Privacy Policy
Last updated: July 14, 2026
1. Controller and scope
Crăciun Cosmin Viorel PFA trading as Side Whisper, Romania, is the controller for the personal data described in this policy.
Contact: privacy@sidewhisper.com. This policy covers the Side Whisper website, waitlist, account and entitlement services, and the Side Whisper desktop application. Websites you open inside Side Whisper remain separate services governed by their own privacy policies.
2. Privacy summary
- Browser data, app settings, saved links, permission choices, voice settings, recordings, and transcriptions are handled on your device. Side Whisper does not upload your browsing history, page contents, microphone recordings, or transcripts to its account backend.
- Account access requires limited server data such as your email, consent records, plan, hashed device identifier, device label, app version, and session records.
- Offline voice models are downloaded only when you request them. Voice transcription then runs locally.
- The desktop app has no automatic usage telemetry and does not upload crash reports. Optional website analytics is described below.
3. Data processed by our website and account services
Waitlist and email
- Email address and waitlist status
- Update and marketing consent choices
- Signup, confirmation, invitation, and email-send timestamps
- Signup source, such as the homepage or footer form
- Hashed, expiring confirmation and invitation tokens, plus rate-limit records used to prevent abuse
Account, entitlement, and device access
- Email address, account identifier, optional display name, account status, and creation time
- Plan, access status and expiry, entitlement history, and consent versions, choices, and acceptance time
- A one-way hash derived from a system machine identifier and a random installation identifier; we do not send the raw machine identifier
- Device label, which currently includes the computer hostname, operating-system family, app version, registration time, last activity time, and revocation status
- Hashed desktop session tokens and one-time-code records. The one-time code and device-code flows expire after 10 minutes; desktop sessions expire after 30 days or earlier when revoked.
We do not currently collect payment-card details through the Side Whisper app or website. Microsoft may independently process Store account, acquisition, payment, and transaction information under Microsoft's own terms.
4. Data kept on your device
The desktop app stores information needed to provide its features:
- Saved links and dividers, titles, URLs, custom icons, favorites, templates, themes, shortcuts, window placement, and browser and voice settings
- Open-tab metadata such as URLs, titles, favicons, active-tab state, and notification badge counts
- Per-site permission choices keyed by site origin, including camera, microphone, location, notifications, clipboard read, screen sharing, and supported MIDI permissions
- Voice Dictionary entries and Voice Snippets that you create
- Chromium browser data used by sites, such as cookies, cache, local storage, service workers, and login sessions
- If you explicitly use Advanced website session migration, the selected JSON export is reviewed and imported locally. The app shows only file metadata, domain names, and entry counts; it stores one-way value hashes locally so unchanged imported sessions can later be removed without retaining cookie values in app settings.
- Local crash dumps and a local encrypted authentication cache containing the desktop session, email, consent state, entitlement snapshot, and offline-grace expiry
The authentication cache is written only when Electron secure storage is available. If secure storage is unavailable, Side Whisper does not persist the cache and discards an existing cache it cannot securely decrypt. Other app and browser settings are stored in the normal Side Whisper application-data folder and are not all encrypted.
Side Whisper does not upload a selected session-export file and does not delete the source file after import. Because such a file can grant access to signed-in websites, review it carefully and delete the export yourself when you no longer need it.
5. Browsing and third-party websites
Side Whisper is a browser shell. When you visit a site, search the web, sign in, download a file, or grant a site permission, your device communicates directly with that site or provider. As in other browsers, those services may receive your IP address, browser and device information, requested URL, cookies, account data, and content you submit. Side Whisper does not control those services.
Site notifications are intercepted locally so the app can show a Windows notification, maintain a badge count, and reopen the originating page when you click it. Notification titles, bodies, icons, and destination URLs are processed on the device and are not sent to the Side Whisper account backend.
Ad and tracker blocking runs locally using Ghostery's engine and EasyList/EasyPrivacy-compatible rules. The app maintains local blocked-request counts; it does not send those counts to Side Whisper servers.
6. Voice dictation and model downloads
With Voice enabled, microphone audio is captured by the app, converted to a temporary local audio file, and transcribed on your device with the selected Whisper model. Temporary audio and chunk files are deleted after processing during normal operation, but a file may remain in the operating system's temporary folder if the app or computer stops unexpectedly.
The resulting text is processed locally, placed on the clipboard, and, depending on your setting, pasted into the active app. Text may therefore remain in clipboard history or in the destination app. Side Whisper does not send recordings or transcripts to its website or account backend.
Voice models are not bundled. When you choose Download, the model file is fetched directly from Hugging Face and stored in Side Whisper's local model directory until you delete it. Hugging Face will receive normal network-request data, including your IP address, under its own privacy policy.
7. Screen sharing, permissions, and downloads
Permission decisions are requested per site and stored locally when you choose a persistent decision. Screen sharing uses a trusted local picker that lists available windows and displays; selection details and preview thumbnails are held in memory for the picker and are not uploaded to Side Whisper. The chosen site receives the stream you authorize.
Files you download from third-party websites are transferred directly from those websites to the location you choose. Their content and handling remain subject to the source website and your operating system.
8. Diagnostics and updates
Electron crash reporting is configured with server upload disabled. Crash dumps remain local. If you manually export a diagnostics report, it includes app/runtime versions, operating system and hardware summaries, display layout, feature toggles, item counts, and crash-dump filenames. It intentionally excludes URLs, link titles, emails, tokens, and theme contents. Nothing is sent unless you choose to share the exported file.
Microsoft Store builds receive updates through Microsoft Store. Non-Store builds may check GitHub Releases and download an update after you approve it. Microsoft or GitHub receives normal network request data for those operations under its own privacy policy.
9. Why we process data and our legal bases
- Provide the service: authenticate you, register devices, apply plan access, deliver protected downloads, and maintain account security. Legal basis: performance of a contract or steps requested before entering a contract (GDPR Art. 6(1)(b)).
- Waitlist and marketing: confirm your signup and send the updates or marketing you chose. Legal basis: consent (GDPR Art. 6(1)(a)).
- Security and reliability: rate-limit abuse, investigate failures, enforce device limits, and protect accounts and services. Legal basis: our legitimate interests (GDPR Art. 6(1)(f)), balanced against your rights.
- Legal compliance: retain or disclose limited records where law requires it. Legal basis: legal obligation (GDPR Art. 6(1)(c)).
Side Whisper applies technical plan, expiry, and device-limit rules automatically. We do not use personal data for profiling or automated decisions that produce legal or similarly significant effects. Contact us if you believe an access decision is wrong.
10. Service providers and international transfers
We use these services for limited operational purposes:
- Convex — account, waitlist, consent, device, entitlement, session, and release metadata storage and processing
- Resend — confirmation, invitation, and sign-in email delivery
- Clerk — website account and administrator authentication
- Vercel — website hosting and, only when enabled, Web Analytics
- Hugging Face — user-initiated voice-model downloads
- Microsoft — Store distribution, acquisition, and Store-managed updates
- GitHub — update metadata and binaries for non-Store builds
Some providers may process data outside the European Economic Area. Where Side Whisper is responsible for such a transfer, we rely on the provider's applicable GDPR transfer safeguards. Third-party websites you choose to visit are not Side Whisper processors.
11. Website analytics, cookies, and connection logs
Vercel Web Analytics is optional and is included only when enabled in the website deployment. When enabled, it measures website visits and interactions without Side Whisper setting an analytics cookie. Vercel and hosting infrastructure may still process normal connection data such as IP address, user agent, timestamps, and requested pages for delivery, security, and aggregate reporting.
Website account areas may use cookies or similar storage required by Clerk to authenticate a session. The desktop app stores your analytics-consent choice with the accepted policy version, but the desktop application itself does not send usage analytics.
12. Retention and deletion
- Waitlist data is retained until the early-access period ends plus up to 12 months, or until you unsubscribe or request deletion, unless a legal requirement applies.
- Account, entitlement, consent, and device records are retained while your account is active and as needed for access, security, dispute handling, and legal obligations. Revoked device and entitlement-history records may be retained for audit and fraud prevention. Account deletion requests are completed subject to required legal retention and provider backup cycles.
- OTPs, device codes, sessions, and invitation links have short validity periods. Expiry stops their use; related hashed records may remain until replaced, cleaned up, or the account is deleted.
- Local app, browser, model, crash, and temporary data remains on your device until you clear or delete it, remove the relevant app data, or the operating system cleans it up. Uninstall behavior varies by distribution channel and operating-system settings.
13. Security
Measures include HTTPS/TLS in transit, one-way hashing for confirmation tokens, OTPs, server sessions, and device identifiers, Electron secure storage for the local auth cache, rate limiting, expiring authentication challenges, scoped administrator access, and local-only crash reporting. No system is completely secure; please contact us if you believe your account or data is at risk.
14. Your GDPR rights
Depending on the circumstances, you may have the right to access, correct, erase, or receive a portable copy of your personal data; restrict or object to processing; and withdraw consent without affecting earlier lawful processing. Some rights are limited by their legal conditions and applicable retention duties.
Send requests to privacy@sidewhisper.com. We may need to verify your identity before acting. You can also use the unsubscribe link in waitlist or marketing email. For a plain-language overview, see the European Commission's GDPR rights guide.
15. Complaints and policy changes
You may lodge a complaint with your local data-protection authority or with Romania's authority:
ANSPDCP
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
www.dataprotection.ro
We will update the date above when this policy changes materially. Where required, we will request renewed consent or give additional notice in the app or by email.