
QuillMic · Security overview

Your voice belongs to you.

QuillMic is built on the conviction that you have an unconditional right to speak to your own computer and have what you said stay on your own computer. This page explains what that means in practice, where it has limits, and the technical work we do to keep that promise honest.

Last reviewed: May 10, 2026
Distribution: Mac App Store · signed & notarized
Runtime: Sandbox · hardened runtime

01 Our commitment

Privacy is not a compliance line item for us. It is the principle QuillMic was designed around. Everything within our power has gone into making local-only operation the default, the easy path, and a working configuration on every Mac we support.

  • A competent on-device speech-recognition model ships in the bundled installation, so your first dictation never needs the network.
  • Audio buffers live in volatile memory only. Once the transcript has been delivered to the focused app, the audio is gone.
  • We retain no transcript history, no usage log, and no operator-side record of what you said.
  • We operate no server that touches your content. There is no account to create and no profile to opt out of.

02 What stays on your computer

In the default configuration, the following data never leaves your Mac:

  • the audio captured from your microphone;
  • the transcript produced from that audio;
  • your custom vocabulary, hotkeys, and presets;
  • the speech-recognition models QuillMic uses, which are stored in the application support directory allocated to QuillMic by macOS;
  • any metadata associated with a dictation session, including timing, energy levels, or endpointing decisions.

QuillMic does not phone home with telemetry, crash reports, or feature-flag exposure data. There is no analytics pipeline. No advertising SDK is embedded. No background process reaches the network unless an Optional Cloud Service has been turned on by you for a specific workflow (see below).

03 When you choose the cloud

We recognise an honest limit: not every Mac is powerful enough to run the largest local models at the quality some users need, and some workflows genuinely benefit from a frontier cloud model. We do not think it is our place to deny that choice to the people who need it. So QuillMic offers Optional Cloud Services, and it offers them on terms we want you to understand without ambiguity.

What "cloud" actually means

If you choose to enable an Optional Cloud Service, the audio you dictate and any text the Application sends to that service will leave your computer and be transmitted to a third-party server we do not control. From the moment that data arrives at the provider, its handling is governed entirely by that provider's terms of service, privacy policy, retention rules, and jurisdiction.

How we treat that choice:

  • Off by default. No Optional Cloud Service is active when you first launch QuillMic. Local mode works immediately and stays the default until you change it.
  • Two affirmative actions required. You must (i) provide your own API key for the provider you choose, and (ii) explicitly enable the feature for the workflow you want to use it on. We will never enable cloud on your behalf.
  • Clearly labelled in the interface. Presets and toggles that depend on a cloud service are identified as such in the Application. Where applicable, an in-window indicator shows you when audio is about to leave the device. Nothing happens silently.
  • Direct from your device. When an Optional Cloud Service is active, the payload travels directly from your Mac to the chosen provider over Transport Layer Security (TLS 1.2 or later). We do not proxy it, mirror it, tee it, intercept it, log it, store it, or retain a copy.
  • Reversible at any time. Disable the toggle, remove the key, and QuillMic returns to local-only processing on your next dictation.

The trade-off is real, and it is yours to weigh. We have done what we can to make the trade-off visible. The choice itself is strictly yours.

04 We do not help anyone access your data

We do not assist any party — law-enforcement bodies, advertisers, data brokers, analytics providers, employers, insurers, family members, or any third party whatsoever — in accessing your audio, your transcripts, your vocabulary, your configuration, or any derivative thereof. The mechanism by which we honour this commitment is simple: QuillMic is built so that we are not in possession of that information in the first place, and we therefore have no capability to disclose it.

We have not implemented and will not implement backdoors, lawful-intercept hooks, silent capture, transcript exfiltration, or any other mechanism designed to defeat the local-first guarantees described on this page and codified in our Privacy Policy.

05 Technical controls

  • Distribution. Exclusively through the Apple Mac App Store, or as a developer-signed and notarized build where permitted. Every release is code-signed.
  • Sandbox. The Application runs inside the macOS application sandbox. Filesystem access is limited to the directories macOS allocates to QuillMic.
  • Hardened runtime. Library validation, no JIT, and no memory pages that are writable and executable at the same time; the standard hardened-runtime entitlements are in force.
  • Minimum network entitlement. The outgoing network entitlement is restricted to the minimum necessary to support Optional Cloud Service use. With cloud disabled, the Application does not initiate outbound connections during dictation.
  • Transport security. Any outbound communication occurs over TLS 1.2 or later, using the certificate stores trusted by macOS.
  • Permissions you control. Microphone and Accessibility access are requested only as needed, are governed by macOS, and can be revoked from System Settings at any time.
  • No long-lived credentials at rest. Provider API keys you supply for Optional Cloud Services are stored in the macOS Keychain and used only at the moment of a cloud-bound request.

No security control is absolute. However, because we hold no personal data of yours on any system we operate, the maximum impact on your personal information from a breach of our infrastructure is, by design, nil.
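The sandbox, hardened-runtime and network claims above can be checked against an app's signed entitlements. The following is an added example, not QuillMic's own code: it audits an entitlements plist against those claims, using a constructed sample plist and treating the incoming-network entitlement as a contradiction (an assumption drawn from the "minimum network entitlement" item).

```python
import plistlib

# Constructed sample: an entitlements plist shaped like the output of
# `codesign -d --entitlements :- <app>`. It is NOT QuillMic's real plist.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

# Entitlements that must be true for the page's claims to hold.
REQUIRED = {"com.apple.security.app-sandbox": "sandbox"}

# Hardened-runtime exceptions and extra reach that would contradict the page.
FORBIDDEN = {
    "com.apple.security.cs.allow-jit": "no JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "no W+X memory",
    "com.apple.security.cs.disable-executable-page-protection": "no W+X memory",
    "com.apple.security.cs.disable-library-validation": "library validation",
    # Assumption: an outgoing-only app should not accept incoming connections.
    "com.apple.security.network.server": "outgoing-only network",
}

def audit_entitlements(plist_bytes):
    """Return a sorted list of findings; an empty list means every check passed."""
    try:
        ent = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or truncated plist
        return [f"unparseable entitlements: {exc}"]
    if not isinstance(ent, dict):
        return ["entitlements root is not a dictionary"]
    findings = []
    for key, claim in REQUIRED.items():
        if ent.get(key) is not True:
            findings.append(f"missing {key} (claim: {claim})")
    for key, claim in FORBIDDEN.items():
        if ent.get(key) is True:
            findings.append(f"unexpected {key} (contradicts: {claim})")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_entitlements(SAMPLE_ENTITLEMENTS) or ["all checks passed"]:
        print(line)
```

The hardened runtime itself is a code-signing flag rather than an entitlement, so this audit only catches the exception entitlements that would weaken it.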

06 Reporting a vulnerability

If you believe you have found a security issue in QuillMic, we would like to know. Please send the details through the contact form on this site, with enough information to reproduce the issue. Marking your subject line "Security" routes the report to the right people on our side. We will acknowledge receipt promptly and work in good faith to address valid findings.


Please do not disclose unpatched issues publicly until we have had a reasonable opportunity to investigate and respond.