Last updated July 7, 2026
This Privacy Notice for Mb Core Habits ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you: download and use our desktop application Typally (the "App"); visit our website typally.com and use the free browser tools available on it (the "Site"); or engage with us in other related ways, including any sales, marketing, or events.
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by using the table of contents below to find the section you are looking for.
What personal information do we process? When you use our Services, we process the information needed to operate your account and subscription: your email address, your subscription status, and monthly usage counters. What you create with Typally — your transcripts, dictation history, statistics, and coaching data — stays on your device and is not stored on our servers. Learn more in "WHAT INFORMATION DO WE COLLECT?"
How is my voice handled? Audio you dictate or upload is sent over an encrypted connection to our backend and relayed to our speech-recognition provider solely to convert it to text. The audio is processed transiently and is not retained after transcription. Learn more in "VOICE AND AUDIO DATA."
Do we process any sensitive personal information? We do not ask for sensitive personal information. Because you control what you say, your dictation may incidentally contain any kind of information; it is processed transiently to produce your transcript and is not stored by us.
Do we collect any information from third parties? We do not collect any information about you from third parties. Our payment provider (Stripe) shares transaction metadata with us so that we can manage your subscription.
How do we process your information? We process your information to provide, improve, and administer our Services, to manage accounts and subscriptions, to enforce usage limits, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal reason to do so.
In what situations and with which types of parties do we share personal information? We share information only with the service providers needed to operate the Services — currently our AI infrastructure provider (Groq), our authentication and database provider (Supabase), our payment processor (Stripe), and our hosting providers (Fly.io and Cloudflare). We do not sell your personal information.
How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information, including encryption of data in transit. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.
What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.
How do you exercise your rights? The easiest way to exercise your rights is by contacting us at [email protected]. We will consider and act upon any request in accordance with applicable data protection laws.
WHAT INFORMATION DO WE COLLECT? · HOW DO WE PROCESS YOUR INFORMATION? · WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION? · WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? · VOICE AND AUDIO DATA · FREE BROWSER TOOLS · IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY? · HOW LONG DO WE KEEP YOUR INFORMATION? · HOW DO WE KEEP YOUR INFORMATION SAFE? · DO WE COLLECT INFORMATION FROM MINORS? · WHAT ARE YOUR PRIVACY RIGHTS? · CONTROLS FOR DO-NOT-TRACK FEATURES · DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS? · DO WE MAKE UPDATES TO THIS NOTICE? · HOW CAN YOU CONTACT US ABOUT THIS NOTICE? · HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
In Short: We collect the personal information needed to operate your account and subscription.
Account Information. To use the App you create an account with an email address and a password. Passwords are stored only as secure cryptographic hashes by our authentication provider (Supabase); we never see or store your plaintext password.
Email Address and Communications. When you contact us (for example, by email at [email protected]), we collect your email address and the contents of your message in order to respond to you. We may also use your account email address to send you transactional messages about your account and subscription (such as receipts, renewal notices, or important service announcements). We do not send marketing email without your consent, and every marketing message would include an easy way to unsubscribe.
Payment Data. We may collect data necessary to process your payment if you choose to subscribe. All payment data is handled and stored by Stripe. We never receive your payment card details — only transaction metadata such as the product purchased, the amount, and the subscription status. You may find Stripe's privacy notice here: https://stripe.com/privacy.
Usage Counters. To enforce fair-use limits, we record aggregate usage counters associated with your account: minutes of audio transcribed and the number of AI feature calls per calendar month. These counters contain no content — no audio, no text.
The following content is created and stored locally, in the App's private storage on your computer, and is not transmitted to or stored by us: your transcripts and dictation history; your usage statistics and insights; your daily and weekly summaries; your speech-coaching analyses and score history; your custom vocabulary; and your app settings, hotkey configuration, and preferences. This content is removed when you delete it in the App or uninstall the App and its data. Because this content never reaches our servers, we cannot access, restore, or recover it — please make your own backups if it matters to you.
In Short: Limited technical information is processed automatically when you use our Services.
Like most online services, our servers automatically process basic technical information when the App or Site communicates with them, such as your IP address, request timestamps, and request outcomes. We use this information to operate the Services, to enforce rate limits and daily limits on the free tools (using a short-lived, in-memory counter per IP address), and to detect and prevent abuse. We do not currently use third-party analytics, advertising trackers, or advertising cookies on the Site or in the App. We do not collect your precise location, contacts, files, or the contents of your screen or clipboard.
In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes only with your prior explicit consent.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including: To deliver and facilitate delivery of services to the user. We process your audio transiently to convert it to text, and your transcripts transiently to produce the polish, summaries, and coaching feedback you request; the results are returned to your device. To manage accounts. We process your email address and credentials so you can sign in and use your subscription. To manage subscriptions and billing. We process transaction metadata from Stripe to determine your subscription status and entitlement. To enforce usage limits. We process usage counters and IP-based rate information to enforce fair use and free-tool limits. To improve our Services. We may review aggregate, non-content operational metrics (such as call volumes and latency) to improve reliability. For security and fraud prevention. We may process technical information to protect the Services against abuse. To comply with law. We may process your information where necessary to comply with our legal obligations.
In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.
If you are located in the EU or UK, this section applies to you. The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information: Performance of a Contract. Most of our processing — operating your account, transcribing your audio, managing your subscription, enforcing the usage terms you agreed to — is necessary to fulfill our contractual obligations to you. Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose, such as receiving marketing email. You can withdraw your consent at any time. Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests — such as securing the Services, preventing abuse of the free tools, and improving reliability — and those interests do not outweigh your interests and fundamental rights and freedoms. Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as tax and accounting requirements applicable to payments, to cooperate with a law enforcement body or regulatory agency, or to exercise or defend our legal rights. Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party.
If you are located in Canada, this section applies to you. We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.
In Short: We share information only with the service providers needed to operate the Services, in the specific situations described in this section.
Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organization apart from us, and they commit to protect the data they hold on our behalf and to retain it only for the period we instruct.
The categories of third parties we may share personal information with are as follows: AI and Machine Learning Infrastructure Providers — currently Groq, Inc. — which transiently receive the audio you dictate or upload in order to convert it to text, and the transcript text in order to produce the polish, summaries, and coaching feedback you request; audio and text are processed to serve your request and are not retained by us after processing. Authentication and Database Services — currently Supabase — which store your account email, password hash, subscription status, and usage counters. Payment Processing Services — currently Stripe — which process your payments and hold your billing details; Stripe acts as an independent controller of the payment data it collects. Cloud Computing and Infrastructure Services — currently Fly.io (which hosts our backend) and Cloudflare (which hosts the Site and provides networking services); these providers process technical traffic data as part of hosting. Software Distribution Services — currently GitHub — which host the App's installer downloads and automatic updates; when the App checks for or downloads updates, GitHub processes standard technical request data.
We also may need to share your personal information in the following situations: Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. Legal Obligations. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
We do not sell your personal information, and we have not sold or shared personal information for advertising purposes. We do not use your audio or transcripts to train AI models, and our contracts with providers do not permit them to use your content for training.
Voice is the core of Typally, so we want to be precise about how it is handled. The App records audio only while you actively invoke recording — for example, while you hold the push-to-talk hotkey or after you deliberately start a recording — and when you upload an audio file for transcription. Recording is always user-initiated; the App does not listen in the background.
When you dictate or upload audio, the audio is sent over an encrypted connection (TLS) to our backend, which relays it to our speech-recognition provider (currently Groq) solely to convert it to text. The transcript is returned to your device, where it is typed into your target application and/or saved into your local history according to your settings. The audio itself is processed transiently in memory and is not written to storage on our servers; it is not retained after transcription by us. Similarly, when the App produces AI polish, summaries, or coaching feedback, the relevant transcript text is sent to the same provider transiently to generate the result and is not stored server-side by us.
Voice characteristics can be biometric in nature. We do not perform speaker identification, voice printing, or biometric analysis of any kind; your audio is used exclusively to produce text. If you record audio that includes other people, you are responsible for complying with applicable recording-consent laws, as described in our Terms of Use.
The free tools on the Site (audio-to-text converter and online voice-to-text) work the same way as the App: your audio is sent over an encrypted connection to our backend, relayed to our speech-recognition provider for transcription, and discarded after the text is returned. The resulting text exists only in your browser tab; we do not store it. No account is required. To enforce daily limits, we keep a temporary, in-memory counter per IP address; this counter is not written to disk and resets at least daily.
In Short: We may transfer, store, and process your information in countries other than your own.
Our service providers are located in the European Union, the United States, and other countries. In particular, account data is stored in the European Union (Ireland), our backend runs in the European Union (Sweden), and speech recognition is performed on infrastructure in the United States. If you are accessing our Services from other countries, please be aware that your information may be transferred to, stored by, and processed in the facilities of the third parties with whom we share your personal information (see "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?" above).
If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then some of these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law. In particular, we rely on the European Commission's Standard Contractual Clauses and/or adequacy decisions (including the EU–US Data Privacy Framework, where applicable) for transfers of personal information to our third-party providers outside the EEA. These mechanisms require recipients to protect personal information originating from the EEA in accordance with European data protection laws and regulations. Further details can be provided upon request.
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). In practice: audio is not retained at all after transcription; account data (email, password hash) is kept while your account exists and deleted when your account is deleted; subscription records and transaction metadata are kept for as long as required for tax and accounting purposes; usage counters are kept per calendar month for entitlement enforcement; and server logs containing IP addresses are retained only briefly for security and operations. Content stored on your device is kept until you delete it or uninstall the App. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
In Short: We aim to protect your personal information through a system of organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process, including encryption of all data in transit (TLS), secure credential storage (password hashing by our authentication provider, and operating-system credential storage for session tokens on your device), scoped access credentials for our infrastructure, and server-side enforcement of authentication on every request. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
In Short: We do not knowingly collect data from or market to children under 16 years of age or the equivalent age as specified by law in your jurisdiction.
We do not knowingly collect, solicit data from, or market to children under 16 years of age or the equivalent age as specified by law in your jurisdiction, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 16 or the equivalent age as specified by law in your jurisdiction, and that if you are under 18 you use the Services with the permission and supervision of a parent or guardian. If we learn that personal information from users under 16 years of age or the equivalent age as specified by law in your jurisdiction has been collected, we will take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 16 or the equivalent age as specified by law in your jurisdiction, please contact us at [email protected].
In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information.
In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.
We will consider and act upon any request in accordance with applicable data protection laws.
If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority. Our processing is supervised by the State Data Protection Inspectorate of the Republic of Lithuania (vdai.lrv.lt). If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Account deletion: You can request deletion of your account and all associated server-side data (account, subscription record, usage counters) at any time by emailing us at [email protected]. Content stored on your device is under your direct control and can be deleted in the App or by uninstalling it.
If you have questions or comments about your privacy rights, you may email us at [email protected].
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online — noting that we do not employ tracking on the Site in the first place. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice. California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.
In Short: If you are a resident of California, Colorado, Connecticut, Utah, Virginia, or certain other US states, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. More information is provided below.
Categories of Personal Information We Collect. In the past twelve (12) months, we have collected the following categories of personal information, as described in more detail in "WHAT INFORMATION DO WE COLLECT?": Identifiers (email address; account identifier; IP address in transient server logs) — YES. Personal information as defined in the California Customer Records statute — NO. Protected classification characteristics under state or federal law — NO. Commercial information (transaction metadata about subscriptions, handled by Stripe) — YES. Biometric information — NO; we do not perform voice identification or biometric analysis. Internet or other similar network activity (usage counters; transient technical logs) — YES. Geolocation data (precise device location) — NO. Audio, electronic, sensory, or similar information — processed transiently only, as described in "VOICE AND AUDIO DATA"; not retained. Professional or employment-related information — NO. Education information — NO. Inferences drawn from collected personal information — NO. Sensitive personal information (account log-in credentials, held as a password hash by our authentication provider) — YES, solely to authenticate you.
We will use and retain the collected personal information as needed to provide the Services or as described in "HOW LONG DO WE KEEP YOUR INFORMATION?" We may also collect other personal information outside of these categories where you interact with us directly, for example through customer support channels.
Will your information be shared with anyone else? We may disclose your personal information to our service providers pursuant to a written contract between us and each service provider, as described in "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?" We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months.
Your Rights. You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include: Right to know whether or not we are processing your personal data. Right to access your personal data. Right to correct inaccuracies in your personal data. Right to request the deletion of your personal data. Right to obtain a copy of the personal data you previously shared with us. Right to non-discrimination for exercising your rights. Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling") — we do not engage in these activities. Depending upon the state where you live, you may also have the right to obtain a list of the categories of third parties to which we have disclosed personal data, and the right to limit use and disclosure of sensitive personal data.
How to Exercise Your Rights. To exercise these rights, you can contact us by emailing us at [email protected]. Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.
Request Verification. Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system — typically by confirming control of the email address associated with your account. We will only use personal information provided in your request to verify your identity or authority to make the request.
Appeals. Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at [email protected]. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.
California "Shine The Light" Law. California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. We do not disclose personal information to third parties for their direct marketing purposes. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?"
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.
If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:
Mb Core Habits
Republic of Lithuania
Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. Most of the content you create with Typally is stored only on your device and can be deleted directly in the App or by uninstalling it. To request to review, update, or delete the personal information we hold server-side — your account, subscription record, and usage counters — please email [email protected].