Through Compose

← Back to home

Privacy Policy

Last updated: June 14, 2026 · Closed beta

This Privacy Policy explains how Through Compose (the “Service,” “we,” “us,” or “our”) collects, uses, and shares information. Through Compose is a macOS application and related website (throughcompose.com) that let you control your Mac by voice — including dictation, on‑screen assistance, an autonomous background agent, and optional control of your Mac from your phone. During the closed beta, the Service is provided by Philippe Mallette, an individual based in California, USA. Questions or requests: hi@throughcompose.com.

Privacy at a glance

• Your voice is processed on your Mac. Audio is transcribed locally and is never uploaded to us or stored on our servers.

• We don’t store the text you dictate. Transcripts stay on your device.

• When you ask the assistant to do something, we send what it needs (relevant text and/or screenshots) to a third‑party AI provider to fulfill your request. This is the core of how the product works.

• We don’t sell your data, and we don’t use your content to train AI models.

• We keep minimal account and usage records — your email, and metadata about how much you use the Service — not the content of your requests.

• This is beta software. Avoid using it for highly sensitive or irreversible tasks without supervision.

1. Who this policy covers

This policy applies to the Through Compose macOS app (including the dictation, computer‑use, agent, and phone‑relay features) and the throughcompose.com website. It does not cover third‑party services you reach through the Service — for example, the websites or apps the assistant interacts with on your behalf, or AI providers you connect with your own API key. Those are governed by their own policies.

2. Information we collect

Account information. When you sign in, we use Google Sign‑In through our authentication provider (Supabase). We receive your email address and basic Google account identifier, plus authentication tokens to keep you signed in. Your refresh token is stored in the macOS Keychain on your device; short‑lived access tokens are held in memory. We never receive your Google password.

Voice and audio. Microphone audio is captured only while you activate dictation and is held in memory on your device. Transcription runs on your Mac using a local speech‑to‑text model. Audio is not sent to us or any cloud service, and it is not written to disk. We do not store transcript text.

Content you ask the assistant to act on. To deliver its core features, the Service sends the instruction text derived from your voice or typing, screenshots of your screen (when computer‑use or agent features need to see what you see), and relevant task context to a third‑party AI provider. Screenshots are used to answer your request and are not stored by us. By default requests route through our secure proxy using our API key; if you choose “bring your own key” (BYOK), your requests go directly to the provider you configured.

Usage and billing metadata. For each completed AI request routed through our proxy, we record metadata (not content) — your user ID, the model used, token counts, computed cost, a request identifier, the request source/type, and a timestamp — to operate the free‑beta credit system and prevent abuse. We do not store your prompts, audio, or screenshots in this log.

Phone‑relay data (optional). If you pair your phone to control your Mac, text and screenshots/status updates are relayed between the two devices through our relay infrastructure (Cloudflare). The connection is encrypted in transit (TLS/WSS). During the closed beta the relayed payload is not yet end‑to‑end encrypted, so please avoid relaying highly sensitive content until it is. Pairing tokens for trusted phones are stored locally on your Mac.

Stored locally on your device. The app writes certain files to your Mac (not to us), including settings, downloaded AI models, paired‑phone tokens, and — only if you explicitly enable an off‑by‑default debug setting — saved screenshots for troubleshooting.

Support, feedback, and website analytics. If you email us or send beta feedback, we keep that correspondence to respond and improve the product. The app uses no advertising cookies; the website may use privacy‑friendly, cookieless analytics to understand aggregate traffic. We do not use cookies to track you across other websites.

3. How we use information

We use the information above to provide and operate the Service (transcribe your voice locally, fulfill computer‑use and agent requests, and relay between your devices); to authenticate you; to enforce free‑beta limits and prevent abuse; to provide support; to improve the Service using your feedback and de‑identified usage metrics (not your prompts, audio, or screenshots); and to comply with the law. We rely on your consent (for example, the macOS microphone and screen permissions you grant), the need to perform our agreement with you, and our legitimate interests as legal bases where applicable.

4. AI providers and sub‑processors

The Service depends on third parties to function. We share only what each needs for its role, and we require our providers to protect your information. We do not sell your data, and we do not use your content to train AI models. The providers that process your requests do so under their own terms:

• Google — sign‑in (OAuth): basic identity and email.

• Supabase — authentication and database: email, user ID, usage metadata.

• Cloudflare — proxy and phone‑relay infrastructure: requests in transit; does not store request content.

• OpenRouter — default AI gateway: instruction text and screenshots needed to fulfill a request.

• Moondream — optional cloud visual‑grounding (off by default; on‑device by default): screenshots, when enabled.

• Upstash — rate limiting: user ID in short‑lived counters.

• Hugging Face — model downloads to your device: a download request from your device; no request content.

We do not currently use a payment processor (the beta is free). If you use BYOK, the AI provider you configure receives your requests directly under your own account and their privacy policy, and the list above does not apply to those requests.

5. How we share information

We share information only with the service providers above (to operate the Service), for legal reasons (if required by law or valid legal process, or to protect rights, safety, and security), or in a business transfer (if the Service’s assets are involved in a merger, acquisition, or similar transaction, in which case this policy will continue to apply). We do not sell your personal information, and we do not share it for cross‑context behavioral advertising.

6. Data retention and deletion

Audio is never retained (processed in memory on your device). Transcript text is not retained by us. Account data (email, profile) is retained while your account is active. Usage metadata is retained while your account is active and for a reasonable period afterward for security, accounting, and abuse‑prevention, then deleted or aggregated. Local files remain on your device until you delete the app’s data or uninstall.

You can request deletion of your account and associated data by emailing hi@throughcompose.com. We will action verified deletion requests within 30 days, except where we must retain certain information to comply with law.

7. Security

We use industry‑standard measures to protect your information, including encryption in transit (TLS/HTTPS, WSS), storage of your refresh token in the macOS Keychain, isolation of our API keys on the server so they are never shipped in the app, and row‑level security so you can only access your own records. No method of transmission or storage is perfectly secure, and this is beta software — please keep that in mind when deciding what to do with it.

8. Your privacy rights

Depending on where you live, you may have rights regarding your personal information. If you are in the EEA/UK (GDPR): access, rectification, erasure, restriction, data portability, and objection to processing. If you are in California (CCPA/CPRA): the right to know, access, delete, and correct your information, and to opt out of “sale” or “sharing” (we do not sell or share your information for advertising). To exercise any right, email hi@throughcompose.com from the address associated with your account so we can verify the request.

9. International users

We are based in the United States, and our service providers may process information in the United States and other countries. If you access the Service from outside the U.S., you understand that your information will be processed in the U.S., where data‑protection laws may differ from those in your country.

10. Children

The Service is not directed to children under 16, and you must be at least 16 years old to use it. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.

11. Changes to this policy

We may update this policy as the product evolves (for example, when we add end‑to‑end encryption to the phone relay, enable payments, or form a company). If we make material changes, we will update the “Last updated” date and, where appropriate, notify you in the app or by email.

12. Contact us

Through Compose (currently operated by Philippe Mallette), California, USA. Email: hi@throughcompose.com.

Through Compose

Privacy

Terms

hi@throughcompose.com

© 2026 Through Compose. All rights reserved.

Private beta · Built for macOS