The privacy choice we made before we built anything else

The moment we stopped thinking like everyone else

When you work in conversations, you're holding things that shouldn't be transmitted. A sales call about a failed deal. A therapy session. Legal advice. A researcher's methodology notes. Your phone contains some of the most sensitive information you generate in a week, and yet most note-taking apps treat audio like email, which is to say, they send it somewhere immediately.

The therapist's question wasn't about features. It was about trust. She didn't ask if we had encryption or compliance badges. She asked if the audio stayed on her phone. That's the question that matters.

So we made a decision: the free tier of Scribr would use on-device transcription only. Not as a loss leader. Not as a limitation to upsell from. As the foundation. Your audio stays on your phone. Full stop. We use Whisper on iOS, Apple's own Speech framework as backup. The transcription happens locally. Nothing leaves your device unless you choose to send it somewhere.

Why everyone else got the architecture wrong

The standard model is backwards. Build a web-first tool, add a mobile app later, send everything to the cloud because that's where the smart stuff happens. Sell the premium tier as the one with AI and security. Keep the free tier basic and cloud-dependent.

That model works fine if you're taking notes about your to-do list. It's catastrophic if you're recording your therapist.

We started from the phone, not the server. That meant accepting that some things wouldn't work instantly, and that was fine. Transcription takes a few seconds on-device. You wait. No server latency. No network request. No audio file sitting in transit. You hit record, you speak, you get a transcript. That's it.

The cloud stuff, if you want it, comes later. Pro users get access to Deepgram for longer audio files and fuller features. But that's opt-in, and it happens after you've already transcribed on your phone. You own the first copy. You decide if the second copy goes anywhere.

What changes when you stop sending everything up

The moment we locked this in, other things became possible. We could add biometric authentication across the app because the data was already secured at the source. We could build Vault Mode for Pro users, using AES-GCM encryption, because we weren't relying on cloud infrastructure to do the heavy lifting on confidentiality.

The Quick Record widget and Siri shortcuts started making sense too. You can start recording without even unlocking your phone, because your phone is the secure perimeter. The transcript appears directly on your device. No network dependency. No privacy exhale.

Knowledge workers, consultants, students, legal professionals, researchers, sales teams. They all have the same need: they speak into their phone during high-stakes moments, and the transcript needs to stay private by default. Not encrypted-in-transit. Not behind a paywall. Private from the moment the audio hits the processor.

The hard part: explaining what we didn't build

We're not Otter. We're not a web-first tool with a mobile wrapper. We're not a meeting bot that hooks into your calendar and transcribes calls you didn't consciously start recording. We're not Android-first; we shipped iOS because that's where the privacy architecture made sense first.

And on the free tier, you don't get AI summaries or action-item extraction. Not because we're gatekeeping intelligence. Because those features require cloud processing, and cloud processing means sending your audio somewhere. If you want summaries and action items, you move to Pro, and you make that choice deliberately. You see what's happening. You consent.

The free tier does one thing well: it keeps your conversations private. Five audio uploads a month. Two platform connections so you can export to your note system if you want. That's the whole tier. It's not a handicapped version of Pro. It's a different product for a different question. 'I need my phone to transcribe what I say, and I need it to stay on my phone.'

Why this matters more than it sounds

There's a privacy marketing problem in software. Every company claims to care about privacy, and then sells a product that harvests everything the moment you touch it. The words become noise. Compliance badges become decoration.

So we stopped saying we care about privacy and instead built a tier where privacy is the default, not a feature. It's not something you unlock with a premium subscription. It's not something you have to understand cryptography to believe in. You press record. The transcript stays on your phone. Done.

That's it. That's the entire story. The therapist who asked the question can use Scribr free, with full transcription, and know that the session notes never leave her phone. The student recording a lecture. The lawyer taking call notes. The consultant after a client conversation. They're not choosing between privacy and features. They're getting both.

That only works if you build from the phone first, not from the cloud. Once you've decided the architecture, everything else follows.