Legal

Privacy Policy

Whispy is built local-first. Your meetings live on your laptop, not on our servers.

Last updated: May 27, 2026

The short version

We built Whispy because lawyers, doctors, founders and recruiters can't afford their calls to live on someone else's servers. Here's what that means in practice:

  • Your recordings, transcripts and summaries are stored on your device — in a folder you pick. We never receive them.
  • You bring your own keys for Deepgram (transcription) and Anthropic (AI replies). Audio + context flows from your machine directly to those providers — we are not in the middle.
  • API keys are encrypted on your device using the OS keychain (macOS Keychain / Windows DPAPI).
  • We do not train any AI model on your data. Not ours. Not Anthropic's. Not Deepgram's.
  • No telemetry by default. Anonymous error reports are opt-in.
  • We can't back up your files. They're on your device only — back them up yourself (Time Machine, Drive, etc.).

1. Who we are

Whispy ("Whispy," "we," "us") is a desktop application and accompanying website operated by the makers of Whispy. For privacy questions, reach us via the contact page.

2. What data we collect

2.1 Account data (on our servers)

To run your subscription and license we store the minimum we need:

  • Email address
  • Hashed password (bcrypt) — we never see your plain password
  • Subscription status and billing references (handled by Stripe)
  • One active device fingerprint (so the 1-device license works)
  • App version installed, last sign-in timestamp

2.2 Meeting data (on YOUR device — not on our servers)

The desktop app records and writes the following locally into a folder you choose:

  • Video and/or audio recording (optional, off if you toggle it off)
  • Live transcript (.txt and .md)
  • AI-generated meeting summary (.txt and .md)
  • Pre-meeting notes you paste into the overlay
  • Your custom AI bots and their prompts

We never receive these files. They are not uploaded, not synced, not backed up by Whispy.

2.3 Ephemeral data sent to third-party processors

For Whispy to work, two things briefly leave your device — using your own API keys:

  • Audio chunks → Deepgram for real-time transcription. Audio is streamed, transcribed, and discarded. Deepgram's zero-retention mode is used by default.
  • Conversation context → Anthropic for reply generation. Only the recent transcript window plus your bot prompt is sent; full recordings are never uploaded.

Whispy does not proxy this traffic. The calls go from your laptop directly to the providers, billed to your keys.

Depending on your region, we process the limited account data above on the basis of:

  • Contract — to provide the Whispy service you signed up for.
  • Legitimate interest — to keep the service secure and prevent abuse.
  • Consent — for anonymous error reports, marketing emails, or any optional integration.

4. Who we share data with

We share account data only with the providers we need to run the business:

ProcessorPurposeData shared
StripePayments & subscription billingEmail, billing details
Postmark / ResendTransactional email (receipts, login)Email, message metadata
CloudflareWebsite + API delivery, DDoS protectionIP, request headers
Sentry (opt-in)Anonymous error reportsStack traces, app version

Your meeting data is processed by Deepgram and Anthropic only — and those calls happen on your own API keys, governed by their respective policies:

5. AI training

We do not train any AI model on your meetings, transcripts, summaries or prompts. Anthropic has confirmed in writing that API traffic on your key is not used for training. Deepgram's zero-retention mode is enabled by default in our app.

6. Invisible-in-screen-share feature

Whispy uses native OS APIs (NSWindowSharingNone on macOS, WDA_EXCLUDEFROMCAPTURE on Windows) to hide the overlay from screen sharing and screen recording. This is a privacy feature, not a way to deceive — please use it lawfully and with consent where the law requires it.

Recording laws vary widely by country and state (one-party vs. two-party consent). You are responsible for obtaining the consent required wherever you and the other parties are located. Whispy provides the tool — you set the policy for your calls.

8. Data retention

  • Account data: kept while your account is active, deleted within 30 days of account closure.
  • Billing records: kept for the period required by tax / accounting law (typically 7 years).
  • Meeting data: never on our servers — retention is up to you.

9. No backup, no recovery

Because we deliberately do not receive or store your recordings, transcripts, summaries or prompts, we cannot recover them for you.

  • All meeting files live in the folder you picked on your own device. If you delete them, lose them to a disk failure, or have your laptop stolen, Whispy cannot retrieve them.
  • We strongly recommend you back up that folder yourself — Time Machine on Mac, File History on Windows, or a cloud-sync folder (Drive, Dropbox, iCloud) that you control.
  • Loss of meeting files due to user action, device failure, theft, OS upgrade, or any cause outside Whispy's servers is your responsibility.

10. Third-party processor risks

Whispy's real-time features require sending audio and conversation context to two external providers on your own API keys:

  • Deepgram for audio transcription. Audio chunks are streamed to Deepgram; we do not proxy or store them.
  • Anthropic for AI reply generation. Recent transcript context is sent to Anthropic; we do not proxy or store it.

These transfers happen directly from your device to those providers, billed to your account with them. Their handling of that data is governed by their privacy policies (linked in Section 4 above).

Whispy is not liable for any data-handling decisions, outages, breaches, or billing actions by Deepgram, Anthropic, or any other third-party processor you choose to connect via your own API keys. By using Whispy you accept the privacy practices and risk profile of those providers.

11. Your rights

Depending on your region (EU/UK GDPR, California CCPA, India DPDP, etc.) you have rights to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your account data in a portable format
  • Object to or restrict certain processing
  • Withdraw any consent you previously gave

Reach us via the contact page and we'll respond within 30 days.

12. Security

  • API keys encrypted at rest with OS keychain
  • TLS 1.2+ for all network traffic between your device and our API
  • Passwords hashed with bcrypt; we never store plaintext
  • Production database access limited to on-call engineering, audited
  • Annual external penetration test

No system is bulletproof. If you discover a vulnerability, please reach us via the contact page with a clear description so we can route it to the security team immediately.

13. Children

Whispy is not for users under 16. We do not knowingly collect data from children.

14. International transfers

Our servers run in the United States and the European Union. Where data is transferred across regions we rely on Standard Contractual Clauses and equivalent safeguards.

15. Changes to this policy

If we make material changes we'll notify you by email at least 14 days before they take effect. The current version is always at /privacy.

16. Contact

Questions? Write to us via the contact page.