The case
Why Europe.
By Tim Pieters · Brussels · May 2026
On the unmarked default of modern AI software, the US law most European users do not know exists, and the evening I decided to rebuild a tool I had been using for a year.
I.
The unmarked default.
A Belgian lawyer opens her laptop on a Tuesday morning, presses a shortcut, and dictates a memo about a client's pending acquisition. She holds the button, speaks for forty seconds, releases. The polished text lands in her email draft. She sends it.
She has just exported confidential client data to a foreign jurisdiction. She did not know she did this. Her firm did not authorise it. Her bar association did not approve it. The dictation tool she used did not warn her, because from the tool's perspective nothing went wrong.
This is the unmarked default of modern AI software. The audio travelled through a US-incorporated company, was processed in US-operated infrastructure, and is now subject to US law. The lawyer's intent does not matter. Her firm's compliance policy does not matter. The physical location of the server does not matter. Once her voice crosses into a US provider's pipeline, the legal posture of her client's data has changed.
Most of the people who build these tools, and most of the people who use them, find this fact uncomfortable enough that they prefer not to look at it directly. So nobody marks it. So it stays the default.
II.
The law most people do not know exists.
There is a piece of US legislation from 2018 called the Clarifying Lawful Overseas Use of Data Act, usually shortened to the CLOUD Act. It does one thing European users should know about. It compels US-incorporated companies to hand over data to US law enforcement on a valid request, regardless of where the data physically sits.
Read that sentence again. The server can be in Frankfurt. The company can have a Dutch subsidiary, a French DPO, a Belgian sales office. None of that matters. If the parent is incorporated in Delaware, the data is reachable by US authority. The CLOUD Act also includes provisions that can prevent the provider from telling the customer the request was made at all.
In 2020 the European Court of Justice ruled, in the case usually called Schrems II, that EU-US data transfers under the previous Privacy Shield framework were not adequate. The court's reasoning, in part, was that European users had no effective legal remedy against US surveillance powers. The court did not invent this concern. It described a structural reality that the CLOUD Act had already confirmed in statute two years earlier.
The GDPR adds its own pressure. Article 32 obliges every data controller to ensure the security of processing, including against unauthorised disclosure. If you are a controller, and your processor is US-incorporated, you have a question on your hands that no Terms of Service can fully answer.
You can argue with how serious any individual case is. You cannot argue with the architecture. US-routed dictation is not a policy problem that a better contract can resolve. It is a jurisdictional problem that requires the data to never cross the border in the first place.
III.
The day I read the architecture.
I write code for a living, and I dictate everything I write. For the better part of last year I used Wispr Flow. It works very well. The team behind it is talented and the product is genuinely good.
Then one evening I read the part of their documentation that explains where the audio actually goes. I read it twice. I closed the laptop. I sat on the balcony for a while.
The data path was exactly what I should have expected: a US-incorporated company, processing through a US-hosted model provider, with audio decisions made by US engineers under US law. There was nothing wrong with the engineering. There was nothing wrong with the team. There was a thing wrong with the defaults, and the defaults applied to me, and the defaults applied to every Belgian and Dutch and German consultant I had ever forwarded the link to.
I had been dictating client emails through it for months. So had they.
I rebuilt it.
Voxa runs on Mistral models hosted in the EU. The API is a Fastify server in a Hetzner datacentre in Nuremberg. Authentication is Supabase in Frankfurt. The audio bytes stream straight into the Voxtral request body and are discarded the moment the response arrives. There is no S3 bucket, no warm cache, no transcript that lives on a disk anywhere outside your own machine. The architecture is the brand, and the brand is the architecture.
If any of that ever stops being true, the brand is over. I am that serious about it.
IV.
The bigger ask.
Voxa is one company's answer for one product category. Dictation is a narrow surface. The point of this page is not to argue that European users should switch their dictation tool. The point is to argue that European users should stop treating US-default routing as inevitable, in every product category they touch.
The European software industry, for the most part, has not built around this assumption. The American software industry, for understandable reasons, has not built around it either. So somebody has to start, and the starting point is small useful products that take a position and prove the position can be held.
Voxa is mine. There will be others. Demand them from the software you use.
Read exactly how Voxa is architected, line by line, on our privacy page.
Or just try it: download Voxa.
Free for the first two thousand polished words a week. No card, no signup form, no audio leaving Europe.