Security FAQ

Recording conversations requires trust. Here is exactly how your data is handled.

Where is my audio stored?

Nowhere but your browser. Audio is captured using the MediaRecorder API and held in browser memory only. We never upload, store, or log your recordings on our servers. When you close the tab, the audio is gone.

What happens when I press stop?

The audio is sent directly from your browser to OpenAI’s Whisper API for transcription over an encrypted HTTPS connection. It passes through our server for authentication only — we do not store, log, or retain the audio. OpenAI processes it and discards it per their API data usage policy.

Do you store my transcripts?

Only if you explicitly save them to your account. Otherwise, transcripts exist only in your browser session. When you close or refresh the page, they’re gone. Cleanup and summarization features also run through OpenAI and return results to your browser — we don’t keep copies.

Is my data used to train AI models?

No. We use OpenAI’s API, which has a clear policy: data sent via the API is not used to train their models. We do not train any models of our own on your content.

Is my connection encrypted?

Yes. All traffic between your browser and our services uses TLS (HTTPS) encryption — including API calls to OpenAI, Supabase, and our own endpoints. Your audio and text are encrypted the entire time they’re in transit.

What data do you actually collect?

Your email address (only if you sign up or use “Send me a copy”), account preferences, and content you choose to save. We also collect anonymous analytics events — page views, clicks, scroll depth — with no personally identifiable information attached. We set two first-party cookies (visitor ID and A/B test assignment) with a 90-day expiry. No advertising cookies, no third-party marketing trackers.

Which third-party services touch my data?

We’re transparent about our full stack. OpenAI handles transcription and text processing. Supabase provides our database and authentication (US-hosted, with row-level security). Vercel hosts the application with no persistent data storage. PostHog tracks anonymous usage analytics (IP addresses are anonymized). Resend delivers transactional emails without storing content.

How is my account protected?

Accounts use Supabase Auth with magic-link (passwordless) sign-in — there’s no password to steal or guess. Sessions are managed with secure, HTTP-only tokens. Our database enforces row-level security, meaning the database itself ensures only you can access your data. Service-role keys are server-side only and never exposed to browsers.

Can other people see my content?

Only if you share it. Content saved to your account is private by default. Row-level security policies enforce this at the database level — it’s not just application-level protection.
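
What database-level enforcement of this kind can look like on Supabase (Postgres), as an added example that is not this product's actual schema or policies. The table `saved_transcripts`, its columns and the `is_shared` flag are hypothetical; `auth.uid()` and the `anon` / `authenticated` roles are Supabase's own.

```sql
-- Hypothetical table for saved content; names are assumptions, not the product's schema.
create table public.saved_transcripts (
  id        uuid primary key default gen_random_uuid(),
  -- Owner is taken from the caller's session; rows go away with the account.
  user_id   uuid not null default auth.uid()
            references auth.users (id) on delete cascade,
  body      text not null,
  is_shared boolean not null default false   -- private by default (assumed sharing model)
);

-- Until RLS is enabled the policies below do nothing, and any role with
-- table grants can read every row through the auto-generated API.
alter table public.saved_transcripts enable row level security;

-- Owner-only access: each statement type gets its own policy.
create policy owner_select on public.saved_transcripts
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy owner_insert on public.saved_transcripts
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

-- "using" limits which rows may be updated; "with check" stops an owner
-- from reassigning a row to another user_id.
create policy owner_update on public.saved_transcripts
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy owner_delete on public.saved_transcripts
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Explicit sharing: policies are OR-ed, so this adds read access to rows
-- the owner has flagged and nothing else.
create policy shared_select on public.saved_transcripts
  for select to anon, authenticated
  using (is_shared);

-- Audit check: any table listed here is exposed without RLS.
select relname
from pg_class
where relnamespace = 'public'::regnamespace
  and relkind = 'r'
  and not relrowsecurity;
```

The service-role key bypasses these policies entirely, which is why it has to stay on the server.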

How do I delete my data?

You can delete your account and all associated data at any time from your account settings. For anything else, email us at hello@tryorganism.com and we’ll handle it promptly.