Skip to content
← Voix

Privacy Policy

Effective 2026-07-15

Voix (“the Service”) is operated by John Afinni trading as Future_AI_Lab, Barcelona, Spain. This policy explains what data Voix collects, why, how it is protected, and the rights you have over it.

We have written this in plain language. If something is unclear, email privacy@voixapp.org and we will explain.

1. What we collect

  • Account data: your name and email address, supplied by Clerk when you sign up.
  • Gmail data: when you connect your Gmail account, we request the gmail.readonly scope. We read recent emails on demand to produce your briefing. We do not store the full content of your emails in our database. We store a short ranked summary (subject lines, sender, our score) for each briefing you generate so we can show you history.
  • OAuth refresh token: we store one Google OAuth refresh token per user so Voix can re-authenticate to Gmail without asking you to sign in again. The token is held in our Supabase database, encrypted at rest, and never exposed to your browser.
  • Usage metrics: we record when you generate a briefing, how many emails were read, which model was used, which voice was used. We use this to monitor cost and reliability.
  • Rate-limit records: a row per briefing call, keyed by your Clerk user id, used only to enforce the per-hour briefing cap.
  • Slack data (optional): if you connect Slack, we read your recent direct messages on demand to rank them alongside your email. We store your Slack access token (encrypted at rest) and, like email, do not store full message content, only the short ranked summary you see.
  • Morning email (optional): if you turn on the morning email, we store that you opted in and your timezone, so we can send a “your briefing is ready” nudge at your local morning. The email contains no inbox content. You can unsubscribe in one click.

Lawful basis for processing (GDPR Article 6)

  • Performance of a contract (Art. 6(1)(b)): reading your inbox to produce your briefing, drafting and sending replies you approve, and the related account data: this is the core service you asked us to provide.
  • Consent (Art. 6(1)(a)): product analytics (only if you accept the cookie banner) and the optional morning email (only if you opt in). You can withdraw either at any time (decline analytics, or unsubscribe from the email) with no effect on the core service.
  • Legitimate interests (Art. 6(1)(f)): security, abuse-prevention (rate limits), and error monitoring, balanced against your rights and limited to what is necessary to keep the service safe and working.

2. What we do not collect

  • We do not download or store attachments.
  • We do not store the full email body in our database.
  • We do not share your data with advertisers, data brokers, or third-party marketing services.
  • We do not use your email content to train AI models. Email text sent to Anthropic for ranking is processed under Anthropic's commercial API terms, which prohibit Anthropic from training its models on your content.
  • We do not access another user's data on your behalf.

3. Why we need each Gmail scope

  • gmail.readonly: restricted scope. Voix reads up to the last 10 messages in your Primary inbox each time you press Brief me. We need read access to extract the subject line, sender, and a short body excerpt for ranking. Without this scope Voix cannot tell you what is in your inbox.
  • gmail.send: restricted scope, requested separately and only if you want it. Your first sign-in asks for gmail.readonly and nothing else. We ask for gmail.send later, in context, the first time you approve a drafted reply. If you never approve a reply, we never ask for it and Voix never holds permission to send. Once granted, the scope lets Voix send the reply on your behalf from your own Gmail account, without copy-pasting into Gmail. Each send is triggered by an explicit user action (button click or voice command); Voix never sends emails autonomously.
  • calendar.events.readonly: optional, read-only. Only if you choose to add your calendar, this scope lets Voix read your upcoming events so the briefing can tell you what your day looks like alongside your mail. It cannot create, change, or delete events. You can turn calendar reading off in Settings, which stops the reads immediately.

We minimise scope: we do not request gmail.modify, gmail.labels, or full mail.google.com, even though those would unlock additional features, because gmail.readonly plus gmail.send is enough to deliver Voix's value. Each scope above is requested incrementally, so the permissions you hold are only the ones you have actually used.

4. Where your data lives

  • Supabase (Frankfurt, EU region) stores your account row, OAuth refresh token, briefing summaries, rate-limit records.
  • Vercel hosts the Voix application. Server logs are retained per Vercel's default policy.
  • Clerk manages your sign-in identity (name + email) under their own privacy terms.
  • Anthropic processes the ranking and reply-drafting prompts. The Anthropic API enterprise terms prohibit training on our customer data.
  • Google Cloud Text-to-Speech synthesises the spoken briefing from the transcript. Google's standard API terms apply and Google does not train on our requests.
  • Slack (if connected) provides the direct-message content we rank, under Slack's own terms.
  • Microsoft 365 (if connected) provides the Outlook mail, calendar, and Teams chat content we rank, under Microsoft's own terms.
  • PostHog (Frankfurt, EU region) provides product analytics and error monitoring, only after you accept the cookie banner. The analytics events we define carry no inbox content, names, or message text. Error reports are generated automatically rather than written by us, so we redact email addresses and strip our AI prompt markers from them before they are sent; we will not promise more than that, because an automatic error message is text we do not fully control.
  • Resend (if the morning email is enabled) sends the opt-in nudge. The email carries no inbox content.

Some of these processors (Anthropic, Vercel, Clerk, Google) are based in or transfer data to the United States. Those transfers are covered by Standard Contractual Clauses and/or the EU-US Data Privacy Framework, and each processor is bound by a data-processing agreement that prohibits using your data for their own purposes or to train generalised AI models.

The list below names every processor, where it processes data, and the legal safeguard for any transfer outside the EU. A current sub-processor list is available on request at privacy@voixapp.org.

  • Anthropic (US): AI ranking and reply drafting. Transfer: SCCs / EU-US Data Privacy Framework. Bound not to train on your data.
  • Google Workspace + Google Cloud Text-to-Speech (US/global): inbox read/send and spoken-briefing synthesis. Transfer: SCCs / EU-US DPF. Google does not train on these requests.
  • Microsoft (US/EU): Outlook mail, calendar, and Teams chat read for your briefing, when you connect Microsoft 365. Transfer: SCCs / EU-US DPF.
  • Clerk (US): sign-in identity (name + email). Transfer: SCCs / EU-US DPF.
  • Supabase (EU, Frankfurt): primary data store (encrypted tokens, briefing summaries). No transfer outside the EU.
  • Stripe (US/EU): billing. No card data reaches Voix. Transfer: SCCs / EU-US DPF.
  • Vercel (US): application hosting and server logs. Transfer: SCCs / EU-US DPF.
  • PostHog (EU, Frankfurt): product analytics and error monitoring, consent-gated. No transfer outside the EU. The analytics events we define carry no inbox content.
  • Activated only when you use the feature: Resend (US, morning email), Twilio and Vapi (US, Private Call), Meta (US/global, WhatsApp/Instagram business). Each under SCCs / EU-US DPF.

Scheduling and uptime-monitoring services that only trigger our background jobs on a timer and receive no personal data (just an authentication secret) are infrastructure, not processors, and are not listed above.

If you process personal data through Voix on behalf of an organisation and need a Data Processing Agreement (DPA) in place, you can read our Data Processing Agreement and request a counter-signed copy at privacy@voixapp.org.

5. Encryption

  • All traffic to Voix uses TLS 1.2 or higher.
  • All database storage uses AES-256 encryption at rest, managed by Supabase.
  • OAuth refresh tokens are stored in a dedicated table accessible only by the Voix server using a service-role key. The service-role key never reaches the browser.

6. How long we keep your data

  • While your account is active: we keep account data, OAuth tokens, and briefing summaries for as long as you choose to use Voix.
  • If you delete your account: all rows associated with your Clerk user id are removed from our database within 30 days. Backups age out within a further 60 days. After 90 days no copy remains.
  • Audit logs of access: kept for 90 days. Retained in the rare case of a security incident investigation.

7. Your rights (GDPR + CCPA)

If you are in the EU, the UK, or California, you have the following rights and we will honour them regardless of where you live:

  • Access: request a copy of your data.
  • Correction: request we fix inaccurate data.
  • Deletion: delete your account yourself in Settings (this erases all your data immediately) or request erasure by email.
  • Portability: request your data in a machine-readable format.
  • Objection: object to specific processing.
  • Withdraw consent: in Voix Settings you can Disconnect Gmail or Slack, decline analytics on the cookie banner, and unsubscribe from the morning email in one click. You can also revoke Gmail or Slack access directly in your Google or Slack account at any time.

To exercise any of these rights, email privacy@voixapp.org. We will respond within 30 days.

For access and portability requests we provide your data in a structured, machine-readable format within 30 days. A self-serve export of your core account data is available; until it covers your full record, email privacy@voixapp.org and we will send the remainder.

8. Security incidents

If we detect a personal-data breach affecting your account, we will notify you and any required regulator within 72 hours of discovery, as required by GDPR Article 33.

9. Children

Voix is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, contact privacy@voixapp.org and we will delete it.

10. Changes to this policy

We will update this page when our practices change. The effective date at the top of this page reflects the most recent revision. For material changes we will notify active users by email at least 30 days before the change takes effect.

Cookies and electronic communications

Strictly necessary cookies and local storage (sign-in session, OAuth state, CSRF, your cookie choice) are always on and need no consent. Product analytics is off by default and runs only if you accept it on the cookie banner; if you decline, no analytics is loaded. We do not send marketing email unless you separately opt in; transactional emails (the briefing-ready nudge if you enable it, billing, and security notices) are not marketing, and every marketing email carries a one-click unsubscribe that works without signing in. This satisfies Spanish LSSI-CE art. 22.2, UK PECR, and GDPR Article 7.

11. Contact

Operator: John Afinni, trading as Future_AI_Lab, Barcelona, Spain.
Privacy questions, data-access requests, and deletion requests: privacy@voixapp.org.
EU Data Protection Authority for complaints: Agencia Española de Protección de Datos (aepd.es).