Legal · Privacy

Privacy Policy

Effective date: 1 May 2026 · Policy version: 2026-05-01

Each top-level heading below is a self-contained section. You can replace any single section without breaking the rest of the document. Section IDs are in square brackets [SECTION-ID] for cross-referencing.

Our Commitment & How to Read This Policy

is built on trust. We process the minimum amount of personal data necessary, never sell it, never use it for advertising profiling, and give you full control over what we store. This policy explains exactly how we handle your information under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR & Data Protection Act 2018, the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, "AI Act"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the Lithuanian Law on Legal Protection of Personal Data, and applicable e-Privacy rules.

This policy is layered:

Sections 1–4: Who we are, what we are, and the short summary you can read in 30 seconds.
Sections 5–9: What data we collect, why, and on what legal basis.
Sections 10–14: Sub-processors, international transfers, retention, and security.
Sections 15–19: Your rights and how to exercise them (EU, UK, US, global).
Sections 20–24: AI-specific disclosures, age limits, breach response, and policy changes.

If anything in this document is unclear, that is our problem, not yours — email privacy@voxsoma.com and we will explain it in plain language within 48 hours.

Data Controller Identification (GDPR Art. 13(1)(a))

The data controller responsible for personal data processed through voxsoma.com and related services is:

Ramūnas Deniušis, sole trader operating under Lithuanian individual activity (individuali veikla).

Individual Activity Certificate No.: 1293607 (issued by the State Tax Inspectorate of the Republic of Lithuania, Valstybinė mokesčių inspekcija prie LR FM; active since 25 October 2023).
EVRK 2 economic activity codes registered: 477890 (other retail sale in non-specialised stores), 472700 (retail sale of food, beverages and tobacco), 855900 (other education n.e.c.), 702000 (management consultancy activities).
Registered legal address: Kalnėnų g. 5-3, LT-89145 Mažeikiai, Lithuania.
Privacy and data-subject requests: privacy@voxsoma.com
General inquiries: hello@voxsoma.com
Postal correspondence (legal notices only): the registered legal address above.

Note on the registered address. The address above is the legal address used solely for tax, legal notices, and regulatory correspondence. We do not operate a public office. For day-to-day communication please use the email addresses above; we typically reply within 48 hours and always within the statutory 30-day deadline for data-subject rights requests.

No mandatory Data Protection Officer (DPO). As a sole-trader micro-business that does not carry out (a) systematic monitoring of data subjects on a large scale or (b) large-scale processing of special-category data, is not required to appoint a DPO under GDPR Article 37. The privacy contact above performs the equivalent function. You may always escalate any privacy concern to the supervisory authority (see Section 19).

What Is — and What It Is Not

is a digital audio wellness content product. It generates personalised audio tracks combining stereo difference tones, isochronic tones, Schumann-resonance carriers, and (optionally) your own voice recording layered with affirmation text.

is explicitly not:

A medical device under EU Regulation 2017/745 (MDR) or 21 CFR (US FDA);
A diagnostic, therapeutic, or treatment service for any disease, disorder, or psychological condition;
A substitute for professional medical, psychological, or psychiatric advice;
A high-risk AI system under Annex III of the EU AI Act;
An employer, education provider, credit-scoring service, or any other regulated decision-making system.

No automated decision-making with legal or significant effects. We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Article 22. The AI we use generates content (affirmation text, audio scripts) — it does not make decisions about you.

One-Paragraph Summary

Your voice recording stays in your browser — it never reaches our servers. Your affirmation text and chat assistant messages are sent to Anthropic's Claude API for content generation under their commercial Data Processing Agreement, and are not persisted to our application databases. Payments are handled by Stripe. We use Cloudflare for hosting and Loops for transactional emails. We collect the minimum necessary, never sell your data, never use it for advertising, and give you full GDPR/UK GDPR/CCPA rights. Questions: privacy@voxsoma.com.

Categories of Personal Data We Process

The following table sets out every category of personal data we process, the purpose, the lawful basis, and the retention period. This table is the canonical reference; all other sections elaborate on it.

#	Data category	Purpose	Lawful basis (GDPR Art. 6 / 9)	Retention
1	Voice recordings (your own voice for layering into the audio track)	Local audio mixing inside your browser	Art. 6(1)(b) — contract; not processed as biometric identification data (see Section 6)	Stored only in your browser's IndexedDB; we never receive a copy. Cleared when you clear site data or use the self-service erasure page.
2	Affirmation / intention text entered into the generator	AI-generated affirmation script	Art. 6(1)(b) — contract	Not persisted to our databases. May exist transiently in edge-infrastructure logs ≤ 24h. Token-count metadata (no identifiers) ≤ 90 days for billing.
3	Chat assistant messages	AI-powered customer assistance	Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest in service quality	Not persisted to our databases. May exist transiently in edge-infrastructure logs ≤ 24h.
4	Email address	Delivery of purchased product, transactional notifications, GDPR-rights identity verification	Art. 6(1)(b) — contract	Until erasure request, or 5 years after last transaction (Lithuanian accounting law obligation, see Section 13).
5	First name (optional, for personalised email greeting)	Email personalisation	Art. 6(1)(a) — consent (collected only if you provide it)	Same as email. Withdrawable any time.
6	Country & billing details (collected by Stripe)	Tax calculation (VAT/sales tax), fraud screening, regulatory compliance	Art. 6(1)(c) — legal obligation (tax law); Art. 6(1)(b) — contract	Held by Stripe under its retention policy; we receive only minimal echo (country, last 4 digits of card, transaction ID). 10 years where required by Lithuanian tax law.
7	Access token	Re-access purchased content without re-paying	Art. 6(1)(b) — contract	Stored in your browser local storage. Deleted when you clear site data.
8	IP address & request logs	Security, abuse prevention, bot mitigation, fraud screening	Art. 6(1)(f) — legitimate interest	≤ 30 days at Cloudflare edge; aggregated security telemetry ≤ 12 months.
9	Cookie consent record (choice + policy version + timestamp)	Compliance evidence under e-Privacy Directive and GDPR Art. 7(1)	Art. 6(1)(c) — legal obligation	Stored in your browser. Mirrored server-side ≤ 13 months solely as audit evidence.
10	Affiliate referral ID & sale event (only if you arrived through an affiliate link and consented to non-essential cookies)	Affiliate commission calculation	Art. 6(1)(a) — consent (cookie consent)	≤ 24 months from last referral activity.
11	Age-confirmation flag (boolean)	Age-gate compliance	Art. 6(1)(c) — legal obligation; Art. 8 GDPR (children's data)	Until erasure.

No special-category (Art. 9) data is processed. See Section 6 for our position on voice data.
No criminal-conviction data (Art. 10) is processed.

Voice Recordings — Position Under GDPR Art. 9 and the EU AI Act

6.1 What we do with voice

When you record your voice on , the audio is captured by the Web Audio API running entirely inside your browser, stored locally in IndexedDB, and used solely to layer your own voice into the audio track that you then download. The audio data is never transmitted to our servers. We do not have, and cannot obtain, a copy.

6.2 Why this is not biometric identification data under GDPR Art. 9

GDPR defines biometric data as data resulting from "specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person" (Art. 4(14)). Article 9 special-category status applies only when the data is processed for the purpose of uniquely identifying a natural person.

Does not perform speaker recognition, voiceprint extraction, voice embedding, voice cloning, or speaker diarisation.
Does not use voice for authentication, identification, or verification.
Does not transmit voice data off the device.
Does not store voice on our servers, ever.

The voice data is therefore raw audio used as a passthrough mixing input — it is not processed for the purpose of unique identification, and Art. 9 does not apply. This position is consistent with EDPB Guidelines 3/2019 and the European Data Protection Board's clarifications on biometric data.

6.3 Why this is not a high-risk or prohibited AI system under the EU AI Act

The EU AI Act (Reg. 2024/1689) prohibits real-time remote biometric identification in publicly accessible spaces (Art. 5) and classifies biometric categorisation and emotion recognition systems as high-risk or limited-risk depending on context (Annex III; Art. 50). performs none of these activities. Voice is used solely as a creative input by the user themselves on their own device.

6.4 Your control over voice data

You can clear all locally stored voice recordings at any time by:

Visiting /account-delete.html (single-click self-service erasure of all locally stored data); or
Clearing site data for voxsoma.com in your browser settings; or
Using the in-app "Delete my voice recording" button.

We have no record of when you do this because we never had the data.

6.5 Recovery Card — how access transfers to a new device without an account

does not operate user accounts, passwords, or login systems. To enable users to restore their library on a new device, we use a 6-word Recovery Card generated deterministically at purchase time and shown on the success page. The user is responsible for saving the 6 words (we recommend their password manager or a screenshot).

On a new device, the user enters the 6 words and we restore their library entitlements. This is the only way library state crosses devices. We do not sync, push, or back up your library to our servers — only entitlement records (which products you purchased) are stored, keyed by a one-way hash of your Recovery Card. Your voice recordings, your affirmations, and your baked audio files never leave your device. If you lose the Recovery Card, your Stripe purchase receipt is the legal fallback — contact privacy@voxsoma.com with the receipt and we will manually verify and restore.

The Recovery Card hash is processed under GDPR Art. 6(1)(b) (performance of a contract — delivery of the lifetime access you purchased). We retain the hash for the lifetime of your purchase. To erase the hash and forfeit your future restore ability, contact us — but note this also makes future device transfers impossible.

AI Processing — Anthropic Claude API (Art. 13(2)(f), AI Act Art. 50)

7.1 What goes through AI

Two features use the Anthropic Claude API:

Affirmation generator — your intention/topic text is sent to Claude, which returns an affirmation script.
Chat assistant — your messages are sent to Claude, which returns conversational replies.

7.2 AI Act Article 50 transparency disclosure

In compliance with EU AI Act Article 50, we expressly inform you:

The chat assistant on this site is an artificial intelligence system, not a human. You are interacting with an AI when you use it.
Affirmation text returned by the affirmation generator is AI-generated content.

This disclosure is also surfaced inside the chat assistant interface itself.

7.3 Sub-processor and contractual safeguards

The AI provider is Anthropic, PBC (a Public Benefit Corporation incorporated in Delaware, USA), acting as our data processor under GDPR Article 28. The processing is governed by Anthropic's Commercial Terms of Service and Anthropic's Commercial Data Processing Addendum (DPA), which form part of our contract with Anthropic for API access.

We use Anthropic's Claude API under Commercial Terms. This is materially different from Anthropic's consumer products (Claude Free / Pro / Max). Specifically:

Anthropic does not train its AI models on inputs or outputs sent through the Commercial API. This is contractually guaranteed by Anthropic's Commercial Terms and the Commercial DPA.
Default API retention is short-lived and limited to what is technically required to deliver the response and to detect abuse. Anthropic may retain User Safety classifier outputs to enforce its Usage Policy.
The model used is claude-haiku-4-5 (or a successor model in the same family if Anthropic deprecates the version).

7.4 Legal basis and retention

Legal basis: GDPR Art. 6(1)(b) — performance of the contract (we cannot deliver the affirmation or chat output without sending the input to the AI).
Retention by us: We do not persist the input text or AI output to any application database, file storage, or analytics system. Inputs and outputs may exist transiently in memory and short-lived edge-infrastructure request logs (e.g., Cloudflare Workers execution context, error-tracing logs) for the duration of the request and up to 24 hours for operational debugging, after which they are purged. Aggregated, non-identifying token-count metadata is retained for ≤ 90 days for billing reconciliation.
Retention by Anthropic: as set out in Anthropic's API and data-retention policy. Anthropic does not retain inputs or outputs at rest after the response is returned, except where technically necessary for abuse detection (User Safety classifier outputs).

7.5 What you should not put into the AI

To avoid unnecessary processing of sensitive data, please do not include in your inputs: full names of third parties, government identifiers, payment-card numbers, medical history, or other special-category data. The affirmation generator and chat assistant do not need this information to function. We do not block such inputs technically, but we filter and minimise them in line with GDPR Art. 5(1)(c) (data minimisation).

Payment Processing

Payment processing is performed exclusively by Stripe, Inc. (USA) and its EU sub-entities (Stripe Payments Europe Ltd., Ireland). Stripe is PCI-DSS Level 1 certified.

We never see, store, or transmit your full card number, CVC, or expiry date. The card data flows from your browser directly to Stripe over an encrypted connection (TLS 1.2+), and we receive only:

Stripe customer ID and transaction ID (opaque tokens);
Last 4 digits of the card and card brand (for receipts and refunds);
Billing country (for VAT determination);
Email address (passed through from checkout);
Tax-relevant fields when required by law.

Legal basis: GDPR Art. 6(1)(b) (contract) and Art. 6(1)(c) (legal obligation — tax & accounting law).

Retention: Stripe retains transaction data per its own retention policy. We retain transaction-linked records for 10 years as required by Lithuanian accounting law (Buhalterinės apskaitos įstatymas, Art. 19) and EU VAT rules (Council Directive 2006/112/EC).

For Stripe's own privacy practices and lawful basis for transfers, see Stripe's Privacy Policy and Stripe's Data Processing Agreement.

Cookies, localStorage, and Similar Technologies

uses only strictly necessary functional storage by default. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that follow you across the web. Specifically:

Technology	Purpose	Type	Lifetime
`voxsoma_consent` (localStorage)	Records your cookie-consent choice, policy version, timestamp	Strictly necessary (compliance evidence)	13 months
`voxsoma_token` (localStorage)	Lets you re-access purchased content	Strictly necessary	Until cleared by you
Cloudflare `__cf_bm` / Turnstile	Bot mitigation, abuse prevention	Strictly necessary (security)	Session / 30 minutes
Stripe `__stripe_mid` / `__stripe_sid`	Fraud prevention during checkout	Strictly necessary (security)	1 year / 30 minutes
Rewardful affiliate cookie	Affiliate commission attribution	Non-essential — only set after explicit consent	60 days

Consent mechanism. Before any non-essential cookie (currently only the Rewardful affiliate cookie) is set, we present a consent banner that complies with GDPR Article 7 (informed consent), ePrivacy Directive Article 5(3) (storage consent), and the EAA 2025 accessibility requirements. The banner allows you to Accept, Reject, or close (which is treated as rejection). Your choice is stored in voxsoma_consent with a 13-month TTL. You can withdraw consent at any time via Cookie Settings or by clearing your browser storage.

Your Rights Under GDPR & CCPA

You have the right to: (a) access the personal data we hold about you; (b) request rectification of inaccurate data; (c) request erasure (the "right to be forgotten"); (d) restrict processing; (e) data portability; (f) object to processing; (g) lodge a complaint with your local supervisory authority (in Lithuania: State Data Protection Inspectorate). California residents have additional rights under CCPA — see our CCPA Opt-Out page.

To exercise any of these rights, contact hello@voxsoma.com. We respond within 30 days as required by law.

Contact & Changes

Privacy questions or requests: hello@voxsoma.com. We may update this policy from time to time; the version date at the top of this page reflects the most recent revision. Material changes will be announced on the homepage and via email to active subscribers where applicable.

← Back to · Terms of Service · Refund Policy