Privacy Policy
Last updated: May 15, 2026
1. Introduction
HyperVoice ("we", "our", or "us") operates the HyperVoice desktop application and the hypervoice.app website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Display name (if provided)
- Authentication credentials (managed securely via Firebase Authentication)
2.2 Subscription & Billing Information
Payment processing is handled entirely by our billing partner, Lemon Squeezy. We do not store your credit card number, CVV, or full billing details on our servers. We receive and store:
- Subscription status (active, cancelled, expired)
- Plan type and billing period
- Lemon Squeezy customer and subscription identifiers
2.3 Voice & Audio Data
Local processing (default): When you use HyperVoice Desktop in offline mode, all speech-to-text processing happens locally on your device using the Whisper AI model. Audio is captured in memory, transcribed, and immediately discarded. We never receive, transmit, or store your audio recordings in this mode.
Cloud post-processing (optional): If you enable AI post-processing via HyperVoice Cloud or a third-party provider (OpenAI, Anthropic), only the transcribed text is sent to the selected provider's API for enhancement. The original audio is never transmitted. Third-party providers process data according to their own privacy policies.
2.4 Usage & Diagnostic Data
To diagnose issues and improve the app, we collect the following from your desktop installation and account:
- Machine metadata (per app launch): CPU brand string and core count, total/available RAM, number of microphones detected, default microphone name, Whisper backend (Vulkan or CPU), operating system version
- Reliability events: application crashes, hotkey-registration failures, audio-capture failures, model-load durations, pipeline step failures (with provider name, mode, audio duration in seconds, error message, and the provider's upstream request ID where available)
- Feature usage: which post-processing providers and modes are used, plus simple UI events such as app-window-shown and settings-page-visited
- Website errors: server-side endpoint exceptions and uncaught browser-side JavaScript errors on hypervoice.app, throttled per-signature and size-capped
- Platform bucket: a single label (Windows / macOS / iOS / Android / Linux) inferred from your browser's user-agent on first dashboard visit, used to route visitors to the right per-platform installer (Windows, Linux, macOS)
What we never collect: the content of what you dictate or what Whisper transcribes, any character or word count or hash derived from that text, contents of form inputs or dashboard fields, cookie or localStorage values, keystrokes outside the recording hotkey, files on your machine, or general browsing data.
Section 10 below records every concrete change to what we capture, with dates.
2.5 Website Analytics & Cookie Consent
We use the following analytics tools to understand how visitors interact with our website. Both are gated behind your explicit consent: on your first visit you'll see a banner with equal-prominence Accept all and Reject analytics buttons. You can change your choice at any time via the Cookie preferences link in the footer.
- Google Analytics (measurement ID
G-4T7MJXDPMY) — collects pages visited, referring URLs, browser type, and approximate geographic region. Configured with Google Consent Mode v2:analytics_storage,ad_storage,ad_user_data, andad_personalizationdefault to denied. Visitors who decline still register as anonymous aggregate counters via Google's "cookieless ping" mode (no GA cookie set, no cross-page identifier). You can also opt out at the browser level via the Google Analytics Opt-out Browser Add-on. - Microsoft Clarity — records anonymized session replays and heatmaps of visitor interactions (clicks, scrolls, cursor movement) on public marketing pages. The Clarity script is not loaded at all for visitors who decline or have not yet made a choice — gating is at the script-tag level, not just at the cookie level. Clarity does not capture input field contents.
We do not use any other analytics, advertising, fingerprinting, or third-party tracking
scripts. The only cookies set on hypervoice.app are: your Firebase Authentication session
(necessary), your dashboard preferences (necessary), and — only if you accept — Google
Analytics' _ga identifier and Microsoft Clarity's session
identifier.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process your subscription and manage your account
- Send transactional emails (account verification, billing receipts, subscription changes)
- Respond to your support requests
- Detect and prevent fraud or abuse
- Analyze aggregated usage patterns to improve the product
4. How We Share Your Information
We do not sell your personal information. We may share information with:
- Service providers: Firebase (authentication), Lemon Squeezy (billing), Cloudflare (hosting)
- AI providers (only when you opt in): OpenAI, Anthropic, or other providers you explicitly configure for post-processing
- Legal requirements: If required by law, regulation, or legal process
5. Data Retention
We retain your account information for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes. Anonymized, aggregated data may be retained indefinitely.
6. Data Security
We implement industry-standard security measures to protect your information, including encryption in transit (TLS/HTTPS), secure authentication via Firebase, and access controls on our infrastructure. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict processing of your data
- Data portability
To exercise any of these rights, please contact us at support@hypervoice.app.
8. Children's Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.
9. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
10. Data & Privacy Update Log
Beyond policy wording, this log tracks every concrete change to what HyperVoice captures, stores, or transmits. Reverse chronological order — most recent first. Purely cosmetic or UI-only changes aren't listed; they're in the regular changelog.
What HyperVoice has never logged and still doesn't: the content of what you dictate, the text Whisper transcribes, any word or character count derived from that text, or hashes of it. Local transcription is 100% local. Cloud post-processing (if you opt in) sends only the transcribed text to the selected provider for that request; we do not retain it on our servers afterwards.
Paste telemetry now records which app you pasted into (executable name + window class) so we can find apps where dictation silently fails
When auto-paste runs, HyperVoice now logs the target application's executable file name (e.g. slack.exe) and its window class (e.g. Chrome_WidgetWin_1), plus whether the paste was blocked by an elevated/admin window. We added this because a meaningful share of installs get set up and then go quiet — and we previously couldn't tell whether dictation was working or silently failing to paste into certain apps (an admin window Windows blocks us from, or an app that ignores a synthetic Ctrl+V). This lets us see "paste fails in app X" and fix it.
What's captured: the target process's executable basename only and the window class, written to the details field of the existing pipeline_logs table on each auto-paste. No new request and no new payload type — it rides the telemetry write that already happens.
What's NOT captured: never the window title (which can contain document names, URLs, or message text), never the full executable path (so your C:\Users\<name> profile folder — and your username — never leaves your machine), and still no transcripts, no word/character counts, and no keystrokes. Turn auto-paste off and no paste row is written at all.
A per-install random ID is now sent with telemetry so we can count distinct installs without IP-based tracking
Each HyperVoice install now generates a random UUID v4 on first launch, persists it locally at %LOCALAPPDATA%\com.hypervoice.app\install_id, and includes it as the X-Install-Id header on every telemetry request alongside the existing fields. The ID is generated entirely on your machine, contains no derived information about your machine or you (it's not a hash of hardware identifiers, not derived from your account, not tied to a username), and is used on our side only to count how many distinct installs are active in a given week — replacing a prior approach that was undercounting because it required users to enter a setup code before installs were credited. The alternative approaches we considered required storing a hash of your IP address; we chose this one specifically to avoid that.
What's captured: a new install_id column on the existing pipeline_logs table, populated from the header on each telemetry write. No new requests, no new payload shape, no IP storage. The ID rotates if you uninstall HyperVoice with data-wipe and reinstall.
What's NOT captured: still no transcripts, no word/character counts, no keystrokes, no IP addresses. The ID is purely a stable random identifier and cannot be reversed to anything else.
Platform waitlist is now opt-in only; account deletion scrubs email from more places
Two privacy improvements. First: the platform waitlist for non-Windows users (macOS / iOS / Android / Linux) is now opt-in only — you join it by clicking Add me to the waitlist on the dashboard banner. Previously, visiting the dashboard on a non-Windows device silently added you to the waitlist. Second: account deletion now also scrubs your email address from the platform-waitlist table, the per-category email opt-out table, and the beta-key assignment record, in addition to the user / feedback / crash-log / beta-signup tables it already scrubbed.
What's captured: nothing new. The waitlist row is now only created when you click the opt-in button.
What's NOT captured: after this change, deleting your account leaves no copy of your email in any HyperVoice table (existing rows from before today's deploy are not retroactively purged from platform_waitlist).
Groq added as an option for HyperVoice Cloud post-processing
The server-side cleanup step (only invoked when you opt in to HyperVoice Cloud) can now route requests to Groq in addition to OpenAI and Anthropic. The choice of upstream provider is configured by us in the admin dashboard and applies to every cloud cleanup request — you can see which provider handled your request in the response. We default to Groq's llama-3.1-8b-instant because it returns roughly 6× faster than the previous default while running in a US datacenter under their standard API terms.
What's captured: nothing new on our side. Exactly the same payload (the transcribed text + the chosen mode's system prompt) is sent to whichever provider is currently configured. We still don't retain transcripts post-request.
What's NOT captured: still no transcripts, no word/character counts, no keystrokes. Local-only transcription (the default) is unaffected — text never leaves your device unless you explicitly select a Cloud cleanup mode.
Cookie consent banner + Google Consent Mode v2
The website now asks for your explicit consent on first visit before loading Google Analytics' cross-page identifier cookie or loading Microsoft Clarity at all. Until you click Accept, GA runs in Google's "cookieless ping" mode (a single anonymous counter, no _ga cookie set, no cross-page identifier) and the Clarity script is never injected. Necessary cookies (your sign-in session, your saved theme) are unaffected. A Cookie preferences link in the footer lets you change your choice at any time, which is the GDPR Article 7(3) right of withdrawal.
What's captured: nothing new on the server side. Your accept/reject choice and the timestamp are stored only in your browser's localStorage under the key hv-consent — we never receive a copy.
What's NOT captured: nothing new. This change is purely about gating existing analytics behind consent, not collecting anything additional.
Account ID stored on each pipeline log row
Each pipeline log entry (one per dictation, mic test, app launch, error event etc.) now carries your account ID directly on the row, instead of us deriving it at admin-query time by joining your license_key or device-link token back to the users table. The ID itself is the same opaque Firebase identifier we already had — what changed is only where it's stored. Done for admin-dashboard performance: the previous per-query attribution was reading ~150,000 rows per page-load.
What's captured: nothing new. The row-level account ID is derived from data we already had on file (the license_key or device-link token already attached the same row to the same account; we just stopped recomputing the link on every read).
What's NOT captured: still no transcript content, still no word/character counts derived from what you said, still no keystrokes — exactly the same headline guarantees.
Website error capture
Two new sources of error reporting on the website itself, mirroring the desktop app's existing telemetry. Server-side endpoint exceptions and uncaught browser-side JavaScript errors are now logged centrally so we can see and fix problems without waiting for users to report them. Throttled to one report per minute per error signature to avoid runaway loops.
What's captured: error message, file/line/column where it threw, page URL, browser user-agent, the HTTP method and path of the failing API request (server-side only), and a truncated stack trace. Each capped at ~2 KB total.
What's NOT captured: form input, your transcripts, anything you've typed into the dashboard, cookie values, localStorage contents.
System capabilities + setup-failure events
On every app launch HyperVoice now reports a small set of machine metadata so we can spot when a user's hardware can't run the app well, and so we can diagnose silent setup failures (no microphone detected, hotkey already taken by another app, model load timing out, etc.) without requiring you to report them.
What's captured: CPU brand string + core count, total/available RAM in MB, number of microphones visible to the audio system, default microphone name, Whisper backend (Vulkan or CPU) once the model loads, hotkey-registration failures with reason, audio-capture failures with reason, model-load durations, app-window-shown event, settings-page-visited event.
What's NOT captured: the content of what you say or transcribe (this hasn't changed — see the headline above), GPU adapter vendor/model/VRAM (deferred to a later release; needs a heavier dependency), keystrokes, browsing data, files on your machine, network details.
Whisper voiced-time added to local history
Each dictation on your device now stores a voiced_duration_s value — the sum of Whisper's per-segment timestamps, i.e. how long the model thinks you were actually speaking. Used only for accurate words-per-minute display on your own machine.
What's captured: a duration number (seconds), stored locally.
What's NOT captured: nothing new is transmitted off your device. The server-side logs remain unchanged.
Platform icon on admin user list
When you visit /dashboard for the first time, we classify your browser's user-agent string into a platform bucket (Windows / macOS / iOS / Android / Linux / unknown) and store it on your user record server-side. Helps us route visitors to the right per-platform installer (Windows, Linux, macOS).
What's captured: a single platform bucket string, inferred from the user-agent header you've always sent on every request.
What's NOT captured: no device IDs, no IP address storage beyond what Cloudflare's default logs already retain, no fingerprinting.
Upstream request IDs on provider errors
When a Cloud post-processing call to HyperVoice Cloud, OpenAI, or Anthropic fails, the failing response's x-request-id (or Cloudflare's cf-ray) header is now included in our error log so we can trace the failure with the provider if needed.
What's captured: the provider's own opaque request identifier from their error response, plus the provider name, mode, audio duration, and the error string.
What's NOT captured: the text that was being processed, or any signal derived from it.
Pipeline failures logged centrally
Previously, if a pipeline step (post-processing, Whisper, audio, paste) failed on your device, the error stayed in your local app log only — we couldn't see it or fix it unless you reported it. The desktop app now transmits step-level failure events so we can diagnose issues centrally.
What's captured: step name (e.g. post_processing), status (failed), app version, OS info, provider/mode where relevant, the error string itself, and which account/device the event came from.
What's NOT captured: the transcript text, the audio, or anything derived from either.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at: