Voice Goof! Privacy Policy
Developer: Puffy Slippers Tech LLC
Application: Voice Goof! (com.voicegoof.app)
Effective Date: 2026-05-15
Last Updated: 2026-05-15
Contact: admin@tech.puffyslippers.com
1. Who We Are
Puffy Slippers Tech LLC ("we," "us," "our") develops Voice Goof!, a personal entertainment application that lets you record a short voice sample and generate new audio with that voice speaking AI-written or user-written text. We are incorporated under the laws of the State of Washington, United States.
2. The Short Version
Voice Goof! collects nothing from you. All AI processing happens entirely on your device. No audio, voice recordings, biometric data, or personal information ever leaves your phone. We have no servers that receive your data. We cannot access your voice recordings because they never reach us.
3. What Data the App Processes (On Your Device Only)
The following data is created and stored exclusively on your device. It is never transmitted to us or any third party.
| Data Type | Purpose | Storage Location |
|---|---|---|
| Voice recordings (audio files) | Source voice for AI cloning | Device local storage, encrypted |
| Mathematical voice reference codes | Enable voice cloning inference | Device local storage, encrypted |
| AI-generated audio files | Output of the voice cloning feature | Device local storage |
| EULA acceptance timestamp | Record that you agreed to terms | Device AsyncStorage |
| Voice recording consent timestamp | Record per-recording consent | Device AsyncStorage |

No analytics, advertising, crash-reporting, or tracking SDKs are included in the app. There is no third-party data collection of any kind.
4. Biometric Data — How We Protect It
Voice recordings are biometric data under Illinois BIPA, GDPR Article 9, and CCPA/CPRA.
4.1 Encryption
Every voice recording and reference code file is encrypted with AES-256-GCM before being written to disk. The encryption key is stored in your device's hardware-backed secure storage (iOS Keychain / Android Keystore), locked to your device only (WHEN_UNLOCKED_THIS_DEVICE_ONLY). We do not have access to this key.
4.2 Retention Schedule
| Trigger | Action |
|---|---|
| 30 days of inactivity | All voice samples, reference codes, and generated audio files are automatically and permanently deleted from your device |
| "Delete All My Data" (in Settings) | All files are immediately deleted and the encryption key is destroyed; a fresh key is generated on the next use |

The 30-day inactivity window resets each time you use a voice sample or play a generated audio file. "Inactivity" means you have not accessed the data within that period.
This retention schedule is disclosed here to satisfy BIPA § 15(a) (publicly available biometric data retention policy).
4.3 No External Transmission
All AI inference (text generation via Google Gemma 4 E2B; voice synthesis via NeuTTS-Air) runs entirely on your device using native on-device runtimes. No audio or voice data is sent to any server at any point.
5. Legal Basis for Processing (GDPR — EEA Users)
If you are located in the European Economic Area, we process your biometric voice data under Article 9(2)(a) GDPR — your explicit consent, given at first launch via the scroll-gated End-User License Agreement and confirmed again via the per-recording consent checkbox before each voice sample is saved.
| GDPR Principle | How We Comply |
|---|---|
| Lawful basis (Art. 9(2)(a)) | Explicit consent at first launch and per recording |
| Data minimization (Art. 5(1)(c)) | Only the voice sample needed for cloning is stored |
| Purpose limitation (Art. 5(1)(b)) | Sole purpose: personal entertainment voice cloning |
| Storage limitation (Art. 5(1)(e)) | 30-day inactivity deletion; immediate erasure on request |
| Integrity & confidentiality (Art. 5(1)(f)) | AES-256-GCM encryption; hardware-backed key storage |
| No cross-border transfer | All processing on-device; no external server communication |

Right to Erasure (Art. 17): You can exercise this right at any time using "Delete All My Data" in the app's Settings tab. This permanently removes all biometric data and destroys the encryption key.
6. Your Rights — California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the following rights regarding personal and sensitive personal information:
| Right | How to Exercise |
|---|---|
| Right to Know what data is collected | This Privacy Policy discloses all data; the app's EULA provides additional detail at first launch |
| Right to Deletion | Use "Delete All My Data" in the app's Settings tab |
| Right to Opt-Out of Sale/Sharing | Not applicable — we do not sell, share, or disclose your data to any third party |
| Right to Non-Discrimination | We do not discriminate for exercising any privacy right |

Data we collect: Voice recordings (audio), processed mathematical reference codes, and generated audio output — stored on-device only, never transmitted or sold.
7. Your Rights — Illinois Residents (BIPA)
Under the Illinois Biometric Information Privacy Act (740 ILCS 14), Illinois residents have the following rights regarding biometric data (including voiceprints):
- Notice: You are notified that biometric data (your voice recording) is being collected before any recording is made, via the EULA at first launch and the per-recording consent dialog.
- Written Release: Your acceptance of the EULA and the per-recording checkbox constitute the written release required by BIPA § 15(b).
- Purpose Disclosure: The sole purpose of collecting your voice recording is personal entertainment voice cloning.
- Retention Schedule: 30-day inactivity window, as described in Section 4.2 above. This publicly available schedule satisfies BIPA § 15(a).
- Protection Standard: AES-256-GCM encryption with hardware-backed key storage satisfies BIPA § 15(e).
- No Profit from Biometric Data: We do not sell, lease, trade, or profit from your biometric data (BIPA § 15(c)).
- No Disclosure: We do not disclose your biometric data to any third party (BIPA § 15(d)).
8. Children's Privacy (COPPA)
Voice Goof! is not directed at children under 13. We do not knowingly collect personal information from children under 13. The app's EULA requires users to be at least 13 years old. Users between 13 and 17 must have a parent or guardian accept the EULA on their behalf.
If you believe a child under 13 has used the app, contact us at admin@tech.puffyslippers.com. Because all data is stored locally on the device, the parent or guardian can immediately delete all data using "Delete All My Data" in Settings.
9. AI-Generated Content Disclosure
Every audio file generated by Voice Goof! is automatically marked as AI-generated using dual watermarking:
- LSB steganographic marker: A 16-bit app signature embedded inaudibly in every audio sample — machine-detectable, survives most re-encoding.
- RIFF LIST INFO metadata: Standard WAV header fields embed the app name, "AI cloned voice" designation, creation timestamp, and AI model names — readable by any standards-compliant audio tool.

This satisfies the EU AI Act Article 50 machine-readable marking requirement (enforcement date: August 2, 2026).
10. Third-Party AI Models
Voice Goof! bundles the following third-party AI models, which run entirely on your device:
| Model | Developer | License |
|---|---|---|
| Google Gemma 4 E2B | Google DeepMind | Apache License 2.0 |
| NeuTTS-Air | NeuTTS | License per distribution terms |

These models are used solely for on-device inference. No data is sent to Google, NeuTTS, or any other party during use.
11. Data Security
We implement the following measures to protect your data:
- AES-256-GCM encryption for all stored voice and audio files, with a unique random initialization vector per file
- Hardware-backed key storage via iOS Keychain and Android Keystore, locked to your specific device
- Automatic deletion of data inactive for 30 days
- No network transmission of any personal or biometric data
- No third-party SDKs that could collect or transmit data
12. Changes to This Policy
We will post any material changes to this Privacy Policy at this URL with an updated "Last Updated" date. For significant changes affecting your biometric data rights, we will display a notice within the app.
13. Contact & Data Requests
For privacy questions, data deletion requests, or to exercise any right described in this policy:
Puffy Slippers Tech LLC
Email: admin@tech.puffyslippers.com
Website: https://tech.puffyslippers.com
We will respond to verifiable requests within 45 days (CCPA / CPRA) or 30 days (GDPR).
14. Governing Law
This Privacy Policy is governed by the laws of the State of Washington, United States, without regard to conflict-of-law principles. EEA users retain all rights under GDPR regardless of governing law.
This Privacy Policy covers the Voice Goof! mobile application (com.voicegoof.app). It does not cover any third-party websites or services linked from within the app.
