Your audio never leaves your Mac. Anthropic only ever sees the prospect's last sentence as text — never your voice, never your script, never the rest of the conversation. Below is exactly how AP Sales Coach handles your data, your credentials, and your privacy.
Audio captured by your microphone is processed in flight by Deepgram (real-time speech-to-text) and discarded the moment the call ends. Neither Deepgram nor AP Sales Coach stores the raw audio. The desktop app holds it in memory only for the duration of the call.
The transcript text — produced from the audio — is sent to Anthropic Claude Haiku 4.5 for script-tree routing. We send only the prospect's last utterance, plus the IDs of nodes in your tree. We do not send your script content, prior transcript, or call metadata.
Stored in Supabase (EU-hosted):
Stored on your Mac (never sent to us): every per-call session JSON snapshot, your script tree, your dispositions, your call history. You own this data; we never see it.
All data in transit is encrypted with TLS 1.2+. All data at rest in Supabase is encrypted at the disk level (Supabase infrastructure default). Your Anthropic and Deepgram API keys are stored encrypted in the macOS Keychain — never in plain text on disk, never sent off your machine.
Every third-party service that processes any data on our behalf is listed publicly at /legal/subprocessors. We give 14 days' notice before adding any sub-processor that materially changes how data is handled.
If you find a security issue, email security@apsalescoach.com. Don't post it publicly until we've patched. We respond within 48 hours and will credit you publicly when the fix ships, unless you ask us not to.
We're a small team and don't currently run a paid bounty program. We will, the moment our cash position allows.
UK GDPR + EU GDPR: compliant. We're the data processor; you're the data controller for any audio you capture. Read the Data Processing Agreement for the full contract.
SOC 2: evidence collection in progress (via Vanta). Type I audit is targeted for Q3 2026, Type II to follow 12 months later. No SOC 2 report yet — this is an active roadmap item, not a quiet skip.
HIPAA, FedRAMP, ISO 27001: not in scope. AP Sales Coach isn't aimed at healthcare or government buyers.
Two-factor authentication enforced on every founder + admin account (Supabase, Stripe, GitHub, Google Workspace, Vercel, Apple Developer). Production secrets stored only in Vercel environment variables and Supabase secrets manager — never in source. No hard-coded API keys in the desktop app or the website code.
Stripe webhooks are signed and verified on every request. The magic-link activation flow uses Supabase's OAuth-style hash-fragment tokens — JWTs never hit our server logs.