Security at OpenWhispr
Your voice data is personal. Here's exactly how we handle it, what we store, and what controls you have.
How OpenWhispr Works
OpenWhispr is a desktop application for macOS, Windows, and Linux that converts speech to text. You choose how your audio is processed — there are three modes, and you pick the one that fits your needs.
Local Models — Nothing Leaves Your Device
You can run open-source Whisper models directly on your machine. When you choose this option, your audio is processed entirely on-device and never transmitted anywhere. If keeping your data off the internet is important to you, this is the option to use.
Bring Your Own API Key
You can connect your own API key from providers like OpenAI. Your audio is sent directly to that provider for transcription using your own account. You control the relationship with the provider, and their privacy policy applies.
OpenWhispr Cloud
Our managed cloud transcription service handles processing on our end. Audio is sent to our API, transcribed, and returned. Neither we nor our providers store your audio — it is processed in real time and discarded. We use third-party AI providers behind the scenes and may switch between them, but we always ensure no provider trains on your data.
Open source desktop app: The OpenWhispr desktop application is fully open source and available on GitHub. You can inspect exactly how audio is captured, processed, and transmitted. The cloud API service is separate and managed by us.
Data Processing and Storage
Audio Recordings
Nobody stores your audio. With local models, it never leaves your device. With your own API key, audio goes directly to your chosen provider and is not retained. With OpenWhispr Cloud, audio is processed in real time and discarded — neither we nor our providers keep it.
Transcriptions
Transcriptions are stored locally on your device. If you opt in to cloud sync, they are also stored in our database so you can access them across devices. You can disable sync at any time.
Account Data
If you create an account, we store your email, name, and authentication credentials. Passwords are hashed and never stored in plain text. Payment processing is handled entirely by Stripe.
Diagnostic Data
Diagnostic reporting is off by default. You must explicitly enable it in settings. When enabled, we collect anonymous performance metrics to improve the product. No audio or transcription content is ever included.
AI Training Policy
We take a firm stance on AI training: your data is not used to train any AI models. Period.
OpenWhispr Cloud: Every provider we use behind our cloud service is opted out of using your data for model training. We may switch between providers for quality and speed, but the no-training guarantee always applies.
Bring your own key: If you use your own API key, your provider's training policies depend on your account settings with them. Most major providers offer training opt-outs — check your provider's documentation.
OpenWhispr itself: We do not train models on your transcriptions, audio, or any user-generated content.
Local models: No training concern at all. Your audio stays on your device and is never sent anywhere.
Infrastructure Security
For users who opt in to cloud features, we follow industry-standard security practices:
Encryption
All data in transit is encrypted using TLS. Data at rest in our cloud database is encrypted. API connections to third-party providers use secure, authenticated endpoints.
Authentication
We support email/password and Google OAuth sign-in. Sessions are managed with secure, short-lived tokens that refresh automatically. Credentials are never shared with third parties.
Dependency Management
We use automated tools to monitor for known vulnerabilities in our dependencies and apply patches promptly. Our open-source codebase means the community can audit our supply chain.
Your Controls
You decide how OpenWhispr handles your data. You choose your processing mode during setup, and you can change it at any time in settings.
Choose Your Processing Mode
Pick local models, your own API key, or OpenWhispr Cloud. If you want your audio to never leave your device, choose local models.
Enable or Disable Cloud Sync
Keep transcriptions local-only or sync them across devices. Your choice.
Opt In to Diagnostic Reporting
Diagnostic data collection is disabled by default. You can turn it on if you want to help us improve OpenWhispr.
Delete Your Data
You can delete individual transcriptions, clear all local data, or delete your account entirely from within the app.
Cloud Providers
OpenWhispr Cloud
When you use OpenWhispr Cloud, your audio is processed through our managed API. We use third-party AI providers behind the scenes and may change them at any time to improve quality or speed. All providers are opted out of training on your data.
Bring Your Own Key
When you use your own API key, your audio goes directly to your chosen provider. Their privacy policy and training settings apply based on your account with them.
Services we use across the platform:
| Provider | Purpose | Training Opt-Out |
|---|---|---|
| OpenAI | Cloud transcription & AI (via OpenWhispr Cloud or BYOK) | Opted out for our accounts |
| Neon | Database & authentication | N/A |
| Stripe | Payment processing | N/A |
| OAuth sign-in | N/A | |
| Vercel | Website hosting & analytics | N/A |
We may add or change cloud providers at any time. This page will be updated to reflect changes.
Vulnerability Reporting
If you discover a security vulnerability in OpenWhispr, we want to hear about it. As an open-source project, we value responsible disclosure from the community.
How to Report
- Email security@openwhispr.com with a description of the issue.
- Include steps to reproduce if possible.
- We will acknowledge your report within 48 hours and keep you updated on the fix.
Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to address them.
Questions?
If you have questions about our security practices or want to learn more about how we handle your data, reach out: