Privacy & GDPR

Your shoppers' voices never leave the store

On-device is not a feature we added — it is the architecture. Speech-to-text, the language model and the product search all run on the store's own hardware. Nothing is sent to the cloud, and the spoken words are never stored. That is how ShopVoices turns voice, normally retail's biggest data-protection risk, into something your legal team can approve.

Why this matters

Voice is one of the most sensitive things a shopper can give you

Under GDPR, a voice recording is personal data the moment it can be linked to an identifiable person, and European regulators treat voice as inherently biometric. A spoken question can also carry far more than its words — accent, health, age, mood. The moment that audio leaves the device for a third party, a chain of obligations begins.

How ShopVoices handles a shopper's voice

From the first word to the answer — nothing leaves the device

Capture, locally

The microphone feeds audio directly into the in-store device. On-device voice-activity detection notices when the shopper has finished.

Transcribe, locally

Speech-to-text runs on the device's own processor. The audio is held only in memory.

Understand, locally

A language model running on the same device works out what the shopper wants — no cloud call.

Answer, locally

The device searches a local product, stock and store-layout database and shows the answer plus an aisle highlight — typically in about two to three seconds.

Discard

The raw voice audio is processed in memory and then discarded. It is never persisted and never transmitted.

Security is multi-layered: on-device processing, no network exposure of voice data, permission-locked local storage and data minimisation by design — so there is no single point of failure and no honeypot of recordings to breach.
The risk you avoid

Why cloud voice-AI is a GDPR minefield

The obligations multiply the instant audio leaves the device for a cloud processor:

Lawful basis & consent

Sending personal — and potentially special-category — voice data to a third party needs a valid lawful basis. Freely-given consent is hard to obtain in a busy aisle.

Transparency duties

You must tell shoppers who processes their voice, where, and why.

Processor chains (Article 28)

Each cloud vendor and sub-processor needs a compliant data-processing agreement to put in place and govern.

Cross-border transfers

Processing outside the EU/EEA triggers post-Schrems II transfer rules — Standard Contractual Clauses plus a transfer impact assessment.

Special-category (Article 9)

Using a voiceprint to identify a person engages the strictest tier of GDPR obligations.

Breach exposure

Every hop multiplies risk — and a leaked voiceprint, unlike a password, can never be reset.

Architecture, not policy

Why on-device sidesteps the minefield

The guarantee comes from where the computation physically happens — which makes it verifiable in due diligence.

The cloud voice-AI riskWhy it doesn't arise with ShopVoices
Cross-border transfer chain (Schrems II / SCCs)No transmission, no transfer problem — voice never leaves the device.
Article 28 processor & sub-processor agreementsNo cloud processor — no Article 28 chain to paper or govern.
Article 9 special-category biometric trapNo voiceprint — ShopVoices transcribes a request to fulfil it; it does not identify people.
Retained recordings holding incidental sensitive contentData minimisation by design — the transcript is never stored.
Audio at rest to leak, subpoena or eraseAudio is ephemeral — processed in memory and discarded.
A large data footprint for the DPO to governA tiny, governable footprint — anonymous metrics only, with an off switch.
Full transparency

What we store, and what we never store

DataHow it's handled
Voice audioProcessed in memory on the device. Never persisted, never transmitted.
The transcript (the words spoken)Never stored. Used in memory to find the answer, then discarded.
Operational telemetryOptional and anonymous — timings, counts, a language code and a success flag. No words spoken. Permission-locked, auto-expiring, and can be switched off entirely.
Orientation

Where ShopVoices sits under the EU AI Act

The Act's most severe prohibitions and its high-risk biometric-identification category target uses ShopVoices does not perform — it transcribes a request rather than recognising or profiling a person, and it does not categorise people by sensitive traits. As a local, task-specific assistant, it is not a general-purpose-AI model provider.

For your compliance team

Built to make the privacy review easy

  • On-device architecture removes the data transfer and third-party processing that create most GDPR exposure.
  • Supports your DPIA and records-of-processing work with a small, clearly-described data footprint.
  • A guarantee you can verify in due diligence — because it is enforced by where computation happens.

See it in your store

Faster service and more upsell, with a privacy posture your legal and DPO teams will thank you for.