ZapVox

Transcribe, translate, and summarize WhatsApp Web audio messages with AI

1. Introduction

This Privacy Policy describes how the ZapVox extension ("we", "us", "our") collects, uses, and protects user information ("you"). ZapVox is a browser extension for Chrome/Edge that transcribes, translates, and summarizes audio messages on WhatsApp Web.

Last updated: April 23, 2026

Version: 1.6

2. Data We Collect

2.1 Data processed locally (never leaves your device)

Audio messages: The content of audio messages from WhatsApp is processed locally in your browser via Whisper (a local AI model). Raw audio is never stored to disk. When local transcription fails or your daily limit is reached, audio may be sent to our cloud server (Groq) for processing—this applies to all plans (Free, Trial, Pro, and BYOK).
Cached transcriptions: Transcribed text is stored in chrome.storage.local for up to 7 days to avoid reprocessing. This data stays exclusively in your browser.
Settings: Preferences such as language, feature toggles, and hardware profile are stored locally.
Extension preferences: Your chosen transcription mode, AI model, and other preferences are stored exclusively in chrome.storage.local and never sent to servers.
Anonymous usage statistics: Local counters (e.g., total transcriptions, daily usage) are stored in your browser to display in the extension panel. This data is never transmitted externally.
Sentiment analysis cache (v3.4.9+): When you click the 🎭 Sentiment button, the analysis result is stored in chrome.storage.local (key zapvox_sentiment_cache) for up to 7 days so the sentiment chip survives page reloads without reprocessing. The associated message identifier is the same sanitized hash used by the transcription cache. This data never leaves your browser and is automatically purged after 7 days.

2.2 Data sent to servers (only when necessary)

Data	When	Destination	Purpose
Audio (base64)	Cloud transcription (all plans, when local fails)	Supabase Edge Function → Groq	Convert audio to text
Audio (base64)	BYOK transcription (your own key)	Groq or OpenAI (directly from browser)	Convert audio to text
Transcribed text	Translation or summary	Supabase Edge Function → Groq/Gemini	Translate or summarize text
JWT token	Authentication	Supabase Auth	Validate session and plan
Email	Login/signup	Supabase Auth	Create and manage account

        Important: In Local mode, no audio data leaves your device. In Auto mode (default), the extension tries local first and only uses cloud if necessary. This fallback applies to all plans (Free, Trial, Pro, and BYOK). The extension does not access your microphone—it only reads audio already received in WhatsApp Web.
      

2.3 Local storage for extension functionality

To provide a smooth experience, ZapVox temporarily stores the following technical data in your own browser (never on our servers):

Contact name cache: Sender names are stored locally for up to 30 days for quick display in transcriptions. These names are the same ones already visible in your WhatsApp Web and are never transmitted to external servers.
Diagnostic logs: A circular buffer of up to 200 entries is maintained locally for debugging. Logs contain only anonymized name initials (e.g., "JS***"), never full names, and are not transmitted externally.

        Full control: You can remove this data anytime by opening ZapVox Settings → "Clear privacy data" within the extension, or by clearing extension data at chrome://extensions.
      

2.4 Data we do NOT collect

Browsing history or activity outside WhatsApp Web
Contacts, photos, videos, or text messages from WhatsApp
Microphone, camera, or location data
Payment information (processed by Stripe; we have no access)
Fingerprinting data (GPU, detailed hardware, etc.)

3. API Keys (BYOK)

If you choose to use your own API keys (Bring Your Own Key — BYOK), they are:

Encrypted with AES-GCM 256-bit before being stored
Protected by PBKDF2 with 600,000 iterations and a unique random salt per user
Stored exclusively in your browser's chrome.storage.local
Never sent to our servers—they are used directly with Groq/OpenAI

4. Security

AES-GCM 256-bit encryption for BYOK keys
PBKDF2 with 600,000 iterations (OWASP standard) and unique random salt per user
Communication exclusively via HTTPS
JWT tokens with expiration and automatic refresh
Rate limiting on Edge Functions to prevent abuse
Payload validation on all messages (content script ↔ background)
Restrictive Content Security Policy in manifest.json

5. Browser Permissions

Permission	Why We Need It
`storage`	Save settings, transcription cache, and encrypted keys
`unlimitedStorage`	Cache Whisper models locally (140 MB to 1.5 GB) to avoid re-download on each use
`notifications`	Show notifications when transcription completes
`identity`	OAuth authentication for login (Google Sign-In via Supabase)
`alarms`	Keep the Service Worker active during long transcriptions and manage daily usage resets
`tabs`	Detect WhatsApp Web tabs to send results
`offscreen`	Run local Whisper model in an offscreen document (required for Web Workers in MV3)
`host: web.whatsapp.com`	Inject content script to add transcription buttons to audio messages

6. Your Rights (LGPD / GDPR / CCPA)

6.1 LGPD Rights (Brazil)

Under Brazil's Lei Geral de Proteção de Dados (General Data Protection Law), you have the right to:

Access: Request what data we hold about you
Correction: Correct inaccurate data
Deletion: Request removal of all your data
Portability: Receive your data in a readable format
Revocation of consent: Disable auto-transcription anytime via the extension popup
Information about sharing: Understand how your data is shared with third parties

6.2 GDPR Rights (European Union)

Under the General Data Protection Regulation (GDPR), you have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate data
Erasure (Right to be Forgotten): Request permanent deletion of your data
Restriction of Processing: Limit how we use your data
Data Portability: Receive your data in a structured, commonly used format
Objection: Object to our processing of your personal data

6.3 CCPA Rights (California)

If you are a California resident, you have the right to:

Know: Learn what personal information we collect, use, and share
Delete: Request deletion of your personal information
Opt-out of sale: Opt out of any potential sale or sharing of your data (note: ZapVox does not sell personal information)

To exercise any of these rights, contact us using the information in Section 12.

How to clear local privacy data: Open ZapVox Extension → Settings → click "Clear privacy data". This removes diagnostic logs and contact name cache without affecting your settings or account.

How to clear all extension data: Go to chrome://extensions, click "Details" on ZapVox, then "Clear site data". This removes all cached transcriptions, settings, and BYOK keys.

7. International Data Transfers

Most of your data is processed locally on your device. However, when cloud processing is used, your data may be transferred to and processed on servers located in the United States (through Supabase and Groq). We implement appropriate safeguards to protect your data during international transfers, including standard contractual clauses and encryption in transit via HTTPS. By using ZapVox, you consent to the transfer of your data to the United States for processing as described in this policy.

8. Third Parties and Subprocessors

Service	Purpose	Privacy Policy
Supabase	Authentication, Edge Functions (transcription/translation for Pro plan)	supabase.com/privacy
Groq	Cloud transcription, translation, summary (primary provider) + BYOK	groq.com/privacy
OpenAI	BYOK transcription (when user provides own key)	openai.com/privacy
Google Gemini	Translation and summary fallback (via Edge Function)	policies.google.com/privacy
HuggingFace	Download of Whisper ONNX models for local transcription (no user data)	huggingface.co/privacy
Stripe	Payment processing (Pro plan)	stripe.com/privacy

9. Data Retention

Transcription cache: 7 days (automatic, local)
Contact name cache: 30 days (automatic, local)—removable via Settings
Diagnostic logs: Last 200 entries in circular buffer (local)—removable via Settings
JWT session: Until token expiration (auto-renewed)
Account data: Retained while account is active
BYOK keys: Until you remove them or clear extension data
Processed audio: Discarded immediately after transcription (never stored)

10. Minors

ZapVox is not intended for children under 13 years of age. We do not intentionally collect data from children. If you believe a minor has provided data, please contact us for immediate removal.

11. Chrome Web Store Limited Use Disclosure

ZapVox complies with the Chrome Web Store's Limited Use policy:

Permitted use: Data collected is used exclusively to provide and improve the features described in this policy (transcription, translation, summary).
No advertising: Your data is never used for personalized advertising, retargeting, or ad targeting.
No data sales: Your data is never sold, licensed, or shared with third parties for commercial purposes.
No human access: No employee or contractor accesses your personal data except in case of legal obligation or with your explicit consent.
Limited transfers: Data is only transferred to the subprocessors listed in Section 8, exclusively to provide extension features.

12. Changes to This Policy

We may update this policy periodically. Significant changes will be communicated via notification in the extension or in the changelog. The last updated date will always be visible at the top of this page.

13. Contact

For questions, data requests, or to exercise your rights:

Email: [email protected]

Developer: Diegomaier Nunes Neri

Related documents: Terms of Service