Security
by architecture, not by policy.
A privacy promise is a commitment. An architecture is a constraint. SoundSense is designed so that the risky thing, uploading your audio, is not something the app is even capable of. This page explains the details, including what third parties can and cannot see.
What is on your device.
Everything that matters.
The machine learning classifier runs entirely on your iPhone. It ships bundled with the app: no download of model weights after install, no cloud round-trip for inference. That is true on the first launch, the hundredth launch, and forever.
Audio is never written to disk. We capture short buffers in volatile memory, feed them to the classifier, read the result, and release the memory. Even crash reports, if you opt in to them, do not include audio. The audio buffer is gone by the time the process can be snapshotted.
Sound fingerprints you train, your specific doorbell, your specific smoke detector, are stored in the iOS secure sandbox for this app. Other apps cannot read them. We cannot read them. If you uninstall SoundSense, they are gone.
What leaves your device
only if you choose.
Sound names and settings
If you turn on iCloud sync, the names you gave your sounds ("Front doorbell," "Upstairs smoke alarm") and their urgency settings back up to your personal iCloud container. That is all.
Never the fingerprint
The acoustic fingerprint itself, the thing that lets the classifier recognize your specific sound, does not sync. Never to iCloud, never to our servers (which do not exist for this purpose), never anywhere.
In transit and at rest.
For the small amount of data that does sync, sound names and settings, we use Apple's iCloud end-to-end encrypted containers. The data is encrypted on your device before it leaves, stays encrypted in iCloud, and is only decrypted on another device you own that is signed into the same Apple ID.
SoundSense does not operate its own backend servers for user data, which means there is no SoundSense server to breach. The smaller the attack surface, the smaller the failure mode.
What SoundSense asks for
and why.
Without it, the app cannot listen, which is the app's entire purpose. Used only while the app is running.
Alerts have to reach you. Notifications are how the app delivers visual alerts outside of the foreground.
If you enable context mode, coarse location lets the app tell "home" apart from "in the city" and adjust urgency accordingly.
No contacts, no photos, no calendar, no health, no tracking identifiers. If iOS ever shows you a permission dialog we do not list here, do not grant it. Tell us.
Found something?
Tell us, and we will thank you.
Send vulnerabilities to security@soundsense.app. Please give us a reasonable window to fix before public disclosure. 90 days is a good default, less for trivial issues, more if the fix requires coordination with Apple.
- ✓We acknowledge within 48 hours.
- ✓We give you an honest time estimate for a fix.
- ✓If you consent, we credit you in the release notes.
- ✓We do not take legal action against good-faith researchers.
Third parties
and what they see.
Distributes the app, processes in-app purchases (when Plus launches), and provides the end-to-end encrypted iCloud container for optional sync. Apple's privacy practices apply.
If you turn on crash reports, anonymized stack traces and device model data are sent to our crash-reporting vendor. No audio, no fingerprints, no user identifiers we generate. Current vendor: to be finalized before launch, will be listed here and in-app.
If you turn on usage metrics, screen-view counts and feature-use counts are sent to our analytics vendor. No audio, no content, no identifying data. Current vendor: PostHog (self-hosted, EU region), confirmed before launch.
This marketing site is hosted on Vercel. Vercel sees standard HTTP request logs. The site does not set tracking cookies or send analytics.
If we add a new vendor that touches any data from the app, we will list it here and update the privacy policy before the change ships.