Almost every voice-to-text app on the market claims to be "GDPR compliant." Most of them genuinely have done the paperwork to back that up: Standard Contractual Clauses, sub-processor lists, breach notification policies, the lot. So this isn't a post about which app is "legal" and which isn't.
It's a post about a much more interesting question: what does GDPR compliance actually mean when your microphone audio is being streamed to a server in another country? And what does it mean when it isn't?
I'm going to lay out exactly how PeekoType handles your data (spoiler: it doesn't really handle it at all), compare it to how the popular cloud-based competitors handle yours, and explain why I think one of those architectures is structurally stronger than the other, regardless of how good anyone's paperwork is.
The two ways to be "GDPR compliant"
Under the UK GDPR and EU GDPR, if you're a UK or EEA user, your personal data can only leave the UK/EEA for processing if one of a small set of legal mechanisms is in place:
- An adequacy decision, where the receiving country has been formally judged to provide essentially equivalent protection (Japan, South Korea, the EU itself, and so on).
- The UK–US Data Bridge (an extension of the EU–US Data Privacy Framework, in force since October 2023), if the recipient is a US company that's self-certified to it.
- Standard Contractual Clauses (SCCs) or the UK's International Data Transfer Agreement (IDTA), if not.
- Binding Corporate Rules, derogations under Article 49, and various other narrower routes.
That gives a cloud-based service two routes to lawfully process your audio:
- Set up transfer paperwork. Self-certify under the UK–US Data Bridge, sign SCCs/IDTAs with sub-processors, publish a privacy policy and a sub-processor list, agree to a Data Processing Agreement (DPA) with business customers, and trust that the receiving country's surveillance laws don't undermine the protection in practice.
- Don't transfer the data in the first place. Process it on the user's own device. No transfer, no transfer mechanism required, no chain of trust.
Both can be GDPR-compliant. They're just very different shapes.
The short version of this entire post: the first route can be compliant if everyone in the chain does their job perfectly. The second route is compliant whether they do or not, because there is no chain.
How PeekoType actually works under the hood
This is the bit I want to be specific about, because if I'm going to claim "GDPR-compliant by design" I should explain what the design is.
Speech recognition runs on your CPU
PeekoType ships with a local copy of OpenAI's open-source Whisper model. When you press F9 and start talking, your microphone audio is sent to a local Whisper instance running on your own computer (specifically through a library called faster-whisper, configured to run on your CPU). The audio never reaches a PeekoType server, an OpenAI server, or any other server. There is no PeekoType server.
That's the design choice that makes everything else fall into place. From a GDPR perspective, the audio data simply doesn't enter our processing pipeline at any point.
The licence check is local too
This is the place where "private" apps most often quietly cheat. They keep the transcription local, then phone home every time you launch the app to verify your licence, which means an internet connection, a request that includes your machine fingerprint, and a server that knows when each customer is using the software.
PeekoType doesn't do that. The licence key is a structured string with a SHA-256 checksum verified entirely on your machine, using a salt that's baked into the application. There's no licence server, no activation call, no anonymous-sounding telemetry endpoint. If you unplug your network cable, every feature still works.
No telemetry, analytics, or "improvement" pipelines
The desktop app makes no outbound HTTP requests during normal use. There are exactly two URLs anywhere in the codebase, and both are the same Gumroad purchase page, opened in your browser only when you click the "Buy licence" or "Upgrade to Pro" button. Nothing is sent to either URL by the app itself.
No crash reporting service. No usage analytics. No A/B testing framework. No "we collect anonymous usage data to improve the product" small print. It's possible because the app is sold as software you own, not as a service we're trying to optimise.
What this means in GDPR terms
Because the audio, the transcript, and the licence check never leave your device, PeekoType isn't acting as a "processor" of that data under Article 4(8) of the UK/EU GDPR. The legal consequence of that is striking:
- You don't need a Data Processing Agreement with us to use PeekoType for personal data, because we aren't a processor of it.
- There is no sub-processor list to audit, because there are no sub-processors involved in transcription.
- There is no international transfer to authorise, because nothing crosses a border.
- There is nothing for the ICO (or any EU supervisory authority) to investigate at the transcription layer, because no controller-to-processor relationship exists there.
You are the controller of your own data, on your own device, and that's the end of the data flow.
How the cloud-based competitors compare
Now the comparison part. To be clear and fair: all of these tools have legitimate GDPR posture documentation. I'm not accusing anyone of breaking the law. I'm pointing out the structural difference between "compliant via legal mechanism" and "compliant via not collecting the data."
| App | Where transcription happens | UK/EEA audio leaves the country? | What GDPR posture relies on |
|---|---|---|---|
| Wispr Flow | Cloud (US-based servers) | Yes | Data Privacy Framework / SCCs, internal DPA, sub-processor controls. |
| Otter.ai | Cloud (US-based) | Yes | DPF / SCCs, DPA available for business customers. |
| Notta | Cloud | Yes | SCCs, internal processor agreements. |
| Google Docs Voice Typing | Cloud (Google) | Yes | Google's standard Workspace transfer framework. |
| Windows Voice Typing (the built-in one) | Cloud (Microsoft) for the higher-accuracy mode | Yes (for online mode) | Microsoft's standard Online Services framework. |
| Dragon Professional | Local (on Windows desktop) | No (for offline use) | Local processing. Similar architecture, very different price. |
| PeekoType | Local (on your CPU) | No | Nothing. There is no transfer to authorise. |
The cloud tools can all be used compliantly under UK/EU law. But notice what their compliance depends on: things that aren't under your control. The continued validity of the UK-US Data Bridge (which has already had one predecessor, Privacy Shield, invalidated in 2020 by the Schrems II ruling). The accuracy of someone else's sub-processor list. The honesty of someone else's data-retention claims. The ability to challenge a US government access request from outside the US.
None of those things are necessarily problems in the normal case. They're only a problem if you're handling material where you need to be able to prove that nothing leaked: patient notes, legal client records, confidential journalistic sources, internal HR matters, sensitive research interviews. For that kind of work, "the paperwork is in order" is a noticeably weaker guarantee than "the data didn't move."
"GDPR-friendly" vs "GDPR-compliant by design"
A surprising number of cloud transcription services lean on the phrase "GDPR compliant" without much qualification. That isn't dishonest, since they have done the legal work, but it does paper over the fact that you, as the user, are still trusting an entire infrastructure stack you can't see.
Here's a cleaner way to read the marketing:
- "GDPR compliant" usually means: "We have the legal apparatus in place to process your data lawfully under UK/EU GDPR." Compliance is achieved through paperwork plus a trust relationship.
- "GDPR-compliant by design" (the language Article 25 GDPR actually uses) means: "The system is architected so that GDPR-relevant data flows don't happen in the first place." Compliance is achieved through the absence of risk.
PeekoType is the second kind. Almost every cloud dictation app is the first.
How I verified all this for our own app
I'm including this section because I think transparency about how a privacy claim was checked is part of the privacy claim. Here's exactly what I did to confirm PeekoType's behaviour matches the marketing:
- Searched the app source for outbound networking. I grepped every Python file shipped with the app (
peekotype.py,file_transcription.py,license_checker.py,audio_utils.py,text_processing.py,ui_builder.pyand the file transcription controller) for any use ofrequests,urllib,httpx,aiohttp,socket, or theopenaiSDK. There are zero such imports in the actual app code. The matches that do exist live inside the bundled Pythonsite-packagesfolder. That's library code present on disk for completeness, but never called by PeekoType itself. - Verified the transcription engine. PeekoType imports
WhisperModelfromfaster-whisper, then loads it withdevice="cpu", compute_type="int8". That's purely local CPU inference: no cloud Whisper API, no GPU upload, no remote call. The model weights load from~/.cache/whisperon your machine. - Verified the licence checker. Keys are validated against a SHA-256 checksum using a salt that's reassembled at runtime from XOR-encoded bytes. Trial state is mirrored across three local stores (a dotfile under your user profile,
%LOCALAPPDATA%, and a Windows registry key), all on your own machine. There is no remote licence server. - Audited the URLs the app contains. Two: both the same Gumroad purchase URL. Both are passed to
webbrowser.open(), which is to say they open in your browser when you click "Buy licence" or "Upgrade to Pro". The app itself never sends anything to those URLs.
This isn't a one-off audit either. Every release is built from the same source tree, so you can re-run the same checks on any version of the app you've got installed. If you're a developer or IT admin who wants to verify before deploying PeekoType at scale, drop us an email and we'll walk you through exactly what to grep for.
When does this actually matter?
Honestly? For most people, dictating a Slack message or a draft email, it doesn't matter much. Cloud dictation will be fine. The transfer mechanisms exist for a reason and they generally work.
Where it starts to matter:
- Healthcare professionals. NHS clinicians, private GPs, therapists, dentists. UK NHS Digital guidance on cloud services pushes you toward minimising what leaves the local environment, particularly for unstructured clinical notes. On-device transcription sidesteps the whole question.
- Legal professionals. Solicitors handling privileged client communications. The professional conduct rules around confidentiality are stricter than GDPR alone, and uploading a draft witness statement to a US server, even one with DPF certification, is a conversation most firms would rather not have to have with their compliance officer.
- Journalists. If you've promised a source anonymity, dictating notes about them to a cloud transcription provider creates a metadata trail (timestamps, IP addresses, server-side logs) that wouldn't otherwise exist. It's a quiet kind of risk and one that local-only tools eliminate cleanly.
- HR, finance, internal investigations. Anything containing names, salaries, allegations, or commercially sensitive material. The same logic applies.
- EU/UK organisations with a DPO who's been burned before. Anyone who lived through Schrems II and Privacy Shield's invalidation tends to prefer architectures that don't depend on the next transfer framework holding up in court.
For all of these, "compliance by design" is the easier conversation, the easier audit, and, crucially, the easier thing to keep being true over time.
What this doesn't mean
I want to keep this honest, so let me list what PeekoType's architecture does not automatically give you:
- It doesn't protect against malware on your own machine. If your computer is compromised, anything in local storage is at risk, including dictated transcripts. That's a baseline-hygiene problem, not a transcription problem, but worth being clear about.
- It doesn't relieve you of your own GDPR obligations as a controller. If you're dictating personal data about other people and storing those transcripts, you still need a lawful basis, a retention policy, and the rest of the controller responsibilities, same as if you'd typed it.
- The Gumroad purchase flow (which handles your licence payment) is a normal cloud SaaS interaction with its own GDPR posture. We handle limited account details (name, email, billing) through Gumroad and Stripe, and those providers handle their own UK/EEA transfer compliance through standard mechanisms. That's covered in our Privacy Policy.
What the architecture does give you is a sharp, unambiguous answer to the question that matters most: "where does my voice go when I press F9?" It goes to your CPU. That's it.
The bottom line
Cloud dictation services can be GDPR-compliant. They've done the work. But their compliance is a function of paperwork and trust. Paperwork can change when frameworks get invalidated, and trust in a stack you'll never see the inside of is a thinner protection than not having handed over the data in the first place.
PeekoType's compliance is a function of architecture. The data doesn't leave your machine. There's nothing to transfer, nothing to certify, nothing to renew, nothing for a future Schrems III ruling to disrupt. It's the simplest possible privacy guarantee, because there's nothing in the middle.
If you've been side-eyeing the GDPR claims in cloud dictation marketing and wondering whether the paperwork really does what it says, this is the alternative: a piece of software you install once, that talks to your CPU, and doesn't have anyone's servers in the loop. £19.99, one time. Free 14-day trial. No account needed to start.