Vocert Privacy Policy (v2)
Effective: 2026-06-22
Vocert is operated by Vanillapha Inc. ("Vocert", "we", "us"). This policy explains what we collect, how it is used, and your choices. Questions: contact@vocert.com.
Your audio never leaves your device permanently
This is the core of how Vocert works:
- Your audio is stored only on your phone. The on-device copy is the system of record. Playback is always from that local copy.
- The cloud never permanently stores audio. When you use paid cloud transcription, your audio is sent to our backend transiently: it is forwarded to the speech-to-text provider, and the bytes are deleted immediately afterward. They are never written to durable storage and never retained.
- After processing, the server keeps only the transcript, a SHA-256 hash chain of your audio chunks, and a signed integrity receipt — proof of what was recorded, without keeping the audio itself.
- On-device (free) transcription never sends audio anywhere: the transcript is produced on your phone and only the text is uploaded.
What we collect
- Account: email address, password (stored as a bcrypt hash). For Sign in with Apple / Google, a provider identifier instead of a password.
- Audio: stored only on your device. The cloud receives it transiently for paid transcription and deletes it immediately.
- Transcripts and Highlights: derived from your audio; the transcript text is retained server-side, the audio is not.
- Consent and acknowledgment records: which document versions you accepted, jurisdiction acknowledgments, timestamps, app version, device model.
- Integrity metadata: chunk hashes, manifests, signed receipts, audit events (uploaded/transcribed/analyzed/played/deleted/audio purged).
- Location (optional, coarse): if you grant permission, Vocert binds a coarse, neighbourhood-level location — rounded to about a kilometre — into a recording's tamper-evident record to strengthen its authenticity. It is optional (recordings work fully without it), and your precise location is never stored or shared: only a salted commitment computed on your device is folded into the record, so the raw location never leaves your phone.
We run no advertising or cross-app tracking, and use no analytics SDKs.
How your data is processed
- For paid recordings, audio is transiently forwarded to our speech-to-text sub-processor (Deepgram) for transcription and diarization, then deleted from our servers immediately.
- Transcript text only — never your identity, email, or the audio itself — is sent to our AI sub-processor (OpenAI) for legal-content triage. Provider no-retention / no-training options are enabled where available.
Sub-processors
- Deepgram — speech-to-text & diarization (transient, paid recordings only)
- OpenAI — AI legal-content triage (transcript text only)
- Resend — transactional email (verification & password-reset codes)
- Railway — cloud hosting & database
- Apple — in-app purchases & subscription billing
Each sub-processor is bound by a written data-processing agreement to protect your data to the same or an equally protective standard as this policy, to use it only to provide the service to us — never for their own purposes and never to train their models on your content — and to delete it as described here. We ask for your explicit in-app consent before any recording data is sent to a third-party AI provider (speech-to-text or legal-content analysis).
Payments are processed entirely by Apple; we never receive or store your payment-card details.
International transfers
Our sub-processors are located in the United States. When you use the service, the limited data described above may be processed in the U.S. under the providers' contractual safeguards.
Data retention
- Audio: not retained server-side — deleted immediately after transient processing.
- Transcripts, Highlights, integrity metadata, account data: retained while your account is active, and deleted as described below.
Deletion
- Because audio is never stored on our servers, there is nothing server-side to delete; your audio lives on your device and you control it there.
- You can delete any recording in the app. Its transcript and Highlights are hard-deleted; a tombstoned evidence record (hashes only, content nulled) is retained for integrity.
- You can delete your account in the app. Content is purged within 30 days; a pseudonymized consent skeleton (no email, no content) is retained as a legal record of past consent.
Children
Vocert is not directed to children. You may not use Vocert unless you meet the minimum age of digital consent in your country (at least 16 in much of the EEA, and in no case under 13). We do not knowingly collect personal data from children; if you believe a child has provided us data, contact contact@vocert.com and we will delete it.
Security
TLS in transit; tokens stored device-side in the Keychain (this-device-only); recordings protected with iOS file protection; server-side write-once integrity hashing with no durable audio retention.
Your rights
Depending on your jurisdiction you may have rights of access, rectification, erasure, and portability. To exercise them, contact us at contact@vocert.com or in-app.
Changes
We may update this policy and will change the "Effective" date above. Material changes will be surfaced in the app.