Privacy Policy

Subtext is a macOS app that turns your iMessage history with someone you choose into a “Wrapped”-style retrospective. This document explains what data the app touches and what leaves your Mac.

We've tried to write this in plain English. If anything's unclear, email hello@subtext.st.

The short version

Subtext analyzes your messages using a cloud AI provider. You choose how:

• Hybrid mode — names, phone numbers, emails, and addresses are scrubbed on your Mac before the cleaned text is sent to the cloud provider. Best effort, not perfect.
• Cloud mode — your message content is sent to the cloud provider as-is, no scrubbing.

In both modes, message content passes through our backend on its way to the AI provider. We don't store it. We don't have user accounts. We send anonymous usage events that you can opt out of.

What Subtext accesses on your Mac

For the app to work, you may need to grant:

• Full Disk Access — required to read your iMessage database at ~/Library/Messages/chat.db. The app reads from it and never writes to it.
• Contacts— used to display contact names instead of phone numbers in the conversation picker. If you decline, the app still works; you'll see handles instead of names.

You can revoke any permission at any time in System Settings → Privacy & Security.

Hybrid mode

If you choose Hybrid mode:

1. Local PII redaction.Before any text leaves your Mac, a local model scrubs names, phone numbers, email addresses, postal addresses, and other identifiers it detects. Detected names are replaced with placeholders such as “Person A” or “[name]”.
2. Best-effort caveat.Automated PII redaction is imperfect. Models miss things — uncommon names, nicknames, indirect references, names embedded in URLs, contextual mentions, misspellings, and identifiers we haven't anticipated. We make a reasonable effort but cannot guarantee that every identifier is removed. By using Hybrid mode, you accept that some personally identifying information may pass through to the cloud AI provider.
3. Transmission. The scrubbed text and aggregated stats (counts, dates, frequencies) are sent over HTTPS to our server backend, which proxies the request to a cloud AI provider.

Cloud mode

If you choose Cloud mode:

1. No scrubbing. Your message content is sent as-is to our backend over HTTPS, which proxies it to a cloud AI provider. Names, phone numbers, addresses, and any other identifying information in your messages will be visible to the AI provider.
2. Tradeoff. Cloud mode produces higher-quality analysis but provides less privacy than Hybrid mode. Choose deliberately. The choice is presented before any data is sent, and can be changed at any time in app settings.

Our backend

In both modes, requests pass through our servers on the way to the AI provider. We do this so we can rate-limit, route to different providers, and protect our API keys. Our servers:

• Process requests in memory and forward them to the AI provider
• Do not persist message content, scrubbed text, or analysis results
• Log only anonymized request metadata (timestamp, install ID, status code, response size) for rate-limiting and debugging
• Discard message content immediately after the provider responds

Cloud AI providers

We currently use Anthropic's Claudefor analysis. We may use it via Anthropic's API directly, and we may add or substitute other comparable providers (such as OpenAI or Google) over time as we evaluate quality and cost.

Whichever provider receives your request:

• We send requests using configurations that disable provider-side training on your datawhere the provider supports this (e.g., Anthropic's standard API terms).
• We send requests with retention disabled or minimized where the provider supports it.
• We do not consent to your data being used for model training on your behalf.

Each provider has its own privacy practices that apply once data reaches them. As of this writing:

• Anthropic — anthropic.com/legal/privacy
• Additional providers, if added, will be listed here when they are.

We will update this document when we change providers or add new ones. Material changes will be announced in-app.

What we store on our servers

We store:

• A random install ID generated on your device (a UUID, not derived from any personal information)
• A bearer token issued to your install for API authentication
• Anonymous request logs: timestamps, install ID, status, response size — used for rate limiting and debugging
• Aggregated counts used for monitoring (e.g., total requests this week)

We do not store:

• Message content (raw or scrubbed)
• Contact names, phone numbers, or other contact information
• Analysis results
• IP addresses (we discard these after rate-limit checks)
• Any data that identifies you personally

Anonymous usage analytics

To understand how Subtext is used, we send anonymous events from the app:

• App installed
• Mode chosen (Hybrid / Cloud)
• Run started / completed / cancelled
• Share action used

These events are associated with your random install ID, not with you personally. We use them in aggregate.

You can opt out of analytics in Settings → Privacy in the app. The app continues to function normally if you do.

Sharing

Subtext can export individual slides as PNG images. By default, image export is fully local — the file is saved or copied to your clipboard, and Subtext does not see what you do with it.

If we add a server-hosted “share via link” feature in the future, this section will be updated to describe what is uploaded, how to revoke shares, and how long they are retained. As of this writing, no such feature is enabled.

Children

Subtext is not intended for users under 17. We do not knowingly collect data from anyone under 17. If you are under 17, please do not use Subtext. If we learn that we have collected data from someone under 17, we will delete it.

Your rights

Because we don't collect identifying information, we have nothing tied to you specifically that we could retrieve, correct, or delete. If you want us to revoke your install token (which will stop the app from making cloud requests under your current install), email hello@subtext.stwith your install ID (visible in app Settings) and we'll revoke it within a reasonable time.

Security

We use industry-standard practices: HTTPS for all network requests, server-side keys stored in secrets management, signed app binaries, and the macOS Keychain (Data Protection Keychain) for storing your install token locally.

No system is perfectly secure. If you discover a security issue, email hello@subtext.st.

Changes to this policy

We may update this policy. Material changes will be announced in-app and the “Last updated” date at the top will change. Continuing to use Subtext after a change means you accept the updated policy.

Contact

Questions, concerns, or revocation requests: hello@subtext.st

Subtext is a project by The Human Prior, Inc.