Privacy Policy

Last updated: June 28, 2026

Lalophos is a voice-first AI communication training tool. This policy explains exactly what data we collect, how it is processed, and what rights you have. We do not sell your data. We do not use your data to train AI models.

1. What We Collect

When you use Lalophos, the following data is processed:

Voice / speech audio — captured by your browser's microphone during a session. Audio is processed in real-time and is not stored on our servers. Transcription is performed locally in your browser via the Web Speech API (Google Chrome) or via Deepgram's API as a fallback. Deepgram's privacy policy applies to the fallback path.
Conversation transcript — the text of your conversation with the AI persona is held in server memory for the duration of your session and used to generate your verdict. Transcripts are not persisted to our database unless you choose to save or share your result.
Verdict / score — if you share your result or submit to the leaderboard, your score, scenario, persona, and session breakdown are stored in our database. Your handle (display name) is chosen by you.
Email address — only if you voluntarily provide it to receive your verdict summary and optional follow-up messages. Email addresses are stored in our database and used only for those purposes.
Session logs — anonymous event logs (e.g. "session started", "verdict generated") are recorded for operational monitoring. These contain no personal identifiers.

2. How Voice Data Is Handled

Your microphone is only activated when you explicitly press the mic button. Audio is never recorded passively or in the background.

Primary path (browser SpeechRecognition): Speech-to-text runs entirely inside your browser. No audio leaves your device. Google's Web Speech API documentation applies.

Fallback path (Deepgram): On browsers that do not support the Web Speech API (e.g. Firefox), audio is streamed to Deepgram's servers for transcription. Deepgram's retention policy (by default: no permanent storage after transcription) applies. See deepgram.com/privacy.

Audio is not stored by Lalophos at any point. We receive only the text transcript returned by the speech recognition system.

3. Third-Party Services

Groq (LLM inference) — conversation text is sent to Groq's API to generate AI responses and verdict analysis. Groq processes this data under their terms. See groq.com/privacy-policy. Groq does not use your data for model training by default.
ElevenLabs (text-to-speech) — AI response text is sent to ElevenLabs to generate the AI persona's voice. No user voice data is sent to ElevenLabs. See elevenlabs.io/privacy.
Microsoft Edge TTS (fallback text-to-speech) — when ElevenLabs is unavailable, AI response text is converted to speech using Microsoft's Edge TTS service. See Microsoft's privacy policy for details.
Google Fonts — fonts are loaded from Google Fonts CDN. Google may log the request. If fonts fail to load, system fonts are used as a fallback — the app remains fully functional.

4. Cookies and Storage

Lalophos uses the following browser storage:

Session cookie — a server-side session cookie is used to associate your conversation turns during an active session. It contains no personal data and expires when you close your browser.
Service worker cache — a service worker caches static assets (HTML, icons, manifest) to enable fast load times and basic offline capability. No personal data is cached.
localStorage — used to remember UI preferences (e.g. PWA install prompt). No personal data is stored.

We do not use advertising cookies, tracking pixels, or third-party analytics scripts.

5. Data Retention

Conversation transcripts: Deleted from server memory at session end (within minutes). Not persisted unless shared.
Shared verdicts: Stored indefinitely to keep share links functional. You can request deletion by contacting us.
Leaderboard entries: Stored indefinitely. Your handle is chosen by you — use a pseudonym if you prefer anonymity.
Email addresses: Retained until you unsubscribe or request deletion. Each drip email includes an unsubscribe mechanism.
Event logs: Retained for up to 90 days for operational monitoring, then purged.

6. Your Rights

Depending on your jurisdiction (EU GDPR, UK GDPR, California CPRA, and similar laws), you may have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion of your data
Object to or restrict processing
Withdraw consent at any time (where processing is based on consent)
Data portability (receive your data in a machine-readable format)

To exercise any right, contact us at the address below. We will respond within 30 days.

7. Security

Lalophos is served over HTTPS with HSTS enabled. All API keys are stored as environment secrets, never in source code. Rate limiting is applied to all API endpoints. We apply security headers including Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy.

8. Children

Lalophos is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided data, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this policy. Material changes will be reflected in the "Last updated" date at the top. Continued use of the service after an update constitutes acceptance of the revised policy.

Questions: contact@lalophos.com | lalophos.com