Privacy

Voice disappears. The thought stays.

The 24-hour rule and why we do not train on your recordings.

Audio is processed to create text and tasks, then deleted within 24 hours unless you opt into longer retention.

> Voice data is intimate. People speak half-finished thoughts, worries they have not told anyone, plans they are embarrassed to write down. We designed deletion-first because that is what the use case demands, not because it is the easiest path operationally.

## The default is delete

When you record a voice capture in KeptMind, three things happen. The audio is sent to our processing pipeline. The pipeline transcribes it, extracts the task, and saves the structured result to your account. Twenty-four hours later, the audio file is removed from our systems.

No advertiser sees your captures. No model is trained on your voice for third-party products. If you export or delete your account, the text goes with you — on our timeline, in writing.

This is not the cheapest possible architecture. Keeping the audio would be free in storage cost and would let us improve our models more quickly using user data. We chose the more expensive path because the use case demanded it. Voice data is intimate. People speak half-finished thoughts, worries they have not told anyone, plans they are embarrassed to write down. The product asks the user to be vulnerable in a way that text input does not. The privacy posture has to match the vulnerability.

The intimacy of voice goes beyond content. Voice carries emotional state — trembling, hesitation, relief, frustration — in ways that text does not. A typed task "call therapist" is neutral. A spoken capture where the user's voice cracks while saying "I need to call my therapist, I keep putting it off" carries information the user did not consciously choose to share. Retaining that audio indefinitely would mean retaining emotional artifacts the user never intended to store. The twenty-four-hour window respects the difference between what the user meant to externalize (the task) and what they incidentally revealed (the emotional context). We keep the former and delete the latter.

There is also a chilling effect to consider. If users believe their voice recordings are stored permanently, they self-censor. They capture fewer personal thoughts, fewer vulnerable moments, fewer of the half-formed worries that are often the most important things to externalize. The product becomes less useful precisely because it retained too much. Deletion-first is not just a privacy feature — it is a product feature. Users who trust the deletion policy capture more freely, which means the tool does its job better.

## What "delete" actually means

Deletion in KeptMind is not a soft flag. The audio is removed from primary storage, removed from backups within seven days, and is not present in any model training corpus at any point. Our infrastructure provider rotates encryption keys regularly; once a key is rotated, the prior data becomes cryptographically inaccessible even if a backup were somehow retained.

The text version of the capture stays under your account. That is what the user actually wanted out of the recording — the externalized thought, structured as a next step. The audio was scaffolding. The text is the product.

## What we do not do

We do not train third-party models on your voice for sale or licensing. Your captures are not part of a corpus that becomes a generic speech model.

We do not show advertising. We do not have advertising customers, partners, or contracts. The business model is straightforward subscription pricing.

We do not sell aggregated data. There is no anonymization-then-resale pipeline. The data simply does not leave the systems that serve your account.

We do not do anything with the audio that we have not described to you in the privacy policy. The privacy policy is short on purpose. Short policies are policies people can actually read, and policies people can read are the only ones that meaningfully constrain a company.

The length of a privacy policy is itself a signal. A ten-thousand-word policy is not more protective than a one-thousand-word policy — it is more obscuring. Length creates the illusion of thoroughness while ensuring that no user will ever read the document end to end. We wrote ours to be readable in under five minutes, with plain language, no legal jargon where avoidable, and a table of contents that lets you jump to the section you care about. If we cannot explain a data practice in plain English, we probably should not be doing it.

We also publish a data-flow diagram alongside the policy. It shows exactly where audio goes after you press the capture button: from your device to our processing endpoint, through the transcription service, into the task extraction layer, and then to deletion. The diagram is not a legal document — it is a trust document. It exists because "we delete your audio" is a claim, and claims without evidence are just marketing.

## The opt-in for longer retention

Some users want their voice captures searchable for longer than twenty-four hours. The opt-in to longer retention exists for them. It is off by default. It is a single toggle in Settings → Privacy. When enabled, audio is retained for thirty days for your search and replay only — never for our model training.

We default to delete because most people do not think about data retention until they should have. The thirty-day option is for the smaller group of users who actively want it, after considering the trade-offs. Defaults are policy. The default we ship sets the floor.

The design of the opt-in itself reflects our privacy philosophy. The toggle is not buried in a sub-menu or presented during onboarding when the user is clicking through screens without reading. It lives in Settings → Privacy, clearly labeled, with a one-sentence explanation of what changes when you enable it. We do not use dark patterns — no pre-checked boxes, no "recommended" labels, no friction on the path to shorter retention. The default is the private option, and changing it requires a deliberate, informed action. About 15% of users enable longer retention; the rest either prefer deletion or never think about it, which is exactly the outcome a good default should produce.

## What about transcription accuracy?

A reasonable concern: if you delete the audio in twenty-four hours, what happens when the transcription is wrong and you discover it later? You lose the ability to verify against the source.

In practice this is a smaller problem than it sounds. The transcription is shown to you immediately after capture, before the structured task is saved. You can correct it on the spot. The window where you might want to revisit the audio after the fact — to argue that the AI misheard — is short and rare. Within twenty-four hours you have the audio. After that, the text is what was committed.

For users who want a longer audit window, the thirty-day opt-in covers the realistic range. We do not believe a multi-year audio retention policy serves the user. It serves the company.

## On model training

Training generative models on user voice without consent is one of the bright lines we will not cross. There are companies that do — that record voice "to improve the service" and use it ambiguously across product categories. KeptMind is not one of them.

If we ever needed user data to train a model, we would ask explicitly, scope narrowly (e.g. transcription quality only), make the opt-in clearly differentiable from the core feature, and let users opt out without losing functionality. None of this is currently in the product. If it ever is, you will see it on a separate consent screen, not buried in a terms-of-service update.

## Export and deletion

You can export your KeptMind data — captures (text), tasks, energy logs, nudge history — at any time. The export is a JSON file that any text editor can read. Account deletion removes everything. Both flows are documented in Settings.

We commit to honoring deletion within thirty days, including from backups. The exact mechanics are documented in the privacy policy. We update that policy infrequently, and when we do, the change is announced in advance via email.

## Frequently asked questions

### How long is voice stored?

Deleted within 24 hours unless you opt into longer retention in settings (30-day option, off by default). Backups are purged within seven days of primary deletion.

### Do you train AI models on my voice?

No. We do not train any generative or third-party model on your voice. The transcription model that processes your audio is the same off-the-shelf model serving every user; your data does not improve it.

### What about the transcribed text?

The text stays under your account until you delete it or export it out. Deleting your account removes the text everywhere. The text is yours.

### Where is the data stored?

Inside the EU on infrastructure compliant with GDPR. Specific provider and region details are listed in the privacy policy and the data processing agreement available on request for business users.

### What happens if I delete a single capture?

It is removed immediately from your account view, scrubbed from primary storage within minutes, and from backups within seven days. The same applies to any structured task that was created from that capture if you delete the task.

## Related reading

If this article was useful, these related guides cover adjacent ground and are worth reading next:

- [ADHD Productivity Apps 2026](/blog/adhd-productivity-apps-2026) - [Voice To Task ADHD Guide](/blog/voice-to-task-adhd-guide) - [Executive Dysfunction ADHD Guide](/blog/executive-dysfunction-adhd-guide)

Each of the linked articles approaches the topic from a slightly different angle, and reading two or three of them together usually produces a more complete picture than any single article can. The shared underlying neurology means that improvements in one area often unlock progress in others, which is why the topics interconnect even when they appear separate at first glance.