
Privacy Policy

Last updated: 2026-05-23 · Version 3.2 · content hash 5f6a9a139b837d4f


Viola Voice Assistant

Version: 3.2

Effective Date: 2026-01-08

Last Updated: 2026-05-23


1. Introduction

Jihad Shkoukani ("we", "us", "our", "Company", or "Viola") operates the Viola voice assistant desktop application, local-first desktop features, account and subscription features, and the cloud service at api.useviola.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy is incorporated into our Terms of Service.

Our Core Principle: Viola is designed to keep device-only data on your device. Account, subscription, managed AI, phone, sync, telemetry, and other hosted features use cloud services only as described in this Policy.


2. Data We Collect

2.1 Voice Audio

  • Processing: Voice audio is processed locally on your device for wake word detection and speech recognition.
  • Temporary Storage: When you speak a voice command, audio is temporarily saved to a local file for transcription processing. This temporary file is automatically deleted immediately after transcription completes. No voice audio is retained on disk after processing.
  • Cloud Speech-to-Text (Opt-In): If you configure cloud-based speech-to-text (e.g., OpenAI Whisper API), your voice audio may be transmitted to that third-party provider for transcription. This is opt-in and disabled by default; local transcription is the default mode. See Section 4.2 for the applicable provider's privacy policy.
  • Transmission to Our Servers: Ordinary desktop voice audio is not transmitted to Viola servers by default. Voice audio may be transmitted only when you use a feature that requires it, such as cloud phone mode, call recording storage, or cloud speech-to-text. Wake-word audio is processed locally and is not uploaded to Viola servers.
  • No Biometric Profiling: We do not create voice prints, speaker identification profiles, or any biometric identifiers from your voice audio. Ordinary voice commands and custom wake-word creation do not enroll your identity, and voice data is not retained for profiling purposes.

2.2 Music Preferences

  • Listening History: Your queue and playback history are stored locally only.
  • Preferences: Settings like preferred volume, voice mode, and audio device are stored locally.
  • No Tracking: We do not track what you listen to or share this information with anyone.

2.3 Authentication Tokens

  • Music Provider Tokens: OAuth tokens for YouTube Music and Spotify are stored in your device's encrypted keyring.
  • API Keys: Any API keys you provide (OpenAI, Anthropic) are stored locally in encrypted storage.
  • No Transmission: Your tokens and API keys are device-only and are never transmitted to Viola servers; Viola's servers never receive them.

2.4 Settings and Preferences

  • Local Storage: All application settings are stored in a local database on your device.
  • No Cloud Sync by Default: Settings remain on your device unless you explicitly enable cloud sync.

2.5 Hosted and Optional Cloud Features

Viola separates hosted features into independently controlled paths. You control which optional hosted features you use.

2.5.1 Cloud AI execution path

  • BYOK (Bring Your Own Key): You configure your own OpenAI or Anthropic API key. Prompts are sent directly from your device to the provider under your account. Viola does not proxy or log these prompts.
  • Managed Viola access: The default AI source is Viola-managed access to OpenAI's API services. In this mode, Viola holds an OpenAI API account and is the contracting party with the provider; under that business arrangement your inputs and outputs are not used to train the provider's models by default. Aggregate usage metrics (token counts, not prompt content) are processed by our billing system to enforce spend caps.
  • Local LLM: If you configure a local inference backend such as Ollama, no prompts leave your device.

2.5.2 Account and billing

  • Account Information: Email address, optional display name, hashed password (if you create a Viola account)
  • Identity Service: Viola cloud accounts use a self-hosted instance of GoTrue (the open-source Supabase Auth service) for account creation, login, sessions, password storage, email verification, and identity lifecycle events.
  • Subscription Status: Plan type, renewal date, billing status (processed by Stripe and optionally BTCPay Server or another disclosed Bitcoin payment flow)
  • Usage Meters: Aggregate request counts, token counts, plan allowance use, and phone minute counts used to enforce subscription limits; these are metrics, not command content
  • Sync Data: Settings, device registry entries, and preferences (if you enable cross-device sync, multi-device, or multi-room cloud features)

2.5.3 Phone features

  • If you enable phone features, call metadata (phone numbers, timestamps, durations) is processed through Telnyx and, in cloud phone mode, through the api.useviola.com bridge.
  • Phone calling places outbound calls only. It is available for United States/NANP phone numbers only, and that limit is enforced in the application.
  • Phone Settings include three user controls: call recording (default on), transcript retention (default on), and proactive AI announcement (default off).
  • If recording or transcript retention is active, Viola includes the applicable disclosure in the opening greeting. Recording and retained transcripts are auto-deleted after 30 days.
  • Viola answers truthfully if a called party asks whether it is automated, will not claim to be human, and will not impersonate you. Lawful use is your responsibility (see Terms Section 5A.2).

2.5.4 Telemetry and error reporting

  • Telemetry and error reporting are disabled by default and require configuration plus explicit consent.
  • If enabled, telemetry may send operational counters and health metrics such as app version, operating system, plan tier, command category counts, latency percentiles, feature names used, error code counts, multi-room drift buckets, agent approval counts, messaging counters, and LLM token/cost counters.
  • Telemetry does not send command text, voice audio, message content, file contents, screenshots, prompts, secrets, or payment details. If telemetry is not enabled, no telemetry server URL is configured, or error-reporting consent is not granted, telemetry transmission fails closed.

2.6 Agent and Desktop Automation (Opt-In Only)

When agent mode is enabled, Viola can access and interact with data on your device on your behalf. Agent mode is disabled by default and must be explicitly enabled in settings.

Agent and Desktop Automation: Data Access Disclosure

Capabilities when enabled:

  • Screen Reading — Read the contents of application windows on your desktop, including text, UI element names, and window titles
  • Text Typing — Type text into application windows (requires per-action approval)
  • Button and Element Clicking — Click buttons, menu items, and other UI elements (requires per-action approval)
  • Keyboard Shortcuts — Send keyboard shortcuts to applications (requires per-action approval)
  • Shell Command Execution — Run shell commands on your system (requires per-action approval)
  • File System Access — Read, write, search, and delete files on your device (write/delete require per-action approval)
  • Browser Automation — Navigate websites, extract content, take screenshots, and click elements in an automated browser session
  • Web Search — Search the web and retrieve results on your behalf

When the agent acts on a third-party website, it uses your own logged-in sessions, cookies, and OAuth tokens for the accounts you have connected — you authorize this, and you remain bound by those sites' own terms. Desktop agent actions are processed locally by default. If you enable cloud browser, cloud vision, managed AI routing, messaging, email/calendar, phone, or other hosted agent features, the relevant page content, screenshots, messages, prompts, call context, or task metadata may be transmitted to Viola servers or the configured third-party provider as needed to provide that feature. Actions classified as high-risk require per-action approval before execution.

2.7 Phone Calls (Opt-In Only)

When you enable phone calling, Viola can make outbound calls on your behalf via the Telnyx telephony service. Viola does not answer inbound calls. Phone calling requires acceptance of a separate Phone Calling Terms of Service before first use, and is available for United States/NANP phone numbers only (enforced in the application).

Data collected when phone calling is enabled:

  • Phone numbers: The numbers you call are stored locally for call history and billing purposes.
  • Call recordings: Recording is on by default and can be turned off in Phone Settings. Calls may be recorded locally as WAV files; in cloud mode, recordings may be stored in cloud storage (S3-compatible). Recording does not begin until the opening disclosure has been spoken. Recordings are auto-deleted after 30 days.
  • Call transcripts: Real-time speech-to-text is used so the AI agent can listen during the call. Transcript retention is on by default and can be turned off in Phone Settings. Retained transcripts are disclosed in the opening and auto-deleted after 30 days; when transcript retention is off, transcripts are ephemeral and not stored.
  • Call metadata: Duration, timestamps, and call status are logged locally and used for per-plan minute tracking.

Opening disclosures: Viola constructs one natural opening that identifies Viola as calling for you, includes any active recording/transcript disclosure, and then states the purpose of the call. If recording only is active, the disclosure says the call may be recorded for your records. If transcript retention only is active, it says the call may be transcribed for your records. If both are active, it says the call may be recorded and transcribed for your records.

AI identity: Proactive AI self-identification is controlled by a Phone Settings toggle and is off by default. When it is on, the opening identifies Viola as your automated assistant. When it is off, Viola does not proactively add that clause, but if the called party asks whether Viola is a person, robot, AI, or automated system, Viola answers truthfully that it is an automated assistant calling on your behalf. Viola will not claim to be human or impersonate you.

Third-party call data: The people Viola speaks with on a call did not agree to Viola's terms. We use call recordings and transcripts only to complete the task you asked for, to give you a record of what your assistant did, to keep the service secure, and to comply with law. We never sell this data, never use it for advertising, and never use it to train AI models.

Opt-out by called parties: Called parties can request to be added to Viola's do-not-call list, and Viola will not place further calls to opted-out numbers.

Rate limits and use limits: Phone calling is rate-limited per user and may be blocked for prohibited or unsafe use. You may not use phone calling for telemarketing, sales outreach, political calls, fundraising, debt collection, surveys, mass/proactive calling, emergency services, harassment, calls to numbers on the National Do Not Call Registry, or calls where required consent has not been obtained.

2.8 Email and Calendar Access (Opt-In Only)

When you connect your email or calendar accounts (via Google OAuth, IMAP/SMTP, or other providers), Viola can read, compose, and send emails, and read or create calendar events on your behalf.

Data handling:

  • Email content: Email subjects, bodies, recipients, and attachments accessed by Viola are processed locally or transmitted to the configured LLM provider (as part of the agent context) for command processing. We do not independently store, copy, or index your email content on our servers.
  • Calendar events: Event titles, times, and attendees are processed similarly.
  • OAuth scopes: When using Google OAuth, we request unified scopes for YouTube Music, Gmail, and Google Calendar. You can review and revoke these permissions at any time in your Google Account settings.
  • Credentials: IMAP/SMTP passwords are stored locally in encrypted credential storage (see Section 7.1). OAuth tokens are stored in your device's encrypted keyring and never transmitted to Viola servers.
  • Google Limited Use: Viola's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train generalized or foundational AI/ML models, we do not transfer Google user data to data brokers, and Google user data is used only to provide or improve the email and calendar features you have enabled.

2.9 Purchase and Payment Activity (Opt-In Only)

When agent mode is enabled, Viola can browse e-commerce websites and complete purchases on your behalf (e.g., ordering food, buying products).

Data handling:

  • Payment card data: If you add payment cards to Viola's local vault, the card number, expiration date, and security code (CVV) are encrypted at rest on your device and are stored on your device only. This card data is never transmitted to Viola's servers. Its safety depends on the security of your device. The full card number is never exposed to the AI model — the model only sees last-4 confirmations. The local payment vault is separate from Stripe subscription billing and never enters Viola's payment-processor environment.
  • Virtual-card recommendation: Storing a card security code on your device may increase exposure if your device is compromised. Where your bank or a virtual-card provider offers a merchant-locked or spend-limited virtual card, we recommend using one for agent-assisted purchases — it limits the impact of any device compromise.
  • Purchase history: Records of purchases made through the agent are stored locally.
  • Payment form interaction: When Viola fills payment forms on websites, card data flows directly from the local vault to the browser DOM. It does not pass through LLM processing or network transmission to Viola servers.

2.10 Device Information

We collect minimal device information:

  • Operating system and version: Used for compatibility and support purposes.
  • Device identifier: A random device-based identifier is generated locally for rate limiting and session management. This is not a hardware fingerprint and can be reset by the user.
  • IP address: When connecting to Viola cloud services, your IP address is processed for rate limiting and security (brute-force protection). IP addresses are personal data; we use them only for service operation and security, and we do not store them long-term or use them for tracking.

2.11 Messaging Integrations (Opt-In Only)

Viola can connect to messaging platforms (Telegram, Discord, Slack, Signal, WhatsApp, Matrix) to send and receive messages on your behalf. Each integration is opt-in and requires you to provide your own credentials or bot tokens. Message content is processed locally or by the configured LLM provider. We do not independently store message content on our servers.

SMS opt-in data, consent status, and mobile numbers are not sold, rented, or licensed for third-party marketing or promotional purposes. We may share this information with service providers, carriers, and messaging vendors only as needed to deliver and manage Viola SMS.

2.12 Telemetry and Analytics

Application telemetry and error reporting are disabled by default and require configuration plus explicit consent (see Section 2.5.4).

The useviola.com marketing website uses Cloudflare Web Analytics — a cookieless, privacy-preserving edge analytics service. It records aggregate page-view counts and basic visit metrics. It does not set cookies, does not use a cross-site identifier, and does not build an advertising or behavioral profile of you. Desktop application telemetry remains governed by the consent controls described above and in Section 7.3.

If you enable error reporting (Sentry integration), scrubbed error stack traces and diagnostic context may be sent to Sentry for production monitoring. Sentry initialization and event sending are gated by consent_error_reporting; request bodies, secrets, tokens, cookies, session material, and sensitive fields are scrubbed or dropped before transmission.

If you enable pipeline telemetry and configure a telemetry server URL, aggregate usage metrics may be sent to Viola's telemetry endpoint at /api/telemetry/ingest. The telemetry reporter sends operational counters and health metrics such as app version, operating system, plan tier, wake-word model, room count, command category counts, latency percentiles, cache hit counts, feature names used, error code counts, multi-room drift buckets, agent approval counts, messaging counters, and LLM token/cost counters. It does not send command text, voice audio, message content, file contents, screenshots, prompts, secrets, or payment details. Counters are bucketed or noise-adjusted where practical. If telemetry is not enabled, no telemetry server URL is configured, or consent_error_reporting is not granted, telemetry transmission fails closed.


3. Data We Do NOT Collect

We explicitly do not collect:

  • Persistent Voice Recordings: Temporary command-audio files are deleted immediately after transcription and are never transmitted to our servers. Wake-word audio is processed locally and is not uploaded to Viola servers. If you opt in to cloud STT, audio is transmitted to the third-party STT provider but not retained by us.
  • Unconsented Phone Recordings: Phone calls are not recorded or stored unless phone calling and recording are enabled as described in Section 2.7.
  • Listening History: Stays on your device.
  • Personally Identifiable Information: Unless you create an account.
  • Precise Location Data: No GPS tracking. IP addresses are processed transiently for security but not stored for location tracking.
  • Behavioral Advertising Profiles: We do not build advertising or marketing profiles, and we do not sell data to advertisers.
  • Biometric Data: No voice prints, speaker identification profiles, or fingerprints are stored or created.
  • Desktop Content by Default: Desktop content read by local agent features is processed locally by default. It may be transmitted only if you enable a cloud/hosted agent feature or a configured LLM provider path that requires that context.
  • User Content for AI Training: We do not use your content to train AI or machine-learning models (see Section 3.2 below for the full, scoped statement).

3.1 No Sale or Sharing of Your Personal Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under California law. We do not build advertising or marketing profiles about you. We use limited technical and operational information to run, secure, bill for, and improve the Service, and we use aggregate, population-level statistics — which do not identify you, your household, your device, your account, or anyone you contact — to understand and improve the product. If we ever change these practices, we will tell you in advance and give you a meaningful choice before the change applies to data we already hold; we will also add a "Do Not Sell or Share My Personal Information" link if it ever becomes applicable.

3.2 No AI Training on Your Content

We do not use your content — voice commands, conversations, prompts, messages, files, call audio or transcripts — to train AI or machine-learning models. This is our default and it does not change unless you take a separate, explicit opt-in action. Your prompts and related context are processed by third-party AI providers to answer you; under our business arrangements with those providers, your inputs and outputs are not used to train their models by default, but those providers' own terms govern their processing — see Section 4.2. Data about people other than you that Viola encounters while acting for you — for example, parties on a phone call, email recipients, or people visible on your screen — is never used to train models.

3.3 De-Identified and Aggregate Data

We may use aggregate or de-identified operational data to understand reliability, feature usage, latency, cost, fraud, abuse, and service health. We maintain de-identified data in de-identified form and do not try to re-identify it unless required by law or needed to investigate security abuse. Aggregate or de-identified data is not used to build advertising profiles and does not include raw voice audio, call recordings, message content, payment card numbers, OAuth tokens, API keys, screenshots, or file contents.


4. Third-Party Services

4.1 Music Providers

When you connect a supported music provider (YouTube Music or Spotify):

  • You authenticate directly with that provider via OAuth.
  • The provider's own privacy policy applies to your use of their service.
  • We only store the authentication token locally; we do not access your account data.

Provider Privacy Policies:

4.2 AI Providers (Optional)

If you enable cloud AI features, which provider receives your prompts depends on the execution path you selected in Settings (see Section 2.5.1):

  • OpenAI (BYOK, managed OpenAI API access, or cloud STT): Your transcribed commands, prompts, tool context, or cloud STT audio (if cloud STT is enabled) may be sent to OpenAI for processing. See OpenAI Privacy Policy.
  • Anthropic (BYOK): Your transcribed commands, prompts, and tool context may be sent to Anthropic for processing. See Anthropic Privacy Policy.
  • Google/Gemini: Your prompts or vision/agent context may be sent to Google/Gemini when that provider path is configured. See Google Privacy Policy.
  • Viola-managed OpenAI API access (paid plans): Paid plans may route prompts through Viola's managed OpenAI API account. OpenAI's privacy policy and API data-use terms apply to those prompts; under the API business arrangement, inputs and outputs are not used to train OpenAI's models by default.
  • Local providers: Local providers such as Ollama run on your device; prompts do not leave your device through Viola for those providers.
  • Note: Raw microphone audio is transmitted only when you enable a feature that requires audio transmission, such as cloud STT or cloud phone mode.

4.3 Payment Processing

If you subscribe to a paid plan:

  • Stripe: Credit/debit card payments are processed by Stripe. We do not store your full credit card information on our servers; Stripe handles subscription card data directly. See Stripe Privacy Policy.
  • BTCPay Server: If you choose cryptocurrency payment, transactions are processed through a self-hosted BTCPay Server instance. We control this infrastructure and no card data is involved; BTCPay processes invoice identifiers and wallet/payment metadata.
  • Local Payment Vault: If you add payment cards to Viola's local vault for agent-assisted purchases (see Section 2.9), the card number, expiration, and security code are stored locally on your device in encrypted form and never transmitted to Viola's servers. This is separate from Stripe subscription billing.

4.4 Telephony Provider

If you enable phone calling:

  • Outbound calls are placed via Telnyx. Telnyx processes the phone numbers you call, call metadata, and audio streams during the call.
  • See Telnyx Privacy Policy.

4.5 Email Delivery and Operational Alerts

  • Transactional emails (account verification, notifications) may be sent via Resend. Resend processes email addresses and message content for delivery.
  • Operational or security alerts to the Viola operator may be sent through Cloudflare Email Service, PagerDuty, Pushover, Telegram, Telnyx SMS, or a configured webhook provider. These alerts contain operational metrics, incident summaries, and status details, not user content.
  • See Resend Privacy Policy.

4.6 Third-Party Data Processors

The following third-party services may process data on our behalf:

| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, payment method (last 4 digits) | USA |
| BTCPay Server | Cryptocurrency subscription payments | Invoice identifiers, wallet/payment metadata; no card data | USA/self-hosted |
| OpenAI (opt-in) | AI command processing, speech-to-text, Viola-managed OpenAI API access | Transcribed commands, prompts, tool context, voice audio (if cloud STT enabled); token counts for billing | USA |
| Anthropic (opt-in, BYOK) | AI command processing | Transcribed voice commands (text only) | USA |
| Google/Gemini (opt-in) | AI command processing, OAuth integrations, optional vision/model routing | Prompts, agent context, OAuth account data, connected Google content you authorize | USA |
| Telnyx (opt-in) | Outbound phone calls, operator SMS alerts | Phone numbers, call audio, call metadata | USA |
| Cloudflare | DNS/CDN, tunnel, cookieless website analytics, optional Email Service alert delivery | DNS/log metadata, aggregate website page-view metrics, operational alert emails where configured | USA/global |
| Resend | Transactional email delivery | Email addresses, message content | USA |
| PagerDuty (optional) | Operator incident paging | Operational incident summaries and alert metadata | USA/global |
| Pushover (optional) | Operator push notifications | Operational alert messages and delivery metadata | USA |
| Sentry (opt-in) | Error monitoring | Scrubbed error traces; no request bodies, secrets, or PII | USA |
| DuckDuckGo | Web search | Search queries (no user identifiers) | USA |
| wttr.in (opt-in, weather) | Weather lookups | City name or coordinates, client IP address | global |
| Free Dictionary API (definitions) | Dictionary/definition lookups | Word lookup queries; no PII | global |

Note: Music providers (YouTube/Google and Spotify) are not our data processors — you have a direct relationship with them. We facilitate OAuth authentication but do not receive or process your music data.

For a complete list of data processors and DPA status, see our Third-Party Processors document.

We will notify users via email or in-app notification at least 30 days before adding new processors that materially change data handling.

4.7 Other Disclosures

We may disclose personal information outside the processor relationships above only in these limited situations:

  • At your direction: when you connect a third-party account, approve an agent action, send a message, place a phone call, or otherwise ask Viola to share information with another person or service.
  • Legal and safety requests: when required by law, subpoena, court order, or valid legal process; to protect the rights, safety, privacy, or property of users, called parties, Viola, or the public; or to detect and prevent fraud, abuse, security incidents, or unlawful activity.
  • Business transfers: if Viola is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be reviewed in diligence and transferred to a successor as part of that transaction, subject to the commitments in this Policy.
  • Professional advisers: to attorneys, accountants, auditors, insurers, or other advisers who need the information to provide professional services to us and are bound by confidentiality obligations.

5. Data Storage Tiers

Viola separates user data by storage tier:

  • Tier 1: Cloud account data: Account identity, subscription records, usage counters, hosted-feature state, and related service records are stored in cloud Postgres for account-backed and hosted features.
  • Tier 2: Cloud-synced data with consent: Settings, preferences, and other syncable data move through cloud services only when you enable the relevant sync or hosted feature.
  • Tier 3: Desktop-only data: Local payment-vault contents, BYOK API keys, desktop integration tokens stored in the OS keyring, and local browser profiles stay on your device and are not sent to Viola's cloud service.
  • Offline-capable local use: Core local desktop features can operate without a Viola account. Hosted features, managed AI, subscription services, phone calling, and cloud sync require network access and account-backed services where offered.

6. Your Rights

6.0 Privacy Controls

Most Viola privacy controls are available directly in the application:

  • Local data: Settings > Privacy > My Data lets you review, export, or clear local application data where the feature exposes that control.
  • Connected accounts: You can disconnect music, Google, messaging, AI-provider, and other optional integrations from Settings or revoke access in the third-party provider's account controls.
  • AI routing: You can switch between local, BYOK, and Viola-managed model paths in Settings; the active path is shown in the application.
  • Phone data: Phone Settings control call recording, transcript retention, and proactive AI announcement. Saved call recordings and retained transcripts can be deleted before the automatic 30-day retention period ends.
  • Telemetry and error reporting: These remain off unless configured and consented to. You can withdraw consent for telemetry or error reporting at any time.

6.1 GDPR Rights (European Economic Area)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

Right of Access (Article 15)

  • You have the right to obtain confirmation of whether we process your personal data and to request a copy.
  • Since most data is stored locally, you have direct access to it on your device.
  • For cloud accounts: Contact us to request a data export within 30 days.

Right to Rectification (Article 16)

  • You have the right to correct inaccurate personal data.
  • Local data: You can edit your settings and profile directly in the application.
  • Cloud accounts: Contact us or use in-app profile editing to correct account information.
  • AI outputs can be inaccurate and may contain personal information about you generated by a third-party model or local model. If you believe a hosted Viola record contains inaccurate personal information about you, contact us and we will address the request within the limits of the data we control and the technical capabilities of the relevant model path.

Right to Erasure (Article 17)

  • You have the right to request deletion of your personal data.
  • Local data: Delete the app or clear app data from Settings > Privacy > My Data.
  • Cloud accounts: Contact us or use in-app account deletion; data is removed within 30 days.
  • Some records may be retained longer where required or permitted by law, including tax and billing records, security logs, fraud and abuse prevention records, records needed to resolve disputes or enforce the Terms, legal holds, and an audit record showing that we handled your deletion request.

Right to Restriction of Processing (Article 18)

  • You have the right to restrict processing of your personal data in certain circumstances (e.g., while we verify accuracy of data you have contested).
  • Contact us at [email protected] to request restriction.

Right to Data Portability (Article 20)

  • You have the right to receive your data in a structured, commonly used, machine-readable format.
  • Local data is stored in a standard database format, directly accessible on your device.
  • Cloud data: Contact us for JSON export.

Right to Object (Article 21)

  • You have the right to object to processing based on legitimate interests.
  • If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Contact us at [email protected] to object.

Right to Withdraw Consent (Article 7)

  • You can withdraw consent for any consent-based processing at any time.
  • Disable cloud features, phone calling, or other opt-in features in Settings.
  • Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Right to Lodge a Complaint

6.2 CCPA/CPRA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Right to Know

  • You have the right to know what personal information we collect, use, and disclose.
  • You may request this information up to twice in a 12-month period.
  • See Section 2 above for complete details of data we collect.

Categories of Personal Information Collected

In the preceding 12 months, we may have collected the following categories of personal information (only when you opt in to the relevant features):

  • Identifiers: Email address, account name, device identifiers, IP address
  • Commercial information: Subscription plan, payment history, purchase records
  • Internet or electronic network activity: Browsing history (agent mode only, processed locally), interaction with the application
  • Audio information: Voice commands are processed transiently. Wake-word audio is processed locally and is not uploaded to Viola servers.
  • Geolocation data: IP-derived approximate location (transient, for security only)

Right to Delete

  • You have the right to request deletion of your personal information.
  • Contact us at [email protected] or use Settings > Privacy > My Data.
  • We may retain limited records when an exception applies, such as completing a transaction you requested, detecting security incidents, preventing fraud or abuse, complying with law, resolving disputes, maintaining tax and billing records, or keeping a deletion-request audit record.

Right to Correct

  • You have the right to correct inaccurate personal information.
  • Contact us or use in-app profile editing, as described under Right to Rectification above.

Right to Opt-Out of Sale or Sharing

  • See Section 3.1 — we do not sell or share your personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.
  • If this changes in the future, we will provide a "Do Not Sell or Share My Personal Information" link.

Right to Limit Use of Sensitive Personal Information

  • We process sensitive personal information (account login credentials, precise geolocation if applicable, voice data) only as necessary to provide the Service.

Right to Non-Discrimination

  • We will not discriminate against you for exercising your CCPA/CPRA rights, including by denying services, charging different prices, or providing a different quality of service.

Authorized Agent

  • You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority.

Shine the Light (California Civil Code Section 1798.83)

  • California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

6.3 Virginia VCDPA, Colorado CPA, and Connecticut CTDPA Rights

If you are a resident of Virginia, Colorado, or Connecticut, you have similar rights under your state's privacy law, including the right to access, correct, delete, and obtain a copy of your personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling. We do not engage in targeted advertising, sale of personal data, or automated profiling that produces legal or similarly significant effects.

To exercise these rights, contact us using the methods in Section 6.4 below. You may appeal our decision regarding your request by contacting [email protected] with the subject line "Privacy Rights Appeal."

6.4 How to Exercise Your Rights

To exercise any of these rights, contact us using the methods in Section 12 or use the in-app controls under Settings > Privacy > My Data.

Verification: We will verify your identity before fulfilling your request. For account holders, we verify via your logged-in session or account email. For non-account holders, we may ask for information sufficient to verify your identity.

Response Time: We will acknowledge your request within 10 business days and respond substantively within 30 days (45 days for CCPA requests, extendable by an additional 45 days with notice). GDPR requests are fulfilled within 30 days, extendable by up to 60 days for complex requests with notice.


7. Data Security

7.1 Encryption

  • Authentication tokens: Stored in the OS-level encrypted keyring.
  • API keys: Encrypted at rest using platform-specific secure storage.
  • Local payment vault: Card data encrypted at rest on your device; never transmitted to Viola servers.
  • Local database: Protected by standard file system permissions (user-only access) rather than application-level encryption.

7.2 Access Controls

  • Local data is stored under your operating-system user account with user-only file permissions; other user accounts on the same device cannot read it.
  • Viola provides no remote access to local data.
  • Cloud data (if enabled) is protected by account authentication.

7.3 Desktop Application Network Access

  • At idle with the default desktop configuration, the Viola desktop application makes no analytics or telemetry calls.
  • Application telemetry and error reporting require explicit consent (see Section 2.12).
  • Desktop network access is used for music streaming and the hosted features you use.
  • The useviola.com website uses Cloudflare's cookieless Web Analytics for aggregate page-view metrics, as disclosed in Section 2.12 and Section 9A.

8. Children's Privacy (COPPA Compliance)

  • Minimum Age: Viola is not intended for children under 13 years of age (or the minimum age required by applicable law in your jurisdiction). Users under 18 must have parental or guardian consent. Users in the European Economic Area must be at least 16 years old unless a lower age (no younger than 13) has been set by their EU member state.
  • Age Verification: Account registration requires age confirmation. Users who indicate they are under the minimum age are blocked from creating an account.
  • No Knowing Collection: We do not knowingly collect, use, or disclose personal information from children under 13. We do not knowingly allow children under 13 to create accounts or use cloud features.
  • Parental Rights: Parents or legal guardians who believe their child has provided personal information to Viola may contact us at [email protected] to request access to, deletion of, or cessation of further collection of the child's personal information.
  • Response: We will respond to verified parental requests within 30 days and delete the child's information promptly.
  • Discovery: If we discover that we have collected personal information from a child under 13 without verified parental consent, we will delete that information as quickly as possible.

9. Data Retention

9.1 Local Data

  • Retained until you delete it or uninstall the application.
  • You have full control over local data retention.

9.2 Cloud Data (If Enabled)

  • Account data: Retained while account is active; deleted within 30 days of an account deletion request.
  • Subscription records: Retained for 7 years for tax/legal compliance.
  • Deletion-request audit records and legal-hold records: Retained only as long as needed to prove compliance, resolve disputes, prevent abuse, or satisfy legal obligations.

9.3 Data Retention Schedule

Data Type | Retention Period | Location | Deletion Method
Voice audio | Deleted immediately after transcription | Local temp file | Automatic
Voice transcripts | Session only (RAM) | Local | Automatic on session end
Music queue | Until cleared or app uninstalled | Local database | User-initiated or uninstall
Playback history | Until cleared or app uninstalled | Local database | User-initiated or uninstall
Settings | Until app uninstalled | Local database | Uninstall or manual deletion
OAuth tokens | Until revoked or expired | Local keyring | User revocation or expiry
API keys | Until removed by user | Local keyring | User-initiated
Account data (cloud) | Until account deletion | Cloud servers | Deleted within 30 days of deletion request
Subscription records | 7 years | Cloud servers | Legal retention requirement
Error logs | 90 days | Local / Cloud | Automatic rotation
Telemetry payloads (opt-in) | 90 days unless aggregated earlier | Local / Viola telemetry endpoint | Automatic rotation / aggregation
Phone call recordings (default-on unless disabled) | Auto-deleted after 30 days | Local / Cloud (S3) | Automatic deletion; user-initiated
Phone call transcripts (default-on unless disabled) | Auto-deleted after 30 days | Local | Automatic deletion; user-initiated
Payment card data (opt-in) | Until removed by user | Local encrypted vault | User-initiated deletion
Email/calendar data (opt-in) | Session only (RAM) | Local | Not retained after session
Agent browsing data (opt-in) | Session only | Local browser session | Automatic on session end
Checkout consent records | 7 years (proof of acceptance) | Cloud / local billing store | Legal retention requirement
Deletion request audit records | As long as needed for compliance, dispute, or abuse-prevention purposes | Cloud | Legal / security retention requirement

9A. Cookies and Website Analytics

9A.1 What We Use

Technology | Where | Purpose | Data Stored
Local database | Desktop application | Application state | Settings, queue, playback history
OS Keyring | Desktop application | Secure credential storage | OAuth tokens, API keys
Session Storage | Web UI | Temporary UI state | Current view, transient preferences
Cloudflare Web Analytics | useviola.com website | Aggregate page-view metrics | Cookieless; no cross-site identifier; aggregate counts only

9A.2 Cookies

  • The Viola desktop application does not use tracking, analytics, or advertising cookies.
  • The useviola.com website uses Cloudflare Web Analytics, which is cookieless — it does not set cookies and does not use a cross-site tracking identifier. It records aggregate page-view metrics so we can understand site traffic; it does not build a behavioral or advertising profile of you.
  • We do not use advertising cookies or sell data to advertisers.

9A.3 Third-Party Service Cookies

When you authenticate with music providers (via OAuth), those providers may set cookies in your browser according to their own policies. We have no control over these cookies.


9B. Security Breach Notification

9B.1 Our Commitment

In the unlikely event of a security breach affecting your personal data, we will follow a structured incident response process to contain the breach, assess the impact, and notify affected parties in accordance with applicable law, including the EU General Data Protection Regulation (GDPR) and applicable U.S. state breach notification laws.

9B.2 Internal Incident Response

Upon discovery or credible report of a potential breach, we will:

1. Triage (0-4 hours): Acknowledge the report, classify severity, and activate the incident response process.

2. Contain (0-24 hours): Isolate affected systems, revoke compromised credentials, and prevent further unauthorized access.

3. Investigate (0-48 hours): Determine the root cause, scope of data affected, number of users impacted, and whether data was exfiltrated or merely exposed.

4. Remediate (24-72 hours): Patch the vulnerability, restore systems from clean backups if necessary, and implement safeguards to prevent recurrence.

5. Document: Maintain a written record of the incident, response actions taken, timeline, and findings. This record is retained for a minimum of 5 years.

9B.3 Notification to Supervisory Authorities

  • Within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority (Data Protection Authority) in accordance with GDPR Article 33.
  • The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
  • If full details are not available within 72 hours, we will provide information in phases without further undue delay.

9B.4 Notification to Affected Users

  • We will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34.
  • Notifications will be sent via email to the address on file and, where possible, via in-app notification.
  • Our notification will include: a plain-language description of the breach, the types of personal data involved, the likely consequences, measures we have taken, the steps you can take to protect yourself, and contact information for our privacy team.

9B.5 Reporting a Security Concern

If you believe you have discovered a security vulnerability or suspect a breach of Viola systems, please report it immediately to the security contact listed in Section 12.

We take all reports seriously. You will receive an acknowledgment within 24 hours and a substantive response within 72 hours.

9B.6 Scope of Breach Procedures

Viola's data-handling design limits the user data held in hosted systems:

  • Data stored only on your device is not accessible through Viola's hosted infrastructure.
  • Hosted features, account services, telemetry, and third-party integrations are the primary systems covered by these breach-response procedures.

10. International Data Transfers

  • Device-only use: Data stored only on your device is not transferred internationally by Viola.
  • Hosted features: If you use account, subscription, managed AI, cloud sync, cloud phone, telemetry, or other hosted features and are outside the United States, your data may be transferred to servers located in the United States.
  • Safeguards for EEA/UK/Swiss Transfers: Before processing personal data from the EEA, UK, or Switzerland through a given processor, we put a Data Processing Agreement in place with that processor and rely on the Standard Contractual Clauses adopted by the European Commission for the transfer to the United States, supplemented by additional technical and organizational safeguards where appropriate. Where a processor is certified under the EU-U.S. Data Privacy Framework, we may also rely on that certification. Our processor-agreement status is tracked in our Third-Party Processors document.
  • Your Consent: By enabling cloud features, you acknowledge and consent to the transfer of your data to the United States, which may have data protection laws that differ from those in your country.
  • Third-Party Processor Locations: Most current third-party processors are located in the United States; some operate globally. We will update this section if we engage processors in other jurisdictions.

11. Changes to This Policy

  • We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
  • Material changes (new categories of data collection, new third-party processors that materially change data handling, changes to data-sharing practices, or changes to your rights) will be communicated at least 30 days in advance via email (to the address on file) and in-app notification.
  • Non-material changes (clarifications, formatting) may be made without advance notice.
  • For processing based on consent, we will seek renewed consent where required by applicable law before applying material changes to consent-based processing.
  • Continued use of the Service after the effective date of a modified Privacy Policy constitutes acceptance for processing activities not based on consent.
  • Previous versions of this Privacy Policy are available upon request at [email protected].

12. Contact Us

For privacy questions or to exercise your rights:

  • Email: [email protected]
  • Security: [email protected]
  • Website: https://useviola.com/privacy
  • Response Time: We will respond to requests within 30 days.
  • Data Controller: Jihad Shkoukani is the data controller for personal information processed under this Policy.

Mailing Address:

Jihad Shkoukani

Attn: Privacy

Milwaukee, Wisconsin, United States


13. Legal Basis for Processing (GDPR)

Processing Activity | Legal Basis | Details
Voice processing (local) | Legitimate interest | Core functionality; no data leaves device
Cloud speech-to-text (opt-in) | Consent | Audio sent to third-party STT provider
Music playback | Contract performance | Necessary to provide the Service
Settings storage | Legitimate interest | Necessary for application functionality
Cloud sync (opt-in) | Consent | User explicitly enables sync
Account creation | Contract performance | Necessary to provide cloud features
Payment processing | Contract performance | Necessary to fulfill subscription
Operational/technical data (IP, device ID, counters) | Legitimate interest / contract performance | Service operation, security, abuse prevention, billing
Desktop automation (opt-in) | Consent | User explicitly enables agent mode
Phone calls (opt-in) | Consent | User explicitly enables phone calling
Email/calendar access (opt-in) | Consent | User explicitly connects accounts
Purchase assistance (opt-in) | Consent | User explicitly enables and approves transactions
Error reporting and telemetry (opt-in) | Consent | User explicitly enables Sentry/telemetry
Website analytics (cookieless, aggregate) | Legitimate interest | Aggregate page-view metrics; no profiling
Security measures (rate limiting, brute-force protection) | Legitimate interest | Necessary to protect the Service and users
Legal compliance (subscription/consent records retention) | Legal obligation | Tax and financial record-keeping requirements

14. Commercial Email (CAN-SPAM Compliance)

We may send you transactional emails related to your account (verification, password reset, subscription confirmations, security alerts). These are not marketing communications and do not require opt-in.

If we send promotional or marketing emails in the future:

  • Each email will clearly identify us as the sender and include our physical mailing address.
  • Each email will include a clear and conspicuous unsubscribe mechanism.
  • We will honor unsubscribe requests within 10 business days.
  • We will not use deceptive subject lines or misleading header information.
  • We will not sell or transfer email addresses to third parties for their marketing purposes.

15. Data Protection Impact Assessments (GDPR Article 35)

For processing activities likely to result in high risk to data subjects — including voice processing, agent-mode desktop automation, phone call recording and transcription, and browser automation involving payment-card handling — we will conduct and document a Data Protection Impact Assessment before the relevant high-risk processing is offered to the public. Completed DPIA records will be maintained internally and made available to supervisory authorities on request.


16. Changelog

Version | Date | Changes
1.0 | 2026-01-08 | Initial release
1.4 | 2026-04-11 | Added phone, email/calendar, purchase/vault, device, messaging, telemetry disclosures; expanded GDPR/CCPA rights; added processors, CAN-SPAM, DPIA
3.0 | 2026-05-22 | Updated website analytics, managed AI routing, local payment vault, processor, Google Limited Use, and phone-call retention disclosures
3.1 | 2026-05-23 | Updated phone-call defaults: recording on, transcript retention on, proactive AI announcement off; noted Phone Calling Terms version 2.1
3.2 | 2026-05-23 | Added privacy controls, legal/business-transfer disclosure categories, de-identified data commitments, deletion exceptions, and data-controller wording