VoC

The Glass Room — security, privacy & data handling in plain language

Your raw customer feedback is parsed in your browser and never uploaded — only de-identified, redacted aggregates ever leave the device — so you get a branded Voice-of-the-Customer dashboard in minutes while the most sensitive data stays on your laptop.

Last updated 20 June 2026

This page is written to be read before a trial, not after — by the person whose job is to say no. It is public, form-free and downloadable, so a champion can forward one URL to InfoSec, the DPO or procurement and unblock the decision the same day. We name the single real caveat (a US AI endpoint under EU Standard Contractual Clauses) rather than hiding it, because a trust page that hides things isn't one.

The one-paragraph version. VoC parses your feedback exports in the browser. Raw comments and any PII inside them are never uploaded to us. When you press a ✨ insight button, the tool sends only (a) aggregated statistics with no raw text and (b) comment text that has already been de-identified in your browser — to an AI service, to write the narrative. There is no application database: nothing about your feedback is persisted on our servers. Last reviewed: 17 June 2026.

1. How your data actually flows

"Raw files never leave the browser" is an architecture, not a slogan. Here is the whole path, end to end. Read it top to bottom: everything inside the box runs on your device.

  Your export files (Excel / CSV)
  Trustpilot · Bazaarvoice · NPS · Google · App Store / Play · +more
        │   you drop them into the page
        ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  YOUR BROWSER  (nothing here is uploaded)                    │
 │   • parses every file, computes the whole dashboard          │
 │   • stores months locally (IndexedDB), this profile only     │
 │   • DE-IDENTIFIES comment text before any AI call            │
 │                                                              │
 │        on an explicit ✨ click, and only then:               │
 │        ▸ aggregated stats  (counts, scores — NO raw text)    │
 │        ▸ redacted comments (emails/links/IBANs/long numbers  │
 │          already replaced with placeholders)                 │
 └───────────────────────────────┬─────────────────────────────┘
                                 ▼
   OUR PROXY  — Cloudflare Pages Function, EU edge
     • verifies your login · attaches the AI key (server-side)
                                 ▼
   AI NARRATIVE  — returns written text → your dashboard

Read this off the diagram: raw export files and the locally-stored months are never transmitted. The only thing that ever leaves your device is the de-identified payload, and only when a human clicks a button. No background sync, no telemetry of your content, no "upload to get started".

2. What we never see vs. what transits

The honest table. Everything in the left column stays on your machine; everything in the right column is the minimum needed to write the narrative, after de-identification.

Data | Never uploaded (stays in your browser) | Transits (only on an explicit ✨ click)
Raw export files (xlsx / csv) | ✓ Never leaves the device |
Full raw comment text | ✓ Never leaves the device |
PII in comments (emails, links, IBANs, phone/order/customer numbers) | ✓ Pattern-redacted before anything is sent | — (replaced with placeholders first)
Reviewer names / account IDs from the source files | ✓ Used only locally to de-duplicate; not transmitted |
Aggregated statistics (counts, scores, theme tallies) | Computed locally | Sent — no raw text in them
De-identified comment text (for the narrative) | Redacted locally first | Sent — placeholders in place of detected PII

See exactly what gets sent — a real before/after

What a customer typed (stays in your browser):

"Great staff at the Köln store but my order 4471902883 never arrived — call me on +49 171 555 0199 or email anna.becker@example.de, IBAN DE89 3704 0044 0532 0130 00 for the refund."

What the AI service actually receives (after in-browser redaction):

"Great staff at the [LOC] store but my order [NUM] never arrived — call me on [NUM] or email [EMAIL], IBAN [IBAN] for the refund."

The honest limitation: a name or address written in plain prose (not as an email, link, IBAN or long number) is not pattern-detectable and can be transmitted. We treat that as the one accepted residual risk — mitigated by keeping outputs internal-confidential and the audience small — and we document it openly in the DPIA (risk R1) rather than implying the redaction is perfect.

Exactly what gets redacted, today: email addresses, URLs/links, IBANs, and any run of 7 or more digits (phone, order and customer numbers). Aggregated statistics contain no raw comment text at all.
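
The redaction step above, as an added example that is not VoC's own code: it implements the four rule classes the page lists (email addresses, URLs/links, IBANs, and runs of 7 or more digits) as plain regular expressions, runs them over the page's own sample comment, and then over a second constructed comment in which a name and street address appear only in plain prose, which is exactly the residual risk R1 the text describes: no pattern fires and the words pass through. Two things are assumptions rather than page facts: single spaces are tolerated inside digit runs and IBAN groups (the page's own sample phone number and IBAN are spaced), and the `payloadStillMatchesPII` gate that re-scans the outgoing payload before any send is a defence-in-depth check of this example's design, not a documented product feature. The `[LOC]` placeholder shown in the page's before/after is not among the four listed rules, so this code leaves "Köln" untouched; the payload field names are also this example's, not the product's.

```javascript
// Added example, not VoC's own code: the in-browser de-identification step
// described in section 2, built from the four rule classes the page lists
// (email addresses, URLs/links, IBANs, runs of 7+ digits). Runs entirely
// client-side; nothing here performs a network call.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Links need a scheme or "www." so a bare domain mentioned in prose is left alone.
const URL_RE = /(?:https?:\/\/|www\.)[^\s<>"']+/gi;
// IBAN: country code, two check digits, then 11-30 alphanumerics. Printed IBANs
// are grouped in fours, so one optional space is allowed before each character.
const IBAN_RE = /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b/g;
// "Any run of 7 or more digits". Assumption beyond the literal rule: single
// spaces between digits are tolerated, as in the page's own sample phone number.
const LONG_NUMBER_RE = /\+?\d(?: ?\d){6,}/g;

// Order matters: IBANs before the digit rule (or their groups become [NUM]),
// emails before URLs so an address inside a link is tagged once.
const RULES = [
  ['EMAIL', EMAIL_RE],
  ['URL', URL_RE],
  ['IBAN', IBAN_RE],
  ['NUM', LONG_NUMBER_RE],
];

// Replace every match with its placeholder and count what was redacted per class.
function redactComment(text) {
  const counts = { EMAIL: 0, URL: 0, IBAN: 0, NUM: 0 };
  let out = text;
  for (const [tag, re] of RULES) {
    out = out.replace(re, (m) => {
      counts[tag] += 1;
      // A URL match may swallow trailing sentence punctuation; keep it outside the tag.
      const trail = tag === 'URL' ? m.match(/[.,;:!?)]*$/)[0] : '';
      return `[${tag}]${trail}`;
    });
  }
  return { text: out, counts };
}

// Defence-in-depth gate (an assumption, not something the page describes): run
// the same patterns over the serialised payload right before the fetch and
// refuse to send if anything still matches.
function payloadStillMatchesPII(payloadText) {
  return RULES.some(([, re]) => {
    re.lastIndex = 0;
    return re.test(payloadText);
  });
}

// What an insight click would send: aggregates with no raw text plus the
// redacted comments. Field names are this example's, not the product's.
function buildInsightPayload(rows) {
  const redacted = rows.map((r) => redactComment(r.comment));
  const redactions = { EMAIL: 0, URL: 0, IBAN: 0, NUM: 0 };
  for (const r of redacted) for (const k in r.counts) redactions[k] += r.counts[k];
  return {
    stats: {
      count: rows.length,
      meanScore: rows.reduce((s, r) => s + r.score, 0) / rows.length,
      redactions,
    },
    comments: redacted.map((r) => r.text),
  };
}

// Constructed sample rows. The first is the page's own before/after comment; the
// second shows the documented residual risk: a name and street address written in
// plain prose match no pattern and pass through unchanged.
const SAMPLE_ROWS = [
  { score: 4, comment: 'Great staff at the Köln store but my order 4471902883 never arrived — call me on +49 171 555 0199 or email anna.becker@example.de, IBAN DE89 3704 0044 0532 0130 00 for the refund.' },
  { score: 2, comment: 'Tell Anna Becker at Hauptstraße 12 that the parcel went to the wrong flat, see https://track.example/t/991 for details.' },
];

const payload = buildInsightPayload(SAMPLE_ROWS);
if (payloadStillMatchesPII(JSON.stringify(payload))) {
  throw new Error('refusing to send: a PII pattern still matches the payload');
}
console.log(JSON.stringify(payload, null, 2));
```

Running it prints the payload that would transit: a count, a mean score, per-class redaction tallies, and the two comments with placeholders in place of the order number, phone number, email and IBAN. "Köln", "Anna Becker" and "Hauptstraße 12" survive, which is the point of the second row: pattern redaction bounds the classes it names and nothing more, so the accepted residual risk is visible in the output rather than implied away.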

3. Sub-processor register — named and dated

Two sub-processors. That's the whole list. We name them, where they run, and the safeguard each operates under.

Sub-processor | What it does | Location | Safeguard
Cloudflare, Inc. | EU-edge hosting, the Access login gateway, and the AI proxy (it routes the request and holds the key — it runs no model) | EU edge; global network | Cloudflare DPA incorporating EU SCCs
Anthropic, PBC | Generates the AI narrative from the de-identified payload | United States (standard endpoint) | Commercial Terms incorporating the DPA + EU SCCs; no training on API data; short retention

The one real caveat, stated plainly. A direct EU-region Anthropic endpoint is not currently available, so the standard (US) endpoint is used under the DPA and EU SCCs. The data crossing the border is already de-identified — aggregates plus redacted text, with no direct identifier and no way to single out an individual from it alone. Third-party model routers (e.g. OpenRouter) are disabled so no further sub-processor is introduced. An EU-resident inference route (AWS Bedrock EU geo profile, keeping inference inside EU regions) is the documented upgrade path if EU-only processing is a hard requirement for your deployment.

30-day change notice. We will not add or swap a sub-processor that touches your data without giving you at least 30 days' written notice, leaving you time to object before the change takes effect. This register is dated and maintained — last reviewed 17 June 2026.

4. Access controls & data residency

  • Allow-list, not open sign-up. The app sits behind Cloudflare Access. Only email addresses you approve can reach it.
  • Per-person login. Each user authenticates with their own email — no shared passwords, no anonymous access.
  • Short sessions, instant revoke. Sessions last 24 hours; removing someone from the allow-list cuts their access immediately.
  • Saved reports are inert off the URL. A boot-time session check means a copied or saved file will not run for anyone outside the gateway.
  • EU-edge hosting. The app and proxy are served from Cloudflare's EU edge.
  • No application database. There is nothing for us to breach: your feedback lives in your browser and your own exports, never in a central store keyed to individuals.
  • Retention = none for raw data. We keep no raw comments or files. Anthropic applies short retention to the API payload and does not train on it.
  • The AI key is server-side only. It never reaches the browser; usage is metered per seat and capped, and the key is revocable.

SSO / SAML — stated honestly. Today, access is enforced through the Cloudflare Access allow-list with per-person email login. Full SAML/OIDC single sign-on against your IdP is on the roadmap, not yet shipped. If SSO is a gating requirement, tell us at the trial stage — Cloudflare Access can already federate to common identity providers for managed deployments, and we'll scope it with you.

5. GDPR posture — roles, basis and documents

In plain terms: you are the controller of your customers' feedback; VoC (and its two sub-processors) act as processors on your instructions. We make no decisions about your data subjects and run no profiling, marketing or automated decisions.

Question | Plain answer
Controller | You (the retailer whose customers gave the feedback)
Processors | VoC, plus Cloudflare and Anthropic as sub-processors (§3)
Lawful basis for the analytics | Legitimate interest (Art. 6(1)(f)) — acting on feedback customers already provided. The three-part test is written out in the LIA.
Special-category data | None processed by design (Art. 9)
Data-subject rights | No new central, individually-addressable store is created; access/erasure/objection are honoured at your source feedback systems, which remain the system of record
International transfer | De-identified payload to the US under EU SCCs + DPA; a transfer impact assessment is recorded in the DPIA

DPA. A data processing agreement with the §3 sub-processors and EU SCCs is available to sign. Use the request-a-DPA path and we'll send the ready-to-sign document — no sales call required to get the paperwork. Both the DPIA and LIA are dated 17 June 2026 and maintained, not abandoned.

6. Send this to your security team

Everything a reviewer needs is public and downloadable without a form or a login. Forward this URL; the pack below answers the standard questions before they're asked.

  • One-page security summary (PDF). The architecture, the data-flow, the sub-processor register and the residency facts on a single page a CISO can skim. Request the PDF (kept current with this page).
  • Standard vendor-security questionnaire — answered. Hosting, encryption in transit, access control, data residency, retention, sub-processors, incident handling and the in-browser architecture, mapped to the usual SIG / CAIQ-style questions. Ask for the completed questionnaire.
  • Security / vulnerability disclosure. Found something? Email security@voc.example. We acknowledge reports and won't pursue good-faith research.

Certifications — the honest posture. SOC 2 and ISO 27001 are not yet in place — we won't claim a badge we don't hold. Here's why that's a smaller gap than usual: the in-browser architecture means there is no application database and no central store of your customers' raw feedback for an auditor — or an attacker — to assess. The most sensitive data simply never reaches our infrastructure, which shrinks the attack surface to the proxy and the gateway. Formal certification is on the roadmap; in the meantime, the controls on this page are real, implemented and documented in the DPIA, and we'd rather earn trust with the architecture than with a logo.

The fastest way to evaluate us is to use us

Because nothing is stored, a trial costs you no exposure: drop in an export, watch your branded dashboard build in minutes, and see for yourself that the raw file never leaves the tab. Two analyst-days of work, finished while you watch — with the sensitive part staying on your device.

Prefer a person? Request a DPA or talk to a human →  ·  14-day free trial, no credit card, per-seat. EU/GDPR-aware by design.

Start free — no credit card  ·  See a sample dashboard