Voxtyper Privacy Policy
Last updated: May 21, 2026

SHORT VERSION
We do not store your audio recordings. We do not store the text that Voxtyper transcribes for you. The only personal data we keep on our servers is what we need to recognize you between sessions (your email if you sign in), enforce your monthly free quota and prevent abuse (an anonymous device identifier, a count of seconds dictated, and your IP address), and process payment if you subscribe (handled by Stripe).

1. WHO WE ARE
   Voxtyper is a browser extension that converts speech into properly-punctuated text in web text fields. This Privacy Policy describes how we collect, use, and protect information when you use the Voxtyper browser extension and the website at voxtyper.app (together, the "Service").
2. WHAT WE COLLECT
   2.1 Account information (only if you sign in): If you choose to sign in, we store the email address you provided. If you signed in via Google, we receive your verified email from Google as part of the OAuth flow; we do not request your Google profile photo, contacts, or any other Google data. We never ask for or store a password - sign-in is via emailed magic-link or Google OAuth.
   2.2 Anonymous device identifier: On install, the extension generates a random UUID stored locally in your browser, sent with each backend request so we can count seconds of dictation used against the monthly free quota. It is not derived from personal information, is not a browser fingerprint, and cannot identify you across other sites.
   2.3 Usage metadata: For each dictation request the backend records date/time, the device or user identifier, duration in seconds, the transcription provider used, round-trip latency, the request IP address, and the browser (Chrome or Firefox). This is for quota accounting, operational monitoring, and abuse prevention (per-IP rate limits). We do not record the content of the audio or the transcribed text.
   2.4 Billing data: If you upgrade to Unlimited, payment is processed by Stripe. We store the Stripe customer identifier and current subscription status (active, canceled, renewal date). We do not see or store your card number, billing address, or any payment instrument data.
   2.5 Session cookie: If you sign in, we set a single HTTP-only session cookie containing a random session token, used only to recognize you on subsequent requests. It expires after 30 days of inactivity or immediately on sign-out.
3. WHAT WE DO NOT COLLECT OR RETAIN
   Your audio is never stored: it is sent to our backend, forwarded once to a transcription provider, and immediately discarded after the transcript is returned.
   Your transcribed text is never stored: it is returned to your browser and inserted into the field you focused. Our backend does not log it, save it, or look at it.
   We also do not collect: the contents of any web page or any text already in the field you dictate into; your browser fingerprint, installed extensions, or browsing history; microphone audio outside the moments you are actively dictating.
4. HOW A DICTATION REQUEST FLOWS
   You press the record shortcut; the extension captures audio in your browser. You press it again; the browser sends the audio (and your anonymous device identifier or session cookie) to our backend over HTTPS. The backend checks your quota, forwards the audio to a transcription provider, returns the text to your browser, records the duration against your quota, and discards the audio. The extension inserts the text into the field you focused. Providers process audio only for the duration of the request and, per their terms, do not use it to train their models.
5. THIRD-PARTY SERVICES
   OpenRouter (primary transcription routing); OpenAI (transcription provider and emergency fallback); Cloudflare (fallback transcription, plus backend, database, and website hosting); Stripe (payment processing); Resend (transactional email for magic-link sign-in); Google (only if you choose Continue with Google to sign in). Each service's own privacy policy applies to the data it processes.
6. DATA RETENTION
   Audio: not retained. Transcribed text: not retained. Account record: kept while you have an account; deleted on request. Anonymous device identifier: kept while the device is active. Usage metadata (date, seconds, provider, latency, IP, browser): retained for billing reconciliation, analytics, and abuse prevention - never the content dictated. Session cookies: 30 days from last use. Magic-link tokens: 15 minutes. Standard HTTP logs: up to 30 days.
7. YOUR RIGHTS
   You can access, delete, or export the personal data we hold (email, plan, usage metadata) by emailing support@voxtyper.app. You can sign out at any time from the settings page, and you can use the free anonymous tier without ever providing an email. EEA, UK, and California users have additional rights under GDPR, UK GDPR, and CCPA.
8. MICROPHONE PERMISSION
   Voxtyper requires microphone access to function. The microphone is accessed only during an active dictation - never on page load or install - and is closed the moment you stop or cancel a recording. You can revoke microphone permission at any time in your browser settings.
9. CHILDREN
   Voxtyper is not directed at children under 13 and we do not knowingly collect their data.
10. SECURITY
    All traffic between your browser and our backend is encrypted with TLS. The session cookie is HTTP-only and Secure. The design minimizes sensitive data: we cannot lose audio or transcripts we never stored.
11. INTERNATIONAL DATA TRANSFER
    Our backend runs on Cloudflare's global edge network and may route requests to data centers in the US, EU, or other regions.
12. CHANGES TO THIS POLICY
    We may update this policy and will notify signed-in users by email of material changes.
13. CONTACT
    Privacy questions, data-access or deletion requests: support@voxtyper.app