Privacy Policy
Last updated: May 17, 2026
Short version. We do not store your audio recordings. We do not store the text that Voxtyper transcribes for you. The only personal data we keep on our servers is what we need to recognize you between sessions (your email if you sign in), enforce your monthly free quota (an anonymous device identifier and a count of seconds dictated), and process payment if you subscribe (handled by Stripe). The full text of this policy explains each of these in detail.
1. Who we are
Voxtyper ("Voxtyper", "we", "us", or "our") is a browser extension that converts speech into properly-punctuated text in web text fields. This Privacy Policy describes how we collect, use, and protect information when you use the Voxtyper browser extension and the website at voxtyper.app (together, the "Service"). By using the Service you agree to the practices described here. If you do not agree, do not use the Service.
2. What we collect
2.1 Account information (only if you sign in)
If you choose to sign in, we store the email address you provided. If you signed in via Google, we also receive your verified email from Google as part of the OAuth flow; we do not request or store your Google profile photo, your contacts, or any other Google data. We do not store passwords because we never ask for one - all sign-in is via emailed magic-link or Google OAuth.
2.2 Anonymous device identifier
When the extension is installed, it generates a random identifier (a UUID) and stores it locally in your browser. This identifier is sent with each request to our backend so we can count how many seconds of dictation a given browser has used against the monthly free quota. It is not derived from any personal information, is not a browser fingerprint, and cannot be used to identify you across other websites or services.
2.3 Usage metadata
For each dictation request, our backend records the date and time, the device identifier or user identifier responsible, the duration in seconds, the upstream transcription provider used, and the round-trip latency. We record this information solely for quota accounting and for operational monitoring (detecting outages and provider failures). We do not record the content of the audio or the transcribed text.
2.4 Billing data
If you upgrade to the Unlimited plan, payment is processed by Stripe. We store the Stripe customer identifier and the current subscription status returned by Stripe (active, canceled, renewal date) so we can show this information to you and grant the appropriate plan. We do not see, receive, or store your credit card number, billing address, or any other payment instrument data. Stripe's own privacy practices apply to payment processing; see stripe.com/privacy.
2.5 Session cookie
If you sign in, we set a single HTTP-only session cookie on our backend domain so we can recognize you on subsequent requests. This cookie contains a random session token only; it is not used for tracking and we do not share it with any third party. It expires automatically after 30 days of inactivity, or immediately when you sign out.
3. What we do NOT collect or retain
Your audio is never stored. When you dictate, the audio is sent to our backend, forwarded once to a transcription provider, and immediately discarded after the transcript is returned. We do not write your audio to disk, do not back it up, and have no copy of it after the request completes.
Your transcribed text is never stored. The text produced by transcription is returned to your browser and inserted into the text field you focused. Our backend does not log it, does not save it, and does not look at it. We do not have a record of what you have dictated.
In addition, we do not collect:
- The contents of any web page you use Voxtyper on, or any text already present in the field you dictate into.
- Your IP address beyond what is temporarily visible in standard HTTP request logs for abuse prevention (see Section 4).
- Your browser fingerprint, your installed extensions, your browsing history, or any other behavioral profile.
- Microphone audio outside the moments you are actively dictating. The extension requests microphone access only when you press the record shortcut, and stops capturing the moment you press it again or cancel.
4. How a dictation request flows
So that you have a complete picture of what happens with your voice, here is the full path of a single dictation:
- You press the record shortcut. The extension captures audio in your browser.
- You press the shortcut again. The browser sends the captured audio (and your anonymous device identifier or session cookie) to our backend over HTTPS.
- Our backend checks that you have remaining quota, then forwards the audio to a transcription provider (currently OpenRouter routing OpenAI Whisper; secondary providers include Cloudflare Workers AI and OpenAI directly as fallbacks). The provider returns transcribed text.
- Our backend returns the text to your browser, records the duration in seconds against your quota, and discards the audio.
- The extension inserts the text into the text field you focused. Nothing about the text leaves your browser after this point.
We choose transcription providers on the basis of accuracy, latency, and stated privacy practices. The providers we use process audio only for the duration of the request and do not, per their terms, use it to train their models. Provider terms are linked in Section 5.
5. Third-party services
We use a small number of third-party services to run Voxtyper. Each is named here along with a link to that service's own privacy policy:
- OpenRouter (primary transcription routing): openrouter.ai/privacy
- OpenAI (Whisper model and emergency fallback): openai.com/policies/privacy-policy
- Cloudflare Workers AI (fallback transcription): cloudflare.com/privacypolicy
- Cloudflare Workers + D1 + Pages (backend, database, and website hosting): cloudflare.com/privacypolicy
- Stripe (payment processing for the Unlimited plan): stripe.com/privacy
- Resend (transactional email for magic-link sign-in): resend.com/legal/privacy-policy
- Google (only if you choose Continue with Google to sign in): policies.google.com/privacy
6. Data retention
- Audio: not retained. Discarded after each transcription request completes (typically under one second).
- Transcribed text: not retained. Returned to your browser and forgotten by our backend.
- Account record: retained for as long as you have an account. Deleted on request (see Section 7).
- Anonymous device identifier: retained on our backend for as long as the device is active. Removed when you uninstall the extension and reset its local storage (or you can request deletion - see Section 7).
- Usage metadata (date, seconds, provider, latency): retained indefinitely for billing reconciliation and operational analytics. This data is anonymous at the account level - it identifies the user or device but never the content.
- Session cookies: 30 days from last use, or immediately on sign-out.
- Magic-link tokens: 15 minutes, after which they expire and are pruned automatically.
- Standard HTTP logs (IP address, timestamp, request path): retained for up to 30 days for abuse-prevention and security purposes, then automatically pruned.
7. Your rights
You can:
- Access the personal data we hold about you (just your email, your plan, and your usage metadata). Email us at support@voxtyper.app.
- Delete your account and the personal data associated with it. Email us at the same address. We will confirm and process the deletion within 30 days.
- Export your account and usage data in a machine-readable format. Email us at the same address.
- Sign out at any time from the Voxtyper settings page. Your session is destroyed immediately.
- Use without an account for the free anonymous tier. You can use Voxtyper without ever providing an email address.
If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under the GDPR, the UK GDPR, and the CCPA respectively, including the right to lodge a complaint with your local data protection authority.
8. Microphone permission
Voxtyper requires microphone access from your browser to function. The microphone is accessed only during an active dictation - it is not opened on page load, is not opened on installation, and is closed the moment you stop or cancel a recording. You can revoke microphone permission at any time through your browser settings; Voxtyper will simply stop being able to record until you re-grant it.
9. Children
Voxtyper is not directed at children under the age of 13, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@voxtyper.app and we will delete it.
10. Security
All traffic between your browser and our backend is encrypted with TLS. The session cookie used to recognize signed-in users is HTTP-only and marked Secure. Our backend runs on Cloudflare Workers and Cloudflare D1, which apply industry-standard physical and operational security controls. No system is perfectly secure, but the design of the Service intentionally minimizes the surface of sensitive data we hold: we cannot lose audio or transcripts we never stored in the first place.
11. International data transfer
Voxtyper's backend runs on Cloudflare's global edge network, which routes requests to the nearest available data center. This may include data centers in the United States, the European Union, or other regions. By using the Service you consent to this routing.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes that meaningfully affect how we handle your data, we will notify signed-in users by email and update the "Last updated" date at the top of this page. Continued use of the Service after a change constitutes acceptance.
13. Contact
For any privacy questions, data-access or deletion requests, or other inquiries: support@voxtyper.app.