Privacy Policy
Last updated: June 14, 2026
At a glance. TextDictator reads text from your macOS clipboard (only when you press the hotkey), sends it to our backend, which forwards it to a text-to-speech provider (OpenAI or Deepgram) for speech synthesis, then streams the audio back. We do not store the text from your clipboard. We do not store the audio output. We do not sell your data or run advertising trackers. For the website we use Vercel Web Analytics — cookieless, aggregate page-view and visitor counts with no cross-site tracking or personal profiles. We collect only what we need to keep the Service running and to bill subscriptions.
This Privacy Policy explains how TextDictator (“TextDictator,” “we,” “us”) collects, uses, shares, and protects personal information when you use the TextDictator macOS application or the website at textdictator.com(together, the “Service”). It applies to all users worldwide. Capitalized terms not defined here have the meanings in our Terms of Service.
1. Clipboard Data
Because clipboard handling is the most sensitive part of how TextDictator works, it gets its own section.
- We read the clipboard only on demand.The macOS app reads your system clipboard only when you press the speak hotkey or click “Speak” in the menu bar. We do not poll the clipboard, monitor it continuously, or read it in the background.
- We do not access selected text.The app does not use macOS's Accessibility API to read highlighted text, does not simulate key presses to trigger copy operations, and does not request Accessibility permissions. The only way text reaches the app is through your clipboard, after you copied it.
- The clipboard contents are not stored. The text is sent over HTTPS to our backend, forwarded to the TTS provider, and discarded after the audio is returned. We do not persist clipboard text in our database, in our logs, or in any other system we control.
- We do not modify the clipboard. The app reads from the clipboard but never writes to it.
- The Mac app does not retain a local history. We don't maintain a local cache, history, or log of what you've had read aloud.
2. Information We Collect
2.1 Account information
When you create an account, our authentication provider (Neon Auth, powered by Stack Auth) collects your email address and a sign-in credential (currently a one-time email code). When you subscribe, we additionally store a Stripe customer identifier, the tier you signed up for, your subscription status, and the end date of your current paid period.
2.2 Usage events (signed-in users only)
For each text-to-speech request from a signed-in account, we store a row containing: your internal user ID, the number of characters in the request, the voice and voice model used, the app version, build number, and operating-system version that made the request, and a timestamp. The character count enforces a per-hour anomaly cap that protects us against runaway scripts and helps us size our infrastructure; the app and OS version help us troubleshoot issues and understand which app versions are in active use. We do not store the actual text or the audio output in this row or anywhere else.
2.3 Server logs
Our hosting provider (Vercel) records standard request logs: timestamp, IP address, request path, user agent, response status, and response time. These are used for debugging, performance monitoring, and security. They are retained for up to 30 days. The bodies of requests and responses (your text, the audio) are not logged.
2.4 Communications
If you email us, we'll have your email address, the message, and any attachments — kept as long as needed to respond and follow up.
3. What We Do Not Collect
This is an inclusive list, not an exhaustive one — but it covers the categories people most commonly ask about:
- The text you submit for synthesis. Sent through, not stored.
- The audio output. Streamed back to you, not retained on our side.
- Your clipboard at any other time. Only read on demand, and never written to.
- Payment-card details. Stripe holds them entirely; we never see your full card number, CVC, or expiry.
- Keystrokes outside configured hotkeys. The app uses the macOS Carbon framework to register up to three configurable global hotkeys (speak, pause, and stop — pause and stop are unbound by default). It does not log or transmit keystroke data, and does not intercept keystrokes outside the specific combinations you configure.
- The contents of your screen. No screen recording or screenshotting.
- Your microphone or camera. Not used. No system prompts will appear for these permissions.
- Your file system. The app does not read or write files anywhere outside its own preferences and the standard macOS Keychain.
- Your location. Not requested, not used.
- Hardware identifiers.We do not read your Mac's serial number, MAC address, IDFV, or any system identifier.
- Behavioral or cross-user analytics.No Mixpanel, Amplitude, Google Analytics, or similar per-user behavioral tracking, no first-party event-tracking pipeline, and no web fingerprinting. The only analytics we run is Vercel's cookieless, aggregate Web Analytics — see Sections 7 and 14.
- Advertising trackers. None on the website, none in the app.
4. macOS Permissions
The Mac app requests only one entitlement at install time:
- Outgoing network access (
com.apple.security.network.client) — required to reach our backend.
The app does not request the following permissions, and macOS will not prompt for them under normal operation: Accessibility, Automation / Apple Events, Full Disk Access, Files and Folders, Microphone, Camera, Screen Recording, Input Monitoring, Contacts, Calendar, Reminders, Photos, or Location.
5. How We Use Information
We use the information we collect to:
- Provide and operate the Service;
- Authenticate you and manage your account;
- Process payments and manage your subscription;
- Enforce usage limits (per-hour anomaly cap) and prevent abuse;
- Send transactional emails — sign-in codes, billing receipts, important Service notices;
- Diagnose and fix problems, secure the Service against attacks, and improve performance;
- Comply with legal obligations.
For users in the European Economic Area, the United Kingdom, and Switzerland, our legal bases under the GDPR are: performance of our contract with you (to provide the Service and bill you); our legitimate interests in securing and maintaining the Service and preventing fraud and abuse; compliance with legal obligations; and your consent where consent is the appropriate basis (which you can withdraw at any time without affecting the lawfulness of prior processing).
6. Cookies and Local Storage
On the website, we use one signed, HTTP-only session cookie set by our authentication provider to keep you logged in. We do not use cookies for advertising, third-party analytics, or cross-site tracking.
On the Mac app, we use:
- macOS Keychain to store your access and refresh tokens after sign-in;
- macOS user defaults (UserDefaults) to store non-sensitive preferences (voice choice, speed, hotkey bindings).
We do not use IndexedDB, localStorage, or third-party SDKs for tracking either on the website or in the app.
7. Third-Party Providers (Subprocessors)
We use a small number of third-party providers to operate the Service. Each receives only the data necessary for its role.
- OpenAI(United States) — receives the text you submit for synthesis and our model/voice parameters, and returns audio. We pass an API key and the request payload; we do not pass a user identifier. OpenAI's handling of API traffic is governed by its API data-usage policy.
- Deepgram(United States) — receives the text you submit for synthesis and our model/voice parameters, and returns audio. We pass an API key and the request payload; we do not pass a user identifier. Deepgram's handling of API traffic is governed by its API data-usage policy.
- Stripe (United States) — processes payments, holds your payment-method details, and runs the hosted billing portal.
- Neon (United States; data may be replicated across regions) — provides the Postgres database that stores your account record, subscription state, and usage-event rows, and operates the auth backend.
- Vercel (United States) — hosts the website and the serverless API functions, records standard request logs, and provides cookieless Web Analytics (aggregate page-view and visitor counts; no cookies, no cross-site tracking).
8. Disclosures to Third Parties
We do not sell personal information and do not share it for cross-context behavioral advertising. We disclose personal information only:
- To the subprocessors listed above, to operate the Service;
- To comply with applicable law, regulation, legal process, or enforceable governmental request — and only to the extent required;
- To enforce our Terms of Service, to protect our rights or the rights, safety, or property of you or anyone else;
- In connection with a corporate transaction such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case we will give you notice before your personal information becomes subject to a different privacy policy.
9. International Data Transfers
Our subprocessors are primarily based in the United States. If you use the Service from outside the United States, your personal information will be transferred to, and processed in, the United States and other countries that may have different data-protection laws than your home country. Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent transfer mechanisms.
10. Data Retention
- Account record — kept while your account exists. After deletion, we erase the record within 30 days, except where retention is required by law (e.g. tax records tied to past subscription receipts, typically retained 7 years).
- Subscription records — kept as long as needed to administer your subscription and to comply with tax and accounting laws.
- Usage events— automatically deleted with your account record (foreign-key cascade). We do not maintain long-term usage history beyond what's needed for the anomaly cap.
- Server logs — retained for up to 30 days.
- Email correspondence — retained as long as needed to handle the inquiry and any follow-up; we periodically prune support inboxes.
11. Security
We protect your information with measures appropriate to its sensitivity:
- HTTPS / TLS for all traffic in transit;
- Encryption at rest for our managed database;
- Signed, HTTP-only session cookies and signed tokens for authenticating the Mac app to our backend;
- Stripe-managed payment-card storage, so card data never enters our infrastructure;
- Scoped API keys and least-privilege infrastructure access;
- Industry-standard webhook signature verification, token validation, and rate limiting on sensitive endpoints.
No system can be perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you as required by applicable law.
12. Your Rights
12.1 Everyone
Regardless of where you live, you can:
- Access the personal information we hold about you;
- Correct inaccurate information;
- Delete your account and associated data;
- Receive a copy of your data in a portable format;
- Cancel your subscription (see the Terms).
Send a request to maxim@megatalk.com from the email address associated with your account.
12.2 California residents (CCPA / CPRA)
In the last 12 months we have collected the following categories of personal information (as defined by the CCPA): identifiers (email, internal user ID, IP address), commercial information (subscription tier and status), and internet or other electronic network activity (request logs). We collect this information for the business purposes described in Section 5 and disclose it only to the subprocessors in Section 7.
We do not sell personal information and have not done so in the preceding 12 months. We do not share personal information for cross-context behavioral advertising. We do not knowingly process sensitive personal information for purposes that would require an opt-out. We do not disclose personal information to third parties for their own direct marketing purposes.
You have the right to know, the right to delete, the right to correct, and the right to non-discrimination for exercising any of these rights. To submit a request, email maxim@megatalk.com. We will acknowledge your request within 10 business days and respond within 45 days. You may designate an authorized agent to submit requests on your behalf; we'll ask the agent for written authorization.
12.3 EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)
You have the rights of access, rectification, erasure, restriction of processing, objection (including to processing based on legitimate interests), and data portability. You also have the right to lodge a complaint with your local supervisory authority. To exercise these rights, email maxim@megatalk.com. We will acknowledge your request within 10 business days and respond within 30 days (extendable by up to two additional 30-day periods where permitted by law).
13. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. The app does not include a technical age-verification mechanism; we rely on users' representation that they meet the minimum age requirement. If we learn that we have collected information from a child under 13, we will delete it. If you believe a child under 13 has provided us with personal information, contact us at maxim@megatalk.com.
14. Do Not Track and Global Privacy Control
We honor Global Privacy Control (GPC) signals where applicable by treating them as a request to opt out of any sale/sharing — although, as noted, we do not engage in such practices in the first place. The only analytics we use is Vercel's cookieless, aggregate Web Analytics (page-view and visitor counts, with no cross-site tracking or personal profiles), and we run no advertising, so “Do Not Track” browser signals do not affect what we collect.
15. Changes to This Policy
If we make material changes to this Policy, we will notify you by email or in the app at least 30 days before the change takes effect (or such shorter period as required by law). The “Last updated” date at the top tracks the latest revision.
16. Contact
For privacy questions, requests, or complaints: maxim@megatalk.com.
Our Terms of Service are here.