Tailroom is a voice-first app for clearing what's still running in your head. We built it on the principle that what you say into the app is yours, and we should hold as little of it as possible. This policy is a plain statement of what that means in practice.
If something in this policy is unclear, email us at privacy@tailroom.app. We will answer.
The short version
- Audio recordings never leave your device. They are captured, transcribed on your phone, and discarded.
- Transcripts leave your device once, to generate the reflection. They are sent over an encrypted connection to a small Tailroom proxy at tailroom.app that forwards them to Anthropic (the company that makes the AI we use). Anthropic retains API inputs and outputs for up to 30 days for trust-and-safety review under their commercial terms, then deletes them. The proxy does not persist the transcript itself.
- Reflections live on your phone. SwiftData, encrypted at rest by iOS. If you have iOS device-level iCloud Backup turned on (Settings → Apple ID → iCloud → iCloud Backup, controlled by iOS, not by Tailroom), your encrypted device backup includes Tailroom's local store along with everything else iOS backs up; we have no access to it.
- We have no accounts, no analytics, no telemetry, no advertising, and no third-party tracking. We do not collect your name or email. The proxy attaches a per-install device-attestation identifier (issued by Apple's App Attest service — see below) so we can rate-limit abuse without an account; that identifier is not linked to any human identity we hold.
- We do not sell, share, or licence your data to anyone. There is nothing to sell.
If that's enough for you, you can stop reading. The rest of the document is the detailed version for people who need it.
What we collect, why, and what happens to it
Audio. When you record a session, your iPhone captures audio through its microphone, transcribes it using Apple's on-device Speech framework (or, if on-device recognition fails on your device, Apple's cloud Speech service — which you can disable in Settings), and then releases the audio. The audio is never saved to disk by Tailroom and is never sent off-device by us.
Transcripts. The text of what you said is generated on your device. When you complete a session, the transcript is sent over an encrypted connection (TLS 1.3) to a small Tailroom proxy at tailroom.app/api/reflect, which forwards it to Anthropic's API to generate the reflection. Our proxy does not persist the transcript — it is held only for the duration of the API call. The transcript is not accompanied by your name, your email, your IP address (see "What we do not collect" below), or any human-identifying data; the only request-level identifier is the App Attest keyId described below, which is per-install and not linked to your identity. Anthropic's API terms state that data submitted via the API is not used to train their models by default; under their commercial terms they retain API inputs and outputs for up to 30 days for trust-and-safety review and then delete them. You can read Anthropic's current API privacy terms at https://www.anthropic.com/legal/aup.
App Attest registration. On first launch, the app generates a Secure-Enclave-backed keypair via Apple's App Attest framework and registers the public key (with a SHA-256 identifier called the keyId) with our proxy at tailroom.app. We store this record — keyId, public key, a monotonic signature counter, the attestation environment (production or development), and a creation timestamp — in our Upstash key-value store for up to 365 days from the most recent successful reflection. The signature counter is updated on each reflection. The record's sole purpose is to confirm that requests come from a genuine Tailroom install on a real iPhone and to enable per-device rate limits without requiring an account. It is not linked to your identity, and we cannot use it to look up your name, email, or any other personal information about you. If your install is inactive for 365 days the record is deleted automatically; deleting and reinstalling Tailroom forces re-registration with a fresh keypair.
Reflections. The structured reflection that Anthropic returns — the "What I heard" sentence, the sorting cards, the session-close line — is stored on your device using SwiftData, which is encrypted at rest as part of iOS device storage. Tailroom does not run iCloud sync. If you have iOS device-level iCloud Backup turned on (Settings → Apple ID → iCloud → iCloud Backup, controlled by iOS, not by Tailroom), your encrypted device backup will include Tailroom's local store along with everything else iOS backs up; we have no access to it.
Apple Health (optional, Plus only). If you turn on "Write to Apple Health" in Settings → Settings and grant the system permission, each completed session is written to Apple Health as a Mindful Minutes sample containing only its start time, end time, and duration. Nothing else is written; we never read from Health. The data lives in your HealthKit store, which is controlled by iOS and Apple's privacy model — not by us.
Subscription status. If you subscribe to Tailroom Plus, Apple's App Store handles the transaction. We receive from Apple a receipt indicating that your device has an active subscription. The receipt does not contain your name, email, or payment details. We never see your payment information.
Operational telemetry. On each app launch and when returning to the foreground, the app fetches a small public JSON file at tailroom.app/kill-switch.json so we can pause the reflection feature in an emergency (for example, if the AI produces something harmful). This is a static asset request; Vercel logs it the same way it logs the public website.
Diagnostic data. Tailroom does not collect crash reports or analytics. If you have iOS-level Analytics & Improvements sharing enabled (Settings → Privacy & Security → Analytics & Improvements), Apple may share aggregated, anonymised crash and usage data with us through Apple's standard developer tools. This data is anonymised by Apple and never includes anything you said.
Waitlist email (website only). If you submit your email address to the waitlist form on tailroom.app before the app is available, we store: your email address, the date and time you signed up, the originating user-agent string (e.g., "Safari on iPhone"), and the referring website host (e.g., "news.ycombinator.com"). We do not store your IP address, your name, your full referring URL, or any other identifier. We store the data in an encrypted-at-rest key-value store operated by Upstash on Vercel's marketplace; we do not share it with any other party. We use the address for exactly one purpose: a single email when the app is available on the App Store. We do not send a newsletter, a welcome sequence, or any other email. Once the launch email has been sent, the waitlist data is retained for 30 days for delivery verification and then deleted; you can request earlier deletion by emailing privacy@tailroom.app at any time. Submitting your email is opt-in; nothing about the website otherwise requires it.
What we do not collect
To be explicit:
- We do not collect your name, phone number, or any account identifier. The single exception is if you voluntarily submit your email to the pre-launch waitlist form on tailroom.app — covered above and used only for the launch-day notification.
- We do not collect, log, or analyse your IP address. As a standard part of TLS routing, Vercel sees the IP of every request to tailroom.app. We use it only for short-lived, ephemeral counters: a per-IP rate limit on the reflection proxy (the App Attest keyId is the primary rate-limit key; the IP-based limit is a fallback for the brief rollout window before App Attest is fully enabled), and a per-IP brute-force throttle on the operator admin login that you never interact with. These counters live in Upstash for at most an hour and are not joined to any other data.
- We do not collect your device's unique identifier (IDFA, IDFV).
- We do not collect your location.
- We do not collect your contacts, photos, calendar, or any other data on your phone.
- We do not collect demographic data — age, gender, occupation, anything.
- We do not use cookies. (We're a native app; there are no cookies. The tailroom.app website also does not set cookies.)
- We do not use any third-party analytics service — Mixpanel, Amplitude, PostHog, Google Analytics, Firebase Analytics, none of them.
- We do not use any advertising network or attribution SDK.
This is unusual for a consumer app. We mean it.
Third parties we work with
Short list:
Anthropic. The AI company that powers the reflection. Your transcripts pass through their API to generate the reflection. Anthropic's data handling is governed by their published API privacy terms. They do not train on data submitted via the API. Under their commercial terms they retain API inputs and outputs for up to 30 days for abuse monitoring and then delete them; longer retention applies only if a request is flagged for trust-and-safety review. We do not share anything else with them — no identifying information, no IP address, no App Attest keyId, no usage patterns, no metadata beyond what's required to make the API call.
Apple. Your device manufacturer and the operator of the App Store. Apple handles your subscription if you have one, surfaces the app to you in the App Store, and provides the on-device frameworks (Speech, SwiftData, iCloud, StoreKit, HealthKit, App Attest, LocalAuthentication) that Tailroom uses. Apple's privacy policy governs anything they collect from you as your device manufacturer; it is independent of Tailroom.
Vercel. Hosts tailroom.app (the marketing site), the reflection proxy at /api/reflect, the App Attest registration and challenge endpoints at /api/attest/*, and the operator admin under /admin. Vercel processes incoming requests — including, as a standard part of TCP routing and abuse protection, the requesting IP — but apart from the ephemeral rate-limit counters described above, Tailroom does not query, retain, or process those request logs. Vercel's privacy terms govern what they hold on our behalf as a sub-processor.
Upstash. Operates the Redis-compatible key-value store (KV) we use, via Vercel's marketplace integration, to persist (a) the pre-launch waitlist, (b) App Attest key records as described above, (c) ephemeral rate-limit and brute-force-throttle counters, and (d) a short-lived store of single-use server-issued challenge nonces (≤2 minutes TTL) that the App Attest verification flow consumes. Upstash is the sole server-side data store Tailroom uses; we do not duplicate the data anywhere else.
That's it. There is no analytics processor, no error tracking service, no marketing automation tool, no customer data platform, no CRM, no email service provider (other than the one we use for support@tailroom.app correspondence and the operator's personal email tool used to send the one-time waitlist launch notification, both of which only see email you choose to send us or have voluntarily added to the waitlist).
Your rights
Because we hold so little, most data-rights requests are simple.
To see what we hold about you: in most cases, nothing. Your data is on your phone, accessible through the app. If you've corresponded with us at support@ or privacy@, we may have those emails in our inbox. Email us and we'll tell you what we have.
To export your data: in the app, go to Settings → Data → Export all sessions as JSON. The file contains everything we stored about your usage, because it is everything we have.
To delete your data: in the app, go to Settings → Data → Delete all sessions. This is a hard delete. There is no archive, no trash, no recovery. If you've corresponded with us by email, you can request deletion of those records by emailing privacy@tailroom.app.
To stop using the app: uninstall Tailroom. Your local data goes with the uninstall.
Specific jurisdictional rights:
- EU users (GDPR): You have the rights of access, rectification, erasure, data portability, restriction of processing, objection to processing, and to lodge a complaint with your supervisory authority. Most of these are exercised through the in-app controls described above. The legal basis we rely on for processing is your consent (when you tap record) and contract performance (delivering the reflection you asked for). Where personal data leaves the EU/EEA — Anthropic API calls, Vercel hosting, the Upstash key-value store that holds App Attest records and short-lived rate-limit counters — each transfer is covered by Standard Contractual Clauses with the respective processor.
- California residents (CCPA/CPRA): You have the rights to know, delete, correct, and opt-out of sale or sharing. We do not sell or share your personal information. The "Do Not Sell or Share My Personal Information" link is not required because we don't do either.
- Australian users (Australian Privacy Principles): Tailroom is an Australian product subject to the Privacy Act 1988 and the Australian Privacy Principles. The Office of the Australian Information Commissioner (OAIC) is the regulator; you can contact them if you have a complaint we have not resolved.
- UK users (UK GDPR): Same substantive rights as EU users; the Information Commissioner's Office (ICO) is the regulator.
Children's privacy
Tailroom is not designed for and is not intended to be used by people under 17. The App Store age rating is 17+, partly because the content of a session is user-generated and can include adult themes, and partly because mental load is not a problem we want to mediate for minors. If you are under 17, please do not use Tailroom.
If we become aware that we have inadvertently received personal information from a person under 17 — for example, in correspondence to support@ — we will delete it from our records.
Data retention
On your device: your sessions are kept until you delete them or uninstall the app. We do not automatically expire or delete sessions.
In our records (server-side):
- App Attest key records — up to 365 days from the last successful reflection, then deleted. Each successful reflection rolls the expiry forward; an inactive install drops out automatically. Deleting and reinstalling Tailroom voids the prior record by issuing a fresh keypair.
- Rate-limit and brute-force-throttle counters — at most one hour, often less. These are ephemeral counters indexed by App Attest keyId (for the reflection limiter) or IP (for the operator-admin login throttle and the pre-App-Attest fallback) and are auto-expired by Upstash.
- Single-use App Attest challenges — at most two minutes, and deleted the moment the device consumes one.
- Pre-launch waitlist emails — retained for 30 days after the launch email has been sent, then deleted.
- Correspondence — emails you send to support@, privacy@, or hello@tailroom.app are retained for up to two years for support continuity, then deleted, unless you request earlier deletion or the correspondence relates to an ongoing matter.
Security
The honest summary: the strongest security guarantee a piece of software can offer is not collecting data in the first place, and that is the guarantee Tailroom offers. There is no server to breach, no database to leak, no backup to lose.
For the limited data that does exist:
- The app stores data on your device using SwiftData; the device storage is encrypted at rest by iOS.
- Face ID locking is enabled by default; you can disable it in Settings.
- Network traffic between your phone and our proxy uses TLS 1.3, and so does the proxy's onward connection to Anthropic.
- The Anthropic API credential is held server-side on our proxy. It is never shipped in the iOS binary.
- Every request to the reflection proxy is verified via Apple App Attest, so a third party can't forge requests on behalf of a Tailroom install. Replays are blocked by single-use server-issued challenges and a monotonic per-device signature counter.
- We do not maintain a bug bounty program at v1 but welcome responsible disclosure of security issues. Email security@tailroom.app with details. We will acknowledge within 5 business days.
Changes to this policy
If we change this policy, we will update the "Last updated" date at the top and, for material changes, mention the change on the tailroom.app website and in the app's About screen. We will not email you about policy changes because we don't have your email address — that's the trade-off of the privacy posture we've chosen.
What constitutes a material change: adding any new third party that receives user data, adding any new category of data we collect, or changing the legal basis on which we process data. Cosmetic changes — clarifying language, fixing typos, updating contact addresses — are not material.
Contacting us
- General questions: hello@tailroom.app
- Support: support@tailroom.app
- Privacy questions and rights requests: privacy@tailroom.app
- Security disclosure: security@tailroom.app
We are based in Perth, Western Australia. Our postal address is provided on request to facilitate formal correspondence.