Back to Home

Privacy Policy

Effective Date: April 28, 2026

Last Updated: July 3, 2026

Summary

HireScribe is a desktop app. Your recordings, transcripts, and AI summaries are processed and stored entirely on your device. We do not have access to that content. We never see it.

The app does make a small number of outbound network connections, all of which are described below in plain terms:

  1. Crash reports to Sentry, off by default, opt-in in Settings.
  2. Update checks against GitHub Releases every 4 hours. You can turn these off in Settings.
  3. One-time model downloads on first run: transcription models from a HireScribe-controlled GitHub repository, summarization models from Hugging Face.
  4. Optional cloud AI processing (OpenAI) only if you bring your own API key and turn it on in Settings.
  5. Pro license activation and validation against Lemon Squeezy, only if you purchase and activate a Pro license.

That is the entire surface area. The rest of this document is the detail.


1. What Stays on Your Device

The following data is created by you and stored only on your device:

  • Audio recordings
  • Transcripts
  • AI-generated summaries
  • Templates and edits
  • Application settings and database
  • Speaker labels and notes

We do not transmit, copy, or have access to any of it. There is no account, no cloud sync, no telemetry pipeline that sees your content.

Storage locations:

  • macOS: ~/Library/Application Support/hire-scribe/
  • Windows: %APPDATA%\hire-scribe\
  • Linux: ~/.config/hire-scribe/ (or XDG equivalent)

Local logs: ~/Library/Logs/hire-scribe/ on macOS, equivalent paths on Windows and Linux. See Section 3.4.


2. Local AI Processing

By default, the app uses AI models that run entirely on your device. No audio, transcript, or summary is sent to any server in the default configuration.

  • Transcription: Faster-Whisper or MLX Whisper. Open-source. Local.
  • Summarization: llama.cpp running quantized GGUF models. Bundled with the app. Local.
  • Speaker diarization: pyannote.audio (community-1 model). Local.

If you switch to cloud processing (Section 5), your audio is sent to OpenAI for transcription and the resulting transcript is sent to OpenAI for summarization. Choosing local processing keeps every step on your device.


3. Crash Reporting (Sentry)

Crash reporting helps us find and fix bugs. It is off by default. You can turn it on in Settings, and the change takes effect immediately. Turning it off again stops any future crashes from being sent.

3.1 What is sent when crash reporting is on

When the app crashes or hits a captured error, the following is sent to Sentry (a third-party error monitoring service):

  • The error message and stack trace.
  • The app version, build environment, and release identifier.
  • The operating system name and version, CPU architecture, and total RAM.
  • A "breadcrumb" trail: the most recent ~50 log events leading up to the crash. Breadcrumbs may include things like recording IDs (random UUIDs, not file contents), template names, model names, file sizes, durations, processing step names, and error strings. They do not include audio data, transcript text, or summary text.
  • Sentry's SDK also collects standard environment fields such as a randomly generated install ID and a timestamp.

3.2 What we strip before sending

Before any event leaves your device, a filter replaces home-directory paths in stack traces with generic placeholders, drops any user fields (id, email, username) the SDK may have populated, and drops free-form fields containing an @ sign or home-directory paths as a defense-in-depth check.

This filter is best-effort. If something sensitive were logged in a future build and did not match those patterns, it could be sent. We treat that as a bug and fix it. If you are worried about that risk, leave crash reporting off.

3.3 What is never sent

Even with crash reporting on, the following never leaves your device through Sentry: audio recordings, transcript text, AI-generated summary text, template prompt content, or email addresses you have entered. The Sentry SDK has no access to those data paths in the application.

3.4 Local logs

Independent of crash reporting, the app writes a local log file capped at 10 MB (rotating). It stays on your device and you can delete it at any time.

3.5 Sentry as a sub-processor

Sentry is operated by Functional Software, Inc. Its privacy policy: sentry.io/privacy. Crash reports are stored in Sentry's US infrastructure.


4. Auto-Update Checks

The app checks github.com/SourceBuddy-ai/HireScribe-downloads/releases for new versions:

  • Five seconds after launch, then every 4 hours while the app is running.
  • The request includes only what GitHub naturally sees on any HTTP request: your IP address, the standard request headers, and the user-agent identifying the version of electron-updater.
  • No HireScribe-specific identifier is sent.
  • If a newer version is available, it is downloaded in the background and installed on next quit.

Automatic update checks can be turned off in Settings → Privacy & Reporting ("Automatic Update Checks"). When the toggle is off, the app makes no update requests on its own; the manual "Check for Updates" button in Settings still works if you choose to use it.


5. Optional Cloud AI Processing (BYOK)

The app supports optional cloud AI processing through a single provider: OpenAI. It is off by default. To use it, you generate an OpenAI API key yourself, paste it into Settings, and switch processing to cloud. One key powers both transcription (Whisper API) and summarization (gpt-4o).

When cloud processing is on, the audio file you are transcribing and the resulting transcript (plus the template prompt) are sent to OpenAI. API keys are stored using your operating system's secure credential store (macOS Keychain, Windows DPAPI, libsecret on Linux). Keys are sent only to OpenAI over HTTPS, and only when you trigger that step.

When you use cloud processing, OpenAI's terms and privacy policy apply to the data you send them. We are not a party to that data. We do not see it. You can switch back to local processing at any time, and keys can be deleted in Settings.


6. Model Downloads

On first run (or when you switch models), the app downloads the requested models: transcription models from the HireScribe-controlled GitHub releases repository, and summarization models (GGUF files) directly from Hugging Face. These are standard HTTPS downloads; we do not collect any information about which models you choose. Once downloaded, a model lives on your device and is reused.


7. Pro License Activation (Lemon Squeezy)

Pro purchases are processed by Lemon Squeezy, our merchant of record. Checkout happens in your browser on lemonsqueezy.com under Lemon Squeezy's own privacy policy; the app is not involved in the payment itself.

If you activate a Pro license key in the app:

  • The app sends your license key and an instance name ("HireScribe - " plus your computer's hostname) to the Lemon Squeezy License API to activate, validate, or deactivate the key.
  • After activation, the app re-validates the key against Lemon Squeezy at most every 14 days. Between checks it trusts a locally cached entitlement, so day-to-day use makes no license network calls and works offline.
  • No recordings, transcripts, summaries, or usage data are ever included in these requests.

If you never purchase or activate a license, the app makes no connections to Lemon Squeezy.


8. Data Security

  • Your data is stored in your user-account directory and inherits your operating system's file permissions.
  • We recommend full-disk encryption (FileVault on macOS, BitLocker on Windows, LUKS on Linux).
  • Cloud API keys are stored in your OS secure credential store via Electron safeStorage, with a legacy machine-derived AES-256-GCM fallback only where no OS keyring is available.
  • The renderer process runs with context isolation, a navigation allowlist, and IPC filtering.

The app does not encrypt your audio recordings or database file at rest beyond what your OS provides. If you need stronger protection, use full-disk encryption.


9. Data Retention and Deletion

There is no server-side retention because there is no server-side storage of your content.

To delete recordings within the app: Library → select → Delete. To delete everything the app has stored on your device (database, settings, logs, downloaded models), remove the application data directory:

# macOS

rm -rf ~/Library/Application\ Support/hire-scribe/

rm -rf ~/Library/Logs/hire-scribe/

# Windows (PowerShell)

Remove-Item -Recurse -Force "$env:APPDATA\hire-scribe"

# Linux

rm -rf ~/.config/hire-scribe/

Then move the app to Trash or uninstall it.


10. Recording Consent

You are responsible for obtaining proper consent before recording, and for complying with the recording laws in your jurisdiction (one-party-consent vs. two-party-consent).

The app provides a pre-recording consent gate, a customizable consent message you can adapt to your jurisdiction, and persisted consent metadata: a timestamp, the literal consent text shown, and the jurisdiction selected, stored alongside the recording. Recordings without confirmed consent can be attested after the fact from the Library.

We do not provide legal advice. Consult counsel if you need certainty about your obligations.


11. GDPR (EU Users)

  • Controller / processor: For recordings you create, you are the controller. HireScribe acts as a software tool you operate; we are not a processor of your recording content because we do not receive it.
  • Sub-processors of the limited data we do receive: Sentry (US) for crash reports when crash reporting is on; GitHub (US) for update checks and transcription model downloads; Hugging Face (US) for summarization model downloads; Lemon Squeezy (US) as merchant of record for Pro purchases and license key activation, only if you buy a Pro license; OpenAI, only if you opt in to cloud processing with your own API key.
  • Lawful basis: You select your own lawful basis for the recordings you make.
  • Data subject rights: You exercise access, rectification, deletion, and portability directly on the file system and through the app's export and delete functions.
  • Cross-border transfers: Crash reports, update-check requests, model downloads, and license activation reach US infrastructure (Sentry, GitHub, Hugging Face, Lemon Squeezy). If that is incompatible with your obligations, turn crash reporting off and turn off automatic update checks in Settings.

A Data Processing Agreement template is available in the source repository. Email tyler@talmarkdigital.com to request a signed copy if you need one.


12. California (CCPA / CPRA)

We do not sell or share personal information. We collect no personal information about you in the default local-only configuration.

In the configurations described above (crash reporting, update checks, optional cloud processing, Pro license activation), the only categories of information involved are: device and OS metadata, error stack traces, app version, IP address (as part of routine network requests), your license key and computer hostname if you activate a Pro license, and content you explicitly choose to send to OpenAI when you opt into cloud processing.

Right to know: this document is the disclosure. Right to delete: see Section 9. Right to opt out of sale: not applicable.


13. Children

The app is not intended for users under 13.


14. Changes to This Policy

We update this policy when the software changes in ways that affect what data is collected or transmitted. Material changes are noted in the in-app changelog and in the GitHub release notes. The "Last Updated" date at the top of this document always reflects the most recent change.


15. Contact

For privacy-specific questions, use the subject line "Privacy".


What we do not claim

For honesty:

  • We do not claim SOC 2, ISO 27001, or HIPAA certification.
  • We do not claim "zero knowledge" of all data: we receive crash reports, update-check metadata, and license-activation metadata when those features are on, as described above. We do claim that we never receive your recordings, transcripts, or summary content in any configuration.
  • We do not claim the privacy filter on crash reports is foolproof. It is best-effort scrubbing on top of an architecture that minimizes what gets logged in the first place. Leave crash reporting off if that is not enough for your threat model.

Copyright © 2026 Talmark Digital. All rights reserved.