Privacy Policy

Last updated: March 14, 2026

Migas is a local-first meeting transcription app built by Blackpilled Software LLC ("we", "us", "our"). We designed it to keep your data on your device. This policy explains what data we collect, what stays local, and what leaves your machine.

Data controller

Blackpilled Software LLC is the data controller for the personal data processed through Migas and the migas.ai website. You can reach us at support@migas.ai.

What stays on your device

All meeting transcripts, speaker profiles, voice embeddings, and meeting history are stored locally in ~/Library/Application Support/Migas/. We never upload, access, or store your transcript content or meeting audio on our servers.

AI chat relay (api.migas.ai)

When you use the meeting chat feature, your question and relevant transcript context are sent through a Cloudflare Workers relay at api.migas.ai and forwarded to OpenRouter, which routes the request to an AI model. The relay handles rate limiting and authentication; it validates message structure (count and total size) but does not log or persist message content.

• Free tier: A SHA-256 hash of your device's hardware identifier is sent for rate limiting. The original identifier never leaves your device.
• Pro tier: Your license key is exchanged for a short-lived session token (refreshed hourly) via a dedicated authentication endpoint. Only the opaque session token is sent on subsequent AI requests. The license key is not included in chat traffic.
• Bring Your Own Key (BYOK): If you configure your own OpenRouter API key in Preferences, requests go directly to OpenRouter and bypass the relay entirely.

Refer to OpenRouter's privacy policy for how they handle data once it leaves the relay.

Crash reporting (Sentry)

Migas uses Sentry to automatically report crashes and errors. This helps us fix bugs quickly. Crash reports include:

• Stack traces and error messages
• App version and OS version
• Basic device information (architecture, memory)

Crash reports do not include transcript content, meeting data, audio, speaker names, or any personally identifiable information from your meetings.

License validation (Polar)

If you purchase a Pro license, your license key is validated against the Polar.sh API. This sends your license key to Polar to confirm it is active. No other data is sent during validation.

Model downloads

On first launch, Migas downloads speech recognition models. These downloads are standard HTTPS requests. We do not control or log these requests.

Product analytics (PostHog)

Migas collects anonymous usage analytics via PostHog to help us understand how the app is used and where users encounter friction. Analytics events include:

• App opens, setup completion, and feature usage (recordings started, chat messages sent)
• Checkout and license activation events
• App version, OS version, and license tier

Analytics data does not include meeting content, transcript text, audio, speaker names, or any personally identifiable information. Data is sent to PostHog's US servers.

You can disable analytics at any time in Preferences → Privacy within the desktop app. When disabled, no analytics events are sent.

Legal basis for processing

We rely on the following legal bases under the GDPR for each type of processing:

• Local transcription and speaker identification: Legitimate interest. All processing happens on your device to provide the core product functionality. No data leaves your machine for this purpose.
• AI chat relay: Contract performance. Sending transcript context to the relay is necessary to deliver the chat feature you chose to use.
• Crash reporting (Sentry): Legitimate interest. We collect minimal diagnostic data to maintain software quality and fix bugs. No meeting content is included.
• License validation (Polar): Contract performance. Validating your license key is necessary to deliver the Pro tier you purchased.
• Product analytics (PostHog): Consent. Analytics are disabled by default in the desktop app and gated behind a consent banner on the website. You can withdraw consent at any time.
• Device identifier hash (free tier): Legitimate interest. A one-way hash of your hardware identifier is used solely for rate limiting to prevent abuse.

Data recipients

We share personal data only with the following categories of service providers, and only as described in this policy:

• OpenRouter (AI model routing): receives chat messages and transcript context when you use the chat feature
• Sentry (error tracking): receives crash reports and diagnostic data
• Polar.sh (licensing): receives your license key for validation
• PostHog (analytics): receives usage events if you have opted in
• Cloudflare (hosting and relay): processes requests to api.migas.ai and migas.ai

All of these providers are based in the United States. Where data is transferred outside the European Economic Area, we rely on the provider's standard contractual clauses or other appropriate safeguards.

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.

Data retention

• Local data (transcripts, speaker profiles, meeting history): retained on your device until you delete it.
• Chat relay: message content is forwarded in real time and not persisted on our servers.
• Crash reports: retained by Sentry for 90 days.
• Analytics events: retained by PostHog for 1 year.
• License validation logs: retained by Polar.sh per their retention policy.

What we do not do

• We do not track which meetings you attend or how long they last
• We do not use your data to train AI models
• We do not make automated decisions that produce legal or similarly significant effects

Your rights

If you are in the European Economic Area or the United Kingdom, you have the following rights under the GDPR:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate personal data.
• Erasure: request deletion of your personal data. For local data, you can delete ~/Library/Application Support/Migas/ at any time. For data held by our service providers (crash reports, analytics), contact us and we will initiate deletion.
• Restriction: request that we limit processing of your personal data.
• Portability: request your data in a structured, machine-readable format. Your local SQLite database is already in a portable format.
• Objection: object to processing based on legitimate interest.
• Withdraw consent: where processing is based on consent (analytics), you can withdraw at any time via Preferences in the app or by clearing your browser's local storage for migas.ai.

To exercise any of these rights, email support@migas.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Contact

Questions about this policy? Email support@migas.ai.