
Wispr Flow

Wispr AI

Partial | EU: Not Available | Opt-out Available | Zero Retention (Privacy Mode) | US Only

Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.

Pricing / Contract Route

USD pricing varies by plan

Enterprise Features

Privacy Mode/ZDR enforcement, HIPAA BAA, SOC 2 Type I (A-LIGN), ISO 27001:2022 re-audit in progress

Last Updated

June 23, 2026

Wispr Flow - GDPR & Data Privacy Overview for European Clients

Version: June 2026 - prepared by WAIMAKERS B.V.


1 Purpose

This overview explains how Wispr Flow (Free, Pro, Enterprise) handles data in relation to GDPR, with a focus on European customers. Wispr Flow is a voice-to-text dictation tool by Wispr AI, Inc. (San Francisco) offering optional Privacy Mode with zero data retention.


2 Comparison of Wispr Flow Tiers (EU focus)

| Tier | Privacy Mode (ZDR) | HIPAA BAA | Training on data? | EU residency | Compliance | Price |
|---|---|---|---|---|---|---|
| Free | ✅ Optional | ✅ Available in-app | ⚠️ No if Privacy Mode on; may be used if off | ❌ No | SOC 2 Type I (A-LIGN), ISO 27001:2022 re-audit in progress, HIPAA | €0 (2,000 words/week) |
| Pro | ✅ Optional | ✅ Available in-app | ⚠️ No if Privacy Mode on; may be used if off | ❌ No | SOC 2 Type I (A-LIGN), ISO 27001:2022 re-audit in progress, HIPAA | $15/user/month ($12/user/month annual; 14-day free trial, no seat minimum) |
| Enterprise | ✅ Available; can be enforced | ✅ Enterprise BAA / ZDR enforcement | ✅ No when Privacy Mode/ZDR enforced | ❌ No | SOC 2 Type I (A-LIGN), ISO 27001:2022 re-audit in progress, HIPAA | Contact sales (not publicly listed) |

Notes for Europe

  • Privacy Mode: When enabled, your dictation content is not used to evaluate, train, or improve AI models. Full zero data retention (audio/transcripts processed and discarded, nothing stored) requires Privacy Mode ON together with Cloud Sync OFF. Individual users enable these in Settings → Data & Privacy unless their organization enforces ZDR.
  • HIPAA BAA / ZDR: Signing a BAA locks Privacy Mode ON. Enterprise customers can enforce zero data retention organization-wide; Team/Pro users rely on individual toggles.
  • Enterprise data controls: Wispr's May 2026 documentation also describes enterprise controls for local transcript storage and Context Awareness. These are separate from server-side Privacy Mode and should be configured in addition to ZDR where local-device retention matters.
  • Infrastructure: 100% US-based cloud processing. No EU data centers available.
  • Data retention:
    • Privacy Mode ON: Zero retention at Wispr and third parties
    • Privacy Mode OFF: standard retention periods apply per Wispr's Privacy Policy; dictation data may be used to evaluate, train, and improve Flow
  • Enterprise pricing: Contact sales (not publicly listed; billed annually).
  • Pro plan: Supports teams with no seat minimum at $15/user/month ($12/user/month annual); all new accounts get a 14-day free Pro trial.
  • Android app: Launched February 2026.
  • ISO 27001: Wispr's prior ISO/IEC 27001:2022 certificate (issued Sep. 8, 2025) was proactively invalidated in March 2026 after auditor-integrity concerns at the original auditor; re-certification with A-LIGN is in progress (Stage 1 completed April 2026, Stage 2 scheduled June 2026).
  • Pricing: Global pricing in USD.

3 Is Wispr Flow GDPR-Compliant?

Short answer: ⚠️ Partial compliance. Usable for EU personal data only with Privacy Mode enabled and proper US transfer safeguards (DPA with SCCs). All plans support Privacy Mode but require manual activation. US-only infrastructure.

What applies to all plans:

  • Privacy Mode (ZDR) - When enabled, no audio/transcripts stored; no training by Wispr or third parties
  • HIPAA compliance - BAA available on ALL plans (expanded August 2025); accepting BAA auto-enables and locks Privacy Mode ON
  • Certifications - SOC 2 Type I (A-LIGN, 2026); SOC 2 Type II and ISO 27001:2022 re-audits in progress

What's plan-dependent:

  • Privacy Mode enforcement - Free/Pro: user-optional. Enterprise: can enforce ZDR organisation-wide
  • DPA availability - Public DPA with EU SCCs and UK Addendum published by Wispr; applies regardless of tier (review and execute before EU personal-data use)

Infrastructure limitations (all plans):

  • US-only processing - All transcription occurs in US cloud; no EU data residency option
  • DPA/SCCs published - Public DPA at wisprflow.ai/legal/dpa incorporates EU SCCs (Module 2) and the UK Addendum; review before EU personal-data use
  • Subprocessors disclosed - Public list in the DPA (Annex 2) and Trust Center; subprocessors include AWS, OpenAI, Anthropic, Google, Cerebras, Supabase, Stripe and Cloudflare, all US-located

What that means in practice:

  • For non-sensitive work content (drafts, emails): Pro/Teams acceptable with Privacy Mode
  • For EU personal data (employee/customer info): Enterprise recommended; require DPA with SCCs and Transfer Impact Assessment
  • For special category data (Art. 9 GDPR): Not recommended even with Privacy Mode due to US infrastructure

Buyer's note: Only suitable for EU use if Privacy Mode is enforced organisation-wide, a DPA with SCCs is obtained, and a Transfer Impact Assessment permits US processing.


4 Details by Offering

Free Plan

  • Privacy Mode: Optional (manual toggle)
  • Data collection: With Privacy Mode: only usage stats (word count). Without: audio and transcripts, which may be used for training.
  • Training: No training if Privacy Mode ON; may be used if OFF
  • Retention: Zero if Privacy Mode ON; standard retention policy applies if OFF
  • Pricing: Free (2,000 words/week limit)
  • When to use: Testing, non-sensitive personal use
  • When not to use: EU personal data (no contractual protections likely available at Free tier)

Pro Plan ($15/user/month)

  • Privacy Mode: Optional (manual toggle); per-user, not centrally enforced
  • Important limitation: User can disable Privacy Mode at any time; no admin enforcement
  • Pricing: $15/user/month ($12/user/month annual; unlimited dictation; supports teams, no seat minimum)
  • When to use: Individual professionals with non-regulated workflows, comfortable with manual Privacy Mode management
  • When not to use: Regulated data, team deployments requiring enforced controls

Enterprise Plan (Contact sales)

  • Privacy Mode: Available; can negotiate enforced Privacy Mode (not user-optional)
  • Additional features: Dedicated support, custom integrations, DPA with SCCs (negotiable)
  • Compliance: SOC 2 Type I (A-LIGN, 2026), SOC 2 Type II and ISO 27001:2022 re-audits in progress, HIPAA BAA with enforced zero retention
  • Pricing: Contact sales (not publicly listed; billed annually)
  • When to use: Regulated industries, EU personal data processing, need for contractual DPA/SCCs
  • When not to use: Organisations with strict "EU-only" data processing policies (no EU infrastructure available)

5 Data Processing Flow

[User dictates via app (Mac/Windows/iPhone/Android - Android added Feb 2026)]
  ↓
[Audio streamed to US cloud infrastructure] 🇺🇸
  ↓
[Speech-to-Text AI processing]
  ├─ Context understanding
  ├─ Editing/formatting
  └─ Command execution
  ↓
[Privacy Mode + Cloud Sync check]
  ├─ Privacy Mode ON + Cloud Sync OFF: zero retention (audio/transcripts discarded)
  ├─ Privacy Mode ON + Cloud Sync ON: no model training, but transcripts stored on encrypted US servers
  └─ Privacy Mode OFF: may be stored/used for training (standard retention applies)
  ↓
[Transcript returned to app]
  ↓
[Local insertion in target application]

*All transcription is cloud-based (not on-device)*
*No EU data centers available*

6 Recommendations (GDPR-first)

  • For EU personal data, Privacy Mode is mandatory. Enterprise tier recommended to obtain DPA with SCCs.
  • Complete a Transfer Impact Assessment (TIA) documenting US data transfer risks and safeguards.
  • Do not use Wispr Flow for special category data (Art. 9 GDPR) or in environments with "EU-only" policies.
  • If US transfers are prohibited by your risk assessment, consider EU-based alternatives (Speechmatics, Philips SpeechLive) or on-device transcription (Apple Dictation, Windows Speech Recognition).

7 EU Rollout Checklist (Practical)

  1. Contractual safeguards - Request DPA with Standard Contractual Clauses from Wispr (Enterprise sales)
  2. Enable Privacy Mode - Activate on all accounts before first use (Settings → Data & Privacy → Privacy Mode ON)
  3. Transfer Impact Assessment - Document legal basis for US data transfers under GDPR Art. 46
  4. Internal policy - Document Privacy Mode as mandatory; establish incident response for accidental disablement
  5. Art. 30 records - Add Wispr Flow to processing records; note Privacy Mode enforcement as technical measure

8 Procurement Quick Answers (EU)

Can we use Wispr Flow for EU personal data?

⚠️ With restrictions. Requires: (1) Privacy Mode enabled, (2) DPA with SCCs, (3) Transfer Impact Assessment permitting US transfers, (4) enforcement via internal policy. Not recommended for special category data.

How do we enable Privacy Mode?

Settings → Data & Privacy → Toggle Privacy Mode to ON. Note: Not the default setting; must be manually enabled by each user.

Is there EU data residency?

❌ No. All processing occurs in US cloud infrastructure. No EU data centers available or announced.

Who are the subprocessors?

✅ Publicly disclosed in Wispr's DPA (Annex 2) and Trust Center. Includes AWS (US storage), OpenAI, Anthropic, Cerebras, Google, Supabase (auth) and Stripe (payments), among others - all US-located.

What happens if Privacy Mode is disabled?

Audio and transcripts may be stored and used for training. Standard retention periods apply under Wispr's Privacy Policy. No automatic alerts.

Is a DPA available?

✅ Yes. Wispr publishes a public DPA at wisprflow.ai/legal/dpa (updated May 21, 2026) incorporating EU SCCs (Module 2) and the UK Addendum, with a subprocessor list (Annex 2). Review and execute it for EU personal-data use (US storage means a TIA is still required).


9 Notes & Caveats

  • Privacy Mode is optional - Not the default; users must manually enable and can disable at any time (except HIPAA BAA customers, where it's auto-locked).
  • No EU data centers - All processing in US; unsuitable for strict "EU-only" data localisation requirements.
  • DPA/SCCs published - Public DPA at wisprflow.ai/legal/dpa (updated May 21, 2026) incorporates EU SCCs (Module 2) and the UK Addendum; review and execute before EU personal-data use. US storage means a TIA is still required.
  • Retention without Privacy Mode - Wispr's retention is setting-dependent (governed by Cloud Sync); content sent to third-party LLM providers is not used to train their models and, per Wispr's Privacy Policy, is generally deleted within 30 days.
  • HIPAA BAA / ZDR lock - Signing a BAA locks Privacy Mode ON; Enterprise admins can enforce ZDR organisation-wide.
  • Local storage and Context Awareness - Enterprise admins can lock local transcript storage settings and disable Context Awareness. Privacy Mode controls server-side dictation retention; local device history must be governed separately.
  • ISO 27001 re-certification in progress - Wispr's prior ISO/IEC 27001:2022 certificate was invalidated in March 2026; re-certification with A-LIGN is underway (Stage 1 April 2026, Stage 2 scheduled June 2026).
  • Android app (Feb 2026) - Wispr Flow launched an Android app, expanding the platform beyond Mac/Windows/iPhone.

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Wispr Flow in production environments - especially when processing EU personal data. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - June 2026.


References

  • https://wisprflow.ai/privacy-policy - Wispr Flow Privacy Policy
  • https://wisprflow.ai/data-controls - Wispr Flow Data Controls (Privacy Mode Documentation)
  • https://docs.wisprflow.ai/articles/6274675613-privacy-mode-data-retention - Privacy Mode & Data Retention
  • https://docs.wisprflow.ai/articles/6939510703-compliance-certifications-standards - Compliance Certifications & Standards
  • https://wisprflow.ai/legal/dpa - Wispr Flow Data Processing Addendum (public, EU SCCs + UK Addendum)
  • https://docs.wisprflow.ai/articles/3467817258-security-and-compliance-faq - Security & Compliance FAQ
  • https://docs.wisprflow.ai/articles/1163060507-wispr-flow-it-guide-on-privacy-and-security - Wispr Flow IT Guide on Privacy and Security
  • https://docs.wisprflow.ai/articles/4608289566-hipaa-support - Wispr Flow HIPAA Support Documentation
