Privacy Policy
Last updated: April 30, 2026
Vox ("Vox", "we", "us", "our") provides a voice-capture service that records short voice notes, transcribes them with automatic speech recognition, structures the result with a language model, and routes the output to services the user has explicitly connected (such as Google Drive or Google Calendar). This Privacy Policy explains what information we collect, why, how we use it, who we share it with, how long we keep it, and the rights you have over it. By creating an account or using Vox you agree to this Policy.
Who we are
Vox is operated by Fernando Junior, an independent developer based in Brazil. The service is available worldwide. Contact: fernandorovai@hotmail.com.
Information we collect
We collect only what is necessary to operate the service:
- Account information. When you sign in we receive your email address, your Google account display name (if you used Google Sign-In), and a Firebase user identifier. We do not store passwords; authentication is handled by Firebase Authentication.
- Audio recordings. When you capture a voice note, the recording is uploaded to our servers, transcribed, and structured. Audio files are encrypted in transit (HTTPS) and at rest (Vercel Blob storage). Recordings remain associated with your account until you delete them.
- Transcripts and structured output. The text transcript and the JSON-structured output (notes, tasks, reminders, etc.) are stored in our Postgres database (Neon) so they can be displayed in the dashboard and routed to connectors.
- Device identifiers. Your Firebase Cloud Messaging (FCM) push token, platform (Android / macOS / iOS), and app version, used to deliver result notifications back to your device.
- Connector credentials. If you connect Vox to a third-party service (e.g. Google), we store the OAuth access and refresh tokens for that service so we can route your captures there. Tokens are stored encrypted at rest.
- Usage metadata. Capture count, total seconds processed in the current month, timestamps of capture creation and routing results — used to enforce free-tier quotas and to show you usage in the dashboard.
- Subscription state. If you purchase Vox Pro, your subscription status (free/pro), expiration date, and an opaque store identifier are received via webhook from RevenueCat. Vox does not see or store payment instruments — those remain with Apple, Google, or Stripe.
How we use your information
- To run the capture pipeline (transcribe, structure, route to your connectors).
- To display your captures and account information in the Vox dashboard.
- To send you push notifications when a capture has been processed.
- To enforce monthly and per-capture quotas.
- To process subscription payments via the relevant app store.
- To diagnose errors and prevent abuse (rate limits, fraud detection).
Google API services and limited use
When you connect a Google account, Vox requests the following OAuth scopes. We follow the Google API Services User Data Policy, including its Limited Use requirements:
openid,email,profile— to identify the connected account.drive.file— to create a single document titled “Vox — Voice Notes” in your Google Drive and append your captures to it. This scope grants access only to files Vox itself creates; we cannot read or modify any other file in your Drive.calendar.events— to create calendar events when you speak time-bound reminders (for example, “dentist next Tuesday at 3 pm”).
Google user data obtained through these scopes is used solely to provide the Vox features described above. We do not transfer it to third parties for advertising, do not allow humans to read it (other than for security investigations or with the user's explicit consent), and do not use it to train generalized AI / ML models.
Sub-processors
We share data with the following service providers, only to the extent necessary to operate Vox:
- Firebase / Google Cloud — authentication, push notifications.
- Vercel — application hosting and audio blob storage.
- Neon — managed Postgres database.
- Upstash — asynchronous job queue (QStash).
- OpenAI — Whisper transcription and lightweight text structuring.
- Anthropic — language-model based structuring (when used).
- RevenueCat — subscription state synchronization.
Each sub-processor is bound by their own privacy and security commitments. We do not sell your personal data and do not share it with advertisers.
International transfers
Vox is operated from Brazil and uses sub-processors based primarily in the United States and the European Union. By using the service you consent to your data being processed in those jurisdictions. We use the Standard Contractual Clauses where required.
Retention
Captures and their transcripts are retained until you delete them or your account. Audio files are deleted from storage at the same time as the corresponding capture row. Account deletion is processed within 7 days; backups are purged within 30 days. Aggregated, non-identifiable usage metrics may be retained longer for service-improvement purposes.
Your rights
Subject to applicable law (including the GDPR in the EU, the LGPD in Brazil, and the CCPA in California), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (full account deletion is available from the in-app settings).
- Export your data in a portable format.
- Withdraw consent for any optional data processing.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email fernandorovai@hotmail.com. We will respond within 30 days.
Children
Vox is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Security
We use TLS for all data in transit and rely on the encryption-at-rest provided by our sub-processors. OAuth tokens and API keys are stored encrypted in our database. We follow the principle of least privilege when requesting OAuth scopes.
Changes to this Policy
We may update this Policy from time to time. Material changes will be announced via email or in-app notice at least 14 days before they take effect.
Contact
Questions, requests, complaints, or data-subject requests: fernandorovai@hotmail.com.