VoiceNote and the GDPR: compliant by design
Most software asks you to trust its data-processing agreement. VoiceNote takes a different route — it never processes your data in the first place. Here's what that means for the GDPR, in plain English.
The short version
Because VoiceNote runs entirely on your own computer — the transcription, the AI that writes your text, and everything it learns about your voice — your personal data is never sent to us or anyone else. There's no server holding your recordings, no cloud transcript, and nothing for a third party to process. Under the GDPR, that removes most of the obligations before they even arise.
We're not saying "trust our compliance paperwork." We're saying there's almost nothing to *be* compliant about, because the data stays with you.
Why "on-device" changes the GDPR picture
The GDPR puts the burden on whoever processes personal data. Cloud dictation tools are processors of your voice — they receive it, transcribe it on their servers, and therefore need Data Processing Agreements, a lawful basis, and transfer mechanisms. VoiceNote isn't a processor of your dictation, because it never receives it. The work happens on your machine, the way a local word-processor works.
Do you need a DPA with us? No.
A Data Processing Agreement governs a processor handling personal data on your behalf. Since VoiceNote doesn't handle your dictation on your behalf — it happens on your device — there's no processing for a DPA to cover. (If you sign up for our product-update emails or buy a licence, that limited data *is* covered by our Privacy Policy and handled by our payment provider, Polar. That's separate from anything you dictate.)
How VoiceNote maps to the GDPR's core articles
| GDPR requirement | How VoiceNote meets it |
|---|---|
| Art. 5 — data minimisation & purpose limitation | Audio is transcribed locally and immediately discarded; only the text you choose to keep remains, in a folder you control. |
| Art. 25 — data protection by design & by default | Local-only processing is the default and the *only* mode. There is no cloud setting to get wrong. |
| Art. 32 — security of processing | There's no transmission and no central store to breach. Your data lives on your own secured device. |
| Art. 44 — international transfers | Your dictation never crosses a border, because it never leaves your machine. |
| Arts. 15–17 — access, rectification, erasure | You already hold all your data locally — view it, export it, or delete it yourself, any time. |
What this means for organisations in the EU and UK
A compliance team can approve VoiceNote quickly, because there's no vendor data flow to assess:
- No DPA to negotiate, and no sub-processor list to vet for your dictation content.
- Nothing to add to your Record of Processing Activities for what VoiceNote does with dictation — it processes nothing on your behalf.
- Safe for staff who handle personal or special-category data (health, legal, HR), because that data never leaves the device it's created on.
The one place data does leave: this website
To be straight with you: this website uses analytics, which set cookies — that's the only place any data is collected, and it's about site *visitors*, not the product. Our Cookie Policy lists exactly what's set and how to opt out.
Related
Compliance you can approve in an afternoon.
Nothing to negotiate, nothing to send. Keep your data where it belongs.