Security & Privacy
Your privacy is our top priority. Learn how Whisper keeps your data safe with 100% local processing.
100% Local Processing
All audio transcription happens entirely on your device. Your voice recordings never leave your computer, and we have zero access to your audio or transcriptions. This is not just a feature — it's our core architecture.
Why you can trust Whisper
No certificates to wave around — just verifiable facts about how the app actually works.
Local-first
Audio is transcribed on your own device. In local mode it never reaches our servers.
Signed & notarized
Every build is code-signed on Windows and notarized by Apple on macOS, and updates are signature-verified before they install.
No audio stored
Recordings are processed in memory and discarded — we never save or upload them.
Open security contact
We publish a security.txt and a disclosure policy, so anyone can report an issue.
How Your Data Flows
See exactly where your data goes — and more importantly, where it never goes. Our architecture keeps your sensitive content on your device.
Local Processing Pipeline
When you record audio, here's exactly what happens on your device:
1. Audio Capture: Microphone records to temporary buffer
2. Processing: Whisper engine transcribes locally (CPU or GPU)
3. Output: Text goes to clipboard and your app
Zero network calls during this entire process.
Local Storage
All sensitive data stays on your computer:
- Transcription History: SQLite database in your AppData folder
- Speech Models: Downloaded once, stored locally (~140MB-3GB per model, int8 quantized)
- User Preferences: Settings, hotkeys, themes
- License Cache: Validated locally for 24 hours
Delete the app folder to remove all local data.
Server Communications
Whisper connects to the internet only for:
- Authentication: Magic link, Google OAuth (PKCE), or email/password
- License Validation: Encrypted check at app launch
- Model Downloads: One-time from Hugging Face
- Update Checks: GitHub releases (optional)
All connections use TLS 1.3 encryption.
Privacy Guarantees
These types of data are NEVER sent to our servers:
- Audio Recordings: Your voice never leaves your device
- Transcription Text: What you say stays with you
- Personal Documents: Content you paste or dictate
We physically cannot access your content — it never reaches our servers.
The Bottom Line
Whisper uses a privacy-by-design architecture. Your audio and transcriptions are processed and stored 100% locally. Server connections are limited to authentication, license validation, and updates — never your content.
Data Privacy FAQ
Q: Where is my audio data stored?
A: Your audio data is NEVER stored on our servers. All audio processing happens locally on your device. We have zero access to your recordings.
Q: Who can access my transcriptions?
A: Only you. Transcriptions are stored locally in SQLite on your device. They never leave your computer.
Q: How long is data retained?
A: Local transcription history is stored until you delete it. We store only account info (email, subscription status) on our servers — never your audio or transcriptions.
Q: Can Whisper employees see my data?
A: No. We physically cannot access your audio or transcriptions because they never leave your device. We only see account and billing data needed to manage your subscription.
Privacy-First Architecture
Whisper was designed from the ground up with privacy as a core principle. Unlike cloud-based transcription services, your sensitive conversations stay on your device.
Read our full Privacy Policy →
Audio Processing
Q: How does local processing work?
A: When you record audio, Whisper processes it entirely on your computer using downloaded speech models. The audio is captured, transcribed locally by the Whisper engine (running as a persistent sidecar service within the Tauri v2 app), and the result is saved to your local SQLite database. No internet connection is required during transcription.
Q: What technology powers the transcription?
A: Whisper uses OpenAI's Whisper speech recognition technology, running locally within a Tauri v2 desktop app. Choose from 7 models (~140MB to 3GB) offering speed vs. accuracy trade-offs, with int8 quantization for CPU efficiency and optional NVIDIA GPU acceleration. Models are downloaded once from Hugging Face and stored on your device.
Q: Is any audio sent to the cloud?
A: No, never. Your audio stays on your device at all times. The transcription engine runs completely offline once models are downloaded. We cannot hear, access, or store your recordings.
Technical details: Whisper is built with Tauri v2 (Rust backend + native WebView). Transcription runs via a persistent local sidecar service. Models use int8 quantization for CPU efficiency, with optional NVIDIA CUDA GPU acceleration. Results are stored in a local SQLite database. The entire pipeline operates without any network calls during transcription.
Network Security
Zero Network During Transcription
When you're recording and transcribing, Whisper makes no network requests. Your audio stays completely offline.
While transcription is 100% local, Whisper does connect to the internet for specific purposes. Here's a complete list of all network connections the app makes:
| Connection | Purpose | When |
|---|---|---|
| Authentication | Magic link, Google OAuth (PKCE), or email/password via Supabase | Sign in only |
| License Validation | Verify your subscription status (encrypted) | App launch |
| Model Downloads | Download speech recognition models from Hugging Face | First run / model change |
| Update Checks | Check for new versions via GitHub releases (cryptographically signed) | App launch |
| Device Registration | SHA256 device fingerprint for license seat management | App launch |
| Payment Processing | Stripe checkout (opens in browser) | Purchase only |
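One way to check the table above against observed traffic, as an added example that is not the vendor's code: it takes an exported connection log and the times you were recording, then flags any connection made during transcription or to a destination outside the declared services. The host suffixes, the log format and all sample records are assumptions; the page names the services but not their hostnames, and the license and device-registration endpoints are not named at all.

```python
from datetime import datetime

# Services named in the table above. The host suffixes are ASSUMPTIONS for
# illustration; the page does not list hostnames.
DECLARED = {
    "supabase.co": "Authentication",
    "huggingface.co": "Model Downloads",
    "github.com": "Update Checks",
    "stripe.com": "Payment Processing",
}

def category(host):
    """Return the declared purpose for host, or None if it is undeclared."""
    for suffix, purpose in DECLARED.items():
        # Match the domain itself or a true subdomain, never a bare suffix,
        # so "evilgithub.com" does not pass as "github.com".
        if host == suffix or host.endswith("." + suffix):
            return purpose
    return None

def audit(connections, recording_windows):
    """Flag connections that contradict the page's stated network behaviour."""
    windows = [(datetime.fromisoformat(a), datetime.fromisoformat(b))
               for a, b in recording_windows]
    findings = []
    for ts, host in connections:
        t = datetime.fromisoformat(ts)
        if any(start <= t <= end for start, end in windows):
            findings.append((ts, host, "connection during transcription"))
        elif category(host) is None:
            findings.append((ts, host, "undeclared destination"))
    return findings

# Constructed sample data (not captured from the real app).
SAMPLE_CONNECTIONS = [
    ("2024-01-01T09:00:01", "project.supabase.co"),    # sign-in
    ("2024-01-01T09:00:02", "api.github.com"),         # update check
    ("2024-01-01T09:05:10", "huggingface.co"),         # inside recording window
    ("2024-01-01T09:20:00", "telemetry.example.net"),  # not in the table
    ("2024-01-01T09:21:00", "evilgithub.com"),         # suffix look-alike
]
SAMPLE_WINDOWS = [("2024-01-01T09:05:00", "2024-01-01T09:06:00")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONNECTIONS, SAMPLE_WINDOWS):
        print(finding)
```

Feed it records exported from a host firewall or packet capture filtered to the app's processes, including the sidecar service.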
Encryption Standards
- TLS 1.3: All network communications use modern TLS 1.3 encryption
- HTTPS Only: All API endpoints use HTTPS with certificate validation
- Secure Tokens: JWT tokens with auto-refresh and session validation
- OAuth PKCE: RFC 7636 compliant authorization flow (no client secret exposed)
- Signed Updates: App updates are cryptographically signed and verified before installation
Compliance & Enterprise
GDPR Compliance
Whisper is designed with GDPR principles in mind:
- ✓ Data Minimization: We only collect data necessary for service operation
- ✓ Right to Deletion: Request deletion of your account data anytime
- ✓ Data Portability: Export your account information upon request
- ✓ Privacy by Design: Local processing means most data never leaves your device
CCPA Compliance (California)
For California residents under the California Consumer Privacy Act:
- ✓ Right to Know: We disclose all categories of personal information collected
- ✓ Right to Delete: Request deletion of your account data anytime
- ✓ No Sale of Data: We never sell personal information to third parties
- ✓ Non-Discrimination: Exercising privacy rights will not affect your service
APPI Compliance (Japan)
For users in Japan under the Act on Protection of Personal Information:
- ✓ Purpose Limitation: Personal data used only for stated purposes (account management, licensing)
- ✓ Cross-Border Transfer Notice: Account data is stored on US-based servers
- ✓ Local Voice Processing: Audio and transcription data never leaves your device (no cross-border transfer)
- ✓ Disclosure Rights: Request disclosure, correction, or cessation of use of your personal data
See our Japan-Specific Privacy Policy for full APPI details.
Data Residency
Understanding where your data lives:
- Audio & Transcriptions: Your device only (never uploaded)
- Account Data: Supabase servers (PostgreSQL, US region)
- Payment Data: Stripe (PCI DSS compliant, we never see card details)
- Speech Models: Downloaded from Hugging Face, stored on your device
Enterprise & Security Questionnaires
Need Whisper for your organization? We're happy to assist with:
- Security questionnaires and vendor assessments
- Compliance documentation
- Technical architecture reviews
- Volume licensing inquiries
Contact us at: security@whisper.remskill.com
Reporting a security issue
Found a vulnerability? We want to hear from you.
Email us with details and clear steps to reproduce, and please give us reasonable time to fix the issue before disclosing it publicly.
We will not pursue legal action against researchers who report in good faith and follow this policy.
Have More Questions?
We take security seriously. If you have additional questions or concerns about how Whisper handles your data: