Designed so we can't see your work.
VoiceType ships a local-first macOS app, optional cloud assist that you opt into per request, and a small set of well-understood back-end services. This page is a plain-language map of what runs where and how it's protected.
Audio captured by VoiceType never leaves your Mac. A temp file is created during dictation, transcribed locally by WhisperKit (or Apple Speech with requiresOnDeviceRecognition=true as a hard fallback), and deleted immediately after. We don't operate a voice-receiving endpoint. We don't generate voiceprints. The non-collection design is verifiable from the network behavior of the app.
Architecture · what runs where
On your Mac (default path)
Core transcription uses on-device speech-recognition models through WhisperKit and the WhisperKit-CoreML weights, both running locally. As a strictly on-device fallback, the macOS Speech framework is invoked with requiresOnDeviceRecognition = true; cloud Apple Speech is explicitly refused. The optional local AI polish feature uses a local Qwen 3.5 4B model running through a llama.cpp inference engine entirely on your Mac. None of these on-device paths uploads your audio or transcribed text to our servers.
Our servers (direct subscriptions and API)
We operate a small number of authenticated HTTPS endpoints at api.voicetype.dev:
- verify Stripe checkout sessions and link verified subscribers to a device;
- verify subscription state by email or recovery key, manage device entitlements;
- proxy Cloud Polish requests for Pro users (post-transcription text only) so no third-party API key is embedded in the app;
- serve the latest local-LLM model manifest;
- ingest opt-in funnel events;
- receive Stripe webhooks for subscription lifecycle and refund/dispute deprovisioning.
These endpoints are served over TLS from managed infrastructure (Vercel) and are not used to store raw dictation audio. Server-side persistent state lives in Upstash. Recovery-key reset additionally requires a card last-4 verified against Stripe at request time — the last-4 is not stored beyond verification.
Third-party clouds (only when you use them)
Stripe processes payment information under PCI-DSS; we don't handle card data ourselves. If you turn on Cloud Polish (Pro), the text submitted for that step is processed by the cloud language-model provider listed in Sub-processors. Audio is never sent.
Biometric data · not collected
VoiceType does not generate, store, transmit, or use voiceprints, voice templates, biometric identifiers, biometric information, or biometric data within the meaning of:
- the Illinois Biometric Information Privacy Act, 740 ILCS 14 ("BIPA");
- the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code §503.001 ("CUBI");
- the Washington My Health My Data Act, RCW 19.375;
- the New York City POST Act;
- the California Consumer Privacy Act / California Privacy Rights Act, Cal. Civ. Code §1798.140(ae)(2);
- or analogous statutes elsewhere.
We don't perform speaker identification, speaker authentication, or voice-print matching.
Encryption
- In transit. TLS 1.2+ for every browser and app call to our APIs; modern clients negotiate TLS 1.3.
- At rest (server side). Records held in Upstash use the provider's encryption-at-rest controls.
- On-device long-lived secrets. Subscription session material and the random app-generated device identifier are stored in the macOS Keychain with the access attribute kSecAttrAccessibleWhenUnlockedThisDeviceOnly.
- On-device transcript history. Up to 20 most recent transcriptions stored in ~/Library/Application Support/VoiceType/history.enc, encrypted with a 256-bit AES-GCM key generated at first run and kept in your Keychain. Written with restrictive POSIX permissions (0o600).
- Payments. Card data is handled exclusively by Stripe's PCI-DSS-validated infrastructure, never by VoiceType code paths.
- API keys. User-provided API keys (where applicable) are stored in the Keychain via a com.techbantu.voicetypeservice entry; we never persist them in plain files.
Device identity
The app generates a random UUID at first launch and stores it in the Keychain. This identifier:
- is not derived from a hardware UUID, host name, MAC address, or any persistent device feature;
- is used solely to bind Pro entitlements to a device and enforce abuse limits;
- is rotated when you delete the app and request server-side deletion (subject to fraud-prevention holds).
Update channel
Direct (non-App Store) builds update through Sparkle. Update feeds are served over HTTPS at voicetype.dev/appcast.xml; appcasts reference builds signed with EdDSA so the app verifies authenticity before installation. We distribute macOS builds with Apple notarization and stapled tickets so Gatekeeper can validate them offline. App Store builds are reviewed and signed by Apple under standard distribution.
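A feed-level check of the properties described above, as an added example that is not VoiceType's or Sparkle's own code: it flags appcast enclosures that lack an EdDSA signature attribute or are not served over HTTPS. The sample feed, its titles, URLs and signature strings are constructed placeholders, and the check confirms only that a signature is present; Sparkle itself verifies it against the public key shipped in the app.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Sparkle's XML namespace; edSignature is the per-enclosure EdDSA attribute.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
ED_SIG = f"{{{SPARKLE_NS}}}edSignature"

# Constructed feed for illustration; titles, URLs and signature values are
# placeholders, not taken from voicetype.dev/appcast.xml.
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel>
    <item>
      <title>Version A</title>
      <enclosure url="https://downloads.example.com/app-a.zip" length="1000"
                 sparkle:edSignature="PLACEHOLDER_BASE64_SIGNATURE"/>
    </item>
    <item>
      <title>Version B</title>
      <enclosure url="http://downloads.example.com/app-b.zip" length="1000"
                 sparkle:edSignature="PLACEHOLDER_BASE64_SIGNATURE"/>
    </item>
    <item>
      <title>Version C</title>
      <enclosure url="https://downloads.example.com/app-c.zip" length="1000"/>
    </item>
  </channel>
</rss>
"""

def audit_appcast(xml_text):
    """Return (title, problem) pairs for enclosures that should not ship."""
    problems = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="(untitled)")
        enclosure = item.find("enclosure")
        if enclosure is None:
            continue  # informational item with no download attached
        if urlparse(enclosure.get("url", "")).scheme != "https":
            problems.append((title, "download URL is not HTTPS"))
        if not enclosure.get(ED_SIG, "").strip():
            problems.append((title, "missing EdDSA signature"))
    return problems

if __name__ == "__main__":
    for title, problem in audit_appcast(SAMPLE_APPCAST):
        print(f"{title}: {problem}")
```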
Access and operations
TechBantu IT Solutions, LLC is a small, founder-led company. Production access to signing keys, hosting, and back-end records is limited to the founder and, on rare occasions, vetted contractors operating under written confidentiality for narrowly scoped work. Contractor access is provisioned with least privilege, scoped to the specific work, and revoked at engagement end. We do not operate a 24/7 on-call rotation. For sensitive requests we prefer written communication over screen sharing.
Logging and retention
Server logs (request metadata: IP, user agent, path, status code) are retained up to 90 days for operational purposes, abuse detection, and rate-limiting, then deleted or rotated by our hosting provider. Funnel events (opt-in, off by default) are aggregated and pruned as described in the Privacy Policy retention schedule.
Vulnerability disclosure
We welcome good-faith security research. Email security@techbantu.us with a clear description, affected component (e.g., the macOS app, api.voicetype.dev, the marketing site, the Stripe integration), and reproduction steps. We aim to acknowledge within a few business days.
Safe-harbor scope
We will not pursue legal action against research that:
- does not violate user privacy or exfiltrate, disclose, or destroy user data;
- does not impair availability for other users (no DoS testing, no automated scanning at high rates);
- tests only against accounts you own or have written consent for;
- gives us reasonable time to remediate before public disclosure (suggest 90 days for app/web, 30 days for marketing site, longer where third-party coordination is required);
- complies with applicable law.
Out of scope
- Social engineering of TechBantu personnel, contractors, or end users.
- Physical attacks against TechBantu infrastructure or personnel.
- Denial-of-service or volumetric attacks; rate-limit testing without prior written approval.
- Findings that solely concern email-authentication records (SPF/DKIM/DMARC) without a demonstrated security impact.
- Issues in third-party services (Stripe, Vercel, Upstash, OpenAI, Hugging Face, Apple) — please report to the affected party.
- Reports generated solely by automated scanners without manual validation.
- Self-XSS or attacks requiring substantial victim interaction without a realistic exploit chain.
Acknowledgment
With your permission, we credit you in release notes. We don't currently offer monetary bounties. PGP available on request; otherwise TLS email to the address above is acceptable.
Data deletion
To delete account data tied to a direct (Stripe) purchase or to remove device linkage, contact support@techbantu.us from the email you used to subscribe. We delete or de-identify what we can within legal and fraud-prevention requirements and confirm when processing is complete. App Store subscribers must additionally manage Apple-held records through Apple's account tools.
Open verification
The on-device, no-audio-leaves-the-device design is verifiable by inspecting the app's network behavior. In default operation, the only outbound network connections associated with the transcription pipeline are (a) one-time downloads of model files from public model registries (Hugging Face) and (b), only if you explicitly enable Cloud Polish, post-transcription text (not audio) sent to our authenticated proxy. Independent network inspection of these flows is welcome under the safe-harbor terms above.
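One way to run the inspection described above, as an added example that is not VoiceType's own code: it audits a connection log against the two flows this section names and flags anything else, plus uploads too large to be text. The log format, the sample records, the `huggingface.co` suffix match and the upload threshold are assumptions made for illustration.

```python
import csv
import io

# Destinations named on this page. Matching Hugging Face by domain suffix is
# an assumption; the page says only "public model registries (Hugging Face)".
ALLOWED_SUFFIXES = ("huggingface.co",)
ALLOWED_HOSTS = ("api.voicetype.dev",)
# Assumed ceiling for a text-only request; dictation audio would exceed it.
MAX_UPLOAD_BYTES = 64 * 1024

# Constructed sample in an assumed "host,port,bytes_out,bytes_in" format,
# standing in for an export from a per-process network monitor.
SAMPLE_LOG = """host,port,bytes_out,bytes_in
cdn-lfs.huggingface.co,443,2100,1540000000
api.voicetype.dev,443,1800,2400
api.voicetype.dev,80,900,300
api.voicetype.dev,443,3500000,900
speech.example.net,443,480000,1200
huggingface.co.evil.example,443,700,900
"""

def host_matches(host, suffix):
    # Exact match or a true subdomain, so "huggingface.co.evil.example" fails.
    return host == suffix or host.endswith("." + suffix)

def audit(log_text):
    """Return (host, reason) pairs for connections that need a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["host"].strip().lower().rstrip(".")
        port, sent = int(row["port"]), int(row["bytes_out"])
        known = host in ALLOWED_HOSTS or any(
            host_matches(host, s) for s in ALLOWED_SUFFIXES)
        if not known:
            findings.append((host, "unexpected destination"))
        elif port != 443:
            findings.append((host, "not on port 443"))
        elif sent > MAX_UPLOAD_BYTES:
            findings.append((host, "upload larger than a text-sized payload"))
    return findings

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

The allowlist covers only the transcription pipeline; to audit the whole app, add the other hosts this page names, such as the Sparkle feed at voicetype.dev.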
Security: security@techbantu.us · Privacy: privacy@techbantu.us · Support: support@techbantu.us