Vox Probabilis
Privacy Policy
Last updated: 2026-04-19
1. Who we are
Vox Probabilis is a research project by Juan Fausto and Claude (Anthropic), open-sourced under the MIT license. Contact: [email protected]
2. What we collect
- A randomly generated session ID stored in a cookie (HttpOnly, SameSite=Lax)
- A SHA-256 hash of your IP address (truncated to 16 chars) for rate limiting
- Four spectral features extracted from your voice samples: jitter, MFCC delta variance, spectral flux, microtremor envelope
- Timestamps of analysis requests
- The quadrant label assigned by the analyzer
3. What we DO NOT collect (Explorer free tier)
- Your raw audio. Audio files exist briefly in server memory and a temporary file during format conversion (less than 200 milliseconds), then are permanently deleted. We do not retain audio under any circumstances.
- Your name, email, address, or any direct identifier (Explorer free tier only — see §3-A for Coach Tier 1+ and §3-B for Cofre Tier 2+)
- Cookies for advertising or third-party tracking
- Browser fingerprints
3-A. Coach Tier 1+ (paid) — additional data
If you activate a Coach account, we additionally store:
- Your email address (lawyer account identifier)
- Tier + billing period counters (sessions used / reports used)
- Session metadata: name you assigned, planned questions (free text you typed), per-response narratives generated by Claude Sonnet
- HMAC-signed session tokens + lawyer cookie tokens
Raw audio is still deleted within 60 seconds. Email is tombstoned (replaced with a random placeholder) on soft-delete via CLI revoke.
3-B. Cofre Tier 2+ (Profissional / Escritório) — additional data
If you use the Cofre feature (cross-session client persistence), we additionally store the following identifiers. The PII columns listed first are Fernet-encrypted at rest (AES-128-CBC + HMAC-SHA256); the Pre-Hearing Brief artefacts at the bottom are stored as plaintext rows + plaintext PDF files on the host filesystem under mode 0600.
Fernet-encrypted (BLOB columns):
- Client/witness name (free text you provide)
- Process reference (case number, court)
- Your private notes about the client
- Per-response notes attached to tags (the tag label itself is plaintext)
Stored as plaintext (TEXT rows + BLOB PDF on disk, filesystem permissions only):
- Pre-Hearing Brief summary JSON (sections, recommendations, narrative) — referencing the client name + process the model decrypted into the prompt
- Pre-Hearing Brief rendered HTML
- Pre-Hearing Brief PDF file under /var/lib/voxprobabilis/briefs/ (mode 0600, owner vox)
- Tag label itself (e.g. fraco) — designed to be short, non-PII; lawyer is responsible for not encoding sensitive content in the label
The Operator does not access or analyse Cofre data. Cross-tenant access is blocked at the SQL layer (any attempt by another lawyer returns 404 indistinguishable from non-existence).
Cofre retention: default 365 days from session end, configurable per client between 30 and 365 days. Daily cron purges expired sessions. DELETE via dashboard removes client + briefs + tags immediately; CLI cofre-wipe-client hard-erases the entire chain. CLI cofre-export provides LGPD Art. 18 portability in JSON.
4. Why we collect what we collect
- Session cookie: to remember your baseline calibration and daily quota
- IP hash: to enforce the free quota of 3 analyses per day
- Feature values: to compute the analysis you requested
5. Optional: Research dataset (opt-in)
If you check the "Contribute to v2 dataset" box, the four feature values from a single analysis are saved without any link to your session, IP, or identity. These anonymous numerical vectors may be used in a future academic publication. You can stop opting in at any time. We cannot delete past anonymous contributions because they cannot be linked back to you — that is the point of anonymization.
6. Data retention
- Explorer (free): session data 60 days from last visit, then deleted
- Explorer (free): analysis records 90 days, then deleted
- Coach Tier 1+: sessions, responses, and rendered reports are retained as long as the lawyer's account is active; the lawyer can request deletion of any individual session at any time via the dashboard or via the operator (LGPD §7)
- Cofre Tier 2+ — automatic daily cron purge applies only to sessions that have been linked to a client: these are soft-deleted once now − ended_at exceeds the per-client retention window (default 365 days, lawyer-configurable 30-365 per client when the profile is created)
- Cofre Tier 2+: client profiles, response rows, tag rows, and Pre-Hearing Briefs are retained until the lawyer issues an explicit delete (dashboard DELETE /clients/{id} for the client profile + tags + briefs; operator CLI cofre-wipe-client for full hard-erasure of the whole chain including disk-side PDF files)
- Tier 1 sessions that are NOT linked to a Cofre client are not currently auto-purged — they live until the lawyer requests their deletion explicitly. This will be tightened in a later release.
- Anonymous opt-in feature vectors: indefinite (research data)
7. Your rights under LGPD
You may request:
- Access to data we hold about your session
- Deletion of your session data (this is automatic if you stop using the service for 60 days)
- Confirmation that we process your data
- Information on how your data is used
Contact: [email protected] — we respond within 15 days.
8. Lawful basis
Processing of voice data (sensitive personal data under LGPD Art. 11) is based on your specific and explicit consent, given by uploading audio to the analyzer.
9. Children
This service is not directed at children under 13. We do not knowingly collect data from children.
10. Changes
We will post any changes here with an updated date. We will not silently expand what we collect.
11. Disclaimer about findings
Vox Probabilis is a research instrument, not a forensic or medical device. Outputs are scientific measurements with stated uncertainty. Do not use them to make legal, employment, relational, or medical decisions about yourself or others.