> Trust Charter

🛡 Trust Isn't a Feature—It's the Foundation

This charter explains how we design our systems, our organization, and our legal commitments so that your data cannot be misused, even if someone wanted to.

Last updated: November 18, 2025

Our Core Promise

✓ Your data never trains third-party AI.
✓ Your data is never sent to any external AI company or model.
✓ All AI processing happens on open-source models we host ourselves.
✓ We collect as little data as possible, and delete it as soon as we can.

> These are not just marketing lines—they are enforced in code, in infrastructure, and in our governance structure.

Section 1
// MINIMIZATION

Data Minimization by Design

We design Deep Vote so that we never hold more information than we need.

Avoid PII Collection
We avoid collecting personally identifying information wherever possible.
No Accounts Required
We do not require accounts to participate in most votes.
Anonymized Summaries
Raw conversations are processed into anonymized summaries and then scheduled for deletion.
Aggressive Metadata Stripping
We aggressively strip or anonymize metadata (IP addresses, device details, etc.) wherever feasible.

> You can't leak what you never stored.

Section 2
// INFRASTRUCTURE

Self-Hosted, Open-Source AI Only

All AI processing for Deep Vote happens on open-source models running on infrastructure we control.

Model Requirements

Only models that meet all of the following criteria may be used:
1. Downloadable, self-hostable weights
2. Open-source or similarly permissive license
3. Registered and approved in our internal Model Registry (with checksums and versioning)

• We do not use external AI APIs for production traffic.
• Our inference servers run in a private network, with no outbound internet access.
• If a model is not in the registry, it simply cannot be loaded in production.

Section 3
// COMMITMENT

No 3rd-Party AI Access. Ever.

We commit to the following:
❌ We do NOT send your data to any third-party AI service for:
• inference
• fine-tuning
• "product improvement"
✓ We configure our cloud providers so they cannot use your data to train or improve their own models.
✓ Our production codebase and CI pipeline actively block the inclusion of external AI SDKs and API clients.

> This is enforced both technically and contractually.

Section 4
// ENCRYPTION

Encryption & Zero-Knowledge Principles

We strive toward a zero-knowledge architecture, where our systems see as little as possible.

Data in Transit
Always encrypted (HTTPS/TLS).
Data at Rest
Encrypted with strong keys stored in secure key management systems.
Future Goal
Where feasible, we design flows so that only the vote organizer can decrypt detailed results, while our servers only handle encrypted blobs.

> Over time, our goal is to make it cryptographically impossible for us to read anything beyond what's strictly required to provide the service.

Section 5
// RETENTION

Strict Data Retention & Deletion

We set clear, conservative retention rules and treat retention as a liability, not an asset.

Raw Conversation Text
Kept only as long as needed for analysis and is then deleted.
Summaries & Vote Results
Retained only while the vote remains active, or as long as the organizer chooses.
Deletion Requests
Organizer accounts can request deletion of votes and associated data, which we honor promptly and completely (including backups once within rotation).

Section 6
// GOVERNANCE

The Deep Vote Trust Foundation

To make these commitments durable, Deep Vote's core privacy and AI policies are stewarded by an independent, privacy-first entity: the Deep Vote Trust Foundation.

Foundation Bylaws

Immutable Principle 1
No user data may be sent to third-party AI services.
Immutable Principle 2
Only open-source, self-hosted models may be used for AI processing of user data.
Change Requirements
These principles cannot be changed without a supermajority vote of the Foundation's board and a public notice period.
Acquisition Protection
In any acquisition or structural change, user data must either remain under these same protections, or be securely deleted.

> This ensures our privacy stance cannot quietly "flip" in the future.

Section 7
// VERIFICATION

Transparency, Audits & Verification

We want you to be able to verify, not just believe.

Open Source Pipeline
We plan to open-source the critical parts of our data and AI pipeline, so anyone can inspect how data flows.
Public Model Registry
We maintain a public Model Registry listing all models we use (name, version, license, checksum).
Regular Third-Party Audits
We undergo regular security and privacy audits to confirm no external AI endpoints are reachable from production, only approved models are used, and retention aligns with this charter.
Published Audit Summaries
We publish high-level summaries of these audits on our website.

Section 8
// YOUR RIGHTS

Your Rights

As a user or vote participant, you have the right to:

• Know what data we collect and why.
• Request deletion of your data where applicable.
• Know which models and infrastructure are used to process your data.
• Be notified if we ever propose changes to this charter that meaningfully affect your privacy or data handling.

> You can contact us at privacy@deep-vote.com with any questions, concerns, or requests related to your data.

🧩 Concrete Architecture

Here's how we enforce these commitments in our actual infrastructure:

Client (Browser)

• Renders vote UI and AI conversation interface
• Communicates only with Backend over HTTPS
• No direct external API calls

Backend API

• Stateless web service
• Handles vote creation & authentication
• Orchestrates AI conversations
• Aggregates results

LLM Inference Gateway

• Internal-only HTTP/gRPC API
• Dispatches to approved model runtimes
• Network-isolated: no outbound internet
• Only accepts calls from Backend

Model Runtimes

• vLLM / TGI / llama.cpp instances
• Load weights only from internal storage
• Verify checksums against Model Registry
• Cannot load unapproved models

Model Registry

• Lists all approved models
• Includes name, version, checksum, license
• Enforced by Gateway and Runtimes
• Audit trail for all changes
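
The registry check described for the Model Runtimes and Model Registry above, sketched as an added example (not Deep Vote's code): a loader-side gate that refuses weights that are unregistered, stored outside internal storage, or whose checksum differs from the registry entry. The registry layout, the `storage_root` parameter, the choice of SHA-256 and all names here are assumptions; the weight files are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


class ModelRejected(Exception):
    """Weights failed a registry check; the runtime must not load them."""


def sha256_file(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):  # stream large files
            digest.update(chunk)
    return digest.hexdigest()


def verify_weights(path, name, version, registry, storage_root):
    """Return the resolved path only if it passes every registry check."""
    if (name, version) not in registry:
        raise ModelRejected(f"{name}@{version} is not in the registry")
    resolved = Path(path).resolve()  # follow symlinks before the containment check
    if not resolved.is_relative_to(Path(storage_root).resolve()):
        raise ModelRejected("weights are outside internal storage")
    if sha256_file(resolved) != registry[(name, version)]["sha256"]:
        raise ModelRejected(f"checksum mismatch for {name}@{version}")
    return resolved


def demo():
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        good, bad = Path(root, "approved.bin"), Path(root, "tampered.bin")
        good.write_bytes(b"constructed sample weights")
        bad.write_bytes(b"constructed sample weights, modified")
        registry = {("example-model", "1.0"): {"sha256": sha256_file(good)}}  # constructed
        cases = [("approved", good, "example-model"), ("tampered", bad, "example-model"),
                 ("unregistered", good, "other-model")]
        for label, path, name in cases:
            try:
                verify_weights(path, name, "1.0", registry, root)
                outcomes[label] = "ok"
            except ModelRejected as exc:
                outcomes[label] = str(exc)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The gate fails closed: any path that does not end in a matching registry entry raises, so a runtime that calls it before loading cannot start with unapproved weights.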

Database & Encryption

• Minimal participant artifacts stored
• Raw logs in short-lived tables with TTL
• KMS/HSM for encryption keys
• Immutable audit log

Deep Vote exists to make group decisions clearer, fairer, and more transparent—without ever trading away your privacy.

If we can't do both, we won't do it.
