Privacy Policy
Last updated: 14 May 2026
This Privacy Policy explains how Weeve B.V. i.o. ("Weeve", "we", "us") collects, uses, and protects your personal data when you use the Weeve macOS app (the "App") and the website at https://getweeve.io (the "Site").
We've written this in plain language because we believe you should actually understand it. If anything is unclear, email us at stefan@getweeve.io.
TL;DR
Weeve runs on your Mac. Your audio recordings and transcripts stay on your device by default.
We use a small backend (Supabase) for account login, subscription status, and usage limits — that's it.
We use Stripe to handle payments (we never see your card details).
We use PostHog to understand which features people use. This is anonymous-by-default product analytics.
On our website, we use Google Ads (conversion tracking and remarketing) and the LinkedIn Insight Tag to measure how well our ads work. These only run if you accept marketing cookies in the banner.
We do not sell your data and we do not train AI models on your recordings.
1. Who we are
The data controller is:
Weeve B.V. i.o.
MediArena 2, 1114 BC Amsterdam-Duivendrecht, Netherlands
KvK number: registration in progress ("in oprichting")
Email: stefan@getweeve.io
2. What data we collect
2.1 Data you give us when you create an account
Email address — used to sign in (we use a one-time code sent to your inbox; we do not store passwords).
2.2 Data we generate when you use the App
Authentication tokens — short-lived access tokens stored on your Mac so you stay signed in.
Subscription and billing metadata — your plan, trial start/end dates, subscription status, and a Stripe customer ID. We do not store your card number, CVC, or full card details. Stripe handles all of that.
Usage counters — the number of transcriptions you've made in the current billing period, used to enforce plan limits.
2.3 Data that stays on your Mac (we never see it)
Audio recordings (microphone and system audio) you create.
Transcripts and AI-generated summaries.
Speaker labels from the on-device diarization service.
Notes, voice memos, templates, and insights you create in the App.
App preferences (theme, hotkey, model choice, etc.).
These are stored locally in ~/Library/Application Support/Weeve/Users/<your-user-id>/. They are not uploaded to our servers and are not backed up by us.
2.4 Product analytics (PostHog)
If product analytics is enabled in your build of the App, we send anonymous, aggregated event data to PostHog (hosted in the EU). Examples of events:
App opened
Recording started (with the type: meeting / voice memo / quick paste)
Transcription completed (duration, model used)
Insight generated
Onboarding completed
These events are linked to a random ID. If you're signed in, that ID is your Weeve user ID; if not, it's a random anonymous ID generated locally. Events do not contain the contents of your recordings, transcripts, notes, or any other personal content.
2.5 Advertising measurement on the Site
When you visit our website, and only if you accept marketing cookies in the cookie banner, we use:
Google Tag Manager — a container that loads our other marketing tags.
Google Ads conversion tracking and remarketing — measures whether a click on one of our Google ads led to a sign-up, and lets us show ads to people who have already visited the Site.
LinkedIn Insight Tag — measures whether a click on one of our LinkedIn ads led to a sign-up, and lets us build audiences for LinkedIn campaigns.
These tools may use your IP address, device/browser info, the pages you visited on our Site, and a randomly generated ID to attribute your visit to an ad campaign. They are operated by Google LLC and LinkedIn Ireland Unlimited Company (Microsoft) as independent controllers for their own purposes too. See the Cookie Policy for the exact cookies set and their durations.
The App itself does not contain Google Ads, LinkedIn, or any advertising trackers.
3. What we do NOT collect
We do not record, store, or transmit your audio or transcripts to our servers.
We do not use your audio, transcripts, or notes to train AI models — ours or anyone else's.
We do not sell your personal data.
We share visit data with ad networks only for the purpose of measuring our own ads and reaching potential customers — and only when you consent on the website.
4. Why we process your data (legal bases under the GDPR)
Purpose | Data | Legal basis |
|---|---|---|
Provide the App and your account | Email, auth tokens | Contract (Art. 6(1)(b) GDPR) |
Bill you and manage your subscription | Subscription metadata, Stripe IDs | Contract (Art. 6(1)(b)) |
Enforce plan limits | Usage counters | Contract (Art. 6(1)(b)) |
Improve the App | Anonymous product analytics | Legitimate interests (Art. 6(1)(f)) |
Measure ad performance and remarketing on the Site | Google Ads + LinkedIn Insight cookies | Consent (Art. 6(1)(a)) |
Detect abuse and protect the service | Logs, rate-limit counters | Legitimate interests (Art. 6(1)(f)) |
Comply with legal obligations | Billing records | Legal obligation (Art. 6(1)(c)) |
5. Who we share your data with
We share the minimum amount of data needed to run the service. Our processors and ad partners are:
Recipient | Role | What for | Where |
|---|---|---|---|
Supabase | Processor | Authentication, subscription metadata, usage counters | EU |
Stripe | Processor | Payment processing and subscription management | US/EU (DPF-certified) |
Hugging Face | Processor | Downloading AI models to your Mac | US |
PostHog | Processor | Anonymous product analytics | EU |
Framer | Processor | Hosting our website | EU/US |
Google (Ads + Tag Manager) | Independent controller | Ad conversion tracking and remarketing on the Site | US/EU (DPF-certified) |
LinkedIn (Microsoft) | Independent controller | LinkedIn ad conversion tracking | EU/US (DPF-certified) |
We have data-processing agreements with each processor where the GDPR requires one. We never share your audio or transcripts with any of them.
We may also disclose data if required by law (e.g., a valid court order) or to protect our rights and users.
6. International transfers
Some of our recipients are based outside the EU/EEA (notably Stripe, Hugging Face, Google, and LinkedIn). When data is transferred outside the EEA, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework, or other safeguards required by the GDPR.
7. How long we keep your data
Account data (email, auth): for as long as your account exists, plus a short retention period after deletion to handle disputes.
Subscription/billing records: retained as long as legally required (typically 7 years under Dutch tax law).
Product analytics events: up to 24 months in PostHog, then deleted or anonymized.
Advertising cookies on the Site: between 15 minutes and 13 months depending on the cookie — see the Cookie Policy for the exact list.
Local content on your Mac: stays on your Mac until you delete it. We have no way to access or delete it for you.
When you delete your account, we delete or anonymize the account-side data within 30 days, except for records we're legally required to keep.
8. Your rights
Under the GDPR, you have the right to:
Access the personal data we hold about you
Correct inaccurate data
Delete your account and associated data ("right to be forgotten")
Restrict or object to certain processing
Port your data to another service
Withdraw consent at any time (where processing is based on consent) — for advertising cookies, use the "Cookie settings" link in the website footer
Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority
To exercise any of these rights, email stefan@getweeve.io. You can also delete your account directly from the App: Settings → Account → Danger Zone.
9. Security
All connections between the App and our backend use HTTPS/TLS.
Authentication uses one-time codes (no passwords to leak) and short-lived JWT tokens.
Supabase encrypts data at rest.
Stripe is PCI-DSS Level 1 certified.
Local data on your Mac is protected by macOS user-level permissions and (if you enable it) FileVault disk encryption.
No system is perfectly secure. If a breach affects you, we'll notify you and the Dutch DPA within 72 hours, as required by the GDPR.
10. Children
Weeve is not intended for users under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we'll delete it.
11. Changes to this policy
If we materially change this policy, we'll notify you by email and/or in the App at least 14 days before the change takes effect. The "Last updated" date at the top will always reflect the current version.
12. Contact
Questions, requests, or complaints:
Weeve B.V. i.o.
MediArena 2, 1114 BC Amsterdam-Duivendrecht, Netherlands
Privacy & legal: stefan@getweeve.io
Support: dylan@getweeve.io