
Wispr Flow

Wispr AI

Partial · EU: Not Available · Opt-out Available · Zero Retention · US Only

Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.

Pricing / Contract Route

USD pricing varies by plan

Enterprise Features

Privacy Mode/ZDR enforcement, HIPAA BAA, SOC 2 Type II, ISO 27001:2022

Last Updated

May 11, 2026

Wispr Flow - GDPR & Data Privacy Overview for European Clients

Version: May 2026 - prepared by WAIMAKERS B.V.


1 Purpose

This overview explains how Wispr Flow (Free, Pro, Teams, Enterprise) handles data in relation to GDPR, with a focus on European customers. Wispr Flow is a voice-to-text dictation tool by Wispr AI, Inc. (San Francisco) offering optional Privacy Mode with zero data retention.


2 Comparison of Wispr Flow Tiers (EU focus)

| Tier | Privacy Mode (ZDR) | HIPAA BAA | Training on data? | EU residency | Compliance | Price |
| Free | ✅ Optional | ✅ Available in-app | ⚠️ No if Privacy Mode on; may be used if off | ❌ No | SOC 2 Type II, ISO 27001:2022, HIPAA | €0 (2,000 words/week) |
| Pro | ✅ Optional | ✅ Available in-app | ⚠️ No if Privacy Mode on; may be used if off | ❌ No | SOC 2 Type II, ISO 27001:2022, HIPAA | $15/month (14-day free trial for teammates, Nov 2025) |
| Teams | ✅ Optional (per user) | ✅ Available in-app | ⚠️ No if Privacy Mode on; may be used if off | ❌ No | SOC 2 Type II, ISO 27001:2022, HIPAA | $10/user/month (min 2) |
| Enterprise | ✅ Available; can be enforced | ✅ Enterprise BAA / ZDR enforcement | ✅ No when Privacy Mode/ZDR enforced | ❌ No | SOC 2 Type II, ISO 27001:2022, HIPAA | $24/user/month |

Notes for Europe

  • Privacy Mode: When enabled, zero data retention for dictation content (audio/transcripts are processed and discarded; not stored or used for model training). Individual users must enable it in Settings → Data & Privacy unless their organization enforces ZDR.
  • HIPAA BAA / ZDR: Signing a BAA locks Privacy Mode ON. Enterprise customers can enforce zero data retention organization-wide; Team/Pro users rely on individual toggles.
  • Infrastructure: 100% US-based cloud processing. No EU data centers available.
  • Data retention:
    • Privacy Mode ON: Zero retention at Wispr and third parties
    • Privacy Mode OFF: standard retention periods apply per Wispr's Privacy Policy; dictation data may be used to evaluate, train, and improve Flow
  • Enterprise pricing: $24/user/month (now publicly available).
  • Pro plan (Nov 2025): Restructured for teams; includes free 14-day trial for teammates.
  • Android app: Launched March 2026.
  • ISO 27001: Wispr states it is ISO/IEC 27001:2022 certified, with certificate validity through Sep. 7, 2026.
  • Pricing: Global pricing in USD.

3 Is Wispr Flow GDPR-Compliant?

Short answer: ⚠️ Partial compliance. Usable for EU personal data only with Privacy Mode enabled and proper US transfer safeguards (DPA with SCCs). All plans support Privacy Mode but require manual activation. US-only infrastructure.

What applies to all plans:

  • Privacy Mode (ZDR) - When enabled, no audio/transcripts stored; no training by Wispr or third parties
  • HIPAA compliance - BAA available on ALL plans (expanded August 2025); accepting BAA auto-enables and locks Privacy Mode ON
  • Strong certifications - SOC 2 Type II, ISO 27001

What's plan-dependent:

  • Privacy Mode enforcement - Free/Pro/Teams: user-optional. Enterprise: can enforce ZDR organisation-wide
  • DPA availability - Status unclear for lower tiers; Enterprise should include DPA with SCCs

Infrastructure limitations (all plans):

  • US-only processing - All transcription occurs in US cloud; no EU data residency option
  • DPA/SCCs unclear - Not publicly documented; must be requested from Enterprise sales
  • Subprocessors undisclosed - List not publicly available

What that means in practice:

  • For non-sensitive work content (drafts, emails): Pro/Teams acceptable with Privacy Mode
  • For EU personal data (employee/customer info): Enterprise recommended; require DPA with SCCs and Transfer Impact Assessment
  • For special category data (Art. 9 GDPR): Not recommended even with Privacy Mode due to US infrastructure

Buyer's note: Only suitable for EU use if Privacy Mode is enforced organisation-wide, DPA with SCCs obtained, and Transfer Impact Assessment permits US processing.


4 Details by Offering

Free Plan

  • Privacy Mode: Optional (manual toggle)
  • Data collection: With Privacy Mode: only usage stats (word count). Without: audio, transcripts, may be used for training.
  • Training: No training if Privacy Mode ON; may be used if OFF
  • Retention: Zero if Privacy Mode ON; standard retention policy applies if OFF
  • Pricing: Free (2,000 words/week limit)
  • When to use: Testing, non-sensitive personal use
  • When not to use: EU personal data (no contractual protections likely available at Free tier)

Pro Plan ($15/month)

  • Privacy Mode: Optional (manual toggle)
  • Important limitation: User can disable Privacy Mode at any time; no admin enforcement
  • Pricing: $15/month (unlimited dictation)
  • When to use: Individual professionals with non-regulated workflows, comfortable with manual Privacy Mode management
  • When not to use: Regulated data, team deployments requiring enforced controls

Teams Plan ($10/user/month)

  • Privacy Mode: Optional per user (manual toggle)
  • Important limitation: Each user controls their own Privacy Mode; no centralised enforcement
  • Pricing: $10/user/month (minimum 2 users = $20/month total)
  • When to use: Small teams with clear internal policies mandating Privacy Mode
  • When not to use: Environments requiring technical enforcement of data protection controls

Enterprise Plan ($24/user/month)

  • Privacy Mode: Available; can negotiate enforced Privacy Mode (not user-optional)
  • Additional features: Dedicated support, custom integrations, DPA with SCCs (negotiable)
  • Compliance: SOC 2 Type II, ISO 27001:2022, HIPAA BAA with enforced zero retention
  • Pricing: $24/user/month (publicly available pricing)
  • When to use: Regulated industries, EU personal data processing, need for contractual DPA/SCCs
  • When not to use: Organisations with strict "EU-only" data processing policies (no EU infrastructure available)

5 Data Processing Flow

[User dictates via app (Mac/Windows/iPhone/Android - Android added Feb 2026)]
  ↓
[Audio streamed to US cloud infrastructure] 🇺🇸
  ↓
[Speech-to-Text AI processing]
  ├─ Context understanding
  ├─ Editing/formatting
  └─ Command execution
  ↓
[Privacy Mode check]
  ├─ ON: Immediate deletion after transcription
  └─ OFF: May be stored/used for training (standard retention policy applies)
  ↓
[Transcript returned to app]
  ↓
[Local insertion in target application]

*All transcription is cloud-based (not on-device)*
*No EU data centers available*

6 Recommendations (GDPR-first)

  • For EU personal data, Privacy Mode is mandatory. Enterprise tier recommended to obtain DPA with SCCs.
  • Complete a Transfer Impact Assessment (TIA) documenting US data transfer risks and safeguards.
  • Do not use Wispr Flow for special category data (Art. 9 GDPR) or in environments with "EU-only" policies.
  • If US transfers are prohibited by your risk assessment, consider EU-based alternatives (Speechmatics, Philips SpeechLive) or on-device transcription (Apple Dictation, Windows Speech Recognition).

7 EU Rollout Checklist (Practical)

  1. Contractual safeguards - Request DPA with Standard Contractual Clauses from Wispr (Enterprise sales)
  2. Enable Privacy Mode - Activate on all accounts before first use (Settings → Data & Privacy → Privacy Mode ON)
  3. Transfer Impact Assessment - Document legal basis for US data transfers under GDPR Art. 46
  4. Internal policy - Document Privacy Mode as mandatory; establish incident response for accidental disablement
  5. Art. 30 records - Add Wispr Flow to processing records; note Privacy Mode enforcement as technical measure

8 Procurement Quick Answers (EU)

Can we use Wispr Flow for EU personal data?

⚠️ With restrictions. Requires: (1) Privacy Mode enabled, (2) DPA with SCCs, (3) Transfer Impact Assessment permitting US transfers, (4) enforcement via internal policy. Not recommended for special category data.

How do we enable Privacy Mode?

Settings → Data & Privacy → Toggle Privacy Mode to ON. Note: Not the default setting; must be manually enabled by each user.

Is there EU data residency?

❌ No. All processing occurs in US cloud infrastructure. No EU data centers available or announced.

Who are the subprocessors?

⚠️ Not publicly disclosed. Request list from Enterprise sales (likely includes cloud provider and speech-to-text APIs).

What happens if Privacy Mode is disabled?

Audio and transcripts may be stored and used for training. Standard retention periods apply under Wispr's Privacy Policy. No automatic alerts.

Is a DPA available?

⚠️ Not found in public documentation. Enterprise customers should request DPA with SCCs and subprocessor notification rights.


9 Notes & Caveats

  • Privacy Mode is optional - Not the default; users must manually enable and can disable at any time (except HIPAA BAA customers, where it's auto-locked).
  • No EU data centers - All processing in US; unsuitable for strict "EU-only" data localisation requirements.
  • DPA/SCC status unclear - Not publicly available; must negotiate with Enterprise sales.
  • Retention without Privacy Mode - Standard retention periods apply under Wispr's Privacy Policy; the current public docs do not state a fixed 30-day retention period for all non-Privacy Mode dictation data.
  • HIPAA BAA / ZDR lock - Signing a BAA locks Privacy Mode ON; Enterprise admins can enforce ZDR organisation-wide.
  • ISO 27001 certified - Wispr states it is ISO/IEC 27001:2022 certified.
  • Android app (Feb 2026) - Wispr Flow launched an Android app, expanding the platform beyond Mac/Windows/iPhone.

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Wispr Flow in production environments - especially when processing EU personal data. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - May 2026.


References

  • https://wisprflow.ai/privacy-policy - Wispr Flow Privacy Policy
  • https://wisprflow.ai/data-controls - Wispr Flow Data Controls (Privacy Mode Documentation)
  • https://docs.wisprflow.ai/articles/6274675613-privacy-mode-data-retention - Privacy Mode & Data Retention
  • https://docs.wisprflow.ai/articles/6939510703-compliance-certifications-standards - Compliance Certifications & Standards
  • https://docs.wisprflow.ai/articles/1163060507-wispr-flow-it-guide-on-privacy-and-security - Wispr Flow IT Guide on Privacy and Security
  • https://docs.wisprflow.ai/articles/4608289566-hipaa-support - Wispr Flow HIPAA Support Documentation
