Version 1.4 — September 24, 2025
Our Commitment
WhisperTyping respects your privacy and your rights under international frameworks such as the EU General Data Protection Regulation (GDPR), the Australian Consumer Law and Privacy Act 1988, and the California Consumer Privacy Act (CCPA/CPRA).
We are committed to transparency: you can ask us at any time what data we hold, request correction or deletion, and we will act promptly. Our guiding principle is simple — your data belongs to you.
What data we process & why
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Voice buffers (RAM-only, no retention) | Convert speech to text | Art. 6(1)(b) – contract |
| Usage logs: transcription metadata, computer footprint, coarse locale, crash traces (5 years) | Billing, keep the service reliable, scale capacity, spot abuse | Art. 6(1)(b) – contract; Art. 6(1)(f) – legitimate interests |
| Account and billing: contact details, payment info (10 years) | Billing, account management, support, inform users of changes to functionality and policy | Art. 6(1)(b) – contract; Art. 6(1)(c) – legal obligation |
- We never store audio or transcripts.
- Audio is held only in memory until transcription finishes, then erased.
- Logs contain no spoken content and no direct identifiers.
- We never store request and response data for AI mode requests.
- No automated decisions with legal or significant effects are made.
Transcription
- On our servers, audio is processed transiently and never stored in permanent memory.
- We route your audio to cloud providers for speech-to-text conversion:
  - Groq: Zero data retention enabled - audio processed and immediately discarded
  - Cloudflare: Zero data retention by default - no audio storage
  - OpenAI: Standard 30-day retention for service reliability
- Dictation history and transcripts remain only on your own computer. WhisperTyping staff cannot access them.
AI Modes
When you use our AI features to process your text:
- We use OpenAI LLMs for text enhancement and processing
- Your text is sent to OpenAI for processing with their standard 30-day retention
- Processed results are returned to your device; we don't store the content
Screen OCR
Our Screen OCR feature helps recognize text on your screen to increase transcription accuracy:
- OCR processing happens locally on your device
- The raw text content of your active window is sent to WhisperTyping servers for extraction of keywords. Your screen content is not stored; it is processed only transiently and may only be used to build a shared anonymous dictionary.
- Unrecognized words may be sent to cloud provider servers for categorization, to extract technical terms, names, etc. Only words not in our dictionary are sent, not full sentences or personal context, as the majority of words are already in our dictionaries. We apply a strict no-retention policy for these requests: they are kept in RAM only and are never stored, either on our servers or on our cloud provider servers.
Account & Payment Information
- We collect account details (such as name and email) to manage your subscription.
- For billing, we process payment information (including billing address and payment method) through trusted third-party payment processors.
- We do not store your complete payment card details on our servers.
- Payment processors we use are compliant with international standards for secure transactions (e.g. PCI-DSS).
- In the case of recurring subscriptions, your payment method may be securely tokenised by the payment processor to enable automatic renewals.
- To maintain service reliability and prevent abuse, we collect technical information such as device type, operating system version, IP address, user account and hardware footprint.
- We do not use technical metadata to build personal profiles, track browsing behaviour, or identify individuals beyond what is strictly necessary for providing the service.
Security measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest for account/usage data.
- Access controls: unique accounts with mandatory two-factor authentication for all WhisperTyping staff.
- Endpoint protection: industry-standard antivirus on WhisperTyping workstations.
- Application hardening: only trusted software and one authorised developer have access to core code; no unnecessary features enabled on staff systems.
- Operational hygiene: regular patching, secure cloud configurations, backups of essential service data.
- Baseline compliance: aligned with ACSC Essential Eight, APPs, and GDPR principles.
- We operate in alignment with ISO 27001 controls.
- We follow SOC 2 Trust Services Criteria internally.
Data Sharing
- Service providers: We use trusted third parties to support core operations (e.g. cloud hosting, payment processing). These providers process data only under our instructions and with strict confidentiality.
- Legal compliance: We may disclose limited information if required by law, court order, or regulatory authority.
- With your consent: Beyond these cases, we will only share your information if you explicitly authorise us to do so.
Legal and Regulatory Compliance
- We comply with applicable privacy and consumer protection laws in the EU, California and Australia, and other jurisdictions where we operate.
- We cooperate with lawful requests from regulatory or judicial authorities, provided they are valid and proportionate.
- We enforce our Terms of Service and security policies to protect the rights and safety of WhisperTyping, our users, and others.
Cross-border data processing
We may process data transiently through servers located outside of your jurisdiction. These providers do not retain audio or transcripts once processing is complete. We take steps to ensure any overseas processing meets your local privacy laws and international standards.
Your rights
You can access, erase, object to, or restrict our use of usage logs at any time.
Please note: if you request erasure or restriction of logs, we may no longer be able to provide the service, as these logs are required for billing, performance, and abuse prevention.
To make a request, email privacy@whispertyping.com and include your device ID from:
%localappdata%/whispertyping/settings.json
Healthcare use
- WhisperTyping is not a medical device and does not diagnose or treat conditions.
- We do not persist or store Protected Health Information (PHI). Audio is processed transiently in memory and erased immediately.
- For healthcare clients, we apply enhanced safeguards aligned with Australian health privacy laws and international best practices.
- If U.S. healthcare customers require HIPAA Business Associate Agreements, we will review and address this as the service evolves.
Children's Privacy
- Our services are not designed for or directed at children under 13 years of age (or the minimum age of digital consent in your jurisdiction).
- We do not knowingly collect personal information from children. If we learn we have inadvertently collected such information, we will delete it promptly.
Changes to This Privacy Policy
We reserve the right to periodically update this Privacy Policy. Any revisions will be posted prominently, with the updated effective date clearly indicated. We encourage you to regularly review this policy to stay informed about our privacy practices.
Questions about privacy?
Contact us at privacy@whispertyping.com