Security & Trust
Last updated: July 13, 2026
Overview
Moduvox processes sensitive data: uploaded PowerPoint files, voice samples for AI cloning, generated narration text and audio, and viewer engagement data. This page describes how each type of data is stored, encrypted, retained, and deleted.
We believe in being transparent about what we actually do today, not what we plan to do. Where we identify gaps in our current implementation, we note them below.
1. Data Storage
Voice Samples
Voice samples are uploaded directly from your browser to Cloudflare R2 object storage using time-limited presigned URLs (1-hour expiry). The audio file never passes through our application server. File paths are structured as{userId}/{uuid}.{ext}in the moduvox-audio R2 bucket.
When you generate a voice clone, the sample is sent to our TTS provider (HuggingFace or a self-hosted inference server) for processing. The generated narration audio is returned and stored in R2. The TTS provider does not retain the voice sample after processing.
Consent tracking: When you clone a voice, we record your consent (timestamp, IP address, and user agent) alongside the voice record. This data is stored in the database and used to demonstrate that informed consent was obtained.
Uploaded Presentations
PowerPoint files are uploaded directly to R2 at{userId}/{presentationId}.pptx. After upload, a stateless worker converts the PPTX to per-slide PDFs stored at{userId}/pdf/{presId}/slide-{N}.pdf. The worker runs in an isolated Docker container and cleans up all temporary files after each conversion.
Generated narration audio is stored as per-slide WAV files and a combined WAV at {userId}/audio/{presId}/.
Viewer Data
When viewers access a shared presentation with email gating, we collect their name, email address, IP address, and user agent. Tracking events (opens, progress updates, completions, closes) are stored with timestamps and associated with the viewer record. Presentation owners can see aggregated viewer data (names, emails, progress, time spent) in their dashboard.
2. Encryption
In Transit
All data transmitted between your browser and Moduvox is encrypted via HTTPS/TLS. Vercel (our hosting provider) terminates TLS at the edge. All communication with Cloudflare R2, Supabase, and third-party APIs uses HTTPS. The PPTX conversion worker on Render is accessible only via HTTPS.
At Rest
Cloudflare R2 provides default AES-256 server-side encryption for all stored objects (voice samples, audio files, PDFs). Your Gemini API key (if provided) is encrypted at rest in the database using AES-256-GCM with a server-side key. Share link passwords are hashed using bcrypt with 12 salt rounds.
What is not encrypted at rest: User email addresses, viewer email addresses, IP addresses, presentation content, narration text, and other application data are stored as plaintext in the database. Row-Level Security (RLS) policies restrict access to this data at the database level — only authenticated users can access their own data, and RLS is enabled on every table.
3. Data Retention & Deletion
Voice Samples
When you delete a voice clone from your dashboard, the voice sample file is immediately removed from R2 and the database record is deleted. Preview audio files are cleaned up when you delete your account but not when you delete an individual voice (we track this as a known gap).
Presentations & Audio
Deleting a presentation removes the PowerPoint file from R2 and cascade-deletes associated database records (viewers, events, narration versions, audit log) via foreign key constraints. Per-slide PDFs and audio files remain in R2 after presentation deletion — we are actively working on adding cleanup for these.
Account Deletion
You can delete your account from Settings. This removes your user record, all projects, presentations, voices, viewer data, and waitlist entries from the database via cascade deletes. Voice sample files are cleaned up from R2. Voice clone consent records are deleted with the voice records.
Known gap: Account deletion does not currently clean up presentation-related R2 files (PPTX files, per-slide PDFs, and audio files). These remain in storage as orphaned objects. We are working on adding full R2 cleanup to the account deletion flow.
Viewer Data
Viewer tracking data is retained as long as the associated presentation exists. When a presentation is deleted, viewer records and events are cascade-deleted from the database. There is currently no self-service mechanism for viewers to request deletion of their own data — please contactanubhavrai100@gmail.comfor manual processing.
4. Third-Party Data Processing
Moduvox shares data with the following service providers:
Cloudflare R2
All file storage (voice samples, audio files, PDFs). AES-256 encryption at rest. Data distributed globally via Cloudflare's edge network.
HuggingFace / Self-Hosted Inference
Voice cloning and audio generation. Receives voice sample audio and narration text during processing. Samples are not retained after processing.
Google Gemini
Narration text generation. Receives slide titles and bullet points when generating narration scripts. You can provide your own API key in Settings to use your own Gemini quota.
Supabase
Database, authentication, Row-Level Security. All structured data resides in Supabase Postgres on AWS US-East. Encrypted at rest and in transit.
Resend
Transactional email delivery (welcome emails, magic links, feedback notifications). Receives recipient name and email address.
Sentry (Germany)
Error monitoring. May receive error context including request payloads. Data processed in Sentry's German region (GDPR-compliant).
Vercel + Render
Application hosting (Vercel) and PPTX conversion worker (Render). All data passes through these providers' networks in transit.
Each provider is bound by data processing agreements. Your data is processed only for the purposes described on this page and in ourPrivacy Policy.
5. User Controls
- Delete a voice clone: Go to My Voices, click the delete icon. Voice sample and database record are removed immediately.
- Delete a presentation: Open the presentation menu and select Delete. The PPTX file and all associated database records are removed.
- Delete your account:Go to Settings > Delete Account. Your user data, projects, presentations, voices, and viewer data are removed.
- Use your own Gemini key: Go to Settings to provide your own API key. Narration generation will use your quota instead of the shared key.
- Expire a shared link: Set an expiration date in Share Settings. Viewers will see a 410 error after the expiration date.
6. Access Controls
Row-Level Security (RLS) is enabled on all database tables. Users can only access their own data through RLS policies enforced at the database level. Shared presentations are protected by:
- A unique, unguessable share token (UUID v4)
- Optional bcrypt-hashed password protection
- Optional email gating with 15-minute magic link expiry
- Optional presentation expiration date
Viewer tracking is rate-limited (100 events/minute/presentation) and gated by session tokens validated server-side before any event is recorded.
7. What We Are Working On
We track our security posture openly. These are the known gaps we are actively addressing:
- Automatic cleanup of orphaned R2 files (PDFs, audio) on presentation and account deletion
- Security headers (HSTS, CSP, X-Frame-Options) on all responses
- Preview audio cleanup on individual voice deletion
- Audit log viewer for account owners
- Viewer self-service data export and deletion
- Data retention limits on tracking events and email logs
8. Reporting a Vulnerability
If you discover a security issue, please emailanubhavrai100@gmail.com. We will acknowledge receipt within 48 hours and work to address the issue promptly.