Security & privacy

Voice and face data

How wake-word and face-recognition data is stored and protected.

Twoody uses your voice to recognise the wake words (« Twoody », « ChatGPT », « Claude », « Gemini ») and, optionally, your face to identify who is speaking in the home. Under GDPR, this data is considered specially sensitive and is processed solely on the basis of your explicit consent. Wake-word matching runs on the device itself — your voice doesn't stream to us every time you speak.

Never shared

Voice and face embeddings are stored encrypted on our servers and are never shared with third parties.

Integrity verified

Your Twoody speaker at home verifies the SHA-256 integrity of every biometric file it downloads before using it, to detect any tampering in transit.

Free to revoke

You can remove a voice or face embedding at any time from the app, and add or remove household members as you wish.

On-device matching

Wake-word matching runs entirely on your Twoody speaker (Dynamic Time Warping against reference samples you enrolled). We never stream the raw wake-word audio anywhere. The only time audio leaves the device is when you actually ask it something — and then only the relevant window, not the silence around it.

Explicit consent

Enrolling a voice or face is gated by a consent checkbox in the app, with a plain-language explanation of what the data is used for. You can withdraw consent at any time from the Members screen — per-asset and per-member.

Purpose limitation

Voice and face data is used strictly for wake-word and speaker recognition inside your own household. We don't use it to train generic models. We don't use it for cross-household analytics. It doesn't leave the scope of the household it was enrolled in.

Minor protections

A household member flagged as a minor can be enrolled by a parent for voice recognition, but no user account is created for that child. Their embeddings inherit the same retention rules as the parent who enrolled them.

Encrypted at rest

Voice profiles and face embeddings are stored in ActiveRecord-encrypted columns with a separate key from the main database key. A database dump of the biometric tables is unreadable without access to the encryption keys — which never live in the same place as the database.

Deep dive

On-device vs cloud

Wake-word matching (Dynamic Time Warping against reference samples) runs entirely on your Twoody speaker. We never stream the raw wake-word audio anywhere. When you choose to record a new wake-word sample from the app, the WAV is uploaded once, stored encrypted, and mirrored down to the device — which then uses it offline.

The same model applies to face embeddings: the embedding is computed locally from the image you uploaded, and the image itself can be deleted afterwards. The only copy of your biometric data that's always readable is the one on your device — we hold an encrypted backup so that setting up a second Twoody doesn't require re-enrolling.

Legal basis and consent

Biometric data is processed exclusively on the basis of your explicit consent (GDPR art. 9.2.a). You provide that consent the first time you enroll a member — a plain-language dialog describes what the data is used for, where it will be stored, and for how long.

You can withdraw consent at any time. The Members screen has per-asset delete buttons (one wake word, one voice profile, one face embedding) and a per-member delete button. On withdrawal, the embeddings are immediately erased from the database, the corresponding ActiveStorage blobs are queued for deletion, and the next device sync removes the files locally.

Integrity in transit

The device pulls biometric assets over HTTPS and, for every asset, compares the file's SHA-256 to the hash it received in the JSON payload. A byte-flipped or MITM'd file is rejected and not used. This defends against a future scenario where a network attacker manages to intercept traffic despite TLS (via a compromised CA) — the integrity check still holds.
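The hash check described above, as an added example that is not Twoody's firmware code: a device-side sync routine that recomputes each downloaded file's SHA-256, compares it to the manifest value in constant time, and fails closed on a mismatch or a malformed hash. The manifest field names and the sample bytes are constructed for the example.

```python
import hashlib
import hmac
import json

# Added example (not Twoody's code): the device-side integrity check the page
# describes, run against a constructed sync manifest. The manifest field names
# "assets", "name" and "sha256" are assumptions about the JSON payload.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_asset(expected_sha256, data: bytes) -> bool:
    """Match downloaded bytes to the manifest hash; fail closed on a bad hash."""
    if not isinstance(expected_sha256, str):
        return False
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, sha256_hex(data))


def sync_assets(manifest_json: str, downloads: dict) -> tuple:
    """Return (accepted, rejected) asset names; only accepted files would be
    written to the local store, so a tampered file never reaches the matcher.
    The check is only as strong as the manifest hash it compares against."""
    accepted, rejected = [], []
    for entry in json.loads(manifest_json).get("assets", []):
        name = entry.get("name")
        data = downloads.get(name)
        if data is not None and verify_asset(entry.get("sha256"), data):
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed sample: a stand-in for an enrolled wake-word WAV, plus a copy with
# one byte flipped, which is what corruption or tampering in transit looks like.
GOOD_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt constructed-sample-bytes"
FLIPPED_WAV = GOOD_WAV[:10] + bytes([GOOD_WAV[10] ^ 0x01]) + GOOD_WAV[11:]
SAMPLE_MANIFEST = json.dumps({"assets": [
    {"name": "wake_twoody.wav", "sha256": sha256_hex(GOOD_WAV)},
    {"name": "face_alice.bin", "sha256": "not-a-hash"},  # malformed: rejected
]})
```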

In professional deployments, certificate pinning can be enabled on the device so it only accepts certificates issued by Let's Encrypt's roots. A rogue CA on the firmware's trust store still wouldn't be able to serve a man-in-the-middle certificate for twoody.com.

The strongest assurance we can give on biometrics is: nothing about you leaves your home for matching. The cloud is a backup, not a hot path. If our servers went away for an hour, your Twoody would still recognise you and wake up to your voice.
