Is Willow Voice Safe? Private Mode, HIPAA & Enterprise Verdict (2026)

TL;DR: Willow Voice is one of the more privacy-protective cloud dictation products in 2026 — its Private Mode is the default opt-out for training data collection, the most privacy-protective default among major cloud dictation peers. Willow Voice's privacy policy, effective April 30, 2025, states: “In private mode, Willow only collects basic technical and account-related data needed to run the app and nothing else.” If a new individual subscriber never touches a setting, their dictated text is NOT collected for training. Three structural caveats matter:

• Cloud-first by default. Audio is transmitted to Willow's servers for transcription in both Private Mode and the opt-in mode. Private Mode controls what happens after processing, not whether processing happens in the cloud.
• Offline Mode is not addressed in the privacy policy. Willow has shipped an optional Offline Mode on Mac and iOS, but the privacy policy effective April 30, 2025 does not document how data is handled in that mode — a documentation gap relative to the marketed feature.
• HIPAA is marketed but absent from the policy text. Willow advertises HIPAA compliance on its homepage and pricing page; the privacy policy mentions only SOC 2 and GDPR. BAA availability and scope are not documented in the public privacy text.

For users who cannot accept any audio leaving their Mac, on-device dictation tools like Voibe eliminate the cloud surface entirely. Voibe runs Whisper 100% on-device on Apple Silicon and costs $198 lifetime — versus $432 for 3 years of Willow Individual annual ($144/yr × 3), a $234 saving (54% cheaper) over 3 years and $522 saving over 5 years (72% cheaper).

This article walks through what Willow Voice actually does with your voice, the default-on Private Mode mechanics, the training opt-in framework, the HIPAA marketing-versus-policy gap, the Enterprise zero-data-retention claim, a five-step decision framework, and the on-device alternatives that sidestep the question entirely. Every claim is sourced to Willow's own privacy policy, TechCrunch coverage, Product Hunt, or named third-party platforms.

Disclosure: Voibe is our product. We compare Voibe to other tools using verifiable facts — Willow Voice's own privacy policy, TechCrunch coverage, Y Combinator company page, and Product Hunt. Where Willow's posture is stronger than Voibe's on a specific dimension (cross-platform reach to Windows + iPhone + Android, training opt-out default, AI Mode feature), we say so.

The rest of this article walks through each row in detail and gives you a five-step Willow Voice Safety Audit to make your own call.

Willow Voice is a cloud-first dictation product launched in March 2025 by Allan Guo and Lawrence Liu, two Stanford dropouts in Y Combinator's spring 2025 batch (X25). The audio you speak into your Mac, Windows PC, iPhone, or Android device is encrypted, transmitted across the public internet, processed on Willow's cloud infrastructure, and only then returned to your device as text. This is the structural fact that defines Willow's safety profile, and it is the right starting point before any other analysis.

Willow has also shipped an optional Offline Mode on Mac and iOS that runs a smaller local model when activated. The privacy policy effective April 30, 2025 does not address Offline Mode specifically — a documentation gap relative to the marketed feature. In practice, the default experience is cloud-routed, and Offline Mode is an opt-in fallback for connectivity-limited environments.

What the Willow Voice privacy policy documents:

• Private Mode (the default). “In private mode, Willow only collects basic technical and account-related data needed to run the app and nothing else.” No dictated text, audio, or screen content is saved on Willow's servers in this mode.
• Opt-in training mode. When the user opts in, Willow collects "Recognized dictated text" described as "fully anonymized" and used to "improve speech-to-text accuracy." The policy adds: “This data is never shared or sold beyond our model training system.”
• Transcript History. “Stored locally on your device.” Not on Willow's servers.
• Compliance. Willow follows “standards like GDPR and SOC 2.”
• Retention in opt-in mode. Anonymized text and usage data is retained “only as long as needed to train and improve the app.”

What the policy does not document:

• Specific subprocessor names. Peer cloud dictation products like Wispr Flow publish full subprocessor lists naming Baseten, OpenAI, Anthropic, and AWS regions; Willow's public document does not.
• HIPAA framework specifics. The privacy policy effective April 30, 2025 mentions only SOC 2 and GDPR. HIPAA is advertised on willowvoice.com but the policy text does not document the BAA scope, plan-tier availability, or the contractual flow-down to subprocessors.
• Enterprise zero-data-retention contractual specifics. Marketed as an Enterprise feature but not documented in the public privacy policy.
• Offline Mode data handling. Shipped on Mac and iOS, not addressed in the privacy policy text.
• Specific retention windows. Opt-in mode retention is described as "only as long as needed" — no number of days or months is specified.

This is a reasonable cloud SaaS architecture overall, with the most privacy-protective training default among major peers. The documentation gaps are normal for early-stage YC-backed startups — many companies publish privacy policies that focus on data categories and processing purposes without separately answering subprocessor or HIPAA-specific questions. The risk that compounds for sensitive content is the combination of cloud-only architecture (in default mode) plus undocumented Offline Mode handling plus the HIPAA marketing-versus-policy gap. Each one in isolation is a small concern; together they leave the safety question more open than the policy text alone suggests.

Willow Voice's flagship privacy feature is Private Mode, and its default behavior is the standout strength of Willow's safety posture. Per the privacy policy effective April 30, 2025: “In private mode, Willow only collects basic technical and account-related data needed to run the app and nothing else.” The policy explicitly designates Private Mode as the “(DEFAULT Opt-Out)” — meaning new individual subscribers start with Private Mode enabled and their dictated text NOT collected for training Willow's speech-to-text models.

This is materially better than the major cloud-dictation peers we have investigated in this series:

• Aqua Voice's Privacy Mode is OFF by default for individual users — transcripts may be stored on Aqua Voice's servers until the user manually flips the toggle. See our is Aqua Voice safe? investigation.
• Superwhisper's local audio recording is ON by default — 23 votes on the public UserJot feedback board to make it opt-in. See our is Superwhisper safe? investigation.
• Otter trains on de-identified user data by default per Otter's Privacy & Security page. See our is Otter safe? investigation.
• Wispr Flow's Privacy Mode is off by default for individuals, with paid org-tier admin enforcement available. See our is Wispr Flow safe? investigation.

Willow's design choice — making the privacy-protective state the default — is the right one for a category where most users never open settings. The mechanics of Private Mode:

• Default state for individual users. Private Mode is ON by default. An individual subscriber who never opens settings has dictated text NOT collected for training.
• What Private Mode does not collect. Per the policy: "no dictated text, audio, or screen content" is collected by Willow when Private Mode is on.
• What Private Mode does collect. Per the policy: "basic technical and account-related data needed to run the app." This is account metadata, authentication, usage analytics — not the dictation content itself.
• What Private Mode does not stop. Audio still routes through Willow's cloud servers for transcription. Private Mode governs what happens to the data after processing, not whether processing happens in the cloud. The dictation pipeline is: device → Willow cloud → text returned → audio/transcript discarded (in Private Mode).
• The opt-in path: training data collection. If you turn on data sharing, Willow collects "Recognized dictated text" described as "fully anonymized," used to "improve speech-to-text accuracy," and the policy adds: "This data is never shared or sold beyond our model training system."

The pragmatic individual mitigation here is the inverse of every other cloud-dictation product we have investigated: with Willow, you do not need to actively enable Private Mode — you need to actively decide whether to opt out of Private Mode (by enabling training data sharing). The default-on design genuinely protects users who never open settings.

Willow Voice advertises HIPAA compliance on its pricing page and homepage as of May 2026. The privacy policy effective April 30, 2025, however, mentions only SOC 2 and GDPR — not HIPAA, not Business Associate Agreement, not any healthcare-specific data-handling commitments. This is a documentation gap that matters for regulated workflows, and it follows a familiar pattern: many YC-backed early-stage SaaS companies advertise HIPAA compliance on their marketing pages before the privacy policy text is updated to reflect the contractual framework.

The marketing-side facts:

• Homepage and pricing page reference HIPAA compliance. Willow markets it as available, particularly for Team and Enterprise tiers.
• Enterprise tier markets zero data retention. A reasonable complement to a HIPAA BAA for healthcare customers who need both no-training and no-retention contractual guarantees.
• Heidi Health is a named enterprise customer per TechCrunch's November 2025 coverage — a healthcare AI scribe company that would presumably require BAA coverage to deploy Willow internally.

The privacy-policy-side facts:

• The policy text only references "GDPR and SOC 2" — no mention of HIPAA, BAA, PHI handling, or healthcare-specific safeguards.
• BAA availability by plan tier is not documented publicly. Healthcare procurement teams typically want this in writing before signing.
• Subprocessor flow-down for PHI is not documented. A HIPAA BAA requires every subprocessor that handles PHI to operate under flow-down BAA terms. Willow's privacy policy does not name subprocessors.
• Enterprise zero-data-retention contractual specifics are not in the public policy. Marketed but not documented.

The pragmatic procurement framework for HIPAA-bound deployments:

1. Request the BAA from Willow sales in writing. Confirm which plan tier it covers (Team? Enterprise only?), what contractual flow-down to subprocessors looks like, and whether it covers all dictation traffic or specific feature surfaces.
2. Request the SOC 2 Type II report. The privacy policy references SOC 2 — request the actual report through Willow's trust center or sales contact, review the scope, controls tested, and audit window.
3. Verify the auditor and trust center. The privacy policy does not name the SOC 2 auditor. Reputable auditors include A-LIGN, Schellman, BDO, and the Big 4 — request the auditor name before committing.
4. Route through your healthcare compliance team. The BAA terms and SOC 2 scope determine HIPAA risk in practice; this is not a check the marketing page alone can answer.

The honest framing: Willow's HIPAA marketing is consistent with peer YC-backed cloud dictation products (Wispr Flow markets HIPAA similarly, with a similar documentation gap in the privacy policy text). It does not mean the BAA does not exist — it means the BAA is a contract that lives outside the public privacy policy. For regulated workflows, the BAA is the document; the marketing claim is just the headline.

The Willow Voice privacy policy effective April 30, 2025 documents what happens if a user opts in to share data for training, as a clear inverse to the Private Mode default. The policy framework:

• What's collected: "Recognized dictated text" — the text output of Willow's transcription. Audio itself is described as stored locally on device only and used "for re-transcription" rather than being collected by Willow's servers in the opt-in mode.
• Anonymization: "Fully anonymized" per the policy. Even in this opt-in mode, the policy states the user's account is anonymized — meaning personal identity is not connected to any transcript data.
• Purpose: "To improve speech-to-text accuracy." The data feeds Willow's internal model training pipeline.
• Sharing constraint: "This data is never shared or sold beyond our model training system." A categorical commitment against third-party sharing or sale.
• Retention window: "Only as long as needed to train and improve the app." The policy does not specify a number of days or months.

The honest analysis of these commitments:

1. Anonymization is a documented safeguard, not an absolute guarantee. Re-identification risk exists for any dictation corpus that contains unique entity names, technical vocabulary, location-specific content, or rare phrasings. For most general dictation (drafts, emails, casual notes), the anonymization commitment is meaningful. For confidential, privileged, or regulated content, anonymization is not a substitute for not-sharing.
2. "Never shared or sold beyond our model training system" is a strong commitment. It rules out the secondary-market risk pattern that has hit other AI products (data sold to third parties for separate AI training, marketing analytics, or partnerships). The phrase "beyond our model training system" does leave open use within Willow's first-party training infrastructure.
3. "Only as long as needed" is the weakest part of the framework. Without a documented retention window in days or months, the user cannot verify when their opt-in contribution is purged. For comparison, Anthropic publishes a 30-day default retention for API users and a 5-year retention for consumer Claude.ai users who allow training (a transparent number, even if longer than ideal). Willow's "only as long as needed" gives the company flexibility but leaves the user unable to predict the practical retention window.

The pragmatic decision framework for the opt-in:

• Keep Private Mode on (the default) if any of the following apply: you dictate confidential or privileged content; you dictate under NDA; you dictate regulated content (PHI, attorney-client communications, NDA-bound source code); you cannot accept the documented retention ambiguity.
• Consider opting in if all of the following apply: you dictate general non-sensitive content; you want to contribute to model improvement; you accept the anonymization commitment and the unspecified retention window.
• The fully architectural alternative: on-device dictation tools like Voibe sidestep the opt-in question entirely. Per Voibe's privacy policy: “The Voibe application processes your voice entirely on your device. No audio is transmitted to our servers at any point.” If audio never leaves the Mac, there is nothing to train on. The training question does not require a contractual answer when the architectural answer already removes the possibility.

The deeper lesson from comparing Willow Voice's posture against on-device alternatives is the same as it is for every cloud dictation product: there is a difference between architectural privacy and audited privacy. Cloud dictation is a policy-and-trust product — you trust the vendor's commitments, the auditor's verification, the subprocessors' diligence, and the policies' continuity. On-device dictation is an architecture-and-physics product — the audio is processed on your device's chip, never crosses the network, and is discarded after transcription.

Willow Voice is a better-than-average cloud dictation product on the policy-and-trust dimension. Private Mode default-on is the most privacy-protective default in its category. The anonymization commitment is documented. The third-party sharing constraint is documented. SOC 2 is referenced (though the auditor and trust center are not named publicly).

But five things audit-based privacy cannot do that on-device architecture can:

• Survive a policy change. A privacy policy can be updated with 30 days' notice. The same servers operating under "Private Mode default-on" today can change defaults tomorrow under a revised policy. Audio that never crosses your network boundary cannot be re-classified by a future policy. Willow's privacy policy is already 13 months old at publication and has not been updated to address Windows, Cursor, or Teams — the next policy revision could materially alter the framework, and the next user reading the policy will need to re-evaluate from scratch.
• Survive a subprocessor incident. Willow does not publicly name its subprocessors. The cloud architecture means at least a hosting provider, a payments processor, an analytics platform, and a customer support system handle account-linked data. Each is its own risk surface. On-device processing has zero subprocessors for dictation data.
• Survive an acquisition. When a YC-backed cloud SaaS startup is acquired, customer data becomes an asset under new governance. The 50% month-over-month growth that TechCrunch reported in November 2025 means Willow is on a trajectory where acquisition or major dilution is a realistic outcome over a 3–5 year horizon. A privacy-first startup's commitments do not necessarily survive a change in ownership. On-device data has nothing to transfer.
• Survive a documentation gap. The current Willow privacy policy does not address Offline Mode, does not name subprocessors, does not document the HIPAA BAA framework, and does not specify retention windows. A user who decides Willow is safe today is making that decision under documentation uncertainty. On-device dictation has nothing to document because there is nothing to send.
• Survive legal compulsion. A subpoena or national security letter can compel a vendor to preserve and disclose data normally discarded. On-device processing removes this vector — there is no preserved data, and the vendor cannot produce what it never had.

None of this means cloud dictation is unusable. It means cloud dictation is a contract-driven privacy product, and the contract is only as strong as the documentation, the auditor, and the policies' continuity. For most general dictation, that is acceptable — and Willow is one of the better-positioned cloud products in 2026 on the documentation discipline. For confidential, privileged, regulated, or compliance-audited work, architecture is the stronger guarantee. For a deeper treatment of this distinction, see our cloud vs. local dictation guide and voice data privacy guide.

Use the Willow Voice Safety Decision Tree to decide whether Willow is safe enough for your specific situation. The five questions, in order, take you from the lowest-risk use case to the highest. Stop at the first question where you cannot accept the answer Willow currently provides.

1. Are you dictating only general content (drafts, emails, notes, AI prompts, casual messages)? If yes — Willow with Private Mode on (the default) is reasonable. Willow's training opt-out default is the most privacy-protective in its category. Continue to question 2 if you want a fuller safety review.
2. Will you confirm Private Mode is enabled and resist opting in to share data for training? If yes — Willow does not collect your dictated text. Continue to question 3. If you would like to opt in, accept the anonymization commitment, the unspecified retention window, and that the data feeds Willow's first-party training pipeline.
3. Do you need Willow's optional Offline Mode on Mac or iOS, and are you comfortable that the privacy policy does not address Offline Mode data handling? If yes — accept the documentation gap, and treat Offline Mode as undocumented territory; consider requesting written confirmation from Willow support about Offline Mode data handling. Continue to question 4.
4. Is the content covered by HIPAA, attorney-client privilege, NDA, or compliance regulation? If no — Willow with Private Mode is a reasonable cloud product. If yes — the HIPAA framework is not documented in the privacy policy effective April 30, 2025; request a signed BAA from sales, route through your compliance team, and verify which plan tier it applies to before deploying. Skip to question 5 to evaluate the architectural alternative.
5. Are you comfortable with audio leaving your device under any circumstances? If yes — Willow's cloud-first architecture is acceptable for most workflows with Private Mode on. If no, only on-device dictation will satisfy you. Voibe, VoiceInk, and Apple Dictation are the three Mac-native options.

The pattern: the further you progress through the tree, the more on-device architecture wins. For the first three questions, Willow is one of the better cloud products available. By question 4, the absence of HIPAA in the policy text and the Offline Mode documentation gap become structural blockers for regulated work. By question 5, the architectural answer beats the policy answer.

If Willow Voice's cloud-first architecture, undocumented Offline Mode handling, HIPAA marketing-versus-policy gap, or undisclosed subprocessor list concerns you, the architectural answer is on-device dictation. Three Mac-native options process audio entirely on Apple Silicon's Neural Engine using OpenAI Whisper models — audio never leaves the device, no Private Mode toggle is needed, and the training question is moot because there is nothing to train on.

Side-by-side cost picture against Willow Individual Annual ($144/year):

• After 1 year: Willow = $144; Voibe lifetime = $198. Willow is $54 cheaper in year 1.
• After 2 years: Willow = $288; Voibe lifetime = $198. Voibe is now $90 cheaper.
• After 3 years: Willow = $432; Voibe lifetime = $198. Voibe is $234 cheaper (54% saving).
• After 5 years: Willow = $720; Voibe lifetime = $198. Voibe is $522 cheaper (72% saving).
• Voibe pays for itself against Willow Individual annual at ~17 months, then keeps working forever with no recurring cost.

For a deeper Willow Voice pricing breakdown, see our Willow Voice pricing guide. For an open-source on-device option with an auditable codebase, see VoiceInk pricing. For the cross-tool roundup, see our best offline dictation apps.

Honest tradeoffs: Willow's cross-platform reach (Mac + Windows + iPhone + Android) is genuinely broader than Voibe's Mac-only focus, and Willow's AI Mode (transforming brief verbal notes into polished messages) plus style memory across apps are real productivity wins that Voibe does not match. If you need iOS or Android dictation, Willow remains a reasonable cloud choice — particularly given its category-leading training opt-out default. Voibe's architectural advantage is concentrated in Mac-only workflows where privacy-by-architecture and one-time payment matter more than cross-platform breadth.

Voibe is a Mac-native dictation app built around a single architectural principle: your audio never leaves the device. Voibe runs OpenAI Whisper models on Apple Silicon's Neural Engine. When you press your hotkey, audio is captured into memory, transcribed by the local Whisper model, written into the active text field, and discarded. No cloud servers, no third-party LLM providers, no transcript storage, no Private Mode toggle to remember, no training opt-in to verify because there is no audio to train on.

Mapped against the safety questions raised by the Willow Voice profile:

• Architecture. Voibe processes audio on the Apple Silicon Neural Engine. There are no cloud servers, no transcription endpoints, no third-party LLM providers in the dictation path.
• Private Mode default. Not applicable. Voibe's privacy posture is the same regardless of any setting. There is no Private Mode toggle because there is no transcript storage to toggle off.
• Training disclosure. Not applicable. Voibe's privacy policy at getvoibe.com/privacy states: “The Voibe application processes your voice entirely on your device. No audio is transmitted to our servers at any point.” If audio never leaves the Mac, there is nothing to train on.
• Subprocessor list. Voibe has no subprocessors for dictation data because none is transmitted. There is nothing to list.
• HIPAA framework. Voibe does not require a Business Associate Agreement for PHI dictation because PHI never leaves the clinical device. The architectural HIPAA posture sidesteps the BAA framework that cloud products need. For regulated workflows, our HIPAA dictation guide walks through the architectural HIPAA framing.
• Offline Mode policy gap. Not applicable. Voibe has only one mode — offline — and it is documented as such in the privacy policy.
• Permissions. Voibe requests microphone access and macOS accessibility permission — the minimum surface required to capture audio and paste text into the active field. No screen recording, no camera, no full-disk access.
• Network monitor. Run Little Snitch during a Voibe dictation session. Outbound traffic from Voibe during transcription is zero.
• Account. Voibe does not require an account to dictate.

Pricing: $9.90/month, $89.10/year, or $198 lifetime for unlimited dictation on Apple Silicon Macs (M1 through M4). Voibe also includes a Developer Mode for VS Code and Cursor with file/folder name resolution — useful for technical workflows where Willow's general-purpose cloud transcription is the typical choice.

Try Voibe for Free — install, grant microphone and accessibility permissions, and dictate. No account, no credit card, no audio leaving your Mac, no Private Mode toggle to remember.

Willow Voice is one of the more privacy-protective cloud dictation products in May 2026, with appropriate configuration. Its Private Mode default-on is the most privacy-protective default among the major cloud dictation peers — Aqua Voice, Superwhisper, Otter, and Wispr Flow all require user action to achieve the equivalent posture. Willow's training framework is documented (anonymization commitment, no third-party sharing or sale), SOC 2 is referenced in the policy text, and the cross-platform reach (Mac + Windows + iPhone + Android) is genuinely broader than peers at the same price point. For most non-regulated users who want the convenience of cloud dictation with a privacy-protective default, Willow is a reasonable choice.

It is not the right tool for several use cases. The privacy policy effective April 30, 2025 does not document Offline Mode data handling, does not name subprocessors, does not specify the HIPAA framework or BAA scope, and does not specify a retention window for opt-in training data. The HIPAA compliance claim on the marketing pages is not reflected in the privacy policy text — a documentation gap that matters for healthcare procurement. The Enterprise zero-data-retention claim is similarly absent from the public policy. The cloud-first architecture means every default-mode dictation requires audio to leave your device — there is no architectural-on-device fallback in the default experience.

The pattern this represents — "defaults are stronger than peers, but documentation has not kept up with product expansion" — is broader than Willow Voice. The single highest-leverage step a new Willow user can take is to do nothing — Private Mode is already on. The single highest-leverage step a regulated workflow can take is to request the BAA, the SOC 2 report, the subprocessor list, and explicit Offline Mode confirmation from Willow sales in writing, and to route those documents through a healthcare or legal compliance team. The single highest-leverage step for users who cannot accept any cloud surface is to switch to on-device dictation and remove the question entirely.

If Willow Voice is on your shortlist, run the Willow Voice Safety Audit: confirm Private Mode is on, skip the training opt-in unless your content type is acceptable, request the BAA and SOC 2 report from sales for regulated work, request explicit Offline Mode confirmation, and revisit on each privacy-policy revision date. If those steps feel like more diligence than you want to spend on a $144/year subscription that grows to $720 over 5 years, Voibe at $198 lifetime sidesteps every one of them by removing the cloud surface entirely.

For further reading, see our Willow Voice pricing breakdown and Willow Voice review. For sibling safety investigations in the same series, see Is Wispr Flow Safe? (cloud subprocessors + BAA framework + Delve audit scandal), Is Superwhisper Safe? (on-device modes + cloud-mode gap + local recordings default-on), Is Aqua Voice Safe? (Privacy Mode default-off + training silence + SOC 2 via Advantage Partners), Is Otter Safe? (meeting transcription + visible-bot consent class action), and Is Dragon Safe? (Microsoft-owned three-product line). For the broader privacy-investigation pattern, see our Typeless privacy issues piece and our Apple Dictation privacy guide. For comparisons, see the broader comparison hub. For a continuously-updated cross-product reference covering ChatGPT, Claude, Gemini, Cursor, Copilot, Voibe, Willow, and the rest of the cloud dictation peer set on training, retention, and on-device support, see our AI Tool Privacy Tracker. For deeper architectural framing, see the voice data privacy guide, the cloud vs. local dictation guide, the offline dictation privacy on Mac explainer, and the complete dictation privacy hub.