Privacy Policy for Voilà

Last Updated: May 26, 2026

Voilà ("we", "our", or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our XR language learning application ("the App") and related services (together, "the Services").

We comply with the General Data Protection Regulation (GDPR) and applicable privacy laws in regions where our users reside.

1. Who We Are

Until formal incorporation, Voilà operates as the Data Controller of your personal data under the name Voilà, reachable at:

📧 legal@voila.fun — 🌐 www.voila.fun

Once incorporated in the United States, Voilà Technologies LLC will act as the formal data controller, continuing to abide by GDPR for European customers.

2. What Data We Collect

We collect the following categories of personal data:

A. Information You Provide

Account details: Name, email, password, and language preferences.
Profile information: Country, target language, learning level, and subscription tier.
Audio/video data: Recordings, speech samples, and transcriptions used for learning.
Tutor interactions: Messages, call logs, and feedback in the app.
Billing data: Managed by third-party providers (Stripe, Google Play, Apple) — Voilà does not store full payment details.

B. Information Collected Automatically

Device and usage data: XR headset type, operating system, app version, session logs.
Analytics: Through Google and Firebase Analytics (only with consent).
Approximate location: For localization and time zone alignment (not continuous tracking).
Cookies and similar technologies: Explained in Section 10.

C. Information from Third Parties

Partner institutions (language schools) if you register through them.
OAuth providers (Google, Apple) if you sign up via Single Sign-On (SSO).

D. Meeting recordings, participants, and your obligations

When you use features that capture or process audio, video, or transcripts from meetings or calls (including through the Voilà browser extension or bot hosting), that information may include personal data about you and about third parties (for example, students, tutors, or other participants). You are responsible for ensuring that you have a valid lawful basis—and, where required, explicit freely given consent or other permissions—from every affected person before any recording or processing takes place.

Voilà processes such data only as described in this Privacy Policy and in reliance on your agreement with our Terms. We do not monitor whether you have correctly obtained consent in each session. If you use our Services in a manner that violates privacy, wiretap, surveillance, or similar laws, you are solely responsible for that use and for any resulting harm, subject to applicable law.

Voice samples and biometric data

When you record a voice sample, you provide biometric data that uniquely identifies you. We treat this category with extra care under GDPR Article 9 and only process it with your explicit consent.

What we use it for

Labelling who is speaking in your lesson transcripts (speaker diarisation).
Generating voice-matched text-to-speech in our learning tools, so synthesised audio sounds similar to you.

Who processes it

The raw audio is stored on AWS in Europe (eu-west-3). We derive a 192-dimensional voice fingerprint (ECAPA-TDNN embedding) from the audio. The fingerprint is shared with Google Cloud Text-to-Speech only when generating voice-matched output. The raw audio is never sent to Google.

How long we keep it

Both the audio file and the voice fingerprint are retained until you delete your voice sample, or until your account is deleted, whichever happens first.

How to withdraw consent

You can withdraw your consent at any time by deleting your voice sample in Settings → Personal → Voice sample, which also deletes the derived fingerprint. Deleting your account removes both as part of the standard erasure flow.

Lawful basis

Explicit consent under Article 9(2)(a) GDPR. We do not rely on any other lawful basis for biometric processing.

3. How We Use Your Data

We process your personal data based on the following legal grounds:

Purpose	Legal Basis
Providing the app and its features	Contract performance
Personalized learning recommendations	Legitimate interest / Consent
Analytics and product improvement	Consent
Email notifications (learning reminders, updates)	Consent
Payment processing and subscription management	Contract performance
Customer support and troubleshooting	Legitimate interest
Compliance with legal obligations	Legal obligation

You can withdraw consent at any time via account settings or by emailing legal@voila.fun.

Google Calendar Integration & User Data

When you use our Calendar OAuth Integration, we adhere to strict privacy standards regarding your Google User Data:

Real-Time Access & Event Storage: We strictly limit data retention. We do not store your external Google Calendar events on our servers; we fetch this data momentarily only when you view your calendar within the Voila platform. We only store the specific meeting details for events created directly within Voila to manage your schedule.
No Third-Party Sharing: We do not share your Google Calendar data with anyone outside of our company or with any third-party AI models.
Limited Use: Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Changes & Notifications: We will verify that our usage of your data matches this policy. If we make any changes to how we use or process your Google user data, we will notify you promptly via email or an in-app notification prior to the change taking effect.

4. Who We Share Your Data With

We share limited data with trusted third parties acting as data processors:

Processor	Purpose	Region
Stripe, Inc.	Payment processing, subscription billing, and tutor payouts (Stripe Connect KYC)	Global (US + EU sub-processors; SCCs)
Amazon Web Services, Inc.	Cloud hosting, database, storage (S3), transactional email (SES), mobile push relay (SNS), and operational logs	EU (eu-west-3 Paris, eu-central-1 Frankfurt)
Google LLC (Cloud, Firebase, Workspace, Analytics)	AI features (Vertex AI / Gemini), translation, embedded maps, text-to-speech, optional calendar sync, mobile push (FCM), and consent-gated web analytics	EU / Global (SCCs)
Microsoft Corporation	Optional sign-in (Entra ID) and Outlook calendar sync	EU data boundary where the user is EU-based
100ms Technology Pvt. Ltd.	WebRTC video room infrastructure for live lessons	Global
Recall.ai, Inc.	Recording bots for Google Meet, Microsoft Teams, and Zoom (only when the recording feature is enabled)	US (SCCs)
Functional Software, Inc. (d/b/a Sentry)	Error monitoring and performance tracing (PII scrubbed before send)	EU (de.sentry.io)

Each provider operates under GDPR-compliant Data Processing Agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) or the EU—US Data Privacy Framework for international transfers.

5. Data Retention

We retain data only as long as necessary for the purposes collected.

Data Type	Retention Period
Account information	Until deletion or 2 years of inactivity
Audio/video recordings	Until user deletes or account closure
Payment/billing data	Up to 7 years (legal compliance)
Analytics data	26 months (then anonymized)

When data is no longer needed, it is securely deleted or anonymized.

6. Data Security and Breach Notification

We implement encryption, access controls, and network isolation across our infrastructure (AWS).

In the event of a data breach that may impact your rights and freedoms, we will notify you and the appropriate supervisory authority in accordance with GDPR Article 33.

7. International Data Transfers

Your data may be processed outside the European Economic Area (EEA), specifically in the United States.

We rely on:

Standard Contractual Clauses (SCCs) for data transfers,
EU—US Data Privacy Framework (where applicable), and
Secure encrypted channels (TLS) for all cross-border transfers, with primary storage in the EU (AWS eu-west-3 and eu-central-1) and SCCs in place for US-based sub-processors (e.g. Stripe, Recall.ai).

All transfers follow GDPR Articles 44–49 safeguards.

8. Your GDPR Rights

You have the following rights regarding your personal data:

Access – Obtain a copy of your data.
Rectification – Correct inaccurate or incomplete data.
Erasure – Request deletion ("Right to be Forgotten").
Restriction – Limit processing of your data.
Data Portability – Receive data in machine-readable format.
Objection – Object to processing under legitimate interests.
Withdraw Consent – At any time, without affecting prior lawful processing.

To exercise any right, contact legal@voila.fun.

You may also lodge a complaint with your local Data Protection Authority (e.g., CNPD – Comissão Nacional de Proteção de Dados, Portugal).

9. Automated Decision-Making and AI

Voilà uses AI to:

Generate translations and grammar corrections,
Provide feedback on pronunciation and sentence structure,
Suggest personalized learning content.

All AI processing is assistive, non-deterministic, and human-reviewed where necessary.

Voilà does not make any automated decisions producing legal or significant effects.

You can disable personalization features in your account settings.

10. Cookies and Tracking Technologies

When using the Voilà web platform, we use cookies and similar technologies.

Cookies are small files placed on your device to improve functionality, analytics, and personalization.

Categories of Cookies:

Category	Purpose	Consent Required
Essential	Required for core site functionality, authentication, and security	No
Analytics	Used to understand usage and improve experience (e.g., Firebase Analytics, Google Analytics)	Yes
Marketing	Used to deliver relevant promotions or content	Yes

Your Choices:

Upon first visit, you will see a cookie consent banner allowing you to:

Accept all cookies;
Reject non-essential cookies; or
Manage preferences by category.

No analytics or marketing cookies are set until you grant consent.

You can change or withdraw consent anytime via "Cookie Settings" in the app or website footer.

11. Children's Privacy

Voilà is not directed to children under 13.

If we become aware of data collected from minors without parental consent, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically.

If significant changes occur, we will notify you via in-app message or email.

The latest version will always be available at www.voila.fun/privacy.

13. Contact Us

For questions, concerns, or to exercise your rights, contact:

📧 legal@voila.fun — 🌐 www.voila.fun

Privacy Policy for Voilà

Last Updated: May 26, 2026

We comply with the General Data Protection Regulation (GDPR) and applicable privacy laws in regions where our users reside.

1. Who We Are

Until formal incorporation, Voilà operates as the Data Controller of your personal data under the name Voilà, reachable at:

📧 legal@voila.fun — 🌐 www.voila.fun

Once incorporated in the United States, Voilà Technologies LLC will act as the formal data controller, continuing to abide by GDPR for European customers.

2. What Data We Collect

We collect the following categories of personal data:

A. Information You Provide

Account details: Name, email, password, and language preferences.
Profile information: Country, target language, learning level, and subscription tier.
Audio/video data: Recordings, speech samples, and transcriptions used for learning.
Tutor interactions: Messages, call logs, and feedback in the app.
Billing data: Managed by third-party providers (Stripe, Google Play, Apple) — Voilà does not store full payment details.

B. Information Collected Automatically

Device and usage data: XR headset type, operating system, app version, session logs.
Analytics: Through Google and Firebase Analytics (only with consent).
Approximate location: For localization and time zone alignment (not continuous tracking).
Cookies and similar technologies: Explained in Section 10.

C. Information from Third Parties

Partner institutions (language schools) if you register through them.
OAuth providers (Google, Apple) if you sign up via Single Sign-On (SSO).

D. Meeting recordings, participants, and your obligations

Voice samples and biometric data

When you record a voice sample, you provide biometric data that uniquely identifies you. We treat this category with extra care under GDPR Article 9 and only process it with your explicit consent.

What we use it for

Labelling who is speaking in your lesson transcripts (speaker diarisation).
Generating voice-matched text-to-speech in our learning tools, so synthesised audio sounds similar to you.

Who processes it

How long we keep it

Both the audio file and the voice fingerprint are retained until you delete your voice sample, or until your account is deleted, whichever happens first.

How to withdraw consent

Lawful basis

Explicit consent under Article 9(2)(a) GDPR. We do not rely on any other lawful basis for biometric processing.

3. How We Use Your Data

We process your personal data based on the following legal grounds:

Purpose	Legal Basis
Providing the app and its features	Contract performance
Personalized learning recommendations	Legitimate interest / Consent
Analytics and product improvement	Consent
Email notifications (learning reminders, updates)	Consent
Payment processing and subscription management	Contract performance
Customer support and troubleshooting	Legitimate interest
Compliance with legal obligations	Legal obligation

You can withdraw consent at any time via account settings or by emailing legal@voila.fun.

Google Calendar Integration & User Data

When you use our Calendar OAuth Integration, we adhere to strict privacy standards regarding your Google User Data:

Real-Time Access & Event Storage: We strictly limit data retention. We do not store your external Google Calendar events on our servers; we fetch this data momentarily only when you view your calendar within the Voila platform. We only store the specific meeting details for events created directly within Voila to manage your schedule.
No Third-Party Sharing: We do not share your Google Calendar data with anyone outside of our company or with any third-party AI models.
Limited Use: Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Changes & Notifications: We will verify that our usage of your data matches this policy. If we make any changes to how we use or process your Google user data, we will notify you promptly via email or an in-app notification prior to the change taking effect.

4. Who We Share Your Data With

We share limited data with trusted third parties acting as data processors:

Processor	Purpose	Region
Stripe, Inc.	Payment processing, subscription billing, and tutor payouts (Stripe Connect KYC)	Global (US + EU sub-processors; SCCs)
Amazon Web Services, Inc.	Cloud hosting, database, storage (S3), transactional email (SES), mobile push relay (SNS), and operational logs	EU (eu-west-3 Paris, eu-central-1 Frankfurt)
Google LLC (Cloud, Firebase, Workspace, Analytics)	AI features (Vertex AI / Gemini), translation, embedded maps, text-to-speech, optional calendar sync, mobile push (FCM), and consent-gated web analytics	EU / Global (SCCs)
Microsoft Corporation	Optional sign-in (Entra ID) and Outlook calendar sync	EU data boundary where the user is EU-based
100ms Technology Pvt. Ltd.	WebRTC video room infrastructure for live lessons	Global
Recall.ai, Inc.	Recording bots for Google Meet, Microsoft Teams, and Zoom (only when the recording feature is enabled)	US (SCCs)
Functional Software, Inc. (d/b/a Sentry)	Error monitoring and performance tracing (PII scrubbed before send)	EU (de.sentry.io)

5. Data Retention

We retain data only as long as necessary for the purposes collected.

Data Type	Retention Period
Account information	Until deletion or 2 years of inactivity
Audio/video recordings	Until user deletes or account closure
Payment/billing data	Up to 7 years (legal compliance)
Analytics data	26 months (then anonymized)

When data is no longer needed, it is securely deleted or anonymized.

6. Data Security and Breach Notification

We implement encryption, access controls, and network isolation across our infrastructure (AWS).

In the event of a data breach that may impact your rights and freedoms, we will notify you and the appropriate supervisory authority in accordance with GDPR Article 33.

7. International Data Transfers

Your data may be processed outside the European Economic Area (EEA), specifically in the United States.

We rely on:

Standard Contractual Clauses (SCCs) for data transfers,
EU—US Data Privacy Framework (where applicable), and
Secure encrypted channels (TLS) for all cross-border transfers, with primary storage in the EU (AWS eu-west-3 and eu-central-1) and SCCs in place for US-based sub-processors (e.g. Stripe, Recall.ai).

All transfers follow GDPR Articles 44–49 safeguards.

8. Your GDPR Rights

You have the following rights regarding your personal data:

Access – Obtain a copy of your data.
Rectification – Correct inaccurate or incomplete data.
Erasure – Request deletion ("Right to be Forgotten").
Restriction – Limit processing of your data.
Data Portability – Receive data in machine-readable format.
Objection – Object to processing under legitimate interests.
Withdraw Consent – At any time, without affecting prior lawful processing.

To exercise any right, contact legal@voila.fun.

You may also lodge a complaint with your local Data Protection Authority (e.g., CNPD – Comissão Nacional de Proteção de Dados, Portugal).

9. Automated Decision-Making and AI

Voilà uses AI to:

Generate translations and grammar corrections,
Provide feedback on pronunciation and sentence structure,
Suggest personalized learning content.

All AI processing is assistive, non-deterministic, and human-reviewed where necessary.

Voilà does not make any automated decisions producing legal or significant effects.

You can disable personalization features in your account settings.

10. Cookies and Tracking Technologies

When using the Voilà web platform, we use cookies and similar technologies.

Cookies are small files placed on your device to improve functionality, analytics, and personalization.

Categories of Cookies:

Category	Purpose	Consent Required
Essential	Required for core site functionality, authentication, and security	No
Analytics	Used to understand usage and improve experience (e.g., Firebase Analytics, Google Analytics)	Yes
Marketing	Used to deliver relevant promotions or content	Yes

Your Choices:

Upon first visit, you will see a cookie consent banner allowing you to:

Accept all cookies;
Reject non-essential cookies; or
Manage preferences by category.

No analytics or marketing cookies are set until you grant consent.

You can change or withdraw consent anytime via "Cookie Settings" in the app or website footer.

11. Children's Privacy

Voilà is not directed to children under 13.

If we become aware of data collected from minors without parental consent, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically.

If significant changes occur, we will notify you via in-app message or email.

The latest version will always be available at www.voila.fun/privacy.

13. Contact Us

For questions, concerns, or to exercise your rights, contact:

📧 legal@voila.fun — 🌐 www.voila.fun