Privacy Policy for WhisperShortcut
Last updated: May 12, 2026
Overview
WhisperShortcut is a macOS menu bar app for dictation, voice editing, AI chat, text-to-speech, live meeting transcription, and related productivity workflows. The app is local-first and bring-your-own-key: cloud features use your Google Gemini API key, optional OpenAI API key, and optional xAI API key for Grok chat models. Optional Google and Trello connections add controlled chat tools. Offline Whisper transcription can run without sending audio to a cloud service. This privacy policy explains what data is stored locally, what may be sent to third-party services when you use cloud or connected features, and what controls you have.
Data Collection Summary
WhisperShortcut collects minimal data and prioritizes your privacy:
- No analytics or tracking; no crash reporting operated by us
- No data sold to third parties
- App data is stored locally on your Mac
- API keys, OAuth refresh tokens, and Trello tokens are stored in macOS Keychain
- Offline Speech-to-Text can use local Whisper without sending audio to any server
- No backend, no accounts, no server-side data storage
What Data We Collect
1. API Keys And OAuth Tokens
To use cloud features, you enter your own provider API keys. Usage is billed to the account for the relevant provider. Optional Google and Trello integrations use tokens only after you connect them.
Credentials
- What: Your Google Gemini API key, optional OpenAI API key, optional xAI API key, optional Google OAuth tokens, and optional Trello API key/token
- Where: Stored securely in macOS Keychain
- Purpose: Authenticates requests to Google Gemini (cloud transcription, Dictate Prompt, Chat, TTS, Smart Improvement, and Live Meeting), OpenAI models when selected (Transcribe, Dictate Prompt, and Chat), xAI Grok chat models when selected, Google Calendar, Tasks, and Gmail tools when connected, and Trello board, list, and card tools when connected. Not needed for offline Whisper Speech-to-Text
- Retention: Stored locally until you delete the credential or disconnect the connected account
- Access: Only accessible by the app on your device
2. App Preferences
- What: Keyboard shortcuts, model selections, notification preferences, TTS voice, chat behavior, feature toggles, auto-paste toggle, and other settings
- Where: Stored locally in macOS UserDefaults
- Purpose: To remember your preferred configuration
- Retention: Stored locally until you reset to defaults
- Access: Only accessible by the app on your device
3. Temporary Audio Files
- What: Audio recordings during dictation, prompt workflows, TTS-related processing, live meeting transcription, or short-lived Smart Improvement verification
- Where: Stored temporarily in the app data folder. Smart Improvement verification samples, when enabled, are stored under UserContext/audio-samples/
- Purpose: Required for transcription and AI processing. Smart Improvement audio samples are used only as verifier evidence for dictation-related suggestions.
- Retention: Automatically deleted after processing. Smart Improvement audio samples are capped and deleted at the start of the next Smart Improvement run or when interaction data is deleted.
- Access: Only accessible by the app on your device
4. Chat Sessions
- What: Chat sessions, messages, model choices, and local chat metadata
- Where: Stored locally on your Mac
- Purpose: Lets you continue previous conversations
- Retention: Stored until you delete the chat data
- Access: Only you can access these files on your device
5. Live Meeting Transcripts (Optional)
- What: Transcript files from Live Meeting mode
- Where: Saved in the app data folder under Meetings/
- Purpose: Persistent record of live meeting transcription
- Retention: Stored until you delete the files manually
- Access: Only you can access these files on your device
6. User Context / Interaction Logs
- What: Local JSONL interaction logs may include mode names, timestamps, result snippets, prompt-related history, and optional references to short-lived dictation audio samples used to improve system prompts, user context, and dictation glossary suggestions.
- Where: Stored locally in the app data folder under UserContext/
- Purpose: Used when you click "Generate with AI" in Settings to derive suggested system prompts and user context, or for automatic system prompt improvement (if enabled).
- When it's collected: Interaction logs are saved when Save usage data is enabled. Data stays on your device until you delete it or it is automatically removed.
- Retention: Log files older than 90 days are automatically deleted. For "Generate with AI" and automatic improvement, only interactions from the last 30 days are read and sent to Google Gemini.
- Gemini Analysis: Recent local logs may be summarized and sent to Google Gemini when you run "Generate with AI", "Improve from usage", or related Smart Improvement features. You can disable automatic improvement at any time.
- Deletion: Settings > Smart Improvement > Delete interaction data, or remove the UserContext folder manually.
7. Google account — Calendar, Tasks, and Gmail (optional OAuth)
If you choose to connect your Google account, the app can access services you authorize on the Google consent screen, which may include: Google Calendar (read and create events), Google Tasks (read and manage tasks in your task lists, including create, complete, and delete), and Gmail in read-only form (search and read message content requested through the app). Exact permissions depend on the scopes Google shows you at sign-in.
OAuth scopes (as shown on Google's consent screen) align with the following. Google's own short descriptions: Calendar — view and edit events on your calendars; Tasks — create, edit, organize, and delete your tasks; Gmail (read-only) — view your email messages and settings. WhisperShortcut uses them as follows:
- https://www.googleapis.com/auth/calendar.events — list upcoming events and create timed events you request in the app.
- https://www.googleapis.com/auth/tasks — read your task lists and create, complete, or delete tasks when you ask the assistant to, matching the in-app tools.
- https://www.googleapis.com/auth/gmail.readonly — search your mailbox and read specific messages (including body text) when you ask. The app does not send email, change labels, move messages to trash, or use Gmail for advertising, background bulk sync, or model training. The connection is user-initiated; read-only access is the minimum needed to answer questions about what a message says (metadata-only access would be insufficient for that).
- OAuth tokens: Access and refresh tokens for this connection are stored only on your Mac in the macOS Keychain. WhisperShortcut has no backend and does not upload or store these tokens on our servers.
- Data and third parties: We do not sell your information and do not share it with unrelated third parties. Calendar, Tasks, and Gmail data retrieved for you may be included in requests to the cloud AI provider you configure in the app (for example, Google Gemini when you use it with your API key) only to produce the response you asked for in that session—for example, as context inside the in-app chat. That processing is subject to that provider's terms and, where applicable, Google's Privacy Policy. Direct calls to Google's Calendar, Tasks, and Gmail APIs are also subject to Google's terms and policies.
- Disconnect: You can revoke the connection at any time in the app Settings (Google connection) or by using the /disconnect-google command in the in-app chat, which removes access to Calendar, Tasks, and Gmail for this app. You can also remove the app's access in your Google Account security settings.
8. Trello boards, lists, and cards (optional token)
If you choose to connect Trello, the app can use Trello's API when you ask chat to work with boards, lists, and cards. Trello uses a manual token flow: you create or provide your Trello Power-Up API key, open Trello's authorization page, copy the token Trello shows after you click Allow, and paste it back into the app.
- What it can access: Boards, lists, and cards exposed by the Trello token you grant, including card names, descriptions, due dates, list membership, and board/list metadata.
- What it can do: List boards/lists/cards, create cards, update card name/description/due date, move cards between lists, and archive cards when you ask.
- Where credentials are stored: Your Trello Power-Up API key and Trello user token are stored only on your Mac in the macOS Keychain.
- Disconnect: You can disconnect Trello at any time in app Settings or with the /disconnect-trello command in chat. You can also revoke the token in Trello/Atlassian account settings.
What Data We Do NOT Collect
- Name, email, or physical address
- Usage analytics or tracking data
- Crash reports operated by us
- Audio recordings beyond temporary processing and the short-lived Smart Improvement verification samples described above
- Clipboard content (beyond temporary use during Speech-to-Prompt)
- Email, calendar, task, Trello board, list, or card data except when you explicitly use connected tools
Third-Party Services
Google Gemini API
WhisperShortcut can use Google's Gemini API when you configure a Google API key, for Speech-to-Text (cloud), Speech-to-Prompt, Chat, TTS, Smart Improvement, live meeting transcription, and optional flows that may include Calendar, Tasks, and Gmail-related context when you have connected your Google account. Data sent may include audio files, text, screenshots, image attachments, prompt context, and tool results. Data received may include transcribed text, AI chat responses, generated audio, or AI-modified text. Subject to Google's Privacy Policy. When you use cloud features, your audio and/or text may be sent to Google's servers. For offline Speech-to-Text with Whisper, no data leaves your device.
OpenAI API
If you choose OpenAI models, WhisperShortcut sends the minimum needed audio, text, images, chat messages, tool results, or prompt context to OpenAI using your OpenAI API key. This includes OpenAI Transcribe, OpenAI Dictate Prompt, OpenAI chat models, and hosted web search for supported OpenAI chat models when enabled. OpenAI models are used only when selected and are subject to OpenAI's policies and API terms.
xAI Grok API
If you choose a Grok chat model, WhisperShortcut sends chat messages and relevant chat context to xAI using your xAI API key. Grok models are used only when selected.
Self-hosted transcription endpoint
If you configure the Self-hosted Transcription Endpoint, WhisperShortcut sends dictation audio directly from your Mac to the endpoint URL you provide. This feature is intended for user-controlled or self-hosted OpenAI-compatible /v1/audio/transcriptions services. You are responsible for the endpoint, credentials, logs, storage, and retention behavior of that service.
Google Calendar, Google Tasks, and Gmail APIs (optional)
If you connect your Google account, the app may communicate with Google's Calendar, Tasks, and/or Gmail APIs using OAuth tokens stored in your macOS Keychain, as permitted by the scopes you approve. Use of these services is subject to Google's Privacy Policy and Google API Terms of Service, and to Gmail, Calendar, and Tasks product terms as applicable.
Trello API (optional)
If you connect Trello, WhisperShortcut communicates with Trello's API using your Trello Power-Up API key and user token. Board, list, and card data retrieved for you may be included in requests to the cloud AI provider you configure only to produce the response or action you asked for in that session. Trello data and token handling are subject to Atlassian/Trello policies and terms.
Data Protection Mechanisms for Sensitive Data
We apply the following safeguards to sensitive data, including API keys, OAuth tokens, Trello tokens, and Google Workspace data accessed through user-authorized scopes (Calendar, Tasks, Gmail):
- Encryption in transit: Requests to Google APIs (Gemini, Calendar, Tasks, Gmail), OpenAI APIs, xAI APIs, and Trello APIs use HTTPS with TLS 1.2 or higher (industry-standard transport encryption). The app does not accept insecure or downgraded connections for built-in cloud endpoints.
- Credential protection at rest: Google API keys, OpenAI API keys, xAI API keys, Google OAuth access and refresh tokens, Trello API keys, and Trello user tokens are stored exclusively in the macOS Keychain, which provides OS-level encryption and per-app access controls. They are never written to plain configuration files, logs, or any backend.
- Local data isolation: App files (chat sessions, live meeting transcripts, interaction logs, preferences) are stored inside the app's macOS user container at ~/Library/Containers/com.magnusgoedde.whispershortcut/ and are protected by macOS user account and file permission controls.
- Least-privilege access: WhisperShortcut requests only the minimum OAuth scopes required for the features you enable (Calendar events, Tasks management, Gmail read-only). No additional scopes are requested in the background.
- User-controlled access and revocation: You can disconnect your Google account at any time from in-app Settings or with the /disconnect-google chat command, which deletes the locally stored OAuth tokens. You can additionally revoke the app's access at any time in your Google Account permissions.
- User-controlled Trello revocation: You can disconnect Trello at any time from in-app Settings or with the /disconnect-trello chat command, which removes the local Trello token. You can also revoke the token in Trello/Atlassian account settings.
- Retention and deletion controls: Temporary audio files are deleted after processing. Smart Improvement audio verification samples are capped and deleted at the start of the next Smart Improvement run or when interaction data is deleted. Interaction logs older than 90 days are deleted automatically; only the last 30 days are read for Smart Improvement features. You can delete API keys, chat sessions, meeting transcripts, and interaction data at any time from in-app Settings.
- No server-side storage by WhisperShortcut: WhisperShortcut does not operate a backend that receives, stores, or processes user content, API keys, or OAuth tokens. All credentials and user data remain on your device or are sent directly from your device to the third-party API provider you configured.
- No sale of personal data: We do not sell, rent, or trade personal data to third parties.
- AI/ML training disclosure for Workspace APIs: Data accessed from Google Workspace APIs (Calendar, Tasks, Gmail) through this app is used solely to provide the user-requested feature in that session and is not used by WhisperShortcut to develop, improve, or train generalized AI/ML models. Workspace data is not shared with third parties for AI/ML training. When such data is included in a request to a configured cloud AI provider (e.g. Google Gemini using your own API key) to produce the response you asked for, that provider's own terms and policies apply to its handling.
Your Rights and Controls
You can access and modify preferences through the app settings, delete your API keys, reset preferences, delete meeting transcripts and interaction data, disable Save usage data, and disable automatic improvement. If you connected your Google account, you can disconnect it in Settings or with the /disconnect-google command in the in-app chat, which revokes the app's use of Calendar, Tasks, and Gmail. If you connected Trello, you can disconnect it in Settings or with the /disconnect-trello command in chat. Microphone and Accessibility permissions can be revoked in macOS System Settings.
Children's Privacy
WhisperShortcut does not knowingly collect personal information from children under 13.
Changes to This Policy
We may update this privacy policy from time to time. We will notify users of material changes by updating the "Last updated" date and posting the new policy in the app repository.
Contact Information
For questions about this privacy policy or our data practices, contact us at mgsgde@gmail.com. You can also open an issue on the public GitHub repository: https://github.com/mgsgde/whisper-shortcut.
This privacy policy is provided to comply with Apple App Store requirements, GDPR principles, CCPA requirements, and other applicable privacy laws.
WhisperShortcut is committed to protecting your privacy and ensuring transparency about our data practices.