.
| Integration | Status | Who sees it | What leaves your device | Off switch |
|---|---|---|---|---|
| Google (Gmail, Calendar, YouTube) | Opt-in | Google, under your OAuth scopes | Read/write requests to Gmail / Calendar / YouTube APIs. Your OAuth token never leaves your keyring. | Revoke at accounts.google.com or in Viola Settings |
| Home Assistant (smart home) | Opt-in | Your own Home Assistant instance | Commands and entity queries to the HA URL you configured (typically your LAN). | Remove HA URL in Settings |
| Browser automation (agent mode) | Opt-in, per-action approval | Websites you direct Viola to visit | Normal browser traffic to those sites, from your device. No interception by Viola. | Disable agent mode in Settings |
| Web search | Opt-in | Your configured search provider (SearXNG, DDG, etc.) | Search queries to the provider you configured. | Change or disable in Settings |
Phone features
Phone is off by default. If you turn it on, here's exactly what happens.
| Capability | Status | Who processes it | What leaves your device | Off switch |
|---|---|---|---|---|
| Phone calls (local mode) | Opt-in | Telnyx carrier for PSTN; audio pipeline on your hub PC via Pipecat | Phone numbers, call metadata, and live call audio flow between Telnyx and your hub. | Disable phone feature in Settings |
| Phone calls (cloud mode) | Opt-in | Telnyx carrier; api.useviola.com cloud bridge multiplexes streams | Call audio transits the Viola bridge for multiplexing; not stored unless recording is enabled. | Switch phone_mode to local or disable phone entirely |
| Call recording | Opt-in | Storage backend you configured (local disk or an S3-compatible bucket you control) | Recording files, if recording is enabled. | Disable recording in Settings; retention is configurable |
Account, billing, and data-at-rest
The minimum we need to bill you and let you sync; nothing we don't.
| Capability | Status | What we store | Where | Off switch |
|---|---|---|---|---|
| Local settings and history | Local | SQLite database on your device | Your device | Clear data / uninstall |
| Encrypted memory | Local | Conversation memory, encrypted at rest per-user | Your device | Clear memory in Settings |
| Memory backup & device loss | Local only, by design | Memory has no automatic cloud backup. If you don't enable cross-device sync, your memory lives and dies on the device you installed on. Device loss = memory loss, on purpose. | Your device only | Opt in to cross-device sync if you want a backup, or copy the SQLite file yourself. A user-initiated encrypted memory export is on the roadmap. |
| OAuth tokens / API keys | Local | Credentials are stored Fernet-encrypted on disk (credentials.enc). The encryption key is held in the OS keyring (Windows Credential Manager / macOS Keychain / Linux Secret Service). If keyring is unavailable, the key is derived from the JWT secret via PBKDF2-HMAC-SHA256 @ 600k iterations as a fallback. | Your device | Disconnect integration / clear data |
| Viola account (email, password hash) | Opt-in | Email, bcrypt password hash (cost factor 12, with a SHA-256 prehash), optional display name, MFA/passkey material | Viola cloud | In-app account deletion (GDPR § 17) |
| Billing records | Required if you subscribe | Stripe token, last-4 of card, plan, renewal date; aggregate usage meters (token counts, phone minutes) | Stripe and Viola billing database | Cancel subscription; records retained 7 years for compliance |
| Cross-device sync | Opt-in | Settings and preferences you choose to sync | Viola cloud | Disable sync; purge via account deletion |
| Analytics / behavioral telemetry | None by default | We do not collect behavioral analytics. No page-view tracking, no cohort analytics, no ad identifiers. | — | — |
Agent mode (disabled by default)
Agent mode lets Viola act on your computer. It is off by default. Every high-risk action requires per-action approval.
| Action | Status | Approval | What leaves your device |
|---|---|---|---|
| Read window text / UI elements | Opt-in | Feature toggle | Nothing. |
| Type text into apps | Opt-in | Per-action approval | Nothing. |
| Click UI elements | Opt-in | Per-action approval | Nothing. |
| Keyboard shortcuts | Opt-in | Per-action approval | Nothing. |
| Shell command execution | Opt-in | Per-action approval; sandboxed eval for unsafe expressions | Nothing by default; depends on command. |
| File read / write / delete | Opt-in | Write and delete require per-action approval | Nothing. |
| Payment submission (browser) | Opt-in | Payment-Gate: final submit always requires you | Normal browser traffic to the merchant. |
Why a ledger instead of open source?
Open source lets a small group of developers read the code. A ledger lets everyone read what the code does. Paired with our Network Flows doc, you can inspect Viola's traffic with Wireshark and compare it against this table. If the two ever diverge, we want to hear about it — security.html has the disclosure address.
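One way to run the comparison described above, as an added example that is not Viola's own code: it checks destinations exported from a capture against the ledger rows for the features you have enabled. The feature keys and every hostname except api.useviola.com are assumptions; take the real values from the Network Flows doc.

```python
import ipaddress

# Ledger row -> hostname suffixes it may contact. Only api.useviola.com is named
# on the page; the other hosts are assumptions to replace from the Network Flows doc.
LEDGER_HOSTS = {
    "phone_cloud_mode": ["api.useviola.com"],
    "byok_openai": ["api.openai.com"],
    "byok_anthropic": ["api.anthropic.com"],
    "cloud_stt": ["stt.provider.example"],  # placeholder
}
# Explicit LAN ranges: ipaddress.is_private would also accept documentation nets.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_lan(ip):
    """True for hub/spoke style traffic that never leaves the local network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def host_matches(host, suffix):
    """Exact host or a subdomain of it; a bare endswith() would match look-alikes."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def audit(capture_lines, enabled):
    """Return sorted (dst_ip, sni) pairs that no enabled ledger row accounts for."""
    allowed = [h for feat in enabled for h in LEDGER_HOSTS.get(feat, [])]
    unexpected = set()
    for line in capture_lines:
        ip, _, sni = line.strip().partition(",")
        if not ip or is_lan(ip):
            continue
        if sni and any(host_matches(sni, s) for s in allowed):
            continue
        unexpected.add((ip, sni or "<no SNI>"))
    return sorted(unexpected)

# Constructed sample in "ip.dst,tls.handshake.extensions_server_name" form,
# e.g. exported with tshark -T fields -E separator=, (addresses are documentation ranges).
SAMPLE = [
    "192.168.1.20,",                         # browser spoke on the LAN
    "203.0.113.10,api.openai.com",           # BYOK request
    "198.51.100.7,api.useviola.com",         # cloud phone bridge
    "198.51.100.9,metrics.tracker.example",  # in no ledger row
    "203.0.113.50,",                         # external flow without SNI
]

if __name__ == "__main__":
    for ip, sni in audit(SAMPLE, enabled=["byok_openai"]):
        print("not in ledger for enabled features:", ip, sni)
```

With only BYOK enabled, the cloud-bridge flow is reported alongside the unknown host, because the ledger says that traffic appears only when cloud phone mode is on.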
This page is versioned alongside releases. If a feature's privacy shape changes, this ledger changes with it.