1. Overview
Your privacy matters. This Privacy Policy explains what information Murmur collects, how it is used, where it is stored, and what choices you have. Murmur is designed with a local-first approach — your data lives on your device first and syncs to the cloud only to support multi-device access and backup.
2. Information We Collect
a. Account Information
When you register, we collect:
- Your email address and password (managed by Supabase Auth; passwords are never stored in plain text).
- Your optional display name and profile photo.
- Optional usage preferences you provide during onboarding (e.g., intended use cases).
b. Voice Recordings and Transcriptions
- When you use voice capture, the App records audio from your microphone.
- Audio is sent to our hosted transcription service to produce a text transcript.
- Audio files are not permanently stored on our servers. Only the resulting transcription text and structured entry data are retained.
- Raw transcription text is stored as part of your entry record.
c. Entries and Notes
All entries you create — including tasks, reminders, meetings, financial notes, shopping lists, habits, health logs, travel plans, and ideas — are stored:
- Locally in a SQLite database on your device.
- In the cloud via Supabase (when you are signed in and connected), to enable sync and backup.
d. Calendar Data
- If you grant calendar permissions, the App reads event data from Apple Calendar and/or Google Calendar.
- Calendar events are cached locally on your device and stored as snapshots in your Supabase account to support offline access.
- We do not modify, create, or delete calendar events.
e. Device Permissions
We request the following permissions:
| Permission | Purpose |
|---|---|
| Microphone | Voice capture for transcription |
| Speech Recognition | On-device speech processing |
| Calendar (Read) | Viewing calendar events alongside entries |
| Photos / Camera | Uploading a profile picture |
| Notifications | Local reminders for tasks, meetings, habits |
All permissions are optional except as needed for core features. You can revoke any permission from your device Settings.
f. Integration Credentials
- Notion: Your Notion API token is stored in your device's secure enclave (iOS Secure Store / Android Keystore). Connection metadata (workspace name, status) is synced to your Supabase account.
- Obsidian: Your Obsidian Local REST API key is stored securely on your device. Obsidian sync communicates directly between the App and your local vault; no Obsidian data passes through our servers.
- Google Calendar: Your Google OAuth tokens are managed in-memory during a session and persisted in your Supabase account to maintain Calendar access across sessions.
3. How We Use Your Information
| Data | Use |
|---|---|
| Email / account | Authentication, account recovery, notifications |
| Voice recordings | Transcription (transient; not retained post-processing) |
| Transcription text & entries | Core app functionality; sync and backup |
| Calendar events | Display alongside your entries; not analyzed by AI |
| Profile photo | Displayed in your profile and widgets |
| Notification preferences | Scheduling local reminders |
We do not use your data for advertising, sell it to third parties, or share it beyond what is necessary to provide the App's services.
4. Data Storage
Local Storage
- SQLite database on your device stores all entries, calendar snapshots, sync metadata, and notification inbox items.
- Secure Store (iOS Keychain / Android Keystore) stores your session credentials and third-party integration tokens.
- File system: calendar event cache files and exported data files are stored in your app's document directory.
Cloud Storage (Supabase)
When you are signed in, the following data is synced to Supabase (hosted on Supabase infrastructure):
- Your account profile
- Entries (including transcription text)
- Notification inbox items
- Calendar event snapshots
- Integration connection metadata
- Google Calendar OAuth tokens
- Profile images (stored in Supabase Storage)
Supabase's infrastructure is hosted on AWS. For Supabase's own privacy practices, see supabase.com/privacy.
5. Third-Party Services
| Service | Data Shared | Purpose |
|---|---|---|
| Supabase | Account, entries, calendar snapshots, tokens | Auth, sync, storage |
| Hosted Voice API | Audio recordings (transient) | Transcription and categorization |
| Google Calendar | OAuth tokens, calendar read access | Calendar integration |
| Notion | Entry content (when sync is enabled) | Note export/sync |
Obsidian integration is entirely local — no data is shared with Obsidian or any remote server through this integration.
6. Analytics and Tracking
Murmur does not use third-party analytics services. We do not embed advertising SDKs, behavior tracking, or crash reporting services that transmit your personal data externally.
7. Data Security
- All communications with Supabase and our voice processing service use HTTPS/TLS encryption.
- Sensitive credentials (session tokens, API keys) are stored in the device's hardware-backed secure storage.
- We follow security best practices in our backend infrastructure; however, no system is 100% secure.
8. Data Retention
- Your data is retained in Supabase as long as your account is active.
- If you delete your account, your cloud data will be deleted within 30 days.
- Locally stored data is removed when you uninstall the App or manually clear app data.
- Audio recordings sent for transcription are deleted from our processing servers immediately after a transcription result is returned.
9. Your Rights
You have the right to:
- Access your data via the in-app export feature (CSV or Markdown).
- Correct your profile information from the Profile screen.
- Delete your account and associated cloud data by contacting us or via the account deletion flow in Settings.
- Revoke any device permission (microphone, calendar, camera, notifications) at any time from device Settings.
- Disconnect third-party integrations (Google Calendar, Notion, Obsidian) from the Settings screen at any time.
10. Children's Privacy
Murmur is not intended for children under 13. We do not knowingly collect personal information from children under 13.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via an in-app notice. Continued use of the App following the update constitutes acceptance.
12. Contact
If you have questions or concerns about your privacy, contact us at: privacy@murmurapp.io