Valoquent is built by Lantern Works with security as the design foundation. This page documents what data is collected, who processes it, how long it is kept, and what controls are in place.
Encryption everywhereAll data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Voice, conversations, and personal information are never transmitted over unencrypted channels.
Your data is not sold or licensedLantern Works does not sell, license, or share personal data for advertising, marketing, or model training. Conversation content is processed by the AI vendors listed below solely to deliver the Valoquent experience. Each vendor's independent data practices are documented in their own privacy policies, linked from the Privacy Policy.
Minimal data collectionLantern Works collects only what is needed to deliver the experience: authentication credentials, conversation transcripts (used for the conversation meter, character memory, the Tapestry, and learning reports), voice audio (streamed in real time, retained briefly per the policy below), and basic usage analytics.
Secure authenticationValoquent supports Sign in with Apple and Sign in with Google, verified using JWT validation. Lantern Works never sees or stores your Apple or Google password.
Account deletion built into the productAccount deletion was included in V1. It is in the app, not behind a support ticket. Deleting an account removes all associated conversations, character memory, and personal data atomically. The exit is part of the design.
Lantern Works follows the SOC 2 Trust Service Criteria across all five categories. Formal Type I audit is planned.
Lantern Works works with audited service providers to deliver the Valoquent experience. All vendors are subject to a vendor security assessment and are contractually required to protect data through Data Processing Agreements.
| Partner | Role | Security status |
|---|---|---|
| Neon | Database hosting (PostgreSQL). Stores conversation transcripts, user accounts, and character memory. | SOC 2 Type I & II |
| LiveKit | Real-time audio and video transport. Routes voice and video between the user's device and the agent. | SOC 2 Type II |
| ElevenAgents (ElevenLabs) | Agents platform: real-time voice synthesis (TTS), speech-to-text (STT), and agent orchestration. Hosts the per-character agents and brokers calls to the underlying language model. ElevenAgents has direct access to user audio and conversation state during sessions. | SOC 2 Type II |
| Anthropic | Underlying language model configured inside ElevenAgents for character text generation. Anthropic also receives a separate direct API call from the Replit server for post-session learning report generation. Receives text payloads only; no user audio. | SOC 2 Type I & II |
| Lemon Slice | AI avatar video generation. Receives avatar source images and synthesized audio to produce lip-synced video for character responses. | Security review in progress |
| RevenueCat | Subscription and in-app purchase management. Handles App Store (iOS) and Google Play (Android) receipt validation and entitlement state across both platforms. | SOC 2 Type II / PCI-DSS |
| Replit | Development and hosting infrastructure. The Express API server and web properties run on Replit's platform. | SOC 2 compliant |
| Apple | Authentication (Sign in with Apple). Apple-issued JWTs are cryptographically verified server-side; Lantern Works never receives or stores your Apple password. | Apple authentication security |
| Authentication (Sign in with Google). Google-issued tokens are verified via OAuth 2.0 and JWT validation. Lantern Works never receives or stores your Google password. | OAuth 2.0 / JWT validation |
Lantern Works maintains a documented incident response plan with defined severity levels, response timelines, and notification procedures. In the event of a security incident affecting user data, impacted users will be notified in accordance with applicable law.
If you discover a security vulnerability in Valoquent, please report it to [email protected]. I take all reports seriously and respond within 48 hours.
Please include a description of the issue, the steps to reproduce it, and any relevant supporting material. I do not pursue legal action against researchers who report in good faith.
Security inquiries, data requests, and compliance questions
[email protected]