Every WhatsApp extension that has popped up in the last three years had a common problem: it asked for overly broad permissions and did things with user data that nobody fully understood.

When designing ZapVox, I went the opposite way. Not for the marketing — for the engineering. The less data you store, the fewer headaches you have. The fewer permissions, the smaller the attack surface.

This article explains EXACTLY what happens to your audio, your keys, your conversations. No PR, no legal jargon.


1. Your audio: processed in seconds, then discarded

When you click "transcribe" in ZapVox, depending on your plan:

Pro/Trial plan (Cloud)

  • The audio leaves your browser via HTTPS to our server
  • Gets processed in ~1 to 5 seconds by the Whisper model
  • The resulting text comes back to you
  • The audio is discarded immediately — nothing persists on disk, nothing goes to backup, nothing stays in logs

BYOK (your own Groq or OpenAI key, any plan)

  • The audio leaves your browser DIRECTLY to Groq or OpenAI via HTTPS
  • It DOES NOT pass through our server
  • You are responsible for the privacy policy of the chosen provider (Groq and OpenAI document this publicly)
  • Advantage: zero contact with the ZapVox infrastructure for audio content

In either scenario, we never store audio on disk. There's no folder, no bucket, no audio log. The engineers on our cloud APIs cannot "listen in" because there's no file to listen to.


2. Your BYOK keys: encrypted locally, never transmitted

If you set up a Groq or OpenAI key in ZapVox (the BYOK feature), it goes through 3 layers of protection:

🔐 How your BYOK key is protected
  • AES-GCM 256-bit encryption — NIST standard, used in banking and government security
  • PBKDF2 with 600,000 iterations — makes brute-force computationally unfeasible
  • Random salt unique per user — even if two users have the same key, the ciphertext is different

The encrypted key lives only in your browser's local storage. It's never transmitted to our servers. When you use the key, it's decrypted in memory and sent directly to the provider (Groq or OpenAI) — never going through an intermediary.

Concretely: if our database gets breached tomorrow, your keys aren't there. You can't leak what you don't have.
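
The scheme described above, sketched with the WebCrypto API as an added example; this is not ZapVox's source code. The article does not say what secret feeds PBKDF2 or which hash it uses, so a user-supplied passphrase, SHA-256, a 16-byte salt and a 12-byte nonce are assumptions, and `sealApiKey` / `openApiKey` are hypothetical names.

```javascript
// Added example: hypothetical helpers, not ZapVox source code.
// Assumed (not stated in the article): PBKDF2 input is a user passphrase,
// PRF is SHA-256, salt is 16 bytes, AES-GCM nonce is 12 bytes.
const ITERATIONS = 600000; // iteration count stated in the article

// Browsers and recent Node expose WebCrypto globally; older Node needs the import.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function deriveKey(wc, passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns a JSON-serialisable record that can sit in extension local storage.
async function sealApiKey(apiKey, passphrase) {
  const wc = await getCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh for every record
  const iv = wc.getRandomValues(new Uint8Array(12));   // never reused under one key
  const key = await deriveKey(wc, passphrase, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(apiKey));
  return { salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Returns the plaintext key, or null when the passphrase is wrong or the
// record is malformed or modified (the AES-GCM tag check fails).
async function openApiKey(record, passphrase) {
  const wc = await getCrypto();
  try {
    const key = await deriveKey(wc, passphrase, fromB64(record.salt));
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

Because the salt and nonce are random, sealing the same key twice yields two different records, which is the property the third bullet describes.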


3. Your WhatsApp messages: the extension doesn't read them

Verify it yourself: chrome://extensions → ZapVox → Details → "Site access" section. You'll see:

ZapVox permissions
  • Access to: web.whatsapp.com (needed to detect audio messages)
  • Access to: api.groq.com and api.openai.com (needed for BYOK)
  • Access to our server (only for auth + cloud transcription)

We DO NOT have access to: other sites, browsing history, downloads, bookmarks, Chrome identity, contacts, photos, location.

Technically, ZapVox detects audio HTML elements in WhatsApp Web's DOM — it doesn't read message text, doesn't read contact names (except what appears in the specific audio you want to transcribe), doesn't capture images.
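
One way to check the permission claims above against an unpacked extension's manifest.json, as an added example rather than ZapVox code. The host list comes from this article; `zapvox-server.example` is a placeholder for the server host the article does not name, and both sample manifests are constructed.

```javascript
// Added example: hypothetical audit helper, not part of ZapVox.
// Hosts named in the article; the last entry is a placeholder because the
// article does not name the ZapVox server host.
const ALLOWED_HOSTS = ['web.whatsapp.com', 'api.groq.com', 'api.openai.com',
  'zapvox-server.example'];
// Chrome permission names for access the article says the extension lacks.
const DENIED_APIS = ['history', 'downloads', 'bookmarks', 'identity', 'geolocation'];

// Host part of a match pattern such as "https://*.example.com/*", or null.
function patternHost(pattern) {
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1] : null;
}

function auditManifest(manifest) {
  const findings = [];
  const hostSources = {
    host_permissions: manifest.host_permissions ?? [],
    optional_host_permissions: manifest.optional_host_permissions ?? [],
    content_scripts: (manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  };
  for (const [where, patterns] of Object.entries(hostSources)) {
    for (const pattern of patterns) {
      const host = patternHost(pattern);
      if (pattern === '<all_urls>' || host === '*') {
        findings.push(`${where}: ${pattern} grants access to all sites`);
      } else if (!ALLOWED_HOSTS.includes(host)) {
        findings.push(`${where}: ${pattern} is outside the documented hosts`);
      }
    }
  }
  for (const api of manifest.permissions ?? []) {
    if (DENIED_APIS.includes(api)) findings.push(`permissions: ${api} should be absent`);
  }
  return findings;
}

// Constructed manifests for illustration; neither is ZapVox's real manifest.json.
const narrowManifest = {
  manifest_version: 3, permissions: ['storage'],
  host_permissions: ['https://web.whatsapp.com/*', 'https://api.groq.com/*',
    'https://api.openai.com/*', 'https://zapvox-server.example/*'],
  content_scripts: [{ matches: ['https://web.whatsapp.com/*'] }],
};
const broadManifest = {
  manifest_version: 3, permissions: ['storage', 'history'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'] }],
};
```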


4. Google login: why and what we collect

You need to sign in with Google to use ZapVox. We collect exactly:

  • Your email — to associate your account and billing cycle
  • Preferred language — for the interface (PT-BR or EN)
  • Usage counters — how many transcriptions you did today, this month (to apply plan limits)

We DO NOT collect:

  • Your Google profile photo
  • Your Google contacts list
  • Your Calendar or Drive
  • Your search history

When you delete your account (email [email protected]), we erase that data within 30 days. The only thing we keep longer is tax records of payments, a Brazilian legal requirement of 5 years.


5. Legal compliance: LGPD, GDPR, CCPA

Full compliance with:

  • LGPD (Brazilian Data Protection Law) — Law 13.709/2018
  • GDPR (EU General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act, USA)

Your guaranteed rights:

  • Access — request a copy of all data we hold about you
  • Correction — update email, name, account data
  • Deletion ("right to be forgotten") — erase account and associated data
  • Portability — export your data in machine-readable format
  • Objection — refuse data processing for specific purposes (e.g., marketing emails)
  • Consent withdrawal — granular unsubscribe by category (transactional, product, marketing)

To exercise any right: [email protected]. We reply within 72 business hours (usually faster).


6. What makes us different

Without comparing to specific competitors, there are similar extensions on the market that:

  • Ask for "all sites" permission — huge attack surface
  • Send transcriptions to an internal database to "improve the model"
  • Don't document what's kept and for how long
  • Don't allow telemetry opt-out

ZapVox was designed with the opposite mindset: starting from "what's the minimum data collection that still enables the product?". It's more engineering work, but it lets us sleep at night.


How to verify it yourself

Don't take our word for it. Check for yourself:

  1. Open chrome://extensions and check the actual permissions
  2. Open DevTools (F12) → Network tab while using the extension. See exactly which requests go out
  3. Read our full Privacy Policy
  4. Read our Terms of Service
  5. Check the product history in the Changelog (what features changed, and why)


Have a specific privacy concern for your organization? Email [email protected] with the concrete question — I'll reply within 72 business hours (usually faster) with what's technically possible.