mmumble is a voice keyboard. You talk, we transcribe and clean
the text, it shows up at the cursor. This page explains what
we collect, where it goes, and how to make it stop.
The short version: we do not store your audio, your
transcripts, or your cleaned text. We don't log keystrokes.
Accounts are optional and only exist to sync your personal
vocabulary, dictation stats, and subscription tier across
your iOS devices. If you don't sign in, mmumble works
anonymously against a per-device identifier and nothing
syncs anywhere. The personally identifying things we may
hold — depending on what you do — are an email address (if
you put it in our waitlist form, or if you sign in by email
or OAuth), your first and last name (only if Apple's "Sign
in with Apple" relays them on your very first sign-in), your
subscription state, and the small synced datasets listed
below.
Who we are
mmumble is provided by Covalet LTD
(“Covalet”, “we”, “us”),
a company registered in England and Wales under company
number 15869880. Covalet is the data controller for the
personal data described on this page. Our registered office
is on file with Companies House and can be looked up at
find-and-update.company-information.service.gov.uk/company/15869880.
For any privacy question, write to
support@mmumble.com.
What gets sent when you dictate
When you tap the mic, your device uploads to our backend a
short audio recording together with a small set of request
metadata needed to produce a useful cleaned result:
Audio recording — the recording of what
you just said, in a compressed format.
Style preference — the cleanup style you
picked (e.g. plain, polished), so we know how much the
cleanup model should tidy the transcript.
Expletive-handling preference — whether
you've asked us to keep, soften, or remove profanity in
the cleaned output.
Per-request identifier — a random ID we
generate for the request, used for debugging and to
de-duplicate retries.
Language and locale hints — the language
codes iOS suggests for your audio and your English locale
preference, so the speech-to-text and cleanup models can
pick the right language.
Your saved personal vocabulary — the
spellings you've taught mmumble, sent to bias the model
toward your preferred forms. See the next section.
A short snippet of text near the cursor
— the small fragment iOS exposes to keyboard extensions
around the insertion point, sent so the cleanup model can
resolve pronouns and continue your sentence in the right
tense. See the keyboard-extension section below.
A signature flag — whether to append
your dictation signature to the cleaned text.
The backend hands the audio to one of several speech-to-text
providers, sends the resulting transcript along with the
metadata above to one of several language-model providers
for cleanup, and returns the cleaned text to your device.
The audio, the transcript, the metadata, and the cleaned
text exist in transit only — none of them is written to
disk, a database, or a log on our side. Which speech-to-text
or cleanup provider handles a given request can vary by
audio length, language, region, capacity, or A/B test; the
full set is listed under “Third parties that touch
your data” below. Every provider we use is
contractually limited to fulfilling the request and is
prohibited from training models on your data.
Each request is signed by a per-device key generated through
Apple's App Attest. We see a device-level
identifier we issue at first launch — no Apple ID, email,
name, or device serial. The identifier is used to apply
rate-limits, remember your subscription, and attribute
installs to ad campaigns. It is not linked to any other
profile.
Personal vocabulary
The words you teach mmumble to spell correctly are stored on
your device. They are sent with each dictation request to
bias the model toward your spellings, then discarded by our
backend along with the rest of the request. If you are not
signed in, your vocabulary stays on your device between
dictations — there is no mmumble account to sync it to — but
it is still sent transiently with each dictation request and
discarded immediately after the request completes. If you
are signed in, your vocabulary is additionally stored in
your mmumble account so it can sync across your devices, as
described in the next paragraph.
If you are signed in, your vocabulary is also synced to your
mmumble account so that the same word list is available on
any other iOS device where you sign in. Sign-out clears the
vocabulary from that device; the cloud copy stays with the
account until you delete the account or remove the word.
The keyboard extension does not read what you type with the
system keyboard, what app you're in, what's on your screen,
or any text beyond the small snippet immediately adjacent to
the cursor that iOS hands keyboard extensions for context.
When you dictate, that snippet itself may be sent with the
request so the cleanup model can resolve pronouns and
continue your sentence in the right tense. Like the audio
and the transcript, the snippet exists in transit only and
is discarded as soon as the request completes — we do not
store it, log it, or use it for any other purpose.
Accounts and cross-device sync (optional)
mmumble works fully anonymously. If you want your vocabulary,
dictation stats, and paid subscription tier to follow you to
a second iOS device, you can create an mmumble account by
signing in with Apple, Google,
or a one-time code sent to your email address. Sign-in is
handled by Supabase. We don't see your password, ever.
When you create or use an account we receive and store:
Email address — from the provider you
signed in with, or the address you typed for the
one-time-code flow. With Sign in with Apple you may choose
the "hide my email" relay; in that case we only see Apple's
relay address, not your real one.
An internal account identifier — issued
by our auth provider. It's the key we use to attach your
synced data to your account.
First and last name — only if you sign in
with Apple and only on the very first sign-in for that
Apple ID, because Apple sends them to us only once. We
store them so the app can address you by name and don't
re-request them.
Your personal vocabulary, dictation counters, and
recent words-per-minute samples — synced to your
account so they show up on every device you sign in on.
A list of devices linked to the account —
the same per-device identifier described earlier, so we
know which devices to sync data to. We never receive your
Apple ID, device serial, or phone number.
What we don't store at the account level: your audio, your
transcripts, your cleaned text, or what you typed with the
keyboard. The sync layer only carries the small datasets
listed above.
You can sign out at any time. Signing out keeps your data
in your account in the cloud (so you can sign back in on
another device) but clears the local vocabulary and stats
cache from that device. You can delete your account from
inside the app — see the “Your rights” section
below for what that does.
Subscriptions
If you subscribe, Apple handles all billing. We never see your
card details. Apple notifies us of subscription events
(purchase, renewal, cancellation, refund) so we know whether
you're on the free or paid tier. We store your subscription
tier and expiry date against the device-level identifier
described above.
If you're signed in to an mmumble account when you purchase
or first surface a subscription, the subscription is linked
to that account so the paid tier follows you to other
devices you sign in on. The link is permanent and there is
no in-app flow to move a subscription to a different mmumble
account afterward.
Advertising and attribution
To measure whether our ad campaigns work, the app sends a
small set of events to advertising partners:
Meta (for Facebook and Instagram ads) —
when you complete an onboarding milestone, start a free
trial, or subscribe
Google (Firebase Analytics linked to
Google Ads) — the same events
Apple Search Ads — a one-time attribution
token from Apple, sent shortly after install
These events include the device-level identifier we issued,
the event name, and for purchases the price and currency.
They never include audio, transcripts, cleaned text,
vocabulary, contacts, or your email.
We do not display ads inside the app. We do not sell your
data. We do not combine your in-app activity with your
browsing history on other sites or apps. We can switch off
any of these advertising integrations remotely; if a privacy
concern arises we don't need to ship an app update.
App tracking permission (ATT)
During onboarding, mmumble asks for the iOS
App Tracking Transparency permission with
the prompt: “mmumble shares some app activity with
advertising partners so they can measure ad campaign
performance.” You can decline in the iOS prompt or
change your answer later in iOS Settings → Privacy &
Security → Tracking.
If you allow tracking, the advertising SDKs bundled in the
app — currently Meta and
Google (Firebase Analytics) — may include
your Apple advertising identifier (IDFA) in the attribution
events they send to their servers, so they can match an
install or purchase to an ad campaign. If you decline the
prompt or have tracking turned off in iOS Settings, the IDFA
is not read and is not sent.
Our own backend never reads or stores the IDFA, regardless of
your ATT choice. The only device identifier we issue and hold
is the per-device key generated through Apple's App Attest at
first launch, described above. Apple Search Ads attribution
is IDFA-free by design — it uses Apple's AdServices
framework, which returns an install-attribution token without
identifying you across apps.
Referral codes from marketing campaigns
If you arrive via a referral link (e.g. a podcast or
influencer campaign), we record the short campaign code so we
can attribute the install. The code is a marketing slug, not
a personal identifier.
Usage tracking
To enforce the free-tier weekly word allowance, we record how
many words mmumble has cleaned for your device this week. The
record is keyed by the same device-level identifier — no
Apple ID, name, email, or serial — and contains only the
identifier, the week-start date, the running word count, and
a last-updated timestamp. It does not contain your audio,
your transcripts, your cleaned text, or which apps you used
mmumble in. Records roll over weekly and are deleted after a
short retention window.
Analytics
The companion app and this website send anonymous
product-usage events to our analytics provider (e.g. "user
opened settings", "transcription succeeded", "visited
privacy page"). These events do not include audio,
transcripts, vocabulary, contacts, or email. App events are
tied to the same device-level identifier; website events are
tied to an in-memory session that does not persist across
visits.
Waitlist email
If you submit your email on the waitlist form, we keep it
until we email you when the cohort opens, or until you ask
us to delete it — whichever comes first. We do not sell it,
share it, or add it to a marketing list.
Third parties that touch your data
Each provider below is contractually bound to use the data
only to deliver the service we contract them for. We require
every provider that receives personal data through mmumble
to protect it with privacy and security protections at least
equivalent to those described in this policy, including the
prohibition on training models on your data.
Cloudflare — hosts our backend and this
website. Also speech-to-text via Workers AI. Audio only;
not retained for model training.
Groq — speech-to-text. Audio only; not
retained for model training.
OpenRouter — speech-to-text. Audio only;
not retained for model training.
DeepInfra — speech-to-text. Audio only;
not retained for model training. Hosted in the United
States.
Alibaba Cloud (Singapore) — language-model
cleanup via the International edition of Alibaba Cloud
Model Studio (DashScope). Transcripts only; not retained
for model training. Requests are routed to Alibaba Cloud's
Singapore region.
Anthropic — language-model cleanup.
Transcripts only; not retained for model training.
Microsoft Azure (Azure OpenAI Service) —
language-model cleanup. Transcripts only; not retained for
model training, and not shared with OpenAI under Microsoft's
Azure OpenAI terms.
Supabase — database for subscription
state, usage counters, and (if you sign in) your account
identity and synced vocabulary, stats, and style prompt.
Also brokers Sign in with Apple, Sign in with Google, and
email one-time-code sign-in. Hosted in the EU.
Apple — App Attest (per-device key),
StoreKit (subscription billing), Apple Search Ads (install
attribution), and Sign in with Apple (if you choose it as a
sign-in method).
Meta — receives advertising events. No
audio, no transcripts.
Google — Firebase Analytics and Google
Ads; also Sign in with Google (if you choose it as a
sign-in method, in which case Google receives the sign-in
request and returns a signed identity token to Supabase).
No audio, no transcripts.
Resend — delivers the one-time sign-in
code to your email address if you choose email sign-in.
Receives the address and the code, nothing else.
PostHog — anonymous product analytics.
Tally — powers the waitlist form on this
site. If you submit your email, Tally receives and stores
it on our behalf.
Cross-border note for users in the EU and UK: several of
these providers store or process data in the United States,
and Alibaba Cloud processes cleanup requests in Singapore.
Standard contractual clauses or equivalent transfer
mechanisms apply.
What we don't do
We don't show ads inside the app.
We don't read your Apple advertising identifier in our own backend (see the App Tracking Transparency section above for what the bundled advertising SDKs may do if you allow tracking).
We don't sell your personal information.
We don't read your contacts, photos, calendar, or other apps.
We don't log your keystrokes.
We don't train any model on your voice or text.
We don't require an account to use the keyboard. Sign-in is optional and only enables cross-device sync.
We don't see your password for any sign-in provider — Apple, Google, and the email one-time-code flow all return a signed token to Supabase without exposing credentials to us.
Children
mmumble is not directed at children under 13. We do not
knowingly collect data from anyone under 13. If you believe a
child has used the waitlist form, email us and we'll delete
the record.
Your rights
Because we don't keep transcripts or audio, there is nothing
of that kind to export or delete. For the limited data we do
hold — waitlist email, subscription state, usage counter,
referral code, analytics, and (if you signed in) your
account profile + synced vocabulary, stats, and style — you
can:
Ask us what we hold against your device identifier or account
Ask us to delete it
Ask us to stop sharing your purchase events with advertising partners
If you have an account, delete it directly from inside
the app. Account deletion removes your synced vocabulary,
stats, style, the device links, and your account identity.
The device-level free-tier usage counter is unaffected —
it's keyed to the device, not the account, and rolls over
weekly on its own. If you also bought a subscription, the
subscription record stays in our database for audit and
tax purposes but is unlinked from any account; the Apple
subscription itself is cancelled through Apple (see the
Subscriptions section).
If you're in the EU, UK, or California, you have additional
rights under GDPR, UK GDPR, or CCPA respectively — including
the right to opt out of sharing with advertising partners.
The same email address handles those requests.
Legal basis (EU / UK)
Under the GDPR and UK GDPR we rely on the following bases to
process the limited personal data described above:
Performance of a contract — to deliver
the speech-to-text and cleanup service you ask for when
you tap the mic, to deliver the subscription you purchase,
and to enforce the free-tier word allowance.
Legitimate interests — to keep the
service running and prevent abuse (App Attest signing,
rate-limiting), to measure whether our advertising works
(sending purchase and onboarding events to ad partners),
and to understand product usage at an aggregate level
(anonymous analytics). You can object to any of these by
emailing support and we will stop where the law requires.
Consent — if you submit your email on the
waitlist form, or if you choose to enable optional
analytics. You can withdraw consent at any time.
Legal obligation — to retain limited
subscription and payment records to the extent required by
tax and consumer-protection law.
Right to complain
If you believe we have handled your data improperly, please
tell us first and we will try to put it right. You also have
the right to lodge a complaint with a data-protection
supervisory authority. In the United Kingdom this is the
Information Commissioner's Office (ico.org.uk/make-a-complaint).
In the European Economic Area, complaints go to the
supervisory authority in the country where you live, where
you work, or where the issue occurred.
Changes
If we change this policy, we'll update the effective date at
the top. For material changes — anything that broadens what
we collect or who we share with — we'll surface a notice in
the app the next time you open it.
Contact
Questions, deletion requests, opt-outs, or anything else:
support@mmumble.com.
Changelog
v5 — May 20, 2026
Updated the list of speech-to-text providers mmumble may
route a dictation request to. The full set is now
Groq, OpenRouter,
Cloudflare (via Workers AI), and
DeepInfra. Audio is still handled in
memory only and discarded as soon as a request completes;
none of these providers retain it for model training. No
change to what's collected, what's stored (still nothing
— audio, transcripts, and cleaned text remain in transit
only), or your account data.
v4 — May 20, 2026
Disclosure and clarity improvements. No new collection,
no new sharing, no new providers — this revision just
makes the existing data flow easier to verify against
what the app actually does:
What gets sent when you dictate now
spells out every field that travels with a dictation
request: audio, style preference, expletive preference,
per-request identifier, language and locale hints,
saved personal vocabulary, the short text snippet near
the cursor, and the signature flag.
Personal vocabulary — corrected the
line that previously read “your vocabulary never
leaves your device” if you weren't signed in.
Unsynced vocabulary isn't stored in any account, but
it is still sent transiently with each dictation
request and discarded after the request completes,
same as the audio.
Nearby-text snippet — clarified that
the small text fragment iOS hands keyboard extensions
around the cursor may be sent with a dictation request
so the cleanup model can resolve pronouns and tense,
then discarded along with the rest of the request.
Third-party processors — added an
explicit sentence that we require every provider that
receives personal data through mmumble to protect it
with privacy and security protections at least
equivalent to those described in this policy.
App Tracking Transparency — removed a
stale mention of a “pre-prompt”; the app
shows the iOS ATT prompt directly during onboarding.
v3 — May 18, 2026
Added DeepInfra as the primary
speech-to-text provider. Audio is processed in memory only
and discarded as soon as the request completes; DeepInfra
does not retain it for training. Groq
stays in the system as a fallback when DeepInfra is
unavailable. No change to what's collected, what's stored
(still nothing — audio and cleaned text remain in transit
only), or your account data.
v2 — May 17, 2026
Added Microsoft Azure (Azure OpenAI
Service) and Alibaba Cloud (Model Studio /
DashScope, Singapore region) as language-model cleanup
providers alongside Anthropic. Cleanup may be routed to any
of these providers based on language, region, capacity, or
A/B test. Updated the cross-border note to mention
Singapore. No change to what's collected, what's stored
(still nothing — audio and cleaned text remain in transit
only), or your account data.
Corrected the App Tracking Transparency description: the
previous version said we don't ask for tracking permission
and don't read the IDFA. In reality, we show an ATT prompt
during onboarding, and if you allow tracking, the bundled
advertising SDKs (Meta and Firebase Analytics) may include
the IDFA in the attribution events they send to their
servers. Our own backend still does not read or store the
IDFA. Added a new “App tracking permission
(ATT)” section that lays this out in full.
v1 — May 17, 2026
First publication under the in-app legal versioning system.
Codifies what mmumble collects, shares, and stores at
launch: a device-level identifier issued via Apple's App
Attest, optional accounts with synced personal vocabulary
and dictation stats, the weekly free-tier usage counter,
subscription state, anonymous product analytics,
advertising-attribution events to Meta and Google and Apple
Search Ads, and the third-party processors that touch each.
Future changes to this policy will be tracked under this
same versioning scheme and surfaced in-app on next open.
Earlier — pre-launch revisions
Notable revisions to this policy during development, before
formal version tracking went live:
May 15, 2026 — Added Tally
as the waitlist-form processor on this site.
May 14, 2026 — Disclosed optional mmumble
accounts and cross-device sync via Sign in with Apple,
Sign in with Google, and Supabase email one-time codes.
Listed Supabase, Google (as sign-in provider), and
Resend (one-time-code email delivery) as sub-processors.
Documented what we receive from sign-in (email, internal
account identifier, first/last name on first Apple
sign-in) and what gets synced (personal vocabulary,
dictation counters, recent words-per-minute samples).
May 13, 2026 — Named Covalet
LTD as the data controller and added its
Companies House registration. Mapped the GDPR and UK
GDPR legal bases for each kind of processing and added
the right-to-complain section pointing at the ICO and EEA
supervisory authorities. Disclosed advertising-attribution
events to Meta (Facebook and Instagram ads), Google
(Firebase Analytics linked to Google Ads), and Apple
Search Ads, with the explicit note that we do not show
ads inside the app. (The accompanying claim that we
don't read the IDFA / don't show an ATT prompt was
inaccurate and was corrected in v2.)
May 12, 2026 — Disclosed
PostHog as the anonymous product-analytics
provider for the companion app and this website.
May 10, 2026 — Published the companion
Terms of Use and surfaced Covalet
LTD's Companies House registration in legal-page footers.
May 7, 2026 — Initial public draft.
Documented the weekly free-tier usage counter, the
per-device identifier model via App Attest, the
speech-to-text and language-model cleanup providers
(Groq and Anthropic), and the “what we don't
do” list (no ads in-app, no keystroke logging,
no model training on your data).