Security & Privacy

Your conversations,
your control

Q: Where is my data stored?

Audio: Only on your device. Transcripts: Device or encrypted cloud (EU/US based on region). AI processing: Routed through EU or US servers, or fully on-device with Local AI Processing. Account data: Encrypted in Google Cloud Platform.

How Hedy handles data, who we work with, and what protections are in place.

Core Principles

Privacy by Design

Speech recognition runs locally on your device — and AI analysis can too. Audio never leaves your control unless you explicitly share it.

User Control

You decide what's shared, synced, and deleted. Your data, your rules.

Transparent Operations

Clear documentation about how we handle data, who we work with, and what protections are in place.

How We Handle Data

On-Device Speech Recognition

Audio stays on your device by default. Speech recognition is powered by on-device models.

Optional Cloud Storage

Choose device-only or cloud sync. EU users get European server storage.

Transient Cloud AI

Default. Data sent anonymously to AI partners. Not stored or used for training. EU routing available.

Local AI Processing (Optional)

Run AI analysis fully on your device. Your conversation transcripts and AI-generated content never leave your machine. Available on Apple Silicon Macs, Windows PCs, iPhone 15 Pro, and M-series iPads.

How We Protect Your Data

TLS 1.3 in-transit encryption

AES-256 encryption at rest

Zero training on your data

In-memory only cloud analysis

Regional control EU or US residency

Zero-trust employee access

GDPR Responsibility: Hedy is the data processor. Organizations remain responsible as data controllers for legal basis, consent, and data subject rights. See our Trust Center.

Compliance & Certifications

GDPR

VALID

Processor-side alignment with European data protection regulations, including DPA and SCCs.

SOC 2 Type I

CERTIFICATION: Q2 2026

Security controls audit covering availability, processing integrity, confidentiality, and privacy.

HIPAA

CERTIFICATION: Q2 2026

Healthcare data protection compliance for medical conversations. BAAs will be available.

Trust Center

Policies & compliance

View

Help Docs

Guides & documentation

Browse

EU Data Residency

Choose where your data lives during account setup. This also determines where AI processing takes place.

🇪🇺

European Union

Conversations stored and AI processed on EU servers. Available to EU, EEA, UK, Switzerland, and any user worldwide.

🇺🇸

United States

Conversations stored and AI processed on US servers. Default for users outside Europe.

Stored in your region

Sessions, transcripts, highlights, topics, chat history, custom prompts, webhooks, and settings.

Always in US

Account credentials, billing, error reports (no content), and email communications.

EU AI processing

All AI analysis routed through EU servers. Existing users can enable in Account Settings.

Region is permanent

Chosen during onboarding. To switch, create a new account and select the correct region.

Frequently Asked Questions

Is my meeting data used to train AI models?

No. Strict agreements prohibit AI providers from using your data for training. Conversations are processed for immediate insights, then discarded.

Where is my data stored?

Audio: Only on your device

Transcripts: Device or encrypted cloud (EU/US based on region)

AI processing: Routed through EU or US servers, or fully on-device with Local AI Processing

Account data: Encrypted in Google Cloud Platform

Can AI analysis run entirely on my device?

Yes. Local AI Processing is an opt-in option that runs summaries, detailed notes, chat replies, and in-session suggestions on your device. Transcripts and AI-generated content stay on the device. Available on Apple Silicon Macs, Windows PCs, iPhone 15 Pro and later, and M-series iPads. Combine with Cloud Sync turned off for the strictest setup.

Can Hedy employees access my conversations?

No. Zero-trust model. Any access requires business justification, security approval, and is audit-logged.

How do I delete all my data?

Account Settings → Delete Account. All server data permanently removed within 30 days.

What are my responsibilities under GDPR?

As a data controller, you handle: legal basis, transparency, data subject rights, and DPIAs. Hedy provides technical measures to support your compliance. See our Trust Center.

Have more questions?

Explore our Help Center for in-depth security guides, data handling policies, and compliance documentation.

Visit Help Center

Privacy-first AI,
no compromises

On-device processing. Zero data training. Your most sensitive conversations deserve the strongest protections.

Download for macOS

Your conversations,your control