LEGAL DOCUMENTS

Privacy Policy

Effective Date: 20 May 2026 · Last Updated: 20 May 2026

Privacy at a Glance

We do not sell your data. We do not retain raw voice recordings. Your voice is processed only to extract acoustic parameters, then immediately deleted. We use Stripe for payments, Supabase for secure database storage, and Anthropic for optional AI narrative generation. You can delete your account and all data at any time. We are fully compliant with UK GDPR and the Data Protection Act 2018.

§ 01

Who We Are

This Privacy Policy explains how College of Human and Business Efficiency Ltd ("we", "us", "our"), trading as "PYTHIA" and operating pythiaoracle.com, collects, uses, and protects your personal data when you use our Service.

We are the Data Controller for the purposes of UK GDPR and the Data Protection Act 2018.

Registered company: College of Human and Business Efficiency Ltd, registered in England and Wales.

Contact for privacy matters: contact@viccaone.com

§ 02

What Data We Collect

Account Data

Email address, password (encrypted), name (optional), subscription tier

Voice Recordings

Audio files you record (processed and deleted immediately after analysis)

Acoustic Parameters

Extracted measurements: fundamental frequency, harmonics, jitter, shimmer, HNR, coherence values, timing characteristics

Session Data

Generated frequency protocols, session timestamps, your personal model history

Payment Data

Subscription status, Stripe customer ID (we do not store credit card numbers — these are held by Stripe)

Profile Data

For family/couple/practitioner tiers: profile names for additional users you create

Technical Data

IP address, browser type, device type, login timestamps (used for security and service improvement)

Communications

Emails you send us, support requests, feedback

§ 03

What Voice Data Is and Is Not

3.1 What Happens to Your Voice Recording

When you record your voice in the Service:

The audio file is uploaded over an encrypted connection (HTTPS)
The file is temporarily stored in server memory or temporary storage
Our algorithms extract acoustic parameters (numerical measurements)
The raw audio file is permanently deleted within seconds of analysis completion
Only the extracted parameters are retained as part of your session history

3.2 What We Do NOT Do With Your Voice

We do not retain raw voice recordings
We do not perform speaker identification or voice biometric authentication
We do not share voice recordings with third parties
We do not use your voice for training generic AI models
We do not analyse your voice content (what you say) — only acoustic properties of the sounds you make

3.3 Why Voice Recordings Are Not "Special Category" Data Under GDPR

Because we extract only acoustic parameters (frequency, amplitude, timing) and do not perform biometric identification, voice recordings as processed by PYTHIA are not classified as "special category" biometric data under UK GDPR Article 9. They are treated as standard personal data with appropriate security measures.

§ 04

Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

4.1 Contract (Article 6(1)(b))

To provide the Service you have subscribed to, including account management, voice analysis, protocol generation, and billing.

4.2 Legitimate Interest (Article 6(1)(f))

For service improvement, security, fraud prevention, and operational analytics. We balance these against your privacy rights.

4.3 Consent (Article 6(1)(a))

For optional marketing communications and certain non-essential cookies. You may withdraw consent at any time.

4.4 Legal Obligation (Article 6(1)(c))

For compliance with tax, accounting, regulatory, and law enforcement requirements.

§ 05

How We Use Your Data

We use your personal data to:

Authenticate your account and provide secure access to the Service
Process your voice recordings to generate personalised frequency protocols
Maintain your session history for your own reference and to improve your personal model
Process subscription payments via Stripe
Send you essential service emails (account confirmations, billing, security notices)
Provide customer support when you contact us
Detect and prevent fraud, abuse, or violation of our Terms
Comply with legal and regulatory obligations
Improve and develop the Service (using anonymised or aggregated data where possible)

§ 06

Third-Party Data Processors

We use carefully selected third-party services to operate the Service. Each is a Data Processor acting on our instructions:

Stripe

Payment processing. Receives: email, name, payment card details (Stripe-encrypted), billing address. Stripe is PCI DSS compliant and GDPR compliant.

Supabase

Secure database hosting for account data and acoustic parameters. Hosted in EU data centres. GDPR compliant.

Fly.io

Application hosting infrastructure. Temporary processing of voice files during analysis. GDPR compliant.

Anthropic (optional)

AI-generated narrative summaries (when intelligence layer is active). Receives: acoustic parameters only — never voice recordings. GDPR compliant.

Email service

Account emails and support communications.

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

§ 07

Data Retention

We retain your personal data only as long as necessary:

Account data: While your account is active, plus 90 days after deletion
Voice recordings (raw): Deleted within seconds of analysis
Acoustic parameters & session history: While your account is active
Payment records: 7 years for UK tax compliance
Support communications: 2 years
Anonymised analytics: Indefinitely (no longer identifies you)

§ 08

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

8.1 Right to Access

You may request a copy of the personal data we hold about you.

8.2 Right to Rectification

You may request correction of inaccurate or incomplete data.

8.3 Right to Erasure (Right to Be Forgotten)

You may request deletion of your personal data. Deletion is permanent and removes your personal algorithmic model — it cannot be recovered.

8.4 Right to Restriction

You may request that we limit how we use your data while a request is being investigated.

8.5 Right to Data Portability

You may request your data in a machine-readable format for transfer to another service.

8.6 Right to Object

You may object to processing based on legitimate interest, including for marketing.

8.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time.

8.8 How to Exercise Your Rights

To exercise any of these rights, email us at contact@viccaone.com. We will respond within 30 days. We may need to verify your identity before processing your request.

8.9 Right to Complain

If you believe we have mishandled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

§ 09

Security Measures

We implement industry-standard security measures to protect your data, including:

Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
Encryption at rest: Database storage is encrypted
Password security: Passwords are hashed using industry-standard algorithms (we cannot see your password)
Access control: Internal access to user data is restricted and logged
Regular security review: We review our security practices regularly
Breach notification: In the event of a data breach affecting your rights, we will notify you and the ICO within 72 hours where required by law

However, no online service can guarantee absolute security. By using the Service, you acknowledge this risk and agree to take reasonable steps to protect your account (strong password, not sharing credentials).

§ 10

International Data Transfers

Some of our third-party processors (e.g., Stripe, Anthropic) may process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, such as:

EU Standard Contractual Clauses
UK International Data Transfer Agreement (IDTA)
Adequacy decisions by the UK Government or European Commission

§ 11

Cookies and Tracking

We use cookies and similar technologies to:

Maintain your authenticated session (essential)
Remember your preferences (functional)
Analyse anonymous usage patterns (analytics, with consent)

We do not use third-party advertising or tracking cookies. You can control cookies through your browser settings.

§ 12

Children's Privacy

The Service is intended for users aged 18 and over. We do not knowingly collect data from children under 18. If we become aware that a minor has created an account, we will delete the account and associated data. If you believe a minor has used the Service without parental consent, contact us at contact@viccaone.com.

§ 13

Marketing Communications

We may send you essential service emails (about your account, billing, security, or material changes to terms). These are not marketing.

For marketing emails (product updates, new features, offers), we will ask for your explicit consent at signup or in your account settings. You can unsubscribe at any time by clicking the link in any marketing email or updating your preferences.

§ 14

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email or via in-app notification at least 14 days before they take effect. The "Last Updated" date at the top of this page indicates when changes were last made.

Data Protection Contact

Data Controller: College of Human and Business Efficiency Ltd

Trading As: PYTHIA / ANAX Institute

Privacy Inquiries: contact@viccaone.com

Website: pythiaoracle.com

For any questions about how we handle your data, to exercise your GDPR rights, or to file a privacy complaint, please email us at the address above. We respond to all privacy requests within 30 days.