Privacy isn't a settings toggle you bury at the bottom of a dashboard. For Scriba, it's the default shape of the product: your meetings land in a SQLite database on your Mac, audio sits in a folder beside it, and cloud sync is something you opt into by signing in — not a requirement to get value from day one.
Local-first by default
When you finish a call, the canonical record is on disk under your user profile. Transcripts, summaries, chat history, and Brain memory all live in per-user SQLite. The app works offline. Search works offline. Playback works offline. Managed AI features need network access, but the corpus they read from stays local unless you explicitly sync or export it.
- Per-user database isolation at ~/Library/Application Support/com.scriba.app/users/{user_id}.db.
- Audio stored alongside the database in users/{user_id}/audio/.
- Export to ZIP when you want a portable archive — no vendor lock-in.
- BYOK mode keeps transcription and chat on your own OpenAI key when you want a different trust boundary.
What leaves your Mac
Signing in enables cloud sync: metadata mirrors to DynamoDB, audio to S3, scoped with per-user IAM credentials. Managed transcription and chat route through Supabase edge functions — we proxy to AssemblyAI and Anthropic, but meeting content is not stored in Supabase tables. We see request metadata for billing and abuse prevention; we don't build a searchable archive of your conversations on our side.
We can only protect what we don't hold centrally. Local-first means the blast radius of a breach is your device, not every customer on our servers.
Sync without surrender
Cloud sync exists so you can open another Mac and keep working — not so we can mine your meetings for ads or train public models. Free plans get a 2 GB cap on new signups; paid plans are uncapped. Downgrade from paid and we grandfather your data instead of deleting it. Delete your account and we purge cloud copies through the documented deletion flow.
Preferences that matter
Ghost mode, consent prompts, and Brain consolidation are all user-controlled. We don't train foundation models on your transcripts. Profiles store preferences, not meeting bodies. The product roadmap favors deeper local tooling — better search, faster repair, richer export — over features that require shipping raw audio to more vendors.
Privacy as product shape
Teams evaluating Scriba often ask what we can see. The honest answer: less than a bot-based notetaker that stores everything in a shared tenant. Your Mac is the first home for the data; our cloud role is sync and managed AI when you choose it. That architecture is slower to demo in a sales call, but it's why lawyers, therapists, and founders trust us with conversations they won't put in someone else's SaaS vault.