Limited time: Save up to 33% on every planView pricing
Voibe Logovoibe Resources
voicyis voicy safevoicy privacyvoicy securityvoicy groqcloud dictation privacymac dictation privacyprivacy

Is Voicy Safe? Groq Cloud Path & Policy Gaps (2026)

Is Voicy safe? It's cloud-only β€” audio routes through Groq with immediate-deletion promises. But the no-training claim lives on marketing pages, not in policy.

Is Voicy Safe? The Direct Answer

TL;DR: Voicy makes some of the clearest deletion promises in the indie cloud dictation field β€” and they are worth crediting. Per its security policy (version 1.3, dated July 31, 2025): “No audio recordings are stored by Voicy or Groq - all audio data is permanently deleted immediately after processing,” and “all transcribed content is immediately deleted after delivery to the user.” Transcripts live only on your device. The privacy policy adds that Voicy has enabled Groq's Zero Data Retention setting, which β€” if enabled β€” switches off Groq's default up-to-30-day retention window.

The problems are about where those promises live, and what stands behind them:

  • It is 100% cloud, across two perimeters. Every dictation crosses Voicy's Heroku-hosted servers (USA) and Groq's infrastructure (USA), where Whisper V3 transcription and AI-command post-processing run. There is no offline or on-device mode at any tier, and the ZDR claim is self-attested β€” no audit verifies it.
  • The no-training promise sits on marketing pages, not in either policy. The homepage says “We do not use your recordings to train an AI model” β€” but neither the security policy nor the privacy policy contains any training language at all. The privacy policy also carries no version number, no effective date, and no entity name; and Voicy publishes no terms of service.
  • The paperwork hasn't kept up with the product. The security policy's scope covers the Mac, Windows, Linux, and Chrome extension apps β€” but Voicy shipped iPhone and Android apps in spring 2026 that no published security policy covers, and the two app stores' disclosure labels disagree with each other about whether audio is collected. There is no SOC 2, ISO 27001, HIPAA claim, or BAA.

So: for everyday drafts, emails, and notes, Voicy is a defensible cloud dictation tool with better-documented deletion behavior than many indie peers. For regulated, privileged, or NDA-bound work, the missing audits and the scattered paperwork rule it out. And if you want the two-perimeter question to disappear entirely, on-device tools like Voibe never transmit audio at all β€” per Voibe's privacy policy, “the Voibe application processes your voice entirely on your device. No audio is transmitted to our servers at any point.”

Disclosure: Voibe is our product. This investigation credits Voicy's genuine documentation strengths and flags its verification limits as fairly as possible. Voicy's claims are quoted from its security policy (v1.3, July 31, 2025), its privacy policy, and its homepage at usevoicy.com as retrieved July 6, 2026; company facts are grounded in our Voicy review and pricing guide.

Key Takeaways: The Voicy Safety Picture

AreaCurrent State (July 2026)Source
Processing architecture100% cloud at every tier. No offline, local, or BYOK mode exists.usevoicy.com + security policy v1.3
Data pathDevice β†’ Voicy servers (Heroku, USA) β†’ Groq (USA, Whisper V3 + AI-command post-processing) β†’ transcript back to device.Security + privacy policies
Audio retention“No audio recordings are stored by Voicy or Groq - all audio data is permanently deleted immediately after processing.”Security policy v1.3
Transcript retention“All transcribed content is immediately deleted after delivery to the user.” Transcripts stored locally on your device only.Security policy v1.3
Groq Zero Data RetentionPrivacy policy states Voicy “enabled their Zero Data Retention settings.” Groq's own default is up-to-30-day retention; the ZDR claim is self-attested with no audit.Privacy policy + Groq data docs
AI training“We do not use your recordings to train an AI model” β€” homepage only. Both policies are silent on training.usevoicy.com (marketing)
Named subprocessorsGroq (transcription + post-processing), Mixpanel (anonymous usage analytics, opt-out), Heroku (hosting).Security policy v1.3
Compliance attestationsNone. No SOC 2, ISO 27001, HIPAA claim, or BAA. Policy cites “adherence to international data protection standards” without naming one; no GDPR/CCPA language.Both policies (absence)
Policy freshness & scopeSecurity policy frozen at v1.3 (July 31, 2025) and scoped to Mac/Windows/Linux/Chrome β€” it does not cover the iOS (April 2026) or Android apps. Privacy policy is undated and unversioned.usevoicy.com/legal-pages
Store-label consistencyApple's privacy label declares Audio Data collected (not linked to identity); Google Play's Data Safety section declares no audio collected and no data shared β€” the two disclosures disagree.App Store + Google Play listings
Legal entityPishi LLC FZ (UAE free zone; operations in London and Dubai) β€” named in the security policy only. No terms of service exists. Founder: Kourosh Ghaffari.Security policy + app stores
Pricing$8.49/month (annual), $260 lifetime, Teams $6.79/user/month (3-seat minimum), 30-minute free trial.usevoicy.com/pricing
Third-party signalChrome Web Store 4.7/5 from 101 ratings (~10,000 users); Product Hunt 17 upvotes with 0 reviews; iOS App Store 0 ratings; no Trustpilot, G2, or Capterra presence; no independent security audit.Chrome Web Store + Product Hunt
Public incidentsNone reported.Public sources, July 2026
Privacy alternativeOn-device dictation (Voibe, VoiceInk, Handy) removes both perimeters and the paperwork question entirely.Architectural comparison

The rest of this article walks through each row: the two-hop Groq path, what each document actually commits to, why the placement of the no-training claim matters, and a decision tree for whether Voicy fits your work.

How Voicy Processes Your Voice: A Thin Client on Groq's Cloud

Voicy voice dictation app β€” a cross-platform cloud dictation tool for Mac, Windows, Linux, Chrome, iPhone, and Android that routes every dictation through Voicy's Heroku-hosted servers to Groq's cloud, where Whisper V3 transcription and AI-command post-processing run
Voicy (usevoicy.com) β€” cloud-only dictation routed through Groq. There is no on-device mode at any tier.

Voicy is a cross-platform dictation app (Mac, Windows, Linux, a Chrome extension, and β€” since spring 2026 β€” iPhone and Android) from solo founder Kourosh Ghaffari, operating through UAE free-zone entity Pishi LLC FZ. Architecturally, Voicy is a thin client over Groq's cloud inference: it does not run its own speech model, on your device or anywhere else.

Per the security policy (v1.3), the transcription path works like this:

  1. Capture: microphone audio is recorded locally on your device.
  2. First hop β€” Voicy: audio is encrypted in transit (TLS 1.3) and transmitted to Voicy's servers, hosted on Heroku in the USA.
  3. Second hop β€” Groq: audio is “immediately forwarded to Groq.com, which hosts the open-source Whisper V3 transcription model.” The privacy policy adds that AI-command post-processing runs on Groq too: “The transcription and post-processing steps are done through Groq.com.”
  4. Return: the transcript comes back through Voicy to your device, where it is typed into the active field. Per the homepage: “Your transcripts are only stored on your device locally.”

Alongside the dictation path, Voicy names Mixpanel for anonymous usage analytics (opt-out available) β€” a side-channel that carries usage events, not audio.

Two implications follow. First, your effective privacy is the intersection of Voicy's handling and Groq's handling β€” the same two-perimeter structure we flagged for VoiceDash, except Voicy's path crosses its own servers as well rather than going provider-direct. Second, there is no offline fallback and no on-device option at any price: when your connection drops, dictation stops, and when your content is sensitive, it still makes the round trip. For the architectural alternatives, see our cloud vs local dictation guide.

What Voicy's Policies Actually Say β€” and Where They Say It

Voicy's documentation splits across three surfaces, and the split is the story.

  • The security policy (usevoicy.com/legal-pages/security) is the strongest document: versioned (1.3), dated (July 31, 2025), names the entity (Pishi LLC FZ), names the subprocessors (Groq, Mixpanel, Heroku), and carries the two deletion commitments quoted above. It also states that only email and name are collected for billing, and that account data lives on your device rather than in a central user database.
  • The privacy policy (usevoicy.com/legal-pages/privacy-policy) repeats the no-storage commitments β€” “We do not store any recording or transcription data” β€” and adds the most important new claim since our original review: “The Groq API does not retain any information we send it as we have enabled their Zero Data Retention settings.” But the document has no version number, no effective date, no entity name, and no GDPR or CCPA language.
  • The marketing surfaces carry the promise buyers ask about most β€” “We do not use your recordings to train an AI model” β€” which appears on the homepage but in neither policy.

The ZDR claim deserves a careful read, because it is both genuinely meaningful and structurally weak. Groq's own data documentation confirms that audio endpoints default to retaining data for up to 30 days for reliability and abuse monitoring, and that customers can enable Zero Data Retention in their account's data controls. So Voicy's claim maps to a real Groq feature β€” and if enabled, it makes the “deleted immediately” promise coherent end-to-end. But whether ZDR is actually switched on for Voicy's account is knowable only to Voicy and Groq: it is self-attested, unaudited, and could change without any visible sign. That is the recurring pattern in this investigation: the promises are good; the verification surface is thin.

Also worth stating plainly: Voicy publishes no terms of service at all β€” the site's legal pages are Privacy, Refund (7-day, no-questions-asked), and Support. For a paid product, the absence of terms is unusual and matters for anyone buying the $260 lifetime plan.

The Paperwork Gap: Strong Promises in the Wrong Places

Map each promise to the document that carries it and the pattern becomes visible: the commitments that would matter most in a dispute are the ones sitting furthest from binding text.

  • The no-training claim is marketing-only. A privacy-conscious buyer's first question β€” does my voice train your models? β€” is answered on the homepage but in neither governing document. Marketing pages change without notice and carry no version history. The fix would take one sentence in the privacy policy; as of July 2026 that sentence does not exist.
  • The security policy is frozen while the product moves. Version 1.3 is dated July 31, 2025 β€” eleven months old β€” and its scope section covers the Mac, Windows, Linux, and Chrome extension apps. Voicy shipped an iPhone app in April 2026 and an Android app alongside it. No published security policy covers either. The mobile privacy story exists only as app-store labels.
  • And those store labels disagree. Apple's privacy label for Voicy declares Audio Data is collected (in the “Data Not Linked to You” category, which is consistent with transient processing). Google Play's Data Safety section declares no audio collected and “no data shared with third parties” β€” despite audio transiting Voicy's and Groq's servers by design. At least one of those disclosures is wrong, and neither is backed by a policy document.
  • Health-adjacent marketing has drifted. To Voicy's credit, its policies make no HIPAA claim. But one Voicy blog FAQ (July 2026) asserts that general-purpose tools like Voicy “offer medical-grade security for healthcare applications,” while another Voicy post published the same day says the opposite β€” “do not treat it like a healthcare compliance product.” The second post is right: with no SOC 2, no ISO 27001, and no BAA, there is no such thing as medical-grade security here.

None of this pattern says Voicy is doing anything wrong with your audio. It says the documentation discipline hasn't kept up with the product's growth β€” and for a safety assessment, documentation is most of what an outsider can check.

The Voicy Safety Decision Tree

Use the Voicy Safety Decision Tree to decide whether Voicy is safe enough for your situation. Work through the five questions in order and stop at the first one where you cannot accept the answer Voicy currently gives.

  1. Are you dictating only general, non-sensitive content (drafts, emails, notes)? If yes β€” Voicy is a defensible cloud tool: the deletion promises are specific, the subprocessor is named, and no incidents are on record. Continue only if your content or environment is more demanding.
  2. Do you need offline, air-gapped, or no-transmission dictation? If yes β€” Voicy cannot do this at any tier. Every dictation requires the round trip to Voicy and Groq. Use an on-device tool. If no, continue.
  3. Are you comfortable trusting two US-hosted perimeters, with Groq's Zero Data Retention taken on Voicy's word? If yes β€” read both Voicy's policies and Groq's data documentation, since your effective privacy is their intersection. If you want the training promise in binding text before you trust it, note that it currently isn't there. If you want a single policy to evaluate, continue.
  4. Are you dictating from the iPhone or Android app? If yes β€” know that the published security policy predates and does not cover the mobile apps, and the two stores' disclosure labels disagree. Ask Voicy in writing which commitments apply to mobile before using it for anything sensitive. If you're on desktop, continue.
  5. Is your content under HIPAA, attorney-client privilege, NDA, or compliance audit? If yes β€” Voicy is disqualified: no SOC 2, no ISO 27001, no HIPAA BAA, and no terms of service to negotiate. Use the HIPAA pathway or on-device dictation. If no, Voicy is acceptable for your work.

The pattern: Voicy clears the everyday-use bar comfortably β€” better than several indie cloud peers β€” and stops hard at the verification and compliance bar, like every unaudited cloud tool.

Cross-Product Privacy Posture Comparison

Voicy sits on the cloud side of the dictation privacy spectrum, with better deletion documentation than most indie peers but weaker placement of the promises that matter. Here is the peer picture from this investigation series.

ProductData PathSubprocessorsTraining StanceVerdict for Sensitive Work
VoibeOn-device on Apple SiliconNoneNo training β€” nothing transmittedStrong (no cloud surface)
VoiceInkOn-device by default (open-source GPL v3)None by default; BYOK opt-inNo server path by designStrong (auditable code)
HandyOn-device (open-source MIT)None; no cloud STT path existsNo server path by designStrong (auditable code)
VoicyCloud-only via Voicy servers β†’ GroqGroq + Mixpanel + Heroku (named)Marketing-page claim only; both policies silentEveryday use only; no audit, no BAA
VoiceDashCloud-only, provider-direct to OpenAIOpenAI (named)Written no-training claim in policy surfacesEveryday use only; no audit
Blip AICloud-only (GPT-powered)Not namedSilentVerify in writing before regulated use
Wispr FlowCloud-onlyDisclosed (Baseten, OpenAI, Anthropic, Cerebras, AWS)Opt-out available; audited controlsAcceptable with BAA (SOC 2 II + ISO 27001 + HIPAA BAA)

The instructive contrast is Voicy vs VoiceDash: both are young, solo-founder, cloud-only tools with favorable deletion claims. VoiceDash puts its no-training commitment in its policy surfaces and routes provider-direct; Voicy's equivalent commitment lives on its homepage while its policies stay silent, and its path crosses its own servers first. Against the audited end of the field, Wispr Flow's SOC 2 and HIPAA BAA show what closing the verification gap actually looks like β€” see Is Wispr Flow Safe?. For the full cross-tool matrix across 30 AI tools, see our AI Privacy Tracker.

Compliance: No SOC 2, No HIPAA BAA, No Named Framework

Voicy's compliance posture is quickly summarized: there isn't one, and β€” in its binding documents β€” it doesn't claim one.

  • No attestations. No SOC 2 Type II report, no ISO 27001 certificate, no HIPAA Business Associate Agreement, and no independent security audit of any kind is published or referenced anywhere on usevoicy.com.
  • No named framework. The security policy's compliance section cites “adherence to international data protection standards” without naming GDPR, CCPA, or any other framework. The privacy policy contains no data-subject-rights language at all β€” no access, deletion, or portability process is described beyond emailing the founder.
  • EU transfers are undocumented. Every dictation is a transfer to US infrastructure (Heroku, Groq). Neither policy documents a lawful-transfer mechanism β€” Standard Contractual Clauses, the EU-US Data Privacy Framework, or otherwise. EU users handling personal data under GDPR would need this clarified in writing before production use.
  • For healthcare and legal work, the answer is already no. Without a BAA there is no lawful way to route PHI through Voicy, and without any attestation a law firm's security review has nothing to review. Our doctors and lawyers guides cover the tools that clear those bars β€” architecturally or contractually.

Credit where due: unlike some young cloud peers, Voicy's policies do not market compliance they can't back β€” no HIPAA badge, no “SOC 2 in progress.” The one blemish is the blog's “medical-grade security” line, which its own sibling post contradicts. Treat the policies as the truth: Voicy is a consumer-grade cloud tool, and it should carry consumer-grade content.

The Five-Step Voicy Safety Audit

Run this five-step audit before committing Voicy to any work where data handling matters. Each step takes 2–15 minutes.

  1. Read both Voicy documents and note which promise lives where. Open the security policy and the privacy policy, and confirm the deletion commitments still read as quoted here. Note that the no-training promise appears on the homepage only β€” if that placement matters to you, ask Voicy to confirm it in writing.
  2. Read Groq's data documentation too. Your audio's second perimeter runs on Groq. Confirm Groq's default retention (up to 30 days on audio endpoints) and understand that Voicy's Zero Data Retention claim is an account setting you cannot see. If ZDR matters for your use, request written confirmation from Voicy that it is enabled.
  3. If you're on mobile, ask what applies. The security policy's scope predates the iPhone and Android apps, and the Apple and Google disclosure labels disagree about audio collection. Email Voicy support and ask which security commitments cover the mobile apps before dictating anything sensitive from a phone.
  4. Opt out of analytics if that matters to you. Voicy names Mixpanel for anonymous usage analytics with an opt-out available. Usage events are not audio, but if minimal telemetry is your standard, exercise the opt-out.
  5. Apply the regulated-content disqualifier. PHI, privileged material, NDA-bound source, or compliance-audited content: Voicy is out β€” no SOC 2, no ISO 27001, no BAA, no terms of service. Use the HIPAA pathway or on-device dictation, and accept that a network monitor like Little Snitch will always show outbound traffic during Voicy dictation, because the architecture requires it.

If any step fails or feels uncomfortable, the fix is architectural: on-device tools have no Voicy perimeter and no Groq perimeter to audit, because the audio never leaves your machine.

Voibe: On-Device, No Second Perimeter

Voibe on-device Mac dictation app interface β€” OpenAI Whisper models run locally on Apple Silicon's Neural Engine with no cloud route, no Voicy-style server hop, and no Groq perimeter in the audio path
Voibe (getvoibe.com) β€” the same Whisper model family Voicy rents from Groq, running locally. No first perimeter, no second perimeter, nothing to take on faith.

Voibe is a Mac-native dictation app built around one architectural principle: your audio never leaves the device. Voibe runs OpenAI Whisper models locally on Apple Silicon's Neural Engine β€” the same model family Groq hosts for Voicy, minus the network. When you press your hotkey, audio is captured into memory, transcribed on-device, typed into the active field, and discarded.

Mapped against the Voicy questions raised above:

  • Perimeters. Zero. There is no Voicy-style server hop and no Groq in the path β€” no intersection of two policies to evaluate, and no self-attested ZDR setting to take on faith.
  • Retention. Nothing is transmitted, so there is nothing server-side to delete. Per Voibe's privacy policy: “The Voibe application processes your voice entirely on your device. No audio is transmitted to our servers at any point.”
  • Training. Voibe does not train AI on your dictation β€” committed in writing, not on a marketing page that both policies decline to repeat.
  • Offline. Voibe works with no internet connection β€” planes, secure facilities, dead Wi-Fi β€” because there is no API to reach. Voicy's architecture cannot offer this at any price.
  • Verification. Run Little Snitch during a Voibe dictation session: outbound traffic during transcription is zero. That is the test no cloud tool can pass.

Pricing: $7.50/month, $59/year, or $149 lifetime for unlimited on-device dictation on Apple Silicon Macs, all features at every tier. Against Voicy's $260 lifetime, Voibe's $149 lifetime is $111 less (43% cheaper) β€” with the privacy question removed rather than promised away. For the full cost math, see our Voicy pricing guide and Voicy alternatives.

Try Voibe for Free β€” install, grant microphone and accessibility permissions, and dictate. No account, no credit card, no cloud, no second perimeter.

Frequently Asked Questions

Is Voicy safe to use in 2026?

Voicy is reasonably safe for everyday, non-sensitive dictation. Its security policy makes specific deletion commitments β€” audio β€œpermanently deleted immediately after processing,” transcripts β€œimmediately deleted after delivery” β€” and names its subprocessors (Groq, Mixpanel, Heroku). The limits: it is 100% cloud across two US-hosted perimeters, the no-training promise appears only on marketing pages rather than in either policy, there are no compliance attestations, and the security policy hasn't been updated to cover the 2026 mobile apps. For regulated or confidential work, it is ruled out.

Does Voicy store your voice recordings or transcripts?

Not according to its policies. Voicy's security policy (v1.3, July 31, 2025) states β€œNo audio recordings are stored by Voicy or Groq - all audio data is permanently deleted immediately after processing” and β€œAll transcribed content is immediately deleted after delivery to the user.” Transcripts are kept only on your device. These are policy commitments rather than auditable architecture β€” there is no on-device mode to verify against and no third-party audit of the deletion path.

Does Voicy use your dictation to train AI?

Voicy's homepage says no: β€œWe do not use your recordings to train an AI model.” However, neither the security policy nor the privacy policy contains any training language β€” the commitment lives on a marketing page, not in a governing document. Groq, the transcription processor, does not train on customer API data, and Voicy states it has enabled Groq's Zero Data Retention setting. If the training commitment matters for your work, ask Voicy to confirm it in writing.

Where does Voicy send your audio?

Every dictation makes a two-hop trip: audio is encrypted in transit (TLS 1.3) and sent to Voicy's servers hosted on Heroku in the USA, then β€œimmediately forwarded to Groq.com,” which runs the open-source Whisper V3 model and Voicy's AI-command post-processing. The transcript returns through Voicy to your device. Both perimeters are US-hosted; for EU users, neither policy documents a lawful-transfer mechanism such as Standard Contractual Clauses.

Does Voicy work offline or on-device?

No. Voicy is 100% cloud at every tier β€” there is no offline mode, no local model option, and no BYOK path, and the 2026 changelog shows no local-mode feature in development. When your connection drops, dictation stops. If you need offline or no-transmission dictation, you need an architecturally different tool: on-device options include Voibe, VoiceInk, and Handy.

Is Voicy HIPAA compliant?

No. Voicy has no HIPAA Business Associate Agreement, no SOC 2 Type II report, and no ISO 27001 certificate, and its policies β€” to their credit β€” make no HIPAA claim. One Voicy blog post asserts general-purpose tools like Voicy offer β€œmedical-grade security for healthcare applications,” but a same-day Voicy post correctly says not to treat it as a healthcare compliance product. Without a BAA, routing protected health information through Voicy is not lawful for covered entities. See our HIPAA dictation guide for compliant pathways.

Are the Voicy iPhone and Android apps covered by its security policy?

Not visibly. The published security policy (v1.3) is dated July 31, 2025 and scopes itself to the Mac, Windows, Linux, and Chrome extension apps β€” the iOS app shipped in April 2026 and the Android app followed, and no updated policy covers them. The app stores' own labels also disagree: Apple's privacy label declares Audio Data collected (not linked to identity), while Google Play's Data Safety section declares no audio collected. Ask Voicy in writing which commitments apply to mobile before dictating sensitive content from a phone.

Who is behind Voicy, and is the company established?

Voicy is built by solo founder Kourosh Ghaffari, operating through Pishi LLC FZ, a UAE free-zone entity with operations described as London and Dubai. The entity appears in the security policy but not the privacy policy, and the iOS App Store seller of record is the founder personally. There is no terms-of-service document. Third-party signal is thin but real: 4.7/5 from 101 Chrome Web Store ratings and about 10,000 Chrome users, though the Product Hunt listing has 17 upvotes with zero reviews and the iOS app has no ratings yet. No public incidents are on record.

How does Voicy compare to Voibe on privacy?

Architecturally opposite. Voicy routes every dictation through two US cloud perimeters (its own Heroku-hosted servers, then Groq) and asks you to trust documented deletion promises plus a self-attested Zero Data Retention setting. Voibe runs the same Whisper model family entirely on-device on Apple Silicon β€” audio never leaves the Mac, so there are no perimeters, no deletion promises to trust, and offline dictation works by default. On cost, Voibe's $149 lifetime is $111 less (43% cheaper) than Voicy's $260 lifetime. Disclosure: Voibe is our product.

Ready to type 3x faster?

Voibe is the fastest, most private dictation app for Mac. Try it today.

  • 100% offline
  • Free to try
  • No subscription
  • Native Apple Silicon
  • 90+ languages

Prefer to go Pro? Save 20% on any plan with code VOIBE20 View pricing β†’