Privacy Model
Steno is local-first by design.
- audio capture and transcription happen locally on your Mac
- optional cloud cleanup sends transcript text only
- audio files are not uploaded for cleanup
If cloud cleanup is disabled or unavailable, Steno falls back to local cleanup.
Data Storage
Key local files include:
- transcript history: ~/Library/Application Support/Steno/transcript-history.json
- cloud budget tracking: ~/Library/Application Support/Steno/budget.json
The Steno UI displays recent history from the last 30 days, while persistent history is capped by entry count in the storage logic.
API Key Handling
OpenAI API keys are stored in the macOS Keychain under the service/account keys defined in source.
Behavior summary:
- empty or whitespace-only keys are not persisted
- Clear API Key removes the currently stored value
- legacy keychain service names are migrated if found
This keeps secret handling aligned with platform-native storage instead of plain-text settings files.
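The behavior summarized above, sketched with the Security framework as an added example (not Steno's own source). The service and account strings are hypothetical placeholders, since this page does not list the real ones, and leaving an existing key untouched on empty input is an assumption.

```swift
import Foundation
import Security

// Hypothetical identifiers: the page does not list Steno's real service/account names.
let service = "com.example.steno.openai"
let legacyServices = ["com.example.steno.legacy"]
let account = "openai-api-key"

func query(_ svc: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: svc,
     kSecAttrAccount as String: account]
}

func read(_ svc: String) -> String? {
    var q = query(svc)
    q[kSecReturnData as String] = true
    q[kSecMatchLimit as String] = kSecMatchLimitOne
    var out: CFTypeRef?
    guard SecItemCopyMatching(q as CFDictionary, &out) == errSecSuccess,
          let data = out as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

/// Removes the stored value; a missing item is not treated as an error.
@discardableResult
func clearKey(_ svc: String = service) -> Bool {
    let status = SecItemDelete(query(svc) as CFDictionary)
    return status == errSecSuccess || status == errSecItemNotFound
}

/// Persists a trimmed key; empty or whitespace-only input is never written.
func saveKey(_ raw: String) -> Bool {
    let key = raw.trimmingCharacters(in: .whitespacesAndNewlines)
    guard !key.isEmpty, clearKey() else { return false }
    var item = query(service)
    item[kSecValueData as String] = Data(key.utf8)
    return SecItemAdd(item as CFDictionary, nil) == errSecSuccess
}

/// Returns the current key, migrating from a legacy service name if one is found.
func loadKey() -> String? {
    if let key = read(service) { return key }
    for old in legacyServices {
        guard let key = read(old) else { continue }
        if saveKey(key) { clearKey(old) }  // drop the legacy copy only after the new write succeeds
        return key
    }
    return nil
}
```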
Security Reporting
For vulnerabilities and sensitive disclosures:
- follow SECURITY.md in the Steno repository
- avoid posting exploit details in public issues
For non-security bugs, use standard issue reporting with reproducible steps.
Permission implications
Code-signing identity changes can invalidate macOS TCC grants. After rebuild/signing changes, re-check permission status before assuming runtime regressions.