Privacy & Security
Last updated: March 31, 2026
1. Overview
TalkFold is designed with privacy as a core principle. Audio transcription happens entirely on your device — your recordings and transcripts never leave your Mac. This policy explains exactly what data we collect, why we collect it, and how it is handled and secured.
2. Data That Stays on Your Device
The following data is stored only on your Mac in a local SQLite database and never transmitted anywhere:
- Audio recordings — saved locally in the app's data directory.
- Transcripts — generated entirely on-device by the Whisper AI model and stored in a local SQLite database.
- AI summaries — once returned by the server, summaries are saved locally and never re-uploaded.
- Dictionary entries and shortcuts — stored locally, used only for on-device post-processing.
- App settings — stored in macOS UserDefaults on your device.
3. One-Way Communication — Your Device Talks to Us, Not the Other Way Around
The app communicates with our API only when you explicitly trigger a Pro feature (AI summarization or sending a summary by email). This communication is strictly one-way and outbound:
- Only the app itself initiates requests to our servers.
- Our servers have no ability to connect back to your Mac, read files, access your database, or retrieve any data from your device.
- No background sync, no push connections, no remote access of any kind.
4. Data Sent to Our Server (Pro Features Only)
When you use AI summarization (Pro), the following is sent to our Cloudflare Worker API:
- Transcript text — sent only when you explicitly click "Summarize." It is forwarded to an AI service for processing and is not stored on our server at any point — not in transit, not in logs, not in any database.
- License key — sent with each request to verify your subscription. Required to authenticate the request.
- Device ID — a stable hardware identifier (macOS IOPlatformUUID) used to enforce single-device license binding. Not linked to your personal identity.
Audio is never sent to any server. Only the text transcript is transmitted, and only when you explicitly request a summary.
When you use the "Send Summary" feature, the summary text and the email addresses in your local Email Groups are sent to our server for delivery. The email addresses are used solely to dispatch that message and are not stored on our servers afterward.
5. What We Store on Our Servers
We store the minimum data required for subscription management in Cloudflare KV:
- Your email address — from the payment provider (Ko-fi), used only to deliver your license key.
- Your license key — a randomly generated identifier tied to your subscription.
- Subscription status and payment dates — to determine whether your Pro access is current.
- Device ID — to enforce single-device license binding.
- Request count — a monthly count of summarization requests, used only for statistical analysis of aggregate usage. This number contains no content.
We do not store transcripts, summaries, audio, dictionary entries, shortcuts, or any content you create in the app.
6. API Security
All API endpoints that perform meaningful actions are secured and inaccessible without authentication:
- License key + device ID required — every request to secured endpoints must include a valid license key and matching device ID. Requests without valid credentials are rejected.
- LLM API keys stored as secrets — our AI API keys are stored as encrypted Cloudflare Worker secrets, never in source code or configuration files, following industry best practices.
- Admin endpoints additionally protected — the admin API requires a separate secret token and has IP-based rate limiting (5 failed attempts trigger a 10-minute lockout).
- No unauthenticated data access — there is no endpoint that returns user data, transcripts, or summaries without a valid authenticated session.
7. Email Handling
Emails sent by TalkFold (license key delivery, summary sharing) are dispatched via Resend, a third-party transactional email service:
- We do not operate our own email infrastructure or SMTP servers.
- Recipient email addresses are not stored on our servers after the email is dispatched.
- Only your subscription email (from Ko-fi) is retained for license management purposes — see Section 5.
Resend's privacy policy applies to email delivery: resend.com/legal/privacy-policy.
8. Third-Party AI Services
When you request an AI summary (Pro only), the transcript text is forwarded to one of the following AI providers:
- OpenAI (GPT-4o mini) — primary provider. Subject to OpenAI's Privacy Policy.
- Google Gemini — fallback provider if OpenAI is unavailable. Subject to Google's Privacy Policy.
The transcript text is sent only for the purpose of generating your summary. We do not control how these providers handle data on their end — please review their policies if this is a concern. Avoid summarizing recordings that contain highly sensitive personal information.
9. Other Third-Party Services
- Ko-fi — processes payments for Pro subscriptions. Subject to Ko-fi's Privacy Policy.
- Cloudflare — hosts our API and stores subscription data in Cloudflare KV and D1. Subject to Cloudflare's Privacy Policy.
10. Cookies and Tracking
The app does not use cookies. The website (talkfold.app) may use analytics for aggregate traffic analysis. No personal data from the app (transcripts, recordings, notes) is ever connected to website analytics.
11. Data Retention
- Subscription data (email, license key, status, device ID) is retained while your subscription is active and for up to 90 days after expiration.
- Transcript text sent for summarization is never stored — it is processed by the AI service and discarded immediately.
- Request counts are retained as aggregate statistics with no associated content.
- Local data (recordings, transcripts, notes) persists on your device until you delete it.
12. Your Rights
You have the right to:
- Request a copy of the data we hold about you.
- Request deletion of your subscription data.
- Cancel your subscription at any time.
To exercise these rights, contact us at [email protected].
13. Children's Privacy
The app is not directed at children under 13. We do not knowingly collect personal data from children.
14. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated date.
15. Contact
For privacy or security questions, contact us at [email protected].