
July 1, 2026 · 17 min read
If you transcribe interviews, patient consultations, legal calls or sensitive research, one question should come first: where does my audio actually go? A voice recording is personal data. It can reveal who someone is, what they believe, their health, their finances. Your instinct may tell you to keep recordings off the cloud and run everything on your own machine. But "local" and "private" aren't quite the same thing, and "online" doesn't automatically mean "risky". This guide zooms in on how capable the local tools are, where they face difficulties, what separates a trustworthy cloud service from a careless one, and how to check for yourself.

Under the GDPR, a recording of someone's voice is personal data. The moment it touches health, political opinions, religion or biometric identification, it can become special category data with stricter rules. In practice, that means:
Get this wrong and it's not just an awkward conversation with an ethics board, it's a compliance problem. So before comparing features, it's worth being precise about what each option actually does with your audio.
Local (on-device) transcription runs the speech-to-text model on your own computer. The audio never leaves the machine. You trade convenience for control.
Online (cloud) transcription uploads your audio to a provider that processes it on their servers and returns a transcript — usually with an editor, exports and extra features. Here you're placing trust in the provider, so which provider matters enormously.
Both can be done well. Both can be done badly. Let's take them in turn.
Local transcription has come a long way, and the open-source models behind it deserve real credit.
If your requirement is nothing leaves this laptop, full stop, these tools deliver on it. That's a real strength, and no cloud service can honestly claim to match it.
For a developer, a hobbyist, or an organisation with a hard air-gap requirement and the IT support to back it up, local transcription is a legitimate choice, and sometimes the only one.
The catch with "run it yourself" is that it quietly hands you a list of jobs that a service would otherwise do for you. Before committing, be honest about whether these fit your situation.
1. You need real hardware. The large, accurate models are slow on a CPU and hungry on a GPU. A one-hour interview can take a long time on a typical laptop, and the best accuracy, especially on accents and smaller languages, comes from the biggest models, which need a capable graphics card (Whisper large-v3 needs around 10 GB of GPU memory).
2. Setup and maintenance are on you. Raw Whisper means Python, model downloads, CUDA drivers and dependency clashes; inference can break when the GPU driver and runtime disagree. The desktop apps remove most of this pain, but you're still the one keeping things updated.
3. No speaker labels out of the box. Whisper treats a three-person focus group as one long stream of text. To get "who said what" you bolt on a separate diarisation tool like pyannote.audio, which adds its own setup and extra processing time.
4. Hallucinations on silence and noise. Local Whisper is known to occasionally invent text on quiet or low-signal segments. A Cornell-led study presented at ACM FAccT found entirely fabricated phrases in roughly 1% of audio segments tested, typically triggered by pauses and silences (Koenecke et al., Careless Whisper). It's a small share of files, but if you're not proofreading against the audio, you may never notice.
5. You get raw text, and nothing else. No editor, no click-to-play, no clean subtitle exports, no collaboration, no summaries. For a one-off transcript that's fine; for a weekly workflow, you end up building tooling around the model.
6. "Local" is not the same as "GDPR-compliant". Running on your own device makes you the data controller with all the obligations that brings: access control, encryption, secure backups, retention rules and breach handling. An unencrypted laptop left on a train is a data breach. Local removes the cloud risk and replaces it with your own security posture. This may be excellent, or may be a folder called interviews_final on an unencrypted drive.
None of this makes local transcription a bad idea. It just means "private by default" still requires discipline, time and often hardware. Which brings us to the alternative.
The fear of "the cloud" is really a fear of bad defaults — providers that store your audio in another jurisdiction, keep it indefinitely, or quietly use it to train their models. Those concerns are valid, because some tools do exactly that. But online transcription is a spectrum, not a single thing.
Whatever tool you're considering, these are the questions worth answering before you upload anything sensitive:
Where is the data stored? For GDPR purposes, EU data residency keeps things simpler. US storage isn't automatically unlawful, but it adds legal complexity you'll have to account for.
Is your audio used to train AI models? Read the privacy policy, not the marketing page. "We may use your data to improve our services" usually means yes. The best answer is never, with no opt-out to remember.
Can you permanently delete your files? Deletion on demand — not "after 90 days", not "on request to support" — is what you want for consent forms and ethics reviews.
Is data encrypted in transit and at rest? Table stakes, but worth confirming.
What certifications and audits back the claims? GDPR compliance is a legal posture; SOC 2 Type II or HIPAA compliance (directly or via infrastructure partners) shows someone has actually checked.
Will they sign a data processing agreement (DPA)? If you're transcribing on behalf of an organisation, you'll likely need one.
Policies change, so always verify the current terms yourself, but at the time of writing, roughly:
The takeaway: the real question isn't "cloud: yes or no?" It's "which cloud, under which laws, with what defaults?" Choose carefully and you get the convenience of online with privacy that stands up to an ethics review.
| Local (e.g. Whisper / MacWhisper) | Otter.ai | Happy Scribe | Scribewave | |
|---|---|---|---|---|
| Where data lives | Your device | US servers | EU data centre | EU servers |
| Trains on your data? | No | Yes (de-identified, per policy) | Anonymised training unless you opt out | No — never, by default |
| GDPR posture | Entirely your responsibility | US-based | GDPR + SOC 2 Type II | GDPR; partners HIPAA & SOC 2 Type II |
| Speaker diarisation | Add-on (e.g. pyannote) | Built in | Built in | Built in |
| Editor with word-level audio sync | No | Limited | Yes | Yes |
| Languages | 99 | English, French, Spanish | 150+ | 99 |
| Specific hardware needed | Capable GPU / Apple Silicon | None | None | None |
| Setup effort | High (or a paid app) | Low | Low | None — upload & go |
| Cost model | Free/one-time + your hardware | Subscription | Subscription | Pay-as-you-go, with subscription discounts |
Be honest with yourself about the trade-off, because there genuinely is one.
Go local if you have the hardware and the technical comfort, you face a strict air-gap or no-third-parties requirement, or transcription is occasional enough that a bit of fiddling is acceptable, even enjoyable. The models are excellent and the privacy is absolute, provided your own device security is too: full-disk encryption, access control, sensible retention. Whisper on an encrypted machine is a perfectly defensible setup.
Go with a privacy-first online tool if you need speed, speaker labels, clean exports and a proper editing workflow, and you don't want to become your own IT and compliance department. For most researchers, journalists, clinicians and teams handling sensitive audio regularly, this is the realistic pick, as long as you vet the provider with the checklist above.
Scribewave was built for exactly this middle ground: people who need their transcription to survive a privacy review but don't have time to run their own models. Concretely, that means your audio is stored on European servers, encrypted, never used to train our AI or for human annotation, and permanently deletable at any time. You still get automatic, editable speaker labels, a word-synced editor, 90+ languages and dialects, custom vocabulary for names and jargon, polished exports, and an AI assistant whose answers link back to exact timecodes so you can verify everything against the audio.
If a local setup fits your constraints better, use it. If it doesn't; we've tried to make sure you don't have to trade privacy for a usable workflow.
Is online transcription GDPR-compliant? It can be — it depends entirely on the provider. Look for EU-based storage, a clear commitment not to train on your files, encryption, permanent deletion, and a willingness to sign a DPA. The vetting checklist above covers the essentials.
Is local transcription more private than online? Local keeps audio off the cloud, which removes one risk — but it makes you fully responsible for security, backups, retention and breach handling under the GDPR. A well-secured local setup is very private; an unencrypted laptop is a breach waiting to happen. A privacy-first online service shifts part of that burden onto a provider with audited infrastructure.
What's the most accurate local transcription model right now? OpenAI's Whisper large-v3 remains the multilingual benchmark, covering 99 languages. NVIDIA's Parakeet TDT 0.6B v3 posts a lower error rate on English benchmarks (6.34% average on the Open ASR Leaderboard, per NVIDIA) and is dramatically faster, but covers only 25 European languages.
Does Scribewave use my data to train its AI? No. Your files are never used to train our models or for human annotation, and you can permanently delete them at any time. There's no setting to find and no opt-out to remember; it's simply how the service works.
Where does Scribewave store my data? On European servers. Scribewave is a European company operating under EU data-protection law, working with partners that are GDPR, HIPAA and SOC 2 Type II compliant.
Can I use online transcription for medical, legal or ethics-reviewed research data? Yes, provided the provider meets the bar: EU storage, encryption, no AI training on your files, permanent deletion and audited infrastructure. Document the provider's policies in your data-management plan and get a DPA where required.
If you've read this far, you know what to look for, wherever you land. And if you want to see how a privacy-first online workflow feels in practice, your first transcript with Scribewave is free, no credit card required. Upload a file, check the speaker labels, and delete everything afterwards if you like.
Related reading: The state of transcription in 2025 · Accurate transcription in local languages · OpenAI launches GPT-4o-transcribe: powerful yet limited · What is transcription?
About the author
In a world where Ulysse can't out-flex The Rock or out-charm Timothée Chalamet, he triumphs as the mastermind behind Scribewave, fiercely defending his throne as the king of nerds in beautiful Antwerp, Belgium.
Discover more articles about transcription, subtitling, and translation