Your audio never leaves your Mac. Anthropic only ever sees the prospect's last sentence as text — never your voice, never your script, never the rest of the conversation. Below is exactly how AP Sales Coach handles your data, your credentials, and your privacy.
Audio captured by your microphone is processed in flight by Deepgram (real-time speech-to-text) and discarded the moment the call ends. Neither Deepgram nor AP Sales Coach store the raw audio. The desktop app holds it in memory only for the duration of the call.
The transcript text — produced from the audio — is sent to Anthropic Claude Haiku 4.5 for script-tree routing. We send only the prospect's last utterance, plus the IDs of nodes in your tree. We do not send your script content, prior transcript, or call metadata.
Stored in Supabase (EU-hosted):
Stored on your Mac (never sent to us): every per-call session JSON snapshot, your script tree, your dispositions, your call history. You own this data; we never see it.
All data in transit is encrypted with TLS 1.2+. All data at rest in Supabase is encrypted at the disk level (Supabase infrastructure default). Your Anthropic and Deepgram API keys are stored encrypted in the macOS Keychain — never in plain text on disk, never sent off your machine.
Every third-party service that processes any data on our behalf is listed publicly at /sub-processors. We give 14 days' notice before adding any sub-processor that materially changes how data is handled.
If you find a security issue, email security@apsalescoach.com. Don't post it publicly until we've patched. We respond within 48 hours and will credit you publicly when the fix ships, unless you ask us not to.
We're a small team and don't currently run a paid bounty program. We will, the moment our cash position allows.
UK GDPR + EU GDPR:compliant. We're the data processor; you're the data controller for any audio you capture. Read the Data Processing Agreement for the full contract.
PECR Regulation 21 (UK B2B cold calling): AP Sales Coach is built to support compliant outbound. We publish the full UK cold-calling legal framework explaining how PECR, UK-GDPR Article 6(f) legitimate interest, TPS/CTPS, and the Sole Trader Trap interact — plus the Pardoe Framework, our eight-protocol technical specification operators run against the desktop app.
SOC 2: evidence collection in progress (via Vanta). Type I audit is targeted for Q3 2026, Type II to follow 12 months later. No SOC 2 report yet — this is an active roadmap item, not a quiet skip.
HIPAA, FedRAMP, ISO 27001:not in scope. AP Sales Coach isn't aimed at healthcare or government buyers.
Two-factor authentication enforced on every founder + admin account (Supabase, Stripe, GitHub, Google Workspace, Vercel, Apple Developer). Production secrets stored only in Vercel environment variables and Supabase secrets manager — never in source. No hard-coded API keys in the desktop app or the website code.
Stripe webhooks are signed and verified on every request. The magic-link activation flow uses Supabase's OAuth-style hash-fragment tokens — JWTs never hit our server logs.