Security

Recording conversations requires trust. Here is exactly how your data is handled.

How audio flows through Organism

1. You press record

Audio is captured by your browser using the MediaRecorder API. The audio stays in your browser's memory — it is never sent to our servers.

2. You stop recording

The audio is sent directly from your browser to OpenAI's Whisper API for transcription. It passes through our API route for authentication only — we do not store, log, or retain the audio.

3. Transcript cleanup

The raw text is sent to OpenAI (GPT-4o-mini) for grammar and formatting cleanup. Again, it is routed through our server for authentication only and is not stored.

4. You see the result

The clean transcript appears in your browser. You can copy, download, edit, or email it. The audio remains in browser memory until you close the tab.

What we store

Audio files

Never. Audio stays in your browser.

Transcripts

Never. Transcripts exist only in your browser session.

Email address

Only if you create an account or use "Send me a copy."

Analytics events

Page views, clicks, scroll depth — aggregated, no personal data.

Cookies

Two first-party cookies for visitor ID and A/B test assignment. 90-day expiry.

Third-party services

OpenAI

Transcription and text processing

Audio and text are processed via their API. Per OpenAI's API data usage policy, data sent via the API is not stored or used for model training.

Supabase

Database and authentication

Stores user accounts and analytics data. US-hosted. Row Level Security (RLS) policies control all data access.

Vercel

Hosting

Serves the application. No persistent data storage.

PostHog

Analytics

Tracks aggregated usage events. US-hosted. No personal data beyond IP address (which PostHog anonymizes).

Resend

Email delivery

Sends transactional emails (confirmation, transcript delivery). Does not store email content.

Infrastructure security

  • All traffic is encrypted via HTTPS/TLS
  • Database protected by Row Level Security (RLS) policies
  • Service role keys are server-side only — never exposed to browsers
  • No advertising trackers, no third-party marketing cookies
  • Authentication via Supabase Auth with email confirmation

Questions or concerns

If you have security questions or want to report a vulnerability, contact us at jorgensen.tb@gmail.com.