Last updated: 2026-06-28

Privacy Policy

Last updated: 2026-06-28

Tape captures your conversations and writes them up for you. The raw material — your audio and its transcript — stays on your device. This policy explains the limited information Tape ("Tape," "we," "us") does collect, what we do with it, and the choices you have.

We've tried to write this so it survives someone reading our code and watching our network traffic. Where the law needs precise wording, we've used it; the rest is in plain language.

The short version

  • Your audio and its transcript live on your device. They're stored on your device, protected by your device's encryption, and are never uploaded as part of normal use.
  • Transcription happens on your device. Speech becomes text using an on-device model. Your audio never leaves your device to be turned into text.
  • Summaries are the only feature that sends conversation content off your device. They're created automatically after a capture for signed-in users whose account includes summaries; if you're signed out, no summary is generated. You choose the engine: Tape's managed summarizer (your transcript goes to Google's enterprise Gemini through the Tape server, then is discarded) or your own Claude key (your transcript goes directly from your device to Anthropic under your own account, never through Tape's servers). Either way it's sent only to write that summary, and Tape doesn't keep it.
  • The account information we hold is small: your name and email from sign-in, your encrypted calendar connection, and usage metadata (counts and timings — never your conversation content).

We don't claim "nothing ever leaves your device," because that wouldn't be true once summaries run. Here is exactly what happens instead.

1. Who we are

Tape is provided by Tape, based in Israel. For privacy questions, or to exercise your rights, contact us at or@usetape.app.

For users in the European Economic Area (EEA), the United Kingdom, or Switzerland, Tape is the data controller for the personal data described here.

2. What stays on your device — always

The following never leaves your device to operate Tape, and we never receive it:

Stays on deviceWhere it lives
The audio you captureOn your device, protected by device encryption
The transcriptOn your device, protected by device encryption
Speaker labels, your edits, your notesOn your device, protected by device encryption

Turning speech into text runs entirely on your device. There is no "send us your audio" step. If you're signed out, or summaries aren't enabled for your account, no conversation content leaves your device through Tape.

Recording and consent

Tape is a tool you control — you decide when to capture a conversation. Where the law requires consent from other participants before a conversation is captured or transcribed, obtaining that consent is your responsibility (see the Terms of Service, Section 4). Any on-screen indicator Tape shows while capturing is a courtesy to the people around you, not a substitute for the consent the law requires.

3. Information we collect

Account information

When you sign in with Google, we receive your name, email address, and (if available) your profile image, plus the identifiers needed to keep you signed in. We use a backend-for-frontend model: our server is the party that holds OAuth credentials, and the app uses short-lived session tokens.

Calendar connection (only if you connect a calendar)

If you connect Google Calendar, our server stores your calendar OAuth tokens, encrypted at rest (AES-256-GCM), along with the calendar's email address and your sync preferences (which sub-calendars are enabled). We use these tokens only to fetch your upcoming events and return them to your device. We do not store your calendar events — they're proxied to your device and not retained on our servers.

Usage and diagnostics (metadata only)

We collect metadata about how Tape performs so we can keep it working: event counts, feature usage, timings, model names, token counts, success/failure, and error codes. This data is metadata only — never your audio, transcript, notes, names, or emails.

  • Product analytics (which features get used) is collected by default on released builds to help us keep Tape working and improve it. It is metadata only — it never carries your conversation content. We don't currently offer an in-app opt-out; to ask us to exclude you, email or@usetape.app.
  • A small set of operational signals (for example, whether an auto-update succeeded) is reported by default, the same posture as crash reporting, so we can tell whether the app is healthy.

Website cookies and analytics

Our website (usetape.app) uses PostHog (EU region) for basic analytics — to see which pages are visited and improve the site. PostHog stores its state in your browser's local storage, not advertising cookies. We honor the Global Privacy Control (GPC) and "Do Not Track" signals your browser sends — if either is set, we don't capture analytics for your visit. We don't use cookies for advertising, and we don't sell your data. This is separate from the in-app product analytics described above.

Summary content (when a summary is generated)

When a summary is generated, your transcript text (plus any title, participant names, and notes you add to steer it) is sent in transit to generate the summary, then discarded — to the Tape server and on to Google's Gemini on the managed engine, or directly to Anthropic on the bring-your-own-key engine. Your name and email are not attached to the content sent to the AI engine. See Section 5.

What we do not collect

  • ❌ Your audio (it never reaches our servers at all)
  • ❌ Your transcripts (sent only to generate a summary you requested, then dropped)
  • ❌ Your generated summaries (returned to you, never archived on our servers)
  • ❌ Conversation content of any kind in our logs or analytics

4. How we use information

We use the information above to:

  • Provide the service — keep you signed in, fetch your calendar events, generate your summaries, and deliver app updates.
  • Keep Tape reliable and safe — diagnose errors, measure performance, prevent abuse, and enforce per-user limits on the cloud summary feature.
  • Improve the product, using metadata and product analytics.
  • Communicate with you — service and security notices are part of using Tape; any product news or marketing is opt-in, and you can unsubscribe at any time.
  • Comply with law and enforce our Terms of Service.

We process this data on these legal bases (GDPR): performance of a contract (providing the service you signed up for, including summaries), legitimate interests (reliability, security, and product improvement through metadata and analytics, balanced against your rights), consent (where you opt in to marketing email), and legal obligation where applicable.

5. The cloud path: summaries

Summaries are created automatically after a capture for signed-in users whose account includes summaries. Tape's managed summarizer is a paid feature, enabled for your account rather than toggled per capture; or you can add your own Claude key and summarize directly from your device. If you're signed out, no summary is generated. You choose the engine — and that choice decides where your transcript goes.

Tape's managed summarizer (the default). Your transcript text (plus any title, participant names, and notes you add to steer it) is sent over an encrypted HTTPS connection to the Tape server, which forwards it to Google's enterprise Gemini (Vertex AI) to write the summary, then discards it. Google does not use it to train its models — a commitment of the enterprise tier — and the server keeps nothing about the summary beyond a per-day usage counter (numbers only, no content).

Your own Claude key (bring your own key). If you add your own Anthropic API key, the same content is sent directly from your device to Anthropic under your own account — it never passes through Tape's servers, and your use is governed by your own agreement with Anthropic. Your key is stored in your device's Keychain and is sent only to Anthropic, never to Tape.

6. How we share information — and our subprocessors

We don't sell your personal data, and we don't share it for advertising. We share information only with the service providers ("subprocessors") that make Tape work, each under contract and only for the purpose described:

ProviderRoleWhat it receives
Google Cloud — Vertex AI / GeminiGenerates summaries on the managed engineTranscript text in transit only, when a summary is generated; never stored, never used for training
Google Calendar APIFetches your eventsCalendar queries; events return to your device and are not stored by us
Google Sign-InAuthenticationIdentity verification (ID-token exchange); your name, email
Google Cloud (Cloud Run)Server hosting / computeProcesses your requests in transit; stores nothing beyond what Neon holds
Firebase Hosting (Google Cloud)Website, API gateway, and app-update deliveryStandard web request data (e.g., IP) for the website (including the beta sign-up form), the gateway in front of our API server, and macOS update downloads
Neon (Postgres)Our databaseOnly the account, calendar-token (encrypted), and usage-counter records described above
PostHogProduct analytics & diagnostics (EU region)Metadata only — a pseudonymous ID, counts, timings, model, error codes; never content
CloudflareDomain name service (DNS)DNS lookups for our domain (e.g., the resolving IP address)
Apple App StoreApp distributionHandled by Apple under Apple's terms when you download the app

If you use your own Claude key: the bring-your-own-key summary engine (Section 5) sends your transcript directly to Anthropic under your own account and key. On that path Anthropic is your processor, not Tape's subprocessor — Tape's servers aren't involved — and your data is handled under your agreement with Anthropic. The subprocessors above apply to Tape's managed services.

We may also disclose information if required by law, to protect rights and safety, or as part of a business transfer (merger or acquisition), in which case we'll honor the commitments in this policy.

A current list of subprocessors is maintained here; we'll update it as it changes.

7. Data retention

  • Audio, transcripts, notes: kept on your device under your control; we never hold them. Delete them in the app, or by removing the app and its data.
  • Transcript sent for a summary: discarded immediately after the summary is generated. Not stored on our server.
  • Account, calendar connection, and usage records: kept while your account is active. When you delete your account, they are removed immediately — your account record, your calendar connection and its encrypted tokens, and your usage counters all cascade-delete together — except where we must retain limited records to meet legal obligations.
  • Usage counters and diagnostics: metadata only (no conversation content). We keep them only as long as useful to operate and improve the service; analytics held by PostHog is retained under its EU-region retention settings.
  • Server logs: metadata only, captured by our hosting provider (Google Cloud) and retained under its operational log-retention settings.

8. How we keep your data secure

  • On-device data is stored on your device and protected by your device's encryption (iOS Data Protection / macOS FileVault).
  • Calendar OAuth tokens are encrypted at rest (AES-256-GCM); refresh tokens never leave our server.
  • All network traffic uses encrypted HTTPS connections.
  • Sessions are short-lived and revocable, and our backend never exposes third-party refresh tokens to the app.
  • Our logs and analytics carry no conversation content — and this is enforced in code (see Section 13).

No method of storage or transmission is 100% secure, but we work to protect your information and to limit how much we hold in the first place. If a security incident affects your personal data, we'll notify you and the relevant authorities as required by law.

9. Your privacy rights

Depending on where you live, you have some or all of the following rights over your personal data. Because your conversations live on your device, you already control most of your content directly — the rights below apply to the limited account data we hold.

Everyone

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data (see Section 10).
  • Withdraw consent where we rely on it (for example, marketing email).
  • Ask us to exclude you from product analytics by emailing or@usetape.app (there's no in-app toggle yet); on the website, we honor Global Privacy Control (GPC) and "Do Not Track" signals automatically.
  • Opt out of marketing email at any time via the unsubscribe link or by emailing us; you'll still get essential service and security notices.

EEA / UK / Switzerland (GDPR)

In addition to the above: the right to restrict or object to processing, the right to data portability, the right not to be subject to decisions based solely on automated processing with legal effects, and the right to lodge a complaint with your local supervisory authority.

California (CCPA/CPRA)

The right to know what we collect and how it's used, to delete, to correct, and to opt out of sale or sharing — we do not sell or share your personal data, and we do not use sensitive personal data for purposes requiring an opt-out. We will not discriminate against you for exercising these rights.

Israel (Privacy Protection Law)

The right to review the personal data we hold about you, to request its correction or deletion, and to contact us with concerns.

To exercise any right, email or@usetape.app. We'll verify your request and respond within the period required by applicable law. You may use an authorized agent where the law allows.

10. Deleting your account and data

  • Your conversations: delete individual tapes in the app, or remove the app and its on-device data, at any time.
  • Your account: you can delete your account and the server-side data tied to it. Deletion cascades — your account record, calendar connection (and its encrypted tokens), and usage counters are removed.

11. International data transfers

We're based in Israel, and our providers (Google, Apple, Cloudflare, Neon, PostHog) may process data in the United States, the European Union, and other regions. Where we transfer personal data out of the EEA/UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and providers' adequacy mechanisms. We've chosen our analytics region (PostHog EU) to keep diagnostic metadata in-region where practical.

12. Children

Tape is not directed to children. You must be at least 16 years old (or the minimum age of digital consent in your country) to use Tape. We don't knowingly collect personal data from children under that age; if you believe a child has provided us data, contact or@usetape.app and we'll delete it.

13. How we keep these promises true

Several promises above aren't just policy — they're enforced in our code and checked on every build: the server has no field that could store your conversation content, our logs and analytics can't carry it, and only the summary path can send content off your device. You can verify the basics yourself, too — transcription runs on-device, and the only conversation content that ever leaves is what's sent to generate a summary.

14. Changes to this policy

We may update this policy as Tape evolves. When we make a material change, we'll update the "Last updated" date and, where appropriate, notify you in the app or by email. Significant new uses of your data will be introduced with clear notice and, where required, your consent.

15. Contact us

Questions, requests, or concerns:

Tape or@usetape.app Israel