Your shoppers' voices never leave the store
On-device is not a feature we added — it is the architecture. Speech-to-text, the language model and the product search all run on the store's own hardware. Nothing is sent to the cloud, and the spoken words are never stored. That is how ShopVoices turns voice, normally retail's biggest data-protection risk, into something your legal team can approve.
Voice is one of the most sensitive things a shopper can give you
Under GDPR, a voice recording is personal data the moment it can be linked to an identifiable person, and European regulators treat voice as inherently biometric. A spoken question can also carry far more than its words — accent, health, age, mood. The moment that audio leaves the device for a third party, a chain of obligations begins.
From the first word to the answer — nothing leaves the device
Capture, locally
The microphone feeds audio directly into the in-store device. On-device voice-activity detection notices when the shopper has finished.
Transcribe, locally
Speech-to-text runs on the device's own processor. The audio is held only in memory.
Understand, locally
A language model running on the same device works out what the shopper wants — no cloud call.
Answer, locally
The device searches a local product, stock and store-layout database and shows the answer plus an aisle highlight — typically in about two to three seconds.
Discard
The raw voice audio is processed in memory and then discarded. It is never persisted and never transmitted.
Why cloud voice-AI is a GDPR minefield
The obligations multiply the instant audio leaves the device for a cloud processor:
Lawful basis & consent
Sending personal — and potentially special-category — voice data to a third party needs a valid lawful basis. Freely-given consent is hard to obtain in a busy aisle.
Transparency duties
You must tell shoppers who processes their voice, where, and why.
Processor chains (Article 28)
Each cloud vendor and sub-processor needs a compliant data-processing agreement to put in place and govern.
Cross-border transfers
Processing outside the EU/EEA triggers post-Schrems II transfer rules — Standard Contractual Clauses plus a transfer impact assessment.
Special-category (Article 9)
Using a voiceprint to identify a person engages the strictest tier of GDPR obligations.
Breach exposure
Every hop multiplies risk — and a leaked voiceprint, unlike a password, can never be reset.
Why on-device sidesteps the minefield
The guarantee comes from where the computation physically happens — which makes it verifiable in due diligence.
| The cloud voice-AI risk | Why it doesn't arise with ShopVoices |
|---|---|
| Cross-border transfer chain (Schrems II / SCCs) | No transmission, no transfer problem — voice never leaves the device. |
| Article 28 processor & sub-processor agreements | No cloud processor — no Article 28 chain to paper or govern. |
| Article 9 special-category biometric trap | No voiceprint — ShopVoices transcribes a request to fulfil it; it does not identify people. |
| Retained recordings holding incidental sensitive content | Data minimisation by design — the transcript is never stored. |
| Audio at rest to leak, subpoena or erase | Audio is ephemeral — processed in memory and discarded. |
| A large data footprint for the DPO to govern | A tiny, governable footprint — anonymous metrics only, with an off switch. |
What we store, and what we never store
| Data | How it's handled |
|---|---|
| Voice audio | Processed in memory on the device. Never persisted, never transmitted. |
| The transcript (the words spoken) | Never stored. Used in memory to find the answer, then discarded. |
| Operational telemetry | Optional and anonymous — timings, counts, a language code and a success flag. No words spoken. Permission-locked, auto-expiring, and can be switched off entirely. |
Where ShopVoices sits under the EU AI Act
The Act's most severe prohibitions and its high-risk biometric-identification category target uses ShopVoices does not perform — it transcribes a request rather than recognising or profiling a person, and it does not categorise people by sensitive traits. As a local, task-specific assistant, it is not a general-purpose-AI model provider.
Built to make the privacy review easy
- On-device architecture removes the data transfer and third-party processing that create most GDPR exposure.
- Supports your DPIA and records-of-processing work with a small, clearly-described data footprint.
- A guarantee you can verify in due diligence — because it is enforced by where computation happens.
See it in your store
Faster service and more upsell, with a privacy posture your legal and DPO teams will thank you for.