Security

DuckType can run local transcription on your device. Local dictations, local recordings, shortcuts, dictionaries, and settings remain on your device unless you choose a feature that sends data to DuckType or another provider.

DuckType Cloud sends only the data needed for the requested transcription or AI feature through DuckType infrastructure and relevant processors. The desktop cloud transcription path is designed not to persist recordings or transcript content in the DuckType API path.

• Accounts support email verification, passkeys, two-factor authentication, and social sign-in providers.
• Dashboard routes validate sessions server-side before account data is shown.
• Sign-in tokens are treated as sensitive and are redacted from privacy mode displays.

Product analytics are optional. DuckType telemetry uses event names, coarse settings, and performance metrics. It does not include dictation text, recordings, API keys, full file paths, or custom prompt content.

The desktop app includes controls for deleting local dictations, recordings, scratchpad data, skill results, and statistics. Account deletion is confirmed by email and removes cloud account data subject to limited records needed for billing, security, abuse prevention, or legal obligations.

Report security concerns to hello@app.duck-type.com. Please include enough detail to reproduce the issue, but do not include secrets, unnecessary personal data, or third-party data you do not have permission to share.