Tolmach is a static page. There is no Postern server, no account, no telemetry, and no analytics.
Your API key and settings live in this browser’s localStorage; transcripts and minutes live in this tab’s memory
unless you save them to the encrypted vault. The honest ledger:
◮
Your voice → your browser’s vendor (whenever the mic is on)
Voice input uses the browser’s Web Speech API. In Chrome and most browsers this
sends your audio to the browser vendor’s servers for transcription, under that vendor’s
terms — so speech input is not fully private. In conversation mode the mic is push-to-talk only.
In Listen and Minutes modes the microphone is continuously hot for as long as the mode runs —
the red MIC LIVE banner stays up the whole time, and stopping the mode kills the recognizer immediately.
Want zero audio leaving the machine? Type instead — typed input is fully local until you send
it to Claude. The real fix is the on-device Whisper engine slot, wired but not bundled here.
◮
Transcript & minutes text → Anthropic (when a segment is sent)
Each translation segment and each minutes update is sent from your browser directly to
api.anthropic.com, authenticated with your key — no middleman relays or logs it.
Anthropic processes it under your agreement with them (their usage and data-retention terms apply).
If you never send, nothing is ever transmitted.
●
Spoken translations — on-device
Text-to-speech uses your operating system’s voices via speechSynthesis; audio is generated
locally and does not leave the device. Exception: some OS voices are network voices — the voice picker
marks those “⚠ network voice” so you can avoid them.
●
No speaker identification happens anywhere
The browser has no speaker diarization. Speaker labels in the minutes are either your manual taps or the
model’s content inference, and every inferred label is marked (inferred). Tolmach never
records or stores audio — transcripts only; less data is the default.
●
API key & settings — this browser only
localStorage of this browser, sent only to api.anthropic.com. “Erase everything” in
Settings wipes all of it instantly.
●
The vault — encrypted, local, and honestly limited
Saved sessions are encrypted with AES-256-GCM in this browser’s IndexedDB; the key is derived from a
passphrase we never see and never store (PBKDF2-SHA-256, 600,000 iterations — weaker than
Argon2id against offline GPU attacks on weak passphrases, so pick a strong one). Anyone holding the exported
vault file or the disk sees ciphertext only. Honest limits: a browser origin is not a hardware vault —
whoever controls this browser profile while the vault is unlocked (malware, a malicious extension,
someone at your unlocked machine) can read notes and capture the passphrase as you type it. A forgotten
passphrase means the data is unrecoverable by design . The real-product fix is Postern Vault’s
TEE key-wrap.
—
Postern sees nothing
Static page, no server, no account, no telemetry, no analytics. The only network destinations in this
page’s code: api.anthropic.com, plus the browser’s own speech service when voice input is used.
One readable HTML file — verify it yourself.
What we won’t claim: Tolmach is not “100% private.” Anything you send to a model necessarily
reaches Anthropic, and spoken input may reach your browser vendor. What Tolmach guarantees is no extra
parties : no Postern servers, no resellers, no analytics. And it won’t call itself a simultaneous
interpreter either — it is consecutive, ~1–3 s behind the speaker.
Understood