Local-first by design
Speech-to-text and AI cleanup both run on your device. Audio is transcribed on the Apple Neural Engine, and cleanup runs in-process — the raw audio, the transcript, and the cleaned output stay in your Mac’s memory and never cross the network. Because there is no cloud transcription pipeline, there is no server that holds your dictation to be compromised. The full data-handling statement is in the Privacy and local-first doc.
Data at rest on your Mac
Your dictation history is stored in a local SQLite database, and your vocabulary, hotkey choice, and settings live in local app storage. None of it is synced to a server. macOS does not protect these files at rest unless you enable FileVault, the system-wide macOS setting that encrypts your whole disk. We recommend turning FileVault on; it is the right control for at-rest protection of anything on your Mac, evoglyph included.
The network surface
evoglyph is local-first but not network-free. It makes a small, fixed set of network calls — for the one-time model download, license activation and re-validation, update checks, and (only if you opt in) crash reporting. Each one is enumerated, with what it sends and why, in the four network calls section of the Privacy doc. Crash reporting is off by default and is never enabled without your explicit opt-in.
License and account security
Your license key is stored in the macOS Keychain, not in a plain-text file. Activation and periodic re-validation happen over HTTPS against the licensing service. Each license covers two devices; to free a slot, open the LICENSE section on evoglyph’s Home screen and choose Deactivate this device, which releases the Mac you’re currently using. evoglyph can’t reach a device you no longer control, so if you lose access to a Mac while both slots are in use, email [email protected] and we’ll free the slot for you. The website is served over HTTPS with HSTS.
The licensing and billing records tied to your purchase — your email, license key, order references, and the device labels for your activations — are stored server-side in Cloudflare D1. The Privacy and local-first doc describes exactly what is stored, who processes it, and for how long. If a security breach ever affects your personal data, we will notify affected users without undue delay and, where the law requires, the relevant supervisory authority.
Payment security
Payments are processed by Stripe, a PCI-DSS Level 1 provider. Your card details are entered directly with Stripe; evoglyph and Eluketronic never see or store your full card number.
Updates and dependencies
evoglyph checks for updates so security fixes can reach you quickly. You can disable automatic update checks in Settings, but we recommend leaving them on. We update the third-party components evoglyph ships — including the on-device models — when we become aware of relevant fixes.
Reporting a vulnerability
If you believe you have found a security vulnerability in evoglyph or this website, please email [email protected] with “Security” in the subject line and enough detail to reproduce the issue. We aim to acknowledge reports within a few business days. Please give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly, and do not access or modify other users’ data while testing. We appreciate responsible disclosure.