Privacy

Private by default. Explicit when Cloud is used.

Tonecast has two modes: direct BYOK mode, where requests go from your Mac to your AI provider, and optional Tonecast Cloud, where Tonecast processes requests for users who do not want to manage API keys.

How Tonecast processes your data

Tonecast runs entirely on your Mac as a native application. When you activate it, it reads the conversation on your screen using browser APIs, accessibility APIs, or screenshot analysis depending on the app. This happens locally on your machine.

In direct BYOK mode, conversation text is sent from your Mac to the AI provider you configure. In Tonecast Cloud mode, request content is sent to Tonecast servers, then forwarded to our AI subprocessors so we can provide managed generation and transcription.

Bring Your Own Key (BYOK)

Tonecast uses a BYOK model. You provide your own API keys for Anthropic and Groq (or other supported providers). API calls are made directly from your Mac to the provider using your key. We never see your API keys, your prompts, or the responses.

This means your data is governed by your agreement with the AI provider, not ours. Anthropic's API does not use your data for training. Groq's API does not use your data for training. You can verify this in their respective privacy policies.

Tonecast Cloud

Tonecast Cloud is optional. If you enable it, Tonecast processes the content needed to complete your request. This can include selected text, email or chat context, voice-profile snippets, recipient/contact context, and microphone audio for transcription.

We do not store raw prompts, generated replies, transcripts, or audio by default. We keep account, billing, device, entitlement, and usage metadata so the service can authenticate users, enforce spend caps, prevent abuse, and provide support.

Tonecast Cloud is hosted in the United States at launch. Users outside the United States may use the service, but request data may be processed in the United States and by subprocessors listed on our Subprocessors page.

What's stored on your Mac

All Tonecast data is stored locally at ~/Library/Application Support/Tonecast/:

  • API keys - stored as plain text files on disk, not transmitted anywhere
  • Voice profiles - markdown files describing your writing style, per channel and per contact
  • User preferences - your settings, model choices, and feature toggles
  • Usage statistics - local token counts for your own cost tracking
  • Debug logs - diagnostic output that stays on your machine

In BYOK mode, no Tonecast account or server sync is required. If you delete the application support folder, local Tonecast data is gone permanently. Tonecast Cloud account and billing records are handled separately through the account console and Stripe.

Gmail access and Google API usage

The Tonecast macOS app can optionally connect your Google account to provide context-aware reply drafts for Gmail (the app's "Reply" feature). When you connect Gmail, Tonecast uses the Gmail API with the single read-only scope https://www.googleapis.com/auth/gmail.readonly, solely so it can generate a relevant draft reply to the message you are currently viewing. Tonecast requests read-only access only and cannot send, modify, label, or delete your email.

What Google user data Tonecast accesses. When you trigger the Reply feature on an open Gmail message, Tonecast reads only the data needed to draft that one reply:

  • Message content - the subject line and body text of the email thread you are actively viewing
  • Message headers - the sender, recipient, and other addressees (To/Cc) and the timestamp of that thread, used to address the draft correctly
  • Your Google account email address - returned during sign-in to identify which account is connected

Your email data is processed on your device. Tonecast does not store your email content on its servers, does not sell or transfer it to third parties, does not use it for advertising, and does not use it to train generalized AI models. OAuth tokens for your Google account (including the refresh token) are stored locally on your Mac in access-restricted files (0600 owner-read/write-only permissions) under ~/Library/Application Support/Tonecast/gmail/tokens/, not on Tonecast servers. Because these are local files rather than the macOS Keychain, they are not hardware-backed: any process running as your macOS user, or an unencrypted device backup, could read them. We recommend full-disk encryption (FileVault) and excluding this folder from untrusted backups.

Tonecast does not read your full mailbox, your contact list, your Google profile beyond the account email address, attachments, or any message other than the thread you are actively replying to. It does not access any other Google service (Drive, Calendar, Contacts, etc.).

How Tonecast protects this data. Google user data is treated as sensitive data and is protected with the following mechanisms:

  • Encryption in transit - all requests to the Gmail API and any traffic to Tonecast Cloud are sent over HTTPS/TLS
  • Access-restricted credential storage - OAuth access and refresh tokens are stored in owner-only (0600) files on your Mac and are never transmitted to third parties; they remain on your device. As noted above these local files are not hardware-backed, so we recommend enabling FileVault full-disk encryption
  • No server-side retention of content - in direct (BYOK) mode email content is processed entirely on your Mac and never reaches Tonecast servers; in optional Tonecast Cloud mode it is relayed over TLS on a zero-retention basis - used only to generate the draft, held in memory for the duration of the request, and not stored, logged, or used for any other purpose
  • Least-privilege access - only the read-only scope is requested, and content is read on demand when you trigger Reply, never continuously monitored
  • Access controls and revocation - access is limited to the authenticated account holder; you can revoke Tonecast's access at any time by disconnecting your Google account in the app or via your Google Account permissions, which deletes the stored tokens and removes Tonecast's access to your Gmail data

Tonecast does not sell or transfer your Google user data to third parties, does not use it for advertising, and does not use it to train generalized or personalized AI models. Connecting Gmail is entirely optional.

Limited Use:Tonecast's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Screen reading and accessibility

Tonecast reads on-screen content through three methods depending on the app:

  • Browser DOM - JavaScript injection in Chrome to read email/chat UI elements
  • Accessibility APIs - macOS AX framework to read app content (WhatsApp, Slack, iMessage)
  • Screenshot + Vision - screen capture analyzed by AI when other methods aren't available

All three methods operate locally. Screen content is read on demand when you press a hotkey - Tonecast does not continuously monitor or record your screen. The content is held in memory only long enough to generate a response, then discarded.

Telemetry and diagnostics

The native app does not send product analytics in direct BYOK mode. Tonecast Cloud records metadata needed to operate the paid service, such as request IDs, provider usage, estimated cost, device IDs, account status, and error codes. Raw content is not intentionally logged.

If browser analytics are added to tonecast.ai, they should be disclosed and gated where legally required.

Deleting your data

To delete all Tonecast data, remove the application support directory:

rm -rf ~/Library/Application\ Support/Tonecast/

This removes your API keys, voice profiles, preferences, and local usage data. Tonecast Cloud users can request account deletion from the account console or by contacting support. Deletion revokes devices and cancels active billing before account records are removed or anonymized.

Your rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to processing of personal data. You can contact us to exercise those rights. We aim to respond to verified requests within 30 days.

Subprocessors

Tonecast Cloud relies on third-party subprocessors for hosting, authentication, billing, AI inference, observability, and transactional email. The current list is published at /subprocessors.

Transparency

We aim to be plain about how Tonecast handles your data. The behaviour described in this policy - what we store, what we don't, and where your data goes - is exactly how the app is built. If anything here is unclear, ask us and we will explain it.

Contact

Tonecast is built by Codefox AI. If you have questions about privacy or data handling, reach out at privacy@codefox.ai.

Last updated: June 23, 2026