
Is AI Transcription Private? What Providers Really Do
Summarize this article with:
Most AI transcription tools are reasonably private if you pick one that does not train on your audio by default, offers configurable auto-deletion, and encrypts both in transit and at rest. The marketing language is almost always vague about the part that matters most: whether your recordings feed back into AI training data. This post walks through what actually happens to your audio, how to read a privacy policy, and what ConvertAudioToText does and does not certify about its own practices.
Most AI transcription tools are reasonably private, but the distinction that matters most, whether your audio is used for model training, is buried in policy fine print. Here is what actually happens when you hit upload, and the specific questions that cut through the marketing language.
What Happens to Your Audio After You Upload
A typical AI transcription job has four data touchpoints, each carrying its own risk profile:
- Upload over the network. Your file leaves your device and travels to the provider's servers. Without TLS/HTTPS, it is sniffable on public Wi-Fi.
- Storage during processing. The file sits on disk while the AI model processes it. Encryption at rest matters here.
- Post-processing storage. The file often persists far longer than you would assume, sometimes indefinitely unless you delete it.
- Model training. Some providers feed your audio and transcript back into their training datasets.
None of these are visible from a marketing page. The privacy policy is where you find out.

The Questions Worth Asking Every Provider
If you are evaluating a service for anything sensitive, these are the questions that get you real answers:
- Do you encrypt files in transit? (HTTPS/TLS: almost always yes. Table stakes.)
- Do you encrypt files at rest on your storage?
- How long do you retain audio after processing? Is it configurable?
- Do you use customer audio to train AI models? Is it opt-in or opt-out?
- Do you have a data processing agreement (DPA)?
- Where are your servers located? Do you offer EU data residency?
- Are you HIPAA-eligible, with a BAA available? (Specific yes/no, not "we follow HIPAA principles.")
- Are you SOC 2 audited? Type 1 or Type 2? How recent?
- What is your breach notification policy?
Vague answers like "we take privacy seriously" or "industry-leading encryption" should be treated as a non-answer. Real privacy postures are easy to state in a sentence.
Model Training: The Risk Most People Miss
This is where providers diverge most sharply, and where marketing is most opaque.
Opt-out by default with no prominent disclosure is the worst pattern. Your audio becomes training data unless you find and toggle a buried setting. AWS Transcribe falls here: per AWS documentation, it "may store and use voice inputs processed by the service solely to provide and maintain the service and to improve and develop the quality of Amazon Transcribe and other Amazon machine-learning/artificial-intelligence technologies." You can opt out via an AWS Organizations policy, but it requires active configuration. AWS Transcribe Medical is explicitly exempt from this, per vendor documentation.
Opt-out available only on paid tiers is the middle ground. AssemblyAI, per their documentation, may use customer audio for model training and benchmarking by default. Paid customers can opt out by emailing data-opt-out@assemblyai.com. Free users cannot opt out. That is worth knowing if you are on a trial.
Otter.ai, per their privacy and security page, trains on de-identified audio using a proprietary anonymization method. Third-party AI providers are contractually barred from training on Otter customer data. There is no toggle to opt out of Otter's own first-party training use.
Descript gives users an explicit opt-out via a "Share Data with Descript" setting. With that setting off, your projects are not used to improve the service.
Rev states plainly: "We never use your content to train external AI models." They do use it to improve their own proprietary speech recognition, which is a narrower claim than "no training," but meaningfully different from broad third-party data sharing.
TurboScribe states it does not train AI or machine learning models on customer media files or transcripts, and runs transcription in-house on machines it owns, per their security FAQ.
Fireflies.ai maintains a blanket policy: "We do not use personal information for AI model training and we contractually prohibit our vendors from using this information for their own model training." They also claim a zero data retention policy for meeting content with third-party vendors.
OpenAI's Whisper API: per OpenAI's data documentation, API inputs are not used for training by default. Whisper audio transcription endpoints qualify for zero data retention, which means audio is not retained even for the brief abuse-monitoring window. That option requires eligibility approval and enterprise account configuration.
The three postures in order from worst to best:
| Posture | Example | What it means |
|---|---|---|
| Default on, opt-out buried | AWS Transcribe (standard) | Audio trains models unless you configure an org policy |
| Default on, opt-out by request | AssemblyAI (paid tier) | Email to opt out; free users cannot |
| No training on customer audio | TurboScribe, Fireflies, OpenAI API | Your content never enters a training set |
What ConvertAudioToText Does With Your Audio
In plain terms, matching our published privacy policy:
Files in transit: Encrypted via TLS/SSL from your browser to our servers.
Files at rest: Stored on Cloudflare R2 with provider-side encryption. Access is authenticated.
Retention: You control audio retention. By default, uploaded audio and video files are deleted automatically right after transcription unless you choose to keep them; on the free tier, kept audio auto-deletes within 7 days. Transcripts stay private to your account and you can delete them any time from the dashboard. Deleting your account removes all associated data within 30 days. See the auto-delete transcription files guide for when each setting makes sense.
Model training: Per our privacy policy, your content is not used to train AI/ML models, is never sold or transferred to third parties, and is never used for advertising. Audio is processed by third-party speech engines acting as subprocessors, which are listed in the privacy policy.
HIPAA and SOC 2: We are not HIPAA-certified by default and our standard plans do not include a BAA. A BAA, SOC 2 attestation, or VPC-isolated deployment can be scoped as a custom enterprise plan. Healthcare teams handling PHI on standard plans should use a HIPAA-eligible provider with a signed BAA instead; see HIPAA-compliant transcription.
DPA: Available for business customers on request.
This is the honest answer, stated at the same level of specificity we ask of other vendors above.
How to Read a Privacy Policy: The Marketing Decoder
Marketing language that should trigger more questions:
- "Industry-leading encryption": Means TLS in transit. Every provider does this. Ask about at-rest encryption and key management separately.
- "Your data is never sold": Does not say anything about training. "Never sold" and "used to train models" are compatible statements.
- "Bank-grade security": Usually means AES-256 at rest. Also table stakes.
- "We delete your data": When? What triggers it? Is it automatic or manual? What is the default?
- "GDPR-compliant": Does it mean EU data residency? A DPA? The right to deletion with a response SLA? Ask which specific obligations they satisfy.
- "SOC 2 certified": Type 1 or Type 2? How old is the audit report? Available on request?
Real answers to these are short. If the reply is a paragraph of reassurance with no specifics, the specific answer is probably "no."
Compliance Certifications: What They Actually Tell You
A note on how to weight these:
SOC 2 Type II (not Type I) means an independent auditor reviewed actual controls over a period, typically six to twelve months. Type I is a point-in-time snapshot. Rev, Otter (per their documentation), Descript, and Happy Scribe all claim SOC 2 Type II.
HIPAA eligibility is not a certification a tool earns on its own. It is a property of a deployment plus a signed Business Associate Agreement (BAA). Otter added HIPAA compliance in mid-2025, available on Enterprise with a signed BAA. Rev offers HIPAA on enterprise tiers. Fireflies claims HIPAA. AWS Transcribe Medical is HIPAA-eligible under AWS's broader BAA.
No blanket claim that a tool "is HIPAA compliant" means much without a BAA that covers your specific use case. The question to ask is: "Will you sign a BAA, and does it cover audio processing?"
GDPR compliance is similarly relational. The right questions are: Do you offer a DPA? Where is data processed? Do you honor deletion requests, and within what timeframe? Do you have SCCs in place for EU-US transfers?
For more on what each regulation actually requires and what to ask vendors, see GDPR-compliant transcription.
Auto-Deletion: Why It Matters More Than You Think
The most common pattern in transcription services is to retain audio "until you delete it." That sounds user-friendly. It is the opposite. Files sit indefinitely until you remember to clean up, which most people do not.
Auto-deletion bounds the risk window. Files have a time-to-live. They disappear automatically unless you actively choose to keep them. This matters most for sensitive content where the exposure window is the main risk.
When evaluating a provider, ask: Is auto-deletion an option, or does everything persist until manual deletion? What is the default? Can you configure it per-job or only account-wide?
When No SaaS Provider Is the Right Answer
For some recordings, no cloud service is appropriate regardless of the provider's policy:
- Government classified material
- Attorney-client privileged conversations where any third-party exposure breaks privilege
- Healthcare PHI when no BAA is available
- Personal therapy recordings where exposure would cause real harm
- Confidential business strategy with specific contractual data handling obligations
For these cases, running Whisper locally is the only fully private option. Setup requires technical effort and the accuracy is lower than the latest cloud-hosted models, but the trade is worth it for occasional high-stakes recordings. See on-device vs cloud transcription for a practical comparison.
A Decision Framework
What the audio contains should determine what you require from a provider:
| Content type | Minimum requirements |
|---|---|
| Public content (podcasts, lectures) | Any provider; privacy risk is low |
| Internal business (team meetings, strategy) | No training on audio by default; auto-deletion available |
| Client/customer conversations | DPA required; no training on audio; clear retention policy |
| Healthcare PHI | HIPAA-eligible provider with signed BAA |
| Classified or legally privileged | Self-host only |
ConvertAudioToText covers the first three. We do not cover HIPAA-eligible or self-hosted cases, and we say so plainly.
For discussions of what lawyer and journalist workflows specifically require, see transcription and attorney-client privilege and transcription and confidentiality agreements.
A note on legal and compliance framing: nothing in this post is legal advice. GDPR, HIPAA, and privilege obligations vary by jurisdiction and specific deployment. Verify requirements with your legal counsel.
FAQ
Does AI transcription keep my audio forever?
It depends on the provider and your settings. Many services retain audio indefinitely unless you delete it manually. Some offer auto-deletion after a fixed period. A few, like ConvertAudioToText, offer user-configurable retention so you can set files to delete after processing or after a defined window. Always check the default retention period and whether you can shorten it.
Do transcription services use my audio to train their AI?
Several do, at least by default. AWS Transcribe (standard tier) uses customer audio for service improvement unless you configure an organizational opt-out policy. AssemblyAI allows training use by default; paid users can opt out by request. Otter trains on de-identified audio using a proprietary method. TurboScribe and Fireflies state they do not train on customer audio. OpenAI's Whisper API does not use audio for training by default. Check the specific policy for any provider you use for sensitive content.
What is the difference between "encrypted in transit" and "encrypted at rest"?
Encryption in transit means your audio is protected while it travels from your device to the provider's servers. Encryption at rest means the file is encrypted while sitting in storage. Both matter. In-transit encryption prevents interception on public networks. At-rest encryption means a stolen disk does not expose your files. Most reputable providers do both, but it is worth confirming, especially at-rest encryption and who holds the decryption keys.
Is a transcription tool "HIPAA compliant"?
No single tool is HIPAA-compliant on its own. HIPAA compliance is a property of the deployment and requires a signed Business Associate Agreement (BAA) between your organization and the vendor covering the specific processing of Protected Health Information. Some providers, including Rev (enterprise tier), Otter (Enterprise with BAA), and Fireflies, offer BAAs. AWS Transcribe Medical is HIPAA-eligible under AWS's broader BAA. Always ask for a BAA specifically, not just a claim of "HIPAA compliance."
What should I do if my audio contains attorney-client privileged content?
The core issue is whether sending audio to a third-party SaaS breaks privilege. In many jurisdictions, using an approved subprocessor with appropriate agreements does not break privilege, but this is jurisdiction-specific and depends on your bar's guidance. At minimum, require a DPA that formalizes the vendor's role as a processor, verify the vendor does not train on your content, and confirm deletion policies. For the highest-stakes recordings, local transcription avoids the question entirely. Consult your bar's ethics guidance before uploading privileged material to any cloud service.
How do I verify what a transcription provider actually does with my data?
Ask for the DPA (not just the privacy policy), the SOC 2 Type II report (dated within the last 12 months), and a direct written answer to the training question from someone in their trust or legal team. If any of these are unavailable, or the answer to the training question is a marketing paragraph instead of a yes/no, treat it as a gap. The providers who have clean answers produce them quickly.
Sources
- Otter.ai Privacy and Security page - checked 2026-07-02
- Otter.ai SOC 2 Type II attestation announcement - checked 2026-07-02
- Otter.ai HIPAA compliance announcement - checked 2026-07-02
- Rev Security page - checked 2026-07-02
- Descript Privacy Policy - checked 2026-07-02
- Descript Security page - checked 2026-07-02
- Fireflies.ai Privacy page - checked 2026-07-02
- TurboScribe Security and Privacy FAQ - checked 2026-07-02
- HappyScribe Security and Privacy - checked 2026-07-02
- AssemblyAI Security page - checked 2026-07-02
- AssemblyAI model training opt-out documentation - checked 2026-07-02
- AWS Transcribe FAQs on data usage - checked 2026-07-02
- OpenAI data controls documentation - checked 2026-07-02
- Deepgram data security page - checked 2026-07-02
Try transcription free
Convert any audio or video to clean, unwatermarked text — speaker labels, timestamps, and AI summaries included. First 30 minutes free, no account.
Related Articles

Auto-Delete Transcription Files: Retention You Control
How transcription services handle file retention, what auto-delete settings exist across major tools, and how to configure storage to match your actual risk and workflow.

On-Device vs Cloud Transcription: The Real Tradeoff
On-device transcription is finally production-ready. Here is when it beats cloud, when it does not, and the real privacy, accuracy, and cost tradeoffs in 2026.