Data security and privacy
Overview
Whisperer listens to your calls, so we take a conservative approach to your data: we store only what's needed for history and search, we offer a mode in which nothing is saved, and we protect access on a fail-closed basis (deny by default). This page explains what is stored and where, how the private no-logs mode works, what mechanisms protect your data, and how to delete it.
The core principles: the overlay panel is invisible in screen sharing, files are stored locally on your Mac, and access to other users' data is locked down by ownership checks. We don't claim certifications the product doesn't have — only the measures that are actually implemented.
When to use it
- You're evaluating Whisperer from a privacy standpoint before using it on work calls.
- You want to understand what is saved after a session and what isn't.
- You need to have a sensitive conversation and leave no traces (no-logs mode).
- You want to delete your data or understand your rights to it (GDPR).
What is stored and where
- The transcript and the model's answers are saved for history and search across past sessions — except for sessions in no-logs mode (see below).
- The knowledge base (notes) is kept until you delete it yourself.
- Files (for example, materials) are stored locally: there is no external object storage (S3).
- Client access tokens on macOS are stored in the Keychain and encrypted.
No-logs mode (private)
No-logs (ephemeral) is a session mode for sensitive conversations:
- The transcript and the model's answers are not written to the database.
- After the session ends, the associated data is deleted.
- Minutes are still consumed from your quota (a separate counter, no_logs_minutes_used): you save storage, not time.
Use no-logs when the content of the conversation matters more than the history: NDA-bound negotiations, personal or medical topics, confidential interviews.
How data is protected
Whisperer is built on the principle of security by default:
- Fail-closed. If an access right isn't explicitly confirmed, access is denied — not granted "just in case."
- Ownership checks. You see only your own sessions, notes, and settings; a request to another user's identifier is rejected.
- Input validation. External data is validated before processing.
- User-context isolation. Data you provide to the assistant is treated as reference material and cannot override system-level instructions.
- Tokens in the Keychain. On macOS, client tokens are encrypted and live in the system Keychain, not in plaintext files.
- WebSocket token in the header. The token is passed in the Authorization header, not in the URL/query, so it doesn't leak into server and proxy logs.
- Token session management. A token version (token_version) invalidates old tokens on a password change or sign-out from all devices; the refresh cookie is httpOnly, with CSRF protection (double-submit).
- Secrets in .env. Keys and passwords are not stored in the code.
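To make the fail-closed, ownership-check and token_version items above concrete, here is an added sketch; it is not Whisperer's code. The HMAC token format, the Bearer scheme, the in-memory tables and all function names are assumptions made for illustration.

```python
# Added illustration, not Whisperer's code. All names and formats are hypothetical.
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = b"constructed-demo-key"  # constructed; a real key would come from .env

# Constructed sample data: user -> current token_version, session -> owner.
TOKEN_VERSIONS = {"alice": 1, "bob": 1}
SESSION_OWNER = {"s-100": "alice", "s-200": "bob"}


def issue_token(user):
    """Sign the user id together with the token_version current at issue time."""
    claims = {"sub": user, "ver": TOKEN_VERSIONS[user]}
    body = urlsafe_b64encode(json.dumps(claims).encode())
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()


def verify_token(token):
    """Return the user id, or None on any failure (fail-closed)."""
    try:
        body, mac = token.encode().split(b".")
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(urlsafe_b64decode(body))
        user = claims["sub"]
        # A token issued before the last version bump is stale.
        if claims["ver"] != TOKEN_VERSIONS[user]:
            return None
        return user
    except Exception:
        return None  # malformed input is a denial, never a pass


def revoke_all_tokens(user):
    """Password change or sign-out from all devices: bump token_version."""
    TOKEN_VERSIONS[user] += 1


def can_read_session(headers, session_id):
    """Allow only when the header token verifies AND the caller owns the session."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":  # assumed scheme; missing header is denied
        return False
    user = verify_token(token)
    return user is not None and SESSION_OWNER.get(session_id) == user
```

Every path that is not an explicit match returns a denial, and bumping the version invalidates all earlier tokens without keeping a revocation list.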
Data deletion and GDPR
- Deleting sessions. Sessions and their history can be deleted in the web dashboard — this removes the associated transcripts and answers.
- Deleting notes. The knowledge base is kept until you delete it; deleting a note also removes it from the RAG index.
- Leaving no traces ahead of time. To keep a particular conversation's data out of storage entirely, run the session in no-logs mode.
- Full account deletion and data-subject rights requests are handled through support: write to support with a request to delete or export your data.
Screenshots
📸 [Screenshot: the no-logs mode toggle in session settings]
📸 [Screenshot: session history in the dashboard with a "Delete" action]
📸 [Screenshot: the overlay absent from the screen-sharing window]
Common mistakes
- Thinking no-logs saves minutes. Minutes are consumed as usual; only the data isn't saved.
- Expecting a regular session not to be saved. Outside no-logs, the transcript and answers are saved for history and search.
- Assuming that deleting a note leaves it in the suggestions. Deleting it removes the note from both the knowledge base and the RAG index.
- Looking for a "delete account" button in the dashboard. Full account deletion is handled through support.
Best practices
- For sensitive conversations, turn on no-logs in advance — "erasing after the fact" what's been saved is harder than not recording it in the first place.
- Regularly clean up the history of sessions you no longer need.
- Don't put secrets (passwords, tokens) into user context and notes — it's sent to the model as part of the prompt.
- Use a strong password and sign out from all devices if you suspect a compromise: this invalidates issued tokens.
- Remember that the overlay is invisible in screen sharing, but the other person's audio is still recognized; keep this in mind on group calls.