Privacy Policy
Last updated: February 16, 2026
Version 2.0
TL;DR: Your Voice Stays on Your Device
Vocoding processes your voice 100% locally using Whisper. No audio data ever leaves your computer. We collect only the minimum data needed to manage your account, license, and payments. We do not sell, rent, or trade your personal data.
Vocoding ("we," "us," "our," or "the Company") develops and operates the Vocoding desktop application and the vocoding.com website and platform (collectively, the "Services"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Services.
We are committed to protecting your privacy. Vocoding is designed with a privacy-first architecture: all voice transcription is performed 100% locally on your device using Whisper. No audio data ever leaves your computer.
This Privacy Policy applies to:
- The Vocoding desktop application (macOS and Windows)
- The vocoding.com website and web platform
- Our licensing and payment systems
- Our customer support communications
1. Who We Are (Data Controller)
Vocoding is operated by E-Clients Consulting LP, a limited partnership registered in Ontario, Canada. For the purposes of data protection law, we are the data controller of the personal data described in this policy.
Contact Details:
- Company: E-Clients Consulting LP
- Address: 2967 Dundas St W, No. 878, Toronto, Ontario, M6P 1Z2, Canada
- Website: https://vocoding.com
- Privacy Email: privacy@vocoding.com
Data Protection Contact: For any questions about this Privacy Policy or your personal data, contact us at privacy@vocoding.com. We will respond to all privacy-related inquiries within 30 days, or within the timeframes required by applicable law.
2. Data We Collect
We categorize data into three tiers based on where it is processed and stored:
2.1 Local Data (Stays on Your Device — Never Transmitted)
This data is processed and stored entirely on your device. We have no access to this data.
| Data Type | Description | Storage | Retention |
|---|---|---|---|
| Audio recordings | Voice captured via your microphone | Temporary file on device | Deleted immediately after transcription (seconds) |
| Transcribed text | Output of local Whisper STT processing | Application memory | Session only; cleared when app closes |
| User preferences | Settings, configurations, workspace data | Local application files (JSON) | Until you delete or uninstall |
| Custom agents | Your custom AI agent configurations | Local encrypted files | Until you delete or uninstall |
| API keys | Your cloud LLM provider keys (if configured) | OS keychain (macOS Keychain / Windows Credential Manager) | Until you remove them |
| Whisper models | Speech-to-text AI models | Application directory | Until you delete or uninstall |
Our guarantee: Audio recordings are NEVER transmitted over any network. Speech-to-text processing occurs 100% locally using the Whisper model running on your device. Temporary audio files are automatically and immediately deleted after transcription.
2.2 Platform Data (Web Platform — vocoding.com)
When you use our website, create an account, or purchase a license, we collect:
| Data Type | Description | Retention |
|---|---|---|
| Account information | Email address, name (if provided) | Until account deletion |
| Authentication data | Login credentials (hashed), session tokens | Until account deletion |
| Payment information | Processed by Stripe; we store transaction ID, amount, date, license tier | Minimum 5 years (tax/accounting law) |
| License data | License key, activation status, device fingerprint (SHA256 hash) | Duration of license validity |
| Trial data | Trial start date, credits used, device hash | 90 days after trial expiration |
| Communication data | Support emails, feedback | 2 years after last communication |
| Transactional emails | Purchase confirmations, license delivery | As required by law |
2.3 Optional Data (Cloud LLM — Only If You Enable It)
If you choose to use cloud LLM features for prompt optimization:
| Data Type | Description | Retention |
|---|---|---|
| Transcribed text sent to LLM | Your transcribed text sent to your chosen LLM provider | Not retained by us; subject to provider's policy |
| LLM responses | Optimized prompts returned by the provider | Session only; copied to clipboard |
BYOK (Bring Your Own Key):
Cloud LLM features require you to provide your own API key. You choose which provider receives your text (Groq, OpenRouter, or local Ollama). We do not proxy, log, intercept, or store your API communications. The LLM provider's own privacy policy applies to their processing of your data. Using local Ollama requires no internet connection and no data leaves your device.
3. Legal Basis for Processing (GDPR Article 6)
Under the EU General Data Protection Regulation (GDPR), we process personal data based on the following legal grounds:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Providing the desktop application | Contract performance | Art. 6(1)(b) |
| Processing account registration | Contract performance | Art. 6(1)(b) |
| Processing payments via Stripe | Contract performance | Art. 6(1)(b) |
| Delivering and activating licenses | Contract performance | Art. 6(1)(b) |
| Device fingerprinting for license enforcement | Legitimate interest (fraud prevention, license integrity) | Art. 6(1)(f) |
| Trial usage tracking (per-device) | Legitimate interest (service integrity) | Art. 6(1)(f) |
| Sending transactional emails (AWS SES) | Contract performance | Art. 6(1)(b) |
| Responding to support requests | Legitimate interest (customer service) | Art. 6(1)(f) |
| Complying with tax/legal obligations | Legal obligation | Art. 6(1)(c) |
| Cloud LLM text processing | Consent (your explicit action to optimize) | Art. 6(1)(a) |
| Website analytics (if implemented) | Consent | Art. 6(1)(a) |
Legitimate Interest Assessment: Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 8).
4. How We Use Your Data
We use personal data solely for the following purposes:
4.1 Service Delivery
- Converting speech to text (100% local)
- Optimizing prompts via cloud LLM (only when you enable it)
- Managing your license and activation
- Providing the trial experience
- Processing payments and refunds
4.2 Service Integrity
- Preventing license fraud through device fingerprinting
- Enforcing trial limits (one trial per device)
- Verifying license validity
4.3 Communication
- Sending purchase confirmations and license keys
- Responding to your support requests
- Notifying you of critical security updates
4.4 Legal Compliance
- Maintaining transaction records as required by applicable tax law
- Responding to lawful requests from authorities
What We Do NOT Do:
- We do NOT sell, rent, or trade your personal data
- We do NOT use your data for advertising or marketing profiling
- We do NOT train AI models on your voice, text, or usage data
- We do NOT track your behavior within the desktop application
- We do NOT create user profiles for targeted advertising
- We do NOT share your data with data brokers
- We do NOT use your data for automated decision-making that produces legal effects
5. Data Sharing and Third-Party Services
We share personal data only with the following service providers, and only to the extent necessary:
5.1 Payment Processing — Stripe, Inc. (US)
- Purpose: Process credit/debit card payments for license purchases
- Data shared: Payment card details (collected directly by Stripe), transaction amount, email
- We do NOT store your full card details; Stripe handles this under PCI DSS Level 1
- Stripe's Privacy Policy: https://stripe.com/privacy
5.2 Authentication and Database — Supabase, Inc. (US)
- Purpose: User account authentication, license management, database hosting
- Data shared: Email address, account data, license records, trial records
- Supabase's Privacy Policy: https://supabase.com/privacy
5.3 Transactional Email — Amazon Web Services (AWS SES) (US)
- Purpose: Sending purchase confirmations, license delivery emails, critical notifications
- Data shared: Email address, email content
- AWS Privacy Policy: https://aws.amazon.com/privacy/
5.4 Cloud LLM Providers (Optional, User-Selected)
If you enable cloud LLM optimization and provide your own API key, data may be shared with:
- Groq, Inc.: https://groq.com/privacy-policy/
- OpenRouter: https://openrouter.ai/privacy
- Ollama (local): No data transmitted; runs entirely on your device
Data sent: Only your transcribed text (never audio). Subject to each provider's privacy policy and your direct agreement with them.
5.5 No Other Sharing
We do not share data with:
- Advertising networks
- Analytics services (we do not use Google Analytics, Facebook Pixel, or similar)
- Data brokers
- Social media platforms
- Any other third party not listed above
6. International Data Transfers
E-Clients Consulting LP is based in Canada. The European Commission has recognized Canada as providing an adequate level of data protection under GDPR Article 45, which facilitates lawful transfers of personal data between the EU/EEA and Canada. Some of our service providers are based in the United States.
When your personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:
| Provider | Location | Transfer Mechanism |
|---|---|---|
| Stripe | United States | EU-US Data Privacy Framework + SCCs |
| Supabase | United States | Standard Contractual Clauses (SCCs) |
| AWS (SES) | United States | EU-US Data Privacy Framework + SCCs |
| Groq (optional) | United States | Your direct relationship (BYOK) |
| OpenRouter (optional) | United States | Your direct relationship (BYOK) |
Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as approved by Commission Implementing Decision (EU) 2021/914 to ensure adequate protection for data transferred outside the EU/EEA.
Canada Adequacy: Canada benefits from an EU adequacy decision under GDPR Article 45, meaning personal data can flow from the EU/EEA to Canada without the need for additional safeguards, provided the transfer is covered by PIPEDA.
BYOK Transfers: When you use cloud LLM features with your own API key, you establish a direct data controller relationship with the LLM provider. We facilitate the connection but do not act as a data processor for this transfer. The LLM provider's terms and privacy policy govern their processing.
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Audio recordings | Deleted immediately (seconds) | Auto-deleted after local transcription |
| Transcribed text | Session only | Cleared when application closes |
| Application preferences | Until uninstall/deletion | User convenience |
| API keys (keychain) | Until user removes them | User convenience |
| Account information | Until account deletion request | Contract performance |
| Payment/transaction records | Minimum 5 years | Tax law requirements |
| License activation records | Duration of license + 1 year | Contract performance + dispute resolution |
| Device fingerprint (hash) | Duration of license + 1 year | License enforcement |
| Trial records | 90 days after trial end | Service integrity |
| Support communications | 2 years after resolution | Service improvement |
| Transactional email logs | 1 year | Delivery verification |
After the retention period, data is permanently deleted or anonymized.
8. Your Rights (GDPR)
Under the GDPR and applicable EU/EEA law, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. For platform data, contact us at privacy@vocoding.com. For local data, you can access it directly on your device.
8.2 Right to Rectification (Article 16)
You have the right to correct inaccurate personal data. You can update your account information directly through the platform, or contact us for assistance.
8.3 Right to Erasure / Right to Be Forgotten (Article 17)
You have the right to request deletion of your personal data. We will delete your data unless we have a legal obligation to retain it (e.g., tax records). For local data, uninstalling Vocoding removes all application data from your device.
8.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
8.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). This applies to data you provided to us that we process based on consent or contract.
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interest. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
8.7 Right to Withdraw Consent (Article 7)
Where we process data based on your consent (cloud LLM optimization), you can withdraw consent at any time by disabling cloud features in the application settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. If you reside in the EU/EEA, you may contact your local data protection authority.
How to Exercise Your Rights:
- Email: privacy@vocoding.com
- Subject line: "Data Subject Request — [Your Right]"
We will respond within 30 days. If we need to extend this period (by up to 60 additional days for complex requests), we will inform you within the initial 30-day period with reasons for the delay. There is no charge for exercising your rights, except for manifestly unfounded or excessive requests.
9. Your Rights (CCPA/CPRA — California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:
- Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
- Right to Delete: You have the right to request the deletion of your personal information that we have collected, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. We have never sold personal information and have no plans to do so.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under the CPRA.
Categories of personal information collected: Identifiers (email address), commercial information (purchase history, license data), and internet activity (device fingerprint hash for license enforcement only).
To exercise your CCPA/CPRA rights, contact us at privacy@vocoding.com. We will verify your identity before processing your request. We will respond within 45 days.
10. Your Rights (PIPEDA — Canadian Residents)
As E-Clients Consulting LP is based in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to our collection, use, and disclosure of personal information in the course of commercial activities. Under PIPEDA, you have the following rights:
- Right to Access: You may request access to the personal information we hold about you. We will respond within 30 days.
- Right to Correction: You may challenge the accuracy and completeness of your personal information and have it amended as appropriate.
- Right to Withdraw Consent: You may withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions.
- Right to Complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe we have not handled your personal information properly.
PIPEDA Fair Information Principles:
We adhere to the 10 fair information principles set out in Schedule 1 of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca
11. Cookies
The Vocoding desktop application does not use cookies.
Our website (vocoding.com) uses cookies and similar technologies. We use only essential cookies required for authentication and payment processing. We do not use advertising cookies or third-party tracking.
For detailed information about the specific cookies we use, their purposes, and durations, please see our Cookie Policy.
12. Children's Privacy
Vocoding is not directed at children under 16 years of age (under 13 in the US). We do not knowingly collect personal data from children. If we discover that we have collected personal data from a child without parental consent, we will delete that data promptly.
If you believe a child has provided us with personal data, please contact us at privacy@vocoding.com.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For significant changes, we will notify you via email (if we have your email address) or through the application
- The previous version of this policy will remain available upon request
- Continued use of the Services after changes constitutes acceptance, except where consent is required for specific processing activities
We will not materially reduce your rights under this Privacy Policy without your explicit consent.
14. Contact Us
If you have questions about this Privacy Policy, your personal data, or wish to exercise your data subject rights:
- Company: E-Clients Consulting LP
- Address: 2967 Dundas St W, No. 878, Toronto, Ontario, M6P 1Z2, Canada
- Privacy Email: privacy@vocoding.com
- General Support: support@vocoding.com
- Website: https://vocoding.com
For EU/EEA residents, you may also contact your local data protection authority.
For Canadian residents, contact the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca
Summary of Our Privacy Commitments
| Aspect | Our Approach |
|---|---|
| Voice/Audio Data | 100% local processing, never transmitted, auto-deleted |
| Speech-to-Text | Whisper running entirely on your device |
| Cloud LLM | Opt-in only, requires your own API key (BYOK) |
| In-App Telemetry | None |
| Data Selling | Never |
| Ad Tracking | None |
| API Keys | Stored in OS-level secure keychain |
| Temporary Files | Auto-deleted after use |
| Payment Data | Processed by Stripe; we never see full card details |
| Device Fingerprint | SHA256 hash only, for license enforcement |
| GDPR Rights | Full compliance; contact privacy@vocoding.com |
| CCPA/CPRA Rights | Full compliance for California residents |
| PIPEDA Rights | Full compliance for Canadian residents |
Your voice stays on your device. Your privacy is our default.