Privacy Policy

Last updated: 23 April 2026

TL;DR

  • Local-first. By default your notes and audio live on your device. You choose whether to sync them to the cloud.
  • On-device transcription is available. If you use it, your audio never leaves your phone.
  • No training. We don't train AI models on your content, and the AI providers we use (Google Gemini via the Google AI API) aren't allowed to either.
  • No ads, no selling data. Ever.
  • Audio isn't kept on our backend. If you use cloud transcription, your recording is deleted from our servers as soon as the transcript comes back — success or failure. The copy on your phone stays where it is until you delete it.
  • You can delete everything. Any time, from the app.
  • Not end-to-end encrypted (yet). Cloud notes are encrypted at rest by Google, but we can technically access them to provide cloud features. If you need zero-knowledge, use local-only mode.

1. Who we are

Loose Tongues is a one-person operation run by Stephen Simpson, a sole trader based in Australia. "We" and "us" in this policy mean Stephen — there's no team behind the curtain. Under data protection law, we are the data controller for information collected through the app. This policy explains what we collect when you use Loose Tongues, how we use it, and the choices you have. You can reach us at privacy@loose-tongues.com.

2. What we collect

Account data

  • Email address (for sign-in)
  • Authentication identifiers from your chosen sign-in provider (Apple, Google)
  • Display name and profile image, if you set one

Note content

  • Audio recordings you make in the app
  • Transcripts generated from those recordings
  • AI-refined versions of those transcripts
  • Any text you type, edit, or append to a note
  • Metadata: timestamps, titles, tags, sharing / collaborator information

Device and diagnostic data

  • App version, OS version, device model
  • Crash reports and error traces (via Sentry)
  • Approximate language / locale settings

We do not collect: contacts, calendar, location, or photo library. Microphone access is requested only for the duration of a recording.

3. Local-first by default

Loose Tongues is designed so you can use it without any of your content touching our backend. When you create a note in local mode, the audio file, transcript, and any refinements are stored only on your device, in the app's private storage.

You may opt in to cloud mode per note, which syncs that note to our backend so it is available on your other devices and to collaborators you invite.

4. Transcription

Loose Tongues supports two transcription modes, which you control in Settings:

  • On-device (Whisper / Moonshine / Sherpa-ONNX). Your audio is transcribed locally using models that run on your phone. The audio never leaves the device for transcription.
  • Cloud (Speechmatics). Your audio is sent to our backend, forwarded to Speechmatics for transcription and, optionally, speaker identification, and deleted as soon as the transcription job finishes, whether it succeeded or failed. Speechmatics acts as a data processor on our behalf and does not retain the audio for training.

5. AI refinement and Ask AI

If you enable AI features, your transcripts and notes are sent to Google's Gemini models via the Google AI API to produce the cleaned-up version of your note, to generate titles and summaries, to rewrite in alternate formats, and to answer questions across your notes ("Ask AI"). The Google AI API is configured so that your content is not used to train Google's models and is retained only for the short operational window defined in Google's API data policy.

You can disable AI refinement at any time. Raw transcripts remain available either way.

6. Where your data is stored

The authoritative copy of your notes lives in Google Firebase, in Australia. We also use Cloudflare for our edge API, search, and transient audio storage; our Cloudflare account is configured with the EU jurisdiction, which keeps that data on Cloudflare infrastructure in the European Union. Both providers encrypt data at rest using AES-256 and in transit using TLS.

For a full list of what each service does and which data it touches, see our subprocessors page.

Local data on your device is stored in the app's private sandbox. On iOS with a device passcode set, and on modern Android devices, this storage is additionally protected by the operating system's disk encryption.

7. Subprocessors

We rely on a small number of third-party providers to run Loose Tongues. At a high level:

  • Google Firebase — authentication and authoritative note storage (Australia).
  • Cloudflare — edge API, search, and transient audio storage (EU jurisdiction).
  • Google AI (Gemini) — AI rewrites, summaries, and Ask AI answers.
  • Speechmatics — cloud transcription and optional speaker identification (EU / UK).
  • Sentry — crash and error reporting.
  • Apple and Google Play — sign-in and app store billing on their respective platforms.

For the full list with exact data categories, retention notes, and locations, see our subprocessors page. We update that list before engaging any new provider that processes your content.

8. Encryption

  • In transit: all communication between the app and our backend, and between our backend and subprocessors, uses TLS 1.2 or higher.
  • At rest (cloud): AES-256, managed by Google Firebase and Cloudflare.
  • At rest (device): the local notes database is encrypted with AES-256; the encryption key is stored in the iOS Keychain / Android Keystore and never leaves your device.
  • End-to-end encryption: Loose Tongues is not currently end-to-end encrypted. Cloud features (transcription, AI refinement, sharing, search) require our systems to be able to read your content. If you need a zero-knowledge setup, use local-only mode — in that mode we have no access to your notes.

9. How we use your data

  • To provide the core functionality of the app (recording, transcription, refinement, sync, sharing)
  • To authenticate you and keep your account secure
  • To diagnose crashes and fix bugs
  • To communicate with you about the service (e.g. account or billing issues)

We do not use your notes, audio, or transcripts to train AI models, to serve advertising, or for any purpose beyond operating the service you asked for.

10. Sharing and collaborators

When you invite a collaborator to a note, that note becomes readable (and, depending on the permissions you grant, editable) by the people you invite, within the app. We do not share your notes with anyone you have not explicitly invited.

11. Retention and deletion

  • Notes you delete in the app are removed from our backend immediately. We don't maintain separate user-controlled backups of your note content — what you see in the app is the only copy on our side.
  • Audio files are not retained on our backend. When you use cloud transcription, your recording is uploaded to Firebase Storage, processed by our transcription function, and then deleted automatically — whether transcription succeeded or failed. The audio only persists in the local copy on your device.
  • Account deletion. You can delete your account directly from Settings → Danger zone → Delete account. This permanently removes your notes, transcripts, profile, and any derived search data immediately. If you'd rather do it by email, write to privacy@loose-tongues.com and we'll process the request within 30 days.
  • Local data stays on your device until you delete it or uninstall the app.

12. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Export your data in a portable format
  • Delete your data
  • Object to, or restrict, certain processing
  • Withdraw consent previously given
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email us at privacy@loose-tongues.com. We aim to respond within 30 days.

13. International transfers

Your data may be transferred to, and processed in, countries other than the one you live in. Notes are stored in Australia (Firebase). Our Cloudflare services are in the European Union. AI processing (Google Gemini) and crash reporting (Sentry) may happen in the United States. Speechmatics processes audio in the EU or the UK. Where required by law, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

14. Children

Loose Tongues is not directed at children under 13 (or under the minimum age required by your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

15. Security and incidents

We protect your data with reasonable technical and organisational measures, including access controls, encryption in transit and at rest, logging, and automated dependency scanning. If something goes wrong and a breach is likely to put your rights at risk, we'll tell you and the relevant authority within the timeframes required by law.

16. Changes to this policy

We may update this policy as the app evolves or as the law requires. When we make material changes, we will notify you in the app or by email and update the "last updated" date at the top of this page.

17. Contact

Questions, requests, or complaints: privacy@loose-tongues.com.