Privacy architecture
This page describes the implementation as it stands at the effective date of the Privacy Policy. It may change as the app evolves. If anything here conflicts with the Privacy Policy, the Privacy Policy controls.
The Privacy Policy describes what Gistlist does with personal information in legal terms — categories, purposes, recipients, retention, rights. This page is the technical companion: where bytes live, what processes touch them, and which network calls leave your machine.
Audio capture
Microphone capture uses a bundled native CoreAudio helper for clean USB-mic input, with a bundled FFmpeg AVFoundation fallback when the helper isn’t available. macOS system audio is captured by AudioTee, a CoreAudio tap helper.
Files are written as WAV during the meeting. After processing finishes, the app compacts them according to your Settings → Storage → Audio Storage choice — see Audio storage & retention. Audio always lives on your disk; nothing here is uploaded by the app.
Transcription
On Apple Silicon, the default transcription engine is Parakeet — a local Python subprocess running via mlx_audio.stt.generate on your hardware. No audio leaves your machine.
If you select OpenAI Whisper in Settings instead, the audio file is uploaded to OpenAI’s API using your OpenAI API key. Whisper is the only transcription path that sends audio off your device, and it runs only when you choose it. See LLM & transcription providers.
Language-model inference
The Software supports three LLM providers:
- Anthropic Claude (cloud) — when selected, transcripts and prompt text are sent to Anthropic’s API using your Anthropic API key, directly from your machine.
- OpenAI (cloud) — same pattern, using your OpenAI API key.
- Ollama (local) — a daemon on your machine listening at 127.0.0.1:11434. Open-weight models (Qwen, Llama, Mistral, and others) run on your hardware. Nothing leaves your machine.
Switch providers at any time in Settings → Models.
Storage paths
The engine writes the following on your disk:
- Configuration, prompt files, the meetings index database, and any speech-recognition weights — under ~/.gistlist/.
- Wizard-installed binaries and updater state — under macOS’s Application Support directory for Gistlist.
- Per-meeting folders (audio, transcript, summary, prompt outputs) — in the folder you choose during setup. The default is ~/Documents/Gistlist/. If you point Gistlist at an Obsidian vault, per-meeting folders live inside the vault.
None of this is mirrored to a Gistlist server. We do not operate one.
API keys you enter into the Software are stored in the macOS Keychain under the service name gistlist.
Renderer hardening
The app’s UI runs in an Electron renderer with a strict Content Security Policy (default-src 'self'). No external fonts, CDNs, scripts, or analytics. Sandbox and context isolation are on.
Setup-wizard downloads
The Setup Wizard downloads a small set of binaries and model weights so the local pipeline can run. These happen during setup, not during meetings. Each binary in the wizard’s manifest is pinned by URL and verified against a committed SHA-256 before install; downstream package downloads use the integrity checks built into their respective package managers.
- FFmpeg and FFprobe from evermeet.cx (LGPL static build), pinned URL and SHA-256.
- Ollama binary from the Ollama release host on GitHub, pinned URL and SHA-256, plus codesign verification.
- Managed Python runtime (Apple Silicon only) from the Astral python-build-standalone release host on GitHub, pinned URL and SHA-256. Used as a sub-step of the Parakeet install chain.
- Python packages (such as mlx-audio, used by the Parakeet transcription path) installed through pip from pypi.org over TLS, into a venv at ~/.gistlist/parakeet-venv.
- Parakeet model weights (mlx-community/parakeet-tdt-0.6b-v2) from the Hugging Face model registry, downloaded by mlx-audio on first transcription.
- Ollama model weights from registry.ollama.ai when you pull a model. Outbound: just the model name.
These are standard package downloads. We do not include any tracker, beacon, or callback in them.
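The pin check described in this section can be sketched as follows. This is an added example, not Gistlist's own code: the manifest shape, the function names, the placeholder URL and the sample bytes are all assumptions made for illustration. It shows the ordering that matters: the download is staged, checked against the committed URL and SHA-256, and only then moved into place.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Constructed manifest entry (illustrative, not Gistlist's manifest):
// placeholder URL; sha256 is the digest of the three bytes "abc".
const ENTRY = {
  url: 'https://downloads.example.invalid/tool-1.0.bin',
  sha256: 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
};

// Hash in 1 MiB chunks so a large binary is never held in memory whole.
function sha256File(filePath) {
  const hash = crypto.createHash('sha256');
  const fd = fs.openSync(filePath, 'r');
  try {
    const buf = Buffer.alloc(1 << 20);
    let n;
    while ((n = fs.readSync(fd, buf, 0, buf.length, null)) > 0) hash.update(buf.subarray(0, n));
  } finally {
    fs.closeSync(fd);
  }
  return hash.digest('hex');
}

// Compare the requested URL and the file digest against the committed pin.
function verifyArtifact(entry, requestedUrl, filePath) {
  if (!/^[0-9a-f]{64}$/.test(entry.sha256)) return { ok: false, reason: 'bad-pin' };
  if (requestedUrl !== entry.url) return { ok: false, reason: 'url-mismatch' };
  const actual = sha256File(filePath);
  return actual === entry.sha256 ? { ok: true } : { ok: false, reason: 'sha256-mismatch', actual };
}

// Install only after verification: a failed download is deleted, never moved into place.
function installIfVerified(entry, requestedUrl, tmpPath, destPath) {
  const result = verifyArtifact(entry, requestedUrl, tmpPath);
  if (result.ok) fs.renameSync(tmpPath, destPath); // same directory, so the move is atomic
  else fs.rmSync(tmpPath, { force: true });
  return result;
}

// Stage constructed bytes in a private temp directory and run the install path.
function demo(bytes, requestedUrl = ENTRY.url) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pin-demo-'));
  const [tmp, dest] = [path.join(dir, 'tool.download'), path.join(dir, 'tool')];
  fs.writeFileSync(tmp, bytes);
  const result = installIfVerified(ENTRY, requestedUrl, tmp, dest);
  return { ...result, installed: fs.existsSync(dest), staged: fs.existsSync(tmp) };
}
```

A pin only protects the install if the manifest itself is committed with the app and not fetched alongside the binary; a manifest downloaded from the same host would let one compromise change both.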
Auto-update
Builds of Gistlist that ship through GitHub Releases include an auto-update check. The app contacts GitHub Releases at startup (after a short delay) and on a periodic basis while running, asking whether a newer version exists. Update requests may include the app version, the platform, and standard HTTPS request metadata, but do not include an account identifier or a device identifier. GitHub’s privacy practices apply to those requests.
The updater never downloads or installs a new version without your explicit consent. You can turn the periodic check off in Settings → Other → Updates; the only requests then are the ones you initiate by clicking “Check for updates.”
The updater is also paused during recording. Downloads and installs that arrive mid-meeting are deferred until recording stops.
What the app does not do
- No accounts, no sign-up, no login.
- No usage telemetry, crash telemetry, or behavioral analytics from inside the app. (The app does make the outbound calls described above — auto-update checks against GitHub Releases, and Setup Wizard / model downloads from the hosts listed — but it does not phone home with information about how you use the app.)
- No cloud sync or backup operated by Gistlist.
- No advertising or profiling.
- No calendar, email, Drive, or other third-party integrations that read your data on your behalf.
If any of this changes in a future release, the Privacy Policy and this page will be updated to match.