Privacy Policy
Your voice, your choice. We're transparent about what happens with your data.
Last updated: January 2026
TL;DR
- Audio is processed in memory and never saved to disk
- Zero Data Retention — cloud providers (Groq, Deepgram) don't store your audio
- Local transcription keeps everything on your device
- Privacy Mode = zero cloud connectivity
- We don't sell your data. Ever.
What Stays on Your Device
| Data | Storage | Notes |
|---|---|---|
| Audio recordings | Memory only | Never saved to disk, cleared after processing |
| Whisper models | %APPDATA%\Finch\models\ | Downloaded from HuggingFace |
| Dictionary entries | SQLCipher database | Encrypted with 256-bit AES |
| Snippets | SQLCipher database | Encrypted with 256-bit AES |
| Recording history | SQLCipher database | Optional, encrypted, can be disabled |
| Settings | JSON file | Preferences (no sensitive data) |
| API keys | OS Credential Manager | Windows Credential Manager or macOS Keychain |
What Goes to the Cloud
Only when you choose cloud transcription or AI cleanup:
| Action | Destination | Data Sent |
|---|---|---|
| Cloud transcription | Groq or Deepgram | Audio (WAV format) |
| AI text cleanup | Groq | Transcribed text |
| AI voice commands | Groq | Command + clipboard content |
| Update checks | releases.finch.talk | Current version only |
All network requests use HTTPS encryption. Cloud providers process and discard data per their privacy policies. We do not receive or store your transcriptions.
Privacy Mode
Enable Privacy Mode for maximum data protection:
- Forces local-only transcription
- Disables recording history
- Disables LLM processing
- Zero cloud connectivity
With Privacy Mode + Local Whisper, Finch operates fully offline.
API Key Security
Your API keys (Groq, Deepgram) are protected with multiple layers of security:
- OS Credential Storage: Keys stored in Windows Credential Manager (or macOS Keychain), not in plain text files
- DPAPI Protection (Windows): Encryption keys bound to your Windows user account using Data Protection API
- Auto-Migration: Legacy plaintext keys automatically upgraded to encrypted storage on app update
- Never included in backup exports
- Only transmitted to their respective APIs (never to Finch servers)
Local Database Security
Your personal data (dictionary, snippets, recording history, custom commands) is stored locally with encryption:
- SQLCipher Encryption: Database encrypted with 256-bit AES at rest
- User-Bound Keys: Encryption key protected by DPAPI on Windows, bound to your user account
- Automatic Migration: Existing unencrypted databases are automatically migrated to encrypted format
- Data Location:
%APPDATA%\Finch\finch.db
Input Protection
Finch protects against malicious input patterns:
- Character Limits: Text input capped at 10,000 characters to prevent abuse
- Prompt Injection Prevention: Code blocks and instruction-like patterns are neutralized before LLM processing
- Audio Size Limits: Maximum 100 MB to prevent memory exhaustion
Update Security
Finch uses Tauri's built-in updater with cryptographic verification:
- 1 Update manifest fetched from releases.finch.talk over HTTPS
- 2 Download verified against Ed25519 digital signature
- 3 Signature checked against public key embedded in the app
- 4 Only installs if verification passes
Third-Party Services
If you use cloud features, data is processed by:
Groq
Zero Data RetentionUsed for cloud transcription and AI text processing. Groq does not retain customer data for inference requests by default.
View Groq Privacy Policy →Deepgram
Zero Data Retention SOC 2 Type IIUsed for real-time streaming cloud transcription. Deepgram uses zero storage by default — audio is processed and immediately discarded.
View Deepgram Privacy Policy →Questions?
If you have any questions about our privacy practices, please contact us.
[email protected]