AI DPO: Willow
Hi, this is AI DPO, providing data protection reviews of AI startups to showcase best practices. In these reviews, we assess basic compliance and transparency signals from public sources.
If you are anything like me you might have been interacting with tech a bit differently lately. In particular I’ve started to notice my preference towards dictation over typing when sending a text or day to day admin. While many users utilize their OS’s native tools, one tool lately caught my eye to be more efficient when working at my desk: Willow.
Willow, is a speech-to-text tool that is activated by pressing ‘fn’ or the keyboard shortcut you choose. Once recording, you dictate while holding fn. On release, the text is inserted in the place you have selected.
Here’s a data protection-first look at Willow to highlight what’s working (and suggest easy wins to build more trust with their users).
I) How Assenteo Reviews Companies
Through AI DPO, we’re here to help AI companies build data protection practices that are both compliant and customer-friendly.
When we review a company, we follow three simple principles:
We stick to what’s public: Our reviews focus only on public-facing privacy practices, not private strategies, product features, or confidential details (those deeper insights are reserved for Assenteo users).
We’re here to raise the bar, not rank companies: Our goal isn’t to criticize. It’s to lift the overall standard of data protection across the AI space and help everyone build stronger, more trusted products.
We’re a snapshot in time: Our reviews reflect what we see on the date we publish. Companies change and grow, and so will their privacy practices.
We believe good data protection is good business and we’re excited to be part of helping AI companies get it right.
Assenteo scoring: To help guide you we give a score between 0-25. The closer a company is to 25, the more Assenteo considers it as a Privacy Leader.
1. Assenteo’s Take
As a productivity tool, data protection may not appear essential for Willow on the face of it. However, AI scribes function by recording your voice, and transcribing the input through processing. More privacy-centric users, or larger organizations, will be vigilant to ensure any provided data is stored, transferred and processed with privacy in mind. Under EU and US laws, voice recordings which identify an individual are considered personal data. While this is not sensitive data like health information, a company which collects and processes any personal data is required to have a level of organizational and security compliance in place. This is before any consideration of the content of recordings.
Furthermore, if handled incorrectly, voice data can be manipulated and abused to impersonate an individual, which can have far reaching ramifications on a person's reputation and life.
Companies like Willow therefore must ensure data protection practices are in place and transparent to ensure users data remains secure.
Willow is working to keep customers informed about how their personal data is used and is building a privacy-focused tool. However, there’s still room to build more trust and explain clearly how user data is handled.
2. Assenteo's AI DPO Assessment
In total Willow scored: 12/25
Privacy Policy and documentation
3/5
Willow hosts a Privacy Policy for the personal data and data collection of Willow users.
The Privacy Policy was updated in the last year.
Willow does not have a Privacy or Security hub on their website. However, on signing up to the tool, they inform the user how data is used.
Data Collection
3/5
The Privacy Policy clearly describes how data is collected.
The Privacy Policy clearly lists the data categories collected, including account information, dedicated text and usage data.
Data Processing
2/5
Willow outlines under what circumstances your personal data will be processed.
Willow does not share which third-party service providers are used.
Willow does not address whether EU data is transferred to the US.
User controls
1/2
Users are prompted to choose their preference around the use of their data during onboarding. Either you can allow your anonymized transcripts to be used for model and feature improvement, or keep all data local on your device.
An email address is provided for privacy questions.
Users are not informed of their rights and are able to request access, deletion, correction and other rights despite where they live.
AI-Specific Disclosures
2/5
Willow does provide information in their onboarding flow and privacy policy how they use input and output from the product for model training.
Cookie Handling and Data Sale
1/3
Willow uses cookies on their website to track users, but does not show a cookie banner.
Willow however does give users options on how they are tracked and their usage used for platform improvement when using the scribe.
3. Highlights
Privacy-first design: Willow defaults to not tracking users through ‘private mode’. Willow only collects basic technical and account-related data to run the app in this setting. This gives an option for users who want to maintain full privacy and control over their data the possibility to do so.
In-app privacy information: Willow does not hide privacy choices that the user should make. Instead they have embedded how a user’s data will be used and given the user that choice during the onboarding flow.
4. Where Trust Can Grow
Willow is doing a good job in privacy for such a new company. These opportunities could build more trust with users that Willow handles personal data safely and securely:
Transparency in product functionality and data flows: Willow does not outline how the platform works, or services they share data with for the scribe to work.
User-friendly privacy information (pre-app): While Willow explains the difference between private mode and sharing usage data for scribe improvement, this is not highlighted on their home page. There is a mention of the scribe being privacy and security first, but the statement doesn’t fully describe the functionality or user flow.
Last updated