Hapi

Is Notta Safe? Privacy & Security Review (2026)

What Notta does with your meeting audio: data flow, retention, AWS infrastructure, AI training defaults, and HIPAA-eligibility — compared to a fully local alternative.


Notta is a popular cloud-based transcription service with a strong free tier, broad language coverage, and a meeting-bot integration. If you record sensitive conversations — client interviews, therapy sessions, legal calls, internal HR discussions, investor updates — it is worth understanding what Notta actually does with that audio after upload.

This review reads Notta's public Privacy Policy, Terms of Service, and Trust documentation, then translates them into the operational questions most users actually ask.

What Notta Does With Your Audio

When you record or upload audio in Notta, three things happen:

  1. Audio is uploaded to Notta's cloud infrastructure. Their stack runs on AWS with regional data center options. Audio leaves your device the moment you press record (or attach a file).
  2. Speech-to-text runs on their servers. Notta uses a combination of proprietary and third-party speech models, including for languages where their primary engine is weaker. The exact provider chain is published in their sub-processor documentation.
  3. Recordings, transcripts, summaries, and meeting metadata are stored persistently on their infrastructure, indexed in your account, and accessible via web, mobile, browser extension, and API.

This pattern is standard for cloud transcription SaaS — the implications matter only when the conversation is regulated, privileged, or simply not something you want a third-party processor to retain.

Notta's Free Plan Trade-Off

Notta's free tier is generous (significant monthly minutes and a real product, not a demo). The trade-off:

  • Free-tier audio is the most likely candidate for training-data inclusion, since enterprise contracts typically negotiate stricter terms
  • Retention policies are uniform across tiers — your free recordings persist on Notta's cloud just as long as paid recordings do
  • HIPAA / regulated workflows are not appropriate on the free tier under any circumstances, because no BAA is in place

If your usage is low-stakes (public meetings, podcast prep, brainstorms) the free tier is competent. For anything sensitive, free is exactly the wrong tier.

Data Retention: How Long Notta Keeps Your Recordings

Notta retains audio and transcripts indefinitely until you act:

| Action | What gets deleted | Timeline |
|---|---|---|
| Delete a single conversation | Transcript + audio for that meeting | Immediate per policy |
| Cancel paid subscription | Recordings stay; access shifts to free-tier limits | Indefinite |
| Close account | All user content | Within the retention window stated in policy |
| Inactivity | No automatic deletion documented | Indefinite |

There is no "auto-delete after N days" toggle on standard plans. If you record 50 client calls and never log in again, those calls sit on Notta's servers until somebody closes the account.

AI Training: Opted In by Default

Notta's privacy policy reserves the right to use de-identified user content to improve their models. As of 2026, individual accounts are enrolled by default, and opting out is done via support request, not a settings checkbox.

Two important caveats:

  • "De-identified" is defined by Notta, not by you. Voice biometrics, speech patterns, and unredacted proper nouns can survive a typical de-identification pipeline.
  • The opt-out is by request, not by audit. There is no transparent log confirming your audio was excluded from any training run already in progress.

Compliance Status — Plan by Plan

| Compliance | Free | Pro | Business | Enterprise |
|---|---|---|---|---|
| SOC 2 status | Org-wide | Org-wide | Org-wide | Org-wide |
| HIPAA / BAA | | | | Available on request |
| GDPR DPA | Standard | Standard | Standard | Custom on request |
| Data residency | Limited | Limited | Limited | Configurable |
| Training opt-out | Support request | Support request | Support request | Contractual |

If you transcribe PHI on Free, Pro, or Business and there is no executed BAA, you are not HIPAA compliant — full stop.

When Cloud Transcription Is Fine

To be clear: cloud transcription is fine for plenty of use cases.

  • Public-facing podcast or video transcripts
  • Internal meetings with no protected data
  • Brainstorms, retros, all-hands
  • Educational content

If your threat model is "I would rather not type this up myself," Notta works.

When You Should Not Use Notta

Use a fully local tool, or a vendor with a signed BAA and a no-training contract, when:

  • You record patients, clients, or anyone protected by professional privilege
  • Your recordings include attorney work product, source-protected journalism, or active litigation material
  • You operate under HIPAA, GDPR Article 9 special-category data, FERPA, or PCI scope
  • Your IT or compliance team has not approved Notta as an authorized sub-processor

Comparison With a Fully Local Alternative

Hapi takes the opposite architectural approach. Audio is captured by the menu-bar app on your Mac, transcribed locally using Apple Silicon, and stored in a local SQLite database. There is no account, no upload, no sub-processor chain.

| Dimension | Notta | Hapi (local) |
|---|---|---|
| Audio destination | Notta's AWS infrastructure | Stays on the Mac |
| Account required | Yes | No |
| AI training default | Opted in (opt out via support) | Not possible — no data leaves device |
| Sub-processors | Multiple cloud + AI providers | None |
| HIPAA-ready without BAA | No | Yes (no covered transmission occurs) |
| Works offline | No | Yes |
| Internet exposure | Required | Zero |
| Cost | Free / paid tiers | Free |

Bottom Line

Notta is a competently built SaaS product with a generous free tier. It is not a private tool — your audio leaves your device, persists on US-based AWS infrastructure, and may be used to improve their models unless you explicitly opt out. For regulated industries or confidential conversations, the only architecturally honest answer is to keep the audio on your device.
