01. Summary
MinineSTT (“we”, “us”, the “app”) is an iOS recording and transcription app published by Minine Inc. We’re built so that, by default, your recordings stay on your iPhone or iPad. The only times your audio or text leaves your device are explicit and obvious:
- You pick a cloud transcription engine (Whisper, AssemblyAI, or Studio).
- You enable cross-device sync after signing in.
- You share a session into a team.
- You request a cloud translation (DeepL).
We don’t serve ads, we don’t embed analytics or advertising SDKs, we don’t ask for the IDFA, we don’t look at your location, contacts, photos, calendar or health data, and we don’t use your recordings to train any AI model.
If you only use the on-device Apple Speech engine and don’t sign in, no recording, transcript or translation ever leaves your device through us.
02. Who we are
Minine Inc is the data controller for MinineSTT. Our
registered address is 18952 MacArthur Blvd, Irvine, CA 92612, United
States. Our backend runs on Amazon Web Services in the us-west-2
region (Oregon, USA).
For privacy questions you can reach us at [email protected], or use any of the channels listed in Contact.
03. Data we handle
The table below is the complete list of personal data the app collects or processes. We’ve tried to keep it short on purpose.
3.1 On-device data
The following lives in the iOS sandbox of your installed app and never leaves your device unless one of the triggers in §3.2 is met:
| Data | When created | Where it lives |
|---|---|---|
Recorded audio (.m4a) |
You start a recording | Documents/Audio/ |
| Transcript text | Transcription completes | Documents/sessions.json |
| Translations | Translation completes | Documents/sessions.json + cache |
| Preferences (engine, language, theme…) | You change a setting | UserDefaults |
| Self-issued JWT (after sign-in) | You sign in | iOS Keychain (not iCloud-synced) |
| Subscription cache | StoreKit verifies purchase | UserDefaults |
3.2 Server-side data
The following exists on our backend (AWS, us-west-2) only after you trigger it:
| Data | Trigger | Stored in |
|---|---|---|
| Account record (provider, email, display name) | Signing in with Apple or Google | AWS DynamoDB (account store) |
| Session metadata, transcripts, translations | Enabling sync (signed-in only) | AWS DynamoDB (session store) |
| Audio file | Choosing a cloud engine, or syncing audio | AWS S3 (object storage) |
| Team info, membership, activity | Creating or joining a team | AWS DynamoDB (team store) |
| Transcription job ticket | Cloud transcription request | AWS SQS (transient job queue) |
3.3 What we do not collect
Listed explicitly because it shapes the rest of the policy:
- Location (we don’t link
CoreLocation). - Contacts, photos, calendar, health data, motion data.
- IDFA / IDFV; we never present an App Tracking Transparency prompt.
- Any third-party analytics, attribution, or advertising SDK.
- Crash logs (we don’t embed Sentry, Crashlytics, or similar).
- Browsing history, keystrokes, microphone outside an active recording session.
- Bluetooth, NFC, or camera data.
If we ever add any of the above (for example a crash reporter), this policy will be updated before the change ships, and the in-app changelog will highlight it.
04. Third parties
We use a small number of vendors. We do not sell, rent, or trade your data to anyone. The vendors below are processors: they handle data on our behalf, only for the purpose listed.
| Vendor | Purpose | Data shared | Trigger | Their policy |
|---|---|---|---|---|
| Apple (Sign in with Apple, StoreKit, Translation, Speech) | Identity, billing, on-device speech & translation | Apple identity token; StoreKit transaction | You sign in / subscribe / use Apple engines | apple.com/legal/privacy |
| Google (Sign in with Google) | Identity | Google identity token; email; display name | You tap “Sign in with Google” | policies.google.com/privacy |
| Amazon Web Services | Hosting, storage, queues | Everything in §3.2 (encrypted at rest) | Any cloud feature | aws.amazon.com/privacy |
| OpenAI (Whisper API) | Cloud transcription | The recording you submit | You pick the Whisper engine | openai.com/policies/privacy-policy |
| AssemblyAI | Cloud transcription + speaker diarisation | The recording you submit; optional hint params | You pick AssemblyAI or Studio | assemblyai.com/legal/privacy-policy |
| DeepL | Cloud translation | Transcript text only (never audio) | You request a cloud translation | deepl.com/en/privacy |
Calls to OpenAI, AssemblyAI, and DeepL are routed through our backend so that their systems do not learn your account identity — they see a request from our service, with the audio or text payload. Their independent retention and handling rules apply to that payload; we have selected each vendor’s API tier with appropriate data-handling commitments where available.
05. Retention
- On-device data stays until you delete it from the app or uninstall the app.
- Account record persists until you delete your account.
- Sessions, transcripts, translations on our servers persist until you delete them in the app, or until your account is deleted (whichever comes first).
- Audio in S3 is removed within 14 days of the corresponding session being deleted.
- Team data (membership, activity log) persists while you remain a member; leaving a team removes your membership row immediately.
- Backups of our DynamoDB tables roll over within 35 days; deleted records age out of those backups within that window.
- Job queue messages in SQS are transient (max 14 days) and contain only the references needed to process a transcription, not the audio itself.
When you request account deletion (see §6), we wipe everything in §3.2 within 14 days, except where we are required by law to keep a minimum trail of financial records (e.g. proof of subscription purchase). Apple, not us, holds those subscription records.
06. Your rights
Regardless of where you live, you can:
- Access your data — every transcript can be exported as text, SRT, bilingual SRT, or JSON from inside the app.
- Delete a session — this also removes the corresponding audio from S3 and the row in DynamoDB if sync is on.
- Delete your account — until the in-app self-service flow is shipped, send a request to [email protected] from the email tied to your account; we will action it within 14 days.
- Export your data — ask us at the same address; we will return a ZIP containing your account record, all sessions (JSON), and audio files.
- Object / restrict / correct — correct your displayed name in Settings → Account; for any other objection, write to us.
We will respond to verifiable requests within statutory windows (typically 30 days under GDPR, 45 under CCPA). We do not charge for these.
If you live in a region with a supervisory authority (e.g. an EU Data Protection Authority), you also have the right to lodge a complaint with them directly. We’d appreciate the chance to fix things first — just write to [email protected].
07. Regional notes
7.1 European Union / EEA / United Kingdom (GDPR / UK GDPR)
Our legal bases are: contract (we cannot give you sync, cloud transcription
or teams without processing your audio and account data); legitimate interest
(we need to operate, secure, and improve the service); and consent, where
you affirmatively select a cloud feature. Data is processed in the United States
(AWS us-west-2); we rely on Standard Contractual Clauses with our
processors and AWS’s GDPR Data Processing Addendum for these international
transfers.
7.2 California, USA (CCPA / CPRA)
We do not “sell” or “share” personal information as those terms are defined under the CCPA. The categories of personal information we collect map directly to §3 above. California residents have the right to know, delete, correct, and opt out of sharing — you can exercise these by writing to [email protected].
7.3 Mainland China (PIPL)
For users in mainland China: your data, when you choose any cloud feature, is transferred to and processed in the United States, and may be transmitted onward to OpenAI, AssemblyAI, or DeepL as listed in §4. By using a cloud feature, you provide separate consent for this cross-border transfer. You may withdraw your consent at any time by switching to on-device engines and disabling sync, and you may exercise your PIPL rights at the address above.
7.4 Other jurisdictions
We aim to honour equivalent rights wherever you live. Reach out and we’ll do our best.
08. Children
MinineSTT is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has used the app and submitted data, please contact us so we can remove it.
09. Security
We use TLS for everything in transit. Audio in S3 and content in DynamoDB are encrypted at rest with AWS-managed keys. Authentication uses short-lived tokens; you can sign out from any device at any time. Third-party API keys (for the processors listed in §04) live exclusively in our backend environment and are never embedded in the iOS binary.
No system is perfectly secure. If you believe you’ve found a vulnerability, please reach out at [email protected] — we welcome responsible disclosure and will work with you on a fix.
10. Changes to this policy
When we change this policy, we update the “Effective” date at the top and bump the version number. Material changes (new vendors, new categories of data, new uses) will be surfaced in the app on next launch and described in the App Store release notes.
11. Contact
Privacy questions: [email protected]
Account deletion / data export: [email protected]
Security disclosure: [email protected]
General support: [email protected]