Privacy Policy

1. Overview

Tone Translator analyzes the emotional tone of voice recordings to help users — particularly those on the autism spectrum — better understand spoken communication. Because the app processes voice audio and generates inferences about emotional state, we treat all data with heightened care.

This policy describes exactly what data we collect, how it flows through our systems and to third parties, and what rights you have over it. We have written it to reflect what the app actually does, not what we aspire to do.

Developer / Controller: KOKORO — Business Identification Number (BIN): 1001475416 — Toronto, Ontario, Canada.

2. What Tone Translator does — and does not do

Tone Translator records short voice clips, transcribes them, and classifies the general emotional tone (e.g., calm, tense, warm, uncertain). It returns a tone label, a confidence indicator, and an optional suggested next step.

Tone Translator does not:

• diagnose any medical or psychiatric condition,
• constitute a medical device or clinical tool,
• track you across other apps or websites for advertising,
• sell your personal data to third parties,
• collect location, contacts, photos, calendar, or health data.

Tone inference is probabilistic and can vary by context, individual communication style, neurodiversity, language, and audio quality. Results are hints, not verdicts.

3. Data we collect and how

A. Audio — two processing modes

Tone Translator accesses your microphone only while you are actively recording and only after you grant iOS permission. There are two transcription paths:

Primary mode (Apple SFSpeechRecognizer): Audio is streamed through Apple's Speech framework. Because requiresOnDeviceRecognition is set to false, iOS may transmit audio to Apple's speech recognition servers depending on device capabilities and network conditions. Apple's infrastructure handles this audio; we do not receive or store it. Apple's privacy policy governs that processing.

Fallback / chunk mode: If the primary path is unavailable, audio is recorded as short segments (.m4a, 22050 Hz mono AAC), temporarily stored on-device, uploaded to our backend over HTTPS, forwarded to OpenAI's Whisper API for transcription, and then stored in Supabase Storage linked to your account. Temporary on-device files are created in the app's Documents directory.

In chunk mode, audio is linked to your user account and retained in Supabase Storage until you delete it or delete your account.

B. Transcripts and emotion inferences

Once transcribed (by Apple or Whisper), the text is sent to our backend and forwarded to OpenAI's GPT-4o-mini model for emotion classification. The model receives the transcript text, optional prosody features (pitch, energy, pause ratio — derived from audio, not raw audio), and a system prompt. It returns a structured result: emotion label, confidence score, suggestion, valence, arousal, uncertainty flag, and top labels.

Both transcripts and inference results are stored in our Supabase database, linked to your account. You can view them in your recording history and delete them individually or all at once.

Note on OpenAI data retention: Data sent to OpenAI via its API is subject to OpenAI's API usage policies. OpenAI's default API terms include up to 30-day data retention for abuse monitoring unless a zero-data-retention agreement is in place. We do not currently have a confirmed zero-retention agreement with OpenAI. We are evaluating this.

C. Account data

If you create an account, we collect and store:

• Email address — for email/password sign-up, stored in Supabase Auth.
• Apple ID relay — if you use Sign in with Apple; we receive only the relay token (your real email is not accessible if you chose "Hide My Email").
• Authentication tokens — access token, refresh token, and user ID stored in the iOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection. Cleared on sign-out.
• Subscription status — plan, status, and expiry date stored in Supabase.
• Preferences and consent flags — stored locally in UserDefaults (e.g., haptic preference, transcription enabled, consent date). Not transmitted to our servers.

Passwords are sent directly to Supabase Auth and are never cached locally.

D. Device identifier (IDFV)

We collect your device's Identifier for Vendors (IDFV — UIDevice.current.identifierForVendor) and send it to our backend solely to enforce free-tier usage limits for guests (users without an account). It is stored locally in UserDefaults and in our user_free_minutes table. It is not used for advertising or cross-app tracking. It resets when you reinstall the app.

E. Usage data

We track the number of seconds of audio processed to enforce subscription and free-tier limits. This is stored locally (UserDefaults) and server-side in our database. We do not use analytics SDKs (no Firebase, Amplitude, Mixpanel, PostHog, or similar). We do not track sessions, feature usage events, or any behavioral analytics beyond what is necessary to enforce usage quotas.

F. Purchase and subscription data

When you purchase a subscription, Apple's StoreKit framework handles the payment. We receive a signed transaction (JWS), validate it server-side with Apple, and store plan, status, and expiry in Supabase linked to your account. We do not receive or store payment card details.

G. Server logs

Our backend runs on Vercel. Vercel automatically logs IP addresses, request paths, and timestamps for every request as part of standard infrastructure operation. We do not additionally log or store IP addresses ourselves. Vercel's privacy policy governs those logs.

4. Third-party sub-processors

We use the following third-party services to operate Tone Translator. Each receives only the data necessary for its function.

We do not use advertising networks, cross-app tracking services, analytics SDKs, or crash reporting services.

5. How we use your data

We use data solely to:

1. provide the tone analysis features you request,
2. enforce usage limits (free tier and subscription quotas),
3. verify subscription status via Apple's receipt validation,
4. maintain security, prevent abuse, and operate the backend,
5. respond to support requests when you contact us.

We do not use your audio, transcripts, or emotion inferences to train machine learning models, improve our or third-party models, or for any purpose beyond delivering the in-app result to you.

6. Sharing

We share data only with the sub-processors listed in Section 4 and only to the extent required to operate the app. We do not sell personal data. We do not share personal data for third-party advertising. We do not use data brokers.

We may disclose data if required by law, court order, or valid legal process, or to protect the rights, property, or safety of users or the public.

7. Data we do not collect

We confirm the following are not collected by Tone Translator:

• GPS coordinates or coarse location
• Contacts, calendar events, or photos
• Health or fitness data
• Camera data
• Identifier for Advertisers (IDFA) — the ATT prompt is not shown; IDFA is never accessed
• Crash logs or performance analytics
• Behavioral analytics or session data
• Bluetooth or motion sensor data

8. Data retention

• Audio (chunk/fallback mode): Stored in Supabase Storage linked to your account until you delete the recording or your account.
• Transcripts and emotion inferences: Stored in Supabase until you delete them individually or delete your account. No automatic time-to-live is currently implemented; we are evaluating an automatic 90-day retention policy.
• Account data (email, auth records): Retained until you delete your account. Deletion removes your Supabase Auth record and, via database cascade, all associated recordings, transcripts, and inferences.
• Subscription records: Deleted on account deletion.
• Local on-device data: UserDefaults and Keychain data are cleared when you sign out or delete your account via the in-app option. Uninstalling the app clears Keychain and UserDefaults; server-side data persists until you explicitly request deletion.
• OpenAI: Subject to OpenAI's API data retention terms (up to 30 days by default).
• Apple SFSpeechRecognizer audio: Governed by Apple's speech recognition privacy policy; we have no visibility or control over it.
• Vercel server logs: Governed by Vercel's data retention policy.

9. Your rights and controls

Controls available in the app

• Microphone access: Enable or revoke in iOS Settings → Privacy & Security → Microphone.
• Speech recognition: Enable or revoke in iOS Settings → Privacy & Security → Speech Recognition. Revoking falls back to chunk-based transcription (Whisper via backend).
• Transcription: You can disable transcription storage within the app settings.
• Delete individual recordings: Available in your recording history.
• Delete all data: Settings → Privacy & Data → Delete All My Data. This deletes your Supabase Auth user account and, via cascade, all recordings, transcripts, inferences, and subscription records on our servers. Server-side deletion completes within approximately 30 days.
• Export your data: Settings → Export My Data exports your recording history as a JSON file.
• Revoke recording consent: Settings → Privacy & Data → Revoke Consent resets your consent flags locally.

Rights under GDPR / CCPA and applicable law

Depending on your jurisdiction, you may have rights to access, correct, port, restrict, or erase your personal data, and to object to processing. To exercise any of these rights, contact [email protected]. We will respond within 30 days.

Note on emotion data under GDPR: Emotion inferences generated from audio of users who may have a neurological condition could be considered data "concerning health" under GDPR Article 9. We process this data based on your explicit consent (provided during onboarding). You may withdraw consent at any time by deleting your account.

10. Security

• All data is transmitted over HTTPS (TLS). HTTP is only permitted to localhost in development builds.
• Authentication tokens are stored in the iOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection.
• Supabase Storage encrypts files at rest (AES-256). Supabase database is encrypted at rest.
• Access to our backend and database is restricted by least-privilege policies and Row Level Security (Supabase RLS).
• We do not use certificate pinning. Standard iOS App Transport Security (ATS) is enforced.

No security measures are perfect. If you discover a vulnerability, please report it to [email protected].

11. Sensitive population notice

Tone Translator is designed for people on the autism spectrum who want help interpreting vocal tone. Because users may share deeply personal data — voice recordings in emotionally charged conversations — we apply heightened care:

• We do not use your data to train models or improve AI systems.
• Results are probabilistic hints, not clinical assessments. Limitations are disclosed in-app.
• Tone Translator is designed for use by the person whose voice is being recorded. It is not designed as a surveillance or monitoring tool. Users are responsible for obtaining consent from any third parties they record (see Terms of Service, Section 8).
• We do not share emotion inference results with any third party other than the sub-processors listed in Section 4.

12. Children's privacy

Tone Translator is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal data, contact [email protected] and we will delete it promptly.

Users between 13 and 17 should use Tone Translator with parental awareness.

13. Changes to this policy

We may update this policy as the app evolves. If changes are material — particularly changes to what data we collect, who we share it with, or how long we keep it — we will notify you via an in-app notice and update the effective date above. Continued use of Tone Translator after the effective date constitutes acceptance of the revised policy.

14. Contact

Privacy questions, data requests, or vulnerability reports:

[email protected]