The seven promises
These promises are the product. They hold in v1 without exception; a violation is a P0 defect.
- Audio never leaves the device. Recording, transcription, and minutes generation all run locally.
- Transcripts and minutes are stored encrypted at rest on the device.
- Zero outbound network calls from the core app carrying user content — no telemetry, no analytics, no "anonymous" launch counters. The one narrow, opt-in exception (model download) is described below.
- Exports are user-initiated, one meeting at a time, with a confirmation screen showing exactly what will be sent and where.
- No account is required. No cloud sync. No login.
- An open architecture page (this one) explains exactly what runs where.
- Privacy-critical code is open source, so the claims above are verifiable rather than asserted.
What runs where
| Stage | Where it runs | How |
|---|---|---|
| Recording | On-device | Microphone → foreground service → app-private storage |
| Encryption at rest | On-device | AES-256-GCM before anything is persisted |
| Transcription | On-device | whisper.cpp via Dart FFI — no network |
| Minutes generation | On-device | Gemma 4 E2B via LiteRT-LM, or a deterministic Dart extractor fallback |
| Storage | On-device | SQLCipher (encrypted SQLite) + encrypted audio files |
| Export | On-device → where you send it | User-initiated intent, one meeting at a time, with a confirmation screen |
There is no server, no account, and no cloud sync. On-device minutes generation uses Gemma 4 E2B via LiteRT-LM where the model is present and RAM allows, and a pure-Dart deterministic extractor otherwise. Both run locally; neither transmits your content.
The network posture — the honest part
The core app makes zero outbound network calls carrying user content. The INTERNET permission (together with ACCESS_NETWORK_STATE) is present in the manifest and exists for exactly one purpose: optional, opt-in, Wi-Fi-gated downloads of the on-device AI models from huggingface.co, namely the Gemma 4 E2B minutes model and the optional Whisper small.en transcription model.
Each download is SHA256-verified against a pinned HuggingFace commit, transfers a public model file down to the device (it never uploads user content), and after download all inference runs on-device. A privacy regression test enforces huggingface.co as the only allowed host. No telemetry, no analytics, no crash reporting that phones home.
SumaFlow Minutes Pro is an optional in-app purchase handled by Google Play Billing — Google's native channel, which runs below the app layer. It is user-initiated only, creates no SumaFlow account and contacts no SumaFlow server (there is none), and carries no audio, transcript, or minutes. No payment details reach us; your Pro entitlement is derived on the device. The no-network test above covers the app's own calls; Play Billing runs inside Google Play services, below that layer.
We disclose this download rather than hide it: shipping a multi-gigabyte model inside the app would be worse for users, and pretending the permission isn't there would be dishonest. The permission is present, and the purpose stated above is exactly what it is for. The app also sets usesCleartextTraffic="false" in its manifest, so any network use must be HTTPS.
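The host allowlist and pinned-digest check described above, as an added Go example that is not the app's own code (the app is written in Dart, and its real harness lives in the privacy-core repository). The allowlist contents, the hypothetical `checkDownloadURL` and `verifyPinnedSHA256` names, and the port and userinfo rules are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist holding the one host the page names;
// it is not the project's configuration.
var allowedHosts = map[string]bool{"huggingface.co": true}

// checkDownloadURL accepts only https URLs whose host is exactly on the allowlist.
// It also refuses userinfo, non-default ports and lookalike hosts such as
// "huggingface.co.example", which a naive prefix or substring match would let through.
func checkDownloadURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed: cleartext is disabled", u.Scheme)
	}
	if u.User != nil {
		return errors.New("userinfo in URL not allowed")
	}
	if p := u.Port(); p != "" && p != "443" {
		return fmt.Errorf("port %q not allowed", p)
	}
	if host := strings.ToLower(u.Hostname()); !allowedHosts[host] {
		return fmt.Errorf("host %q is outside the allowlist", host)
	}
	return nil
}

// verifyPinnedSHA256 compares a downloaded file against the pinned hex digest in
// constant time and rejects malformed pins, so a bad pin can never pass as a match.
func verifyPinnedSHA256(data []byte, pinnedHex string) error {
	want, err := hex.DecodeString(pinnedHex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("pinned digest is not a valid SHA-256 hex string")
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("digest mismatch: discard the download")
	}
	return nil
}
```

Both checks return an error rather than a boolean so a caller cannot forget to handle the failing case; on error the download is discarded and nothing is loaded.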
Encryption, in brief
- Audio files are encrypted at rest with AES-256-GCM. The on-disk format is [12-byte nonce][16-byte GCM tag][ciphertext], with a fresh random nonce per file and fail-closed authentication on decryption.
- Transcripts, minutes, and metadata live in a SQLCipher-encrypted database.
- Keys derive from one per-install 256-bit master key via HKDF-SHA256, stored in the Android Keystore (using StrongBox where the device provides one). The master key is non-exportable and never leaves the device.
The whitepaper covers the file format, key derivation labels, and the threat model in full detail.
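The on-disk layout, fail-closed decryption and HKDF subkey derivation described above, as an added Go example rather than the app's own Dart code: `hkdfSHA256`, `sealFile` and `openFile` are hypothetical names, the info label a caller passes stands in for the app's real derivation labels, and the master key is whatever bytes the caller supplies instead of a Keystore-backed key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const nonceLen, tagLen = 12, 16 // AES-GCM sizes fixed by the on-disk layout
// hkdfSHA256 derives one 32-byte AES-256 subkey from the per-install master key:
// RFC 5869 extract, then a single expand block. The info label passed in is an
// assumption; the app's real derivation labels are in its whitepaper, not here.
func hkdfSHA256(master, salt []byte, info string) []byte {
	ext := hmac.New(sha256.New, salt) // nil salt behaves as HashLen zero bytes (RFC 5869)
	ext.Write(master)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // keyed with the PRK
	exp.Write([]byte(info))
	exp.Write([]byte{1}) // T(1) = HMAC(PRK, info || 0x01)
	return exp.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealFile produces [12-byte nonce][16-byte tag][ciphertext] with a fresh random nonce per call.
func sealFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, plaintext, nil) // Go's GCM appends the tag after the ciphertext
	body, tag := ct[:len(ct)-tagLen], ct[len(ct)-tagLen:]
	return append(append(append([]byte{}, nonce...), tag...), body...), nil
}

// openFile fails closed: a wrong key, a flipped bit or a truncated file returns an error, never plaintext.
func openFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < nonceLen+tagLen { return nil, errors.New("file shorter than nonce plus tag") }
	nonce, tag, body := blob[:nonceLen], blob[nonceLen:nonceLen+tagLen], blob[nonceLen+tagLen:]
	return gcm.Open(nil, nonce, append(append([]byte{}, body...), tag...), nil)
}
```

A flipped bit anywhere in the 28-byte header or the body makes `openFile` return an error with no plaintext, which is the fail-closed behaviour the list above promises.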
Open source, so you don't have to take our word for it
The privacy-critical code is published under the MIT license at github.com/SumaFlow-App/sumaflow-minutes-privacy-core. It contains the AES-256-GCM at-rest crypto layer, the key derivation and management code, and the no-network test harness — an executable assertion that the app makes no outbound call to any host outside the huggingface.co allowlist. You can run that test yourself.
What this design does not protect against
We are explicit about the limits so you can reason about your own obligations:
- A compromised OS or a rooted device with the screen unlocked can read what the running app can read. On-device encryption protects data at rest, not data in use on a hostile system.
- Shoulder-surfing and screen capture by someone with physical access are outside the cryptographic boundary.
- Once you export a meeting, that copy lives by the rules of its destination. The app makes the export explicit and logs it; it cannot recall it.
- There is no recovery path: no cloud backup, no key escrow. Lose the device or its keystore and the encrypted data is unrecoverable — the direct cost of having no server.
For regulated professionals
SumaFlow Minutes is designed for financial advisors, fiduciaries, and other regulated professionals who cannot route client conversations through a cloud meeting service. An on-device, no-cloud architecture can help you meet your own confidentiality obligations by keeping client content on hardware you control, with no third-party processor in the path. We do not claim certification under, or compliance with, any regulatory or security framework — compliance is a property of your practice, not of an app. What we offer is an architecture whose properties you can verify and reason about against your own obligations.