Privacy Policy
Effective: June 4, 2026
Tap Five, LLC (“Tap Five”, “we”, “us”) makes Moment Notes, an iOS app that records voice notes and turns them into transcripts and summaries. This policy explains, in plain English, what data the app and our servers handle, and what we don’t do with it.
If something here is unclear, email us at privacy@tapfive.dev.
TL;DR
- No accounts. No email, no password, no Apple ID. Your device proves it’s yours using Apple’s App Attest — we never see your name, email, or Apple ID.
- Privacy mode runs entirely on-device. When privacy mode is on, audio, transcripts, summaries, and “Ask” queries all stay on your iPhone — Apple Speech and Apple Intelligence do the work locally.
- Audio is short-lived on our servers. When you use enhanced mode, your recording lives on our infrastructure only long enough to be transcribed, then it’s deleted.
- No AI training on your content. None of our AI or transcription providers train their models on your recordings, transcripts, or queries.
- No ads, no cross-app tracking. The only third-party SDKs are privacy-preserving usage analytics (TelemetryDeck — on by default, opt out anytime in Settings) and crash reporting (Sentry). Neither ever receives your recordings, transcripts, or queries, and we don’t sell or share your data.
- You can request deletion. Email us with your device’s anchor ID (shown in the app) and we’ll erase your data, keeping only a pseudonymous usage counter so the same identity can’t reset its free-tier quota by re-requesting deletion.
1. Who we are
Moment Notes is built and operated by Tap Five, LLC, a US company. For any privacy question or request, reach us at privacy@tapfive.dev. Postal correspondence is available on request.
2. What we collect and why
We separate this into three groups so it’s clear what stays on your device, what reaches us, and what we generate ourselves.
On your device only
Everything below is stored locally on your iPhone, and — if you have iCloud enabled — synced through your own iCloud account using Apple’s CloudKit. We can’t see it.
- Audio recordings, transcripts, summaries, action items, and any names or tags you assign.
- Speaker labels you edit, daily recaps, and the semantic-search index used by the “Ask” feature.
- Your choice of transcription and AI mode.
When you choose privacy mode, the entire recording pipeline runs on your iPhone: Apple Speech transcribes the audio, and Apple Intelligence produces summaries, daily recaps, and answers for the per-recording “Ask” feature. No audio, transcript, or query about that recording is sent to our backend.
Sent to our backend
- Audio file (enhanced-mode transcription only). Uploaded directly to our object storage via a short-lived upload link. Held only while transcription is running, then deleted (see Retention).
- Transcript text (enhanced mode only) when you ask the app to summarize a recording, generate a daily recap, or run an “Ask” query. In privacy mode these features run on-device via Apple Intelligence and no text is sent. When sent in enhanced mode, we forward just the text and minimal context (title, date, tag list, your question).
- App Attest attestation generated by your device’s Secure Enclave. This is a cryptographic proof your app is genuine. It contains no personal information about you.
- StoreKit transaction receipt when you start or renew a subscription, so we can verify it with Apple and unlock premium features.
- IP address, used only at request time to rate-limit abuse. It is not stored against your activity and is logged only when a limit is exceeded.
Generated by us
- Pseudonymous device ID (a UUID) and an anchor ID — a one-way hash of your App Transaction identifier from Apple’s StoreKit, with no link back to your Apple ID — so we can apply the correct quota and respect your premium status across reinstalls.
- Subscription tier (free or premium) and expiry date, mirrored from Apple’s notifications.
- Quota counters — how many transcription minutes and AI queries you’ve used.
- Operational logs — request method, path, status, duration, and the device ID involved. We do not log request or response bodies, transcript content, audio metadata, or AI prompts. Logs are retained 30 days for debugging and abuse prevention.
Sent to analytics and crash-reporting services
These help us understand how the app is used and fix crashes. Neither ever receives your recordings, transcripts, summaries, or “Ask” queries, and both operate the same way regardless of whether you’re in privacy or enhanced mode.
- Usage analytics (TelemetryDeck). Privacy-preserving, pseudonymous events about how the app is used — for example, that a recording was started and its rough length (in buckets, never an exact duration), which mode you’re in, which screens and features you use, and subscription events — plus basic technical context (app version, OS version, device model, language). TelemetryDeck identifies sessions with a rotating, non-reversible signal rather than a stable identifier, does not store IP addresses, and does not track you across other apps or websites. Analytics is on by default; you can turn it off anytime in Settings → Privacy.
- Crash and app-hang diagnostics (Sentry). When the app crashes or freezes, we receive a diagnostic report — the stack trace, plus device model, OS version, and app version — so we can fix the bug. We’ve configured Sentry not to attach IP addresses or other personal identifiers, and we drop hang reports that don’t involve our own code. A stack trace can occasionally include a small fragment of in-memory data; we never intentionally send recordings, transcripts, or queries. Crash reporting is needed to keep the app stable and is currently always on.
3. Enhanced mode vs. privacy mode
Moment Notes can run in two modes, and you choose which.
- Privacy mode (on-device). Apple Speech transcribes audio locally, and Apple Intelligence produces summaries, daily recaps, and answers for the per-recording “Ask” feature on your iPhone. Nothing about a recording leaves your device. The app still talks to our backend for authentication, subscription verification, and reporting anonymous usage counters (numeric totals, no content) so we can apply your free-tier limits — but no audio, transcripts, or queries are sent. The privacy-preserving analytics and crash diagnostics described in Section 2 (separate from the backend usage counters above) also run independently of the mode you choose, but they never include your recordings, transcripts, or queries.
- Enhanced mode. Audio is uploaded to our object storage, transcribed by a provider (ElevenLabs, or AssemblyAI as failover), and the transcript is sent through our AI provider for summaries, daily recaps, and “Ask” queries.
The app shows the active mode and lets you change it. Quota counts the same way in both modes.
4. Subprocessors
These are the third-party services that help us run Moment Notes. We’ve named each one and the data they touch. Their links go to their own privacy policies.
| Provider | What it does | Data it sees | Region |
|---|---|---|---|
| Apple (policy) | App Store distribution, App Attest, StoreKit, optional CloudKit sync | App Attest attestations, subscription transactions, content you sync via your iCloud | US |
| Railway (policy) | Backend hosting, PostgreSQL, S3-compatible object storage | All data processed by our backend, including transient audio | US |
| ElevenLabs (policy) | Speech-to-text transcription (primary) | Your audio recording, briefly | US |
| AssemblyAI (policy) | Speech-to-text transcription (failover) | Your audio recording, briefly | US |
| Anthropic (policy) | Claude AI for summaries, daily recaps, and “Ask” queries | Transcript text, queries, recording metadata | US |
| OpenAI (policy) | AI failover when Claude is unavailable | Transcript text, queries, recording metadata | US |
| Better Stack (policy) | Operational log storage | Request metadata only — no content, no transcripts | EU |
| TelemetryDeck (policy) | Privacy-preserving usage analytics | Pseudonymous app-usage events and basic device/app info — no content, no IP | EU (Germany) |
| Sentry (policy) | Crash and app-hang diagnostics | Crash/diagnostic reports (stack traces, device model, OS/app version) — no content, no IP | US |
We’ll update this list before adding or replacing a provider that handles your content. None of these analytics or diagnostics providers receive your recordings, transcripts, or queries.
5. AI processing and training
This is the question we get asked most, so the answer is direct: none of our providers train their models on your content.
- Anthropic (Claude API): Does not train on commercial API inputs or outputs.
- OpenAI API: Does not train on API inputs or outputs.
- ElevenLabs: We have opted our account out of model training, so your audio is not used to improve their models.
- AssemblyAI: We have opted our account out of their Model Improvement Program, so your audio and transcripts are not used to train or benchmark their models.
Separately from training, Anthropic and OpenAI may retain commercial API inputs and outputs for up to 30 days for service delivery and abuse monitoring before automatic deletion — with longer retention (up to 2 years) only if a request is flagged as violating their usage policies. Retention windows for our other subprocessors are described in the policies linked in Section 4.
Our agreements with each provider also forbid them from using your data for any purpose other than delivering the service to us. We do not create voiceprints or any biometric identifier from your recordings.
6. What we don’t do
- No advertising IDs, no IDFA, no advertising profiles.
- No cross-app or cross-site tracking. We do use privacy-preserving analytics (TelemetryDeck) and crash reporting (Sentry) — see Section 4 — but neither receives your recordings, transcripts, or queries, and neither is used to track you across other apps or for advertising.
- No collection of your Apple ID, email address, phone number, contacts, photos, or location.
- No sale of personal information. No sharing for cross-context behavioral advertising (CCPA/CPRA “sharing”).
- No automated decision-making that produces legal effects or similarly significant effects on you, as described in GDPR Article 22.
- No voiceprints, speaker identification across recordings, or other biometric identifiers.
7. Retention
| What | How long |
|---|---|
| Audio in our object storage | Deleted within minutes of transcription finishing. A safety sweep removes any file older than 90 minutes regardless. |
| Server-side transcript JSON | Deleted after your device receives it, or within 24 hours of completion at the latest. Summaries and other AI outputs are never written to our database — they pass through and return to your device. |
| Device record and subscription state | Kept while your device remains active. Up to 7 years after your final subscription event for tax and audit obligations under US federal and state law. |
| Quota counters | Retained indefinitely, linked only to the pseudonymous anchor, so the same anchor cannot reset its quota through reinstallation or a deletion request. No personal data remains associated with the counter after a deletion request. See Section 9 for the fraud-prevention basis. |
| Operational logs (Better Stack) | 30 days, then deleted. |
| Usage analytics (TelemetryDeck) | Retained by TelemetryDeck per their policy (linked in Section 4); pseudonymous events with no stable identifier, never recording content. |
| Crash & hang diagnostics (Sentry) | Retained by Sentry per their policy (linked in Section 4); their standard retention is 90 days, then deleted. |
| Apple App Attest challenges | 5 minutes. |
If you ask us to delete your data sooner, we will (see Section 9).
8. Security
- All traffic between the app and our servers uses HTTPS (TLS).
- Data at rest is encrypted by our hosting provider.
- Device identity is bound to your iPhone’s Secure Enclave via Apple App Attest. We can’t impersonate your device, and a stolen device token can’t be reused from another device.
- Webhooks from Apple and our subprocessors are authenticated using cryptographic signatures, compared in constant time.
- API keys for third-party providers live on our backend only and are never sent to the app.
No system is perfect. If we discover a breach affecting your data, we’ll notify you in-app and by the channels regulators require.
9. Your rights
Because we don’t collect names or emails, “your data” on our side is whatever is tied to your device anchor ID — a value the app can show you in Settings.
You can ask us to:
- Access or export the data we hold about your device.
- Correct anything inaccurate.
- Delete your device record, any pending transcripts, and your privacy-mode usage history from our backend. We retain one pseudonymous counter — a record of how much free-tier usage your anchor consumed, with no link back to you — so the same identity can’t reset its free-tier allotment by repeatedly requesting deletion. We rely on our legitimate interest in preventing fraud and abuse of free-tier limits (GDPR Article 6(1)(f), recognized in Recital 47 as a legitimate interest) and California Civil Code § 1798.105(d)(2), which permits retention “to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity.”
- Receive a portable copy of your data in a structured, commonly used, machine-readable format (data portability).
- Restrict or object to specific processing.
- Withdraw consent to anything you previously agreed to.
To exercise a right, email privacy@tapfive.dev from any address with your anchor ID in the message. We respond within 30 days. We won’t refuse service or charge you for making a request.
California (CCPA/CPRA): You have the rights to know, delete, correct, and limit sensitive personal information processing. We do not sell or share your personal information.
Under the CCPA’s statutory categories, we collect: Identifiers (device ID, anchor ID, IP for rate limiting); Commercial information (subscription status and quota counters); Internet or other electronic network activity information (request metadata, plus pseudonymous in-app usage analytics and crash diagnostics that contain no content); and, in enhanced mode only, Audio, electronic, visual, or similar information (your audio recording, briefly, and the transcript text you send for AI processing). We collect these for the service-delivery purposes described in Section 2 and do not use them for any other purpose.
EU/EEA, UK, Switzerland (GDPR/UK GDPR): Our legal bases are (a) performance of a contract to deliver the service you requested, (b) our legitimate interest in operating, securing, and improving the service, and (c) your consent where required. You can lodge a complaint with your national supervisory authority — a list of EEA authorities is at edpb.europa.eu/about-edpb/about-edpb/members_en.
Other US states: If your state grants additional rights (Virginia, Colorado, Connecticut, Utah, Texas, and similar), we honor equivalent requests through the same email above.
10. Recording other people
Recording laws vary by jurisdiction. Some require all parties to consent; others require only one. You are responsible for complying with the law where you record. If a person asks you to delete a recording, you can delete it in the app; if you have iCloud sync enabled, the deletion will sync across your devices.
11. Children
Moment Notes is not directed at children under 13 (US) or under 16 (EEA/UK). We do not knowingly collect personal information from children. If we learn we have collected such information without verifiable parental consent, we will delete it promptly. If you believe a child has used the app and want their data removed, email privacy@tapfive.dev and we’ll act on it.
12. International transfers
Our backend runs in the United States. If you use Moment Notes from the EEA, UK, or Switzerland, your data is transferred to the US to be processed. Operational logs (request metadata only — no content) are stored by Better Stack in the European Union, and usage analytics (TelemetryDeck) are processed in the European Union; crash diagnostics (Sentry) are processed in the United States. The subprocessors we use offer GDPR-compliant transfer mechanisms — such as Standard Contractual Clauses or EU-US Data Privacy Framework certification — in their data processing agreements. If you want to confirm the specific safeguards for a particular provider, contact us at privacy@tapfive.dev.
13. Changes
We may update this policy as the product evolves. The effective date at the top reflects the current version. For material changes — for example, adding a new category of data or a new subprocessor handling your content — we’ll provide reasonable advance notice in the app, typically at least 30 days before the change takes effect. For changes that require your consent under applicable law, we’ll request new consent before applying them to your data. A changelog is kept at the bottom of this document.
14. Contact
Tap Five, LLC
Privacy requests and questions: privacy@tapfive.dev
Changelog
- 2026-06-04 — Initial version.