KimiTalk Privacy Policy

Date: 2026-05-26
Version: 1.2
Controller: KIMIKON e.U., Amalienstraße 29, 1130 Vienna, Austria
Contact: privacy@kimikon.cc

§ 1 — Controller and Contact

Controller under GDPR is:

KIMIKON e.U. Address: Amalienstraße 29, 1130 Vienna, Austria Email: privacy@kimikon.cc (data protection) / support@kimikon.cc (general) / legal@kimikon.cc (LGPL source offers) Web: https://kimikon.cc/kimitalk/

KIMIKON e.U. has no appointed DPO because GDPR Art. 37 / Austrian DSG § 5 thresholds are not met.

§ 2 — Principle: On-Device Processing

KimiTalk is a macOS application designed to process dictation audio, transcription, local text enhancement, local AI chat inference, speech output, and voice profiles primarily locally on your Mac. KIMIKON e.U. does not receive audio recordings, transcripts, AI-generated text, or voice embeddings unless you voluntarily transmit such content, for example in a support context.

Exceptions to this local content processing are described separately in this Privacy Policy: license activation, update checks, model/helper downloads through KIMIKON endpoints, optional AI Chat web research, checkout/license service providers, and support communication.

This on-device architecture is a privacy-by-design measure (GDPR Art. 25). It is technically verifiable: you may monitor your application's network traffic at any time with Little Snitch, Lulu, or tcpdump.

§ 3 — Data KIMIKON Actually Processes

KIMIKON e.U. acts as controller only for the following processing operations:

3.1 KimiTalk License Server

• Data: license key, hardware-bound activation IDs, computer/device name (instance_name), activation/deactivation timestamps, optional recovery email.
• Purpose: activation, deactivation, re-activation of Pro licenses; protection against abusive multi-use.
• Legal basis: Art. 6(1)(b) GDPR (performance of contract).
• Retention: during license term, then 7 years per Austrian bookkeeping law.
• Recipients: KIMIKON license worker on Cloudflare infrastructure; Lemon Squeezy as server-side commerce/license service provider; Cloudflare request metadata under the Cloudflare Data Processing Addendum.

3.2 Sparkle Update Check / Install Heartbeat

• Data: anonymous install identifier kt_install (SHA-256 of bundle ID + local random UUID, stable per installation), ordinary HTTP/CDN request metadata including IP address and requested appcast path. Sparkle system profiling is not enabled; KimiTalk does not transmit a separate OS version, CPU architecture, or language-preference profile parameter in this path.
• Purpose: update delivery; aggregated active-install estimate as an early-warning signal for Boson compliance (§ 8).
• Legal basis: Art. 6(1)(f) GDPR (legitimate interest in update delivery and license compliance).
• Retention: raw log 30 days; aggregated active-install statistic indefinite without individual attribution.
• Recipients: updates.kimikon.cc on Cloudflare Pages / Cloudflare infrastructure.

3.3 Support Requests

• Data: email address, voluntarily transmitted diagnostic logs.
• Purpose: request handling.
• Legal basis: Art. 6(1)(b) GDPR.
• Retention: up to 1 year after case closure.

Beyond the processing operations described in § 3, KIMIKON does not collect content data for analytics and does not perform advertising tracking. In particular, no audio recordings, transcripts, AI inputs or AI outputs, and no crash-reporting pipeline with content are shipped to KIMIKON servers. The technical update heartbeat in § 3.2 is used for update delivery and license compliance, not for advertising tracking or content analytics.

§ 4 — Data Your Mac Transmits to Third Parties

The following data flows may occur to third parties that KIMIKON does not control:

4.1 Model Downloads via KIMIKON/R2

Release ASR/TTS/LLM models are served through KIMIKON's model mirror models.kimikon.cc (Cloudflare R2). This includes Kokoro base weights and voice packs, all active Whisper CoreML release presets with active Whisper tokenizer support files, the active local LLMs, and Qwen3-TTS, Qwen3-TTS Clone, and OmniVoice. KimiTalk downloads manifests and model files from models.kimikon.cc, verifies SHA-256 checksums, and caches the files locally on your Mac.

For a model-mirror download, IP address, technical request headers, requested model/manifest paths, download bytes, timestamps, and CDN/request metadata may be transmitted to Cloudflare, Inc. as KIMIKON's service provider. Cloudflare processes these data to deliver, secure, and protect models.kimikon.cc against abuse.

The product build does not start direct model-weight downloads from huggingface.co for actively offered models. HuggingFace may still appear in license, source, and provenance notices because some upstream models are published there; that does not make HuggingFace an active download recipient in the current release.

4.2 Apple OS Telemetry (System Voices)

When using Apple System Voices (AVSpeechSynthesizer), the respective pipeline steps run via the macOS subsystem of Apple Inc. Apple may collect anonymized OS-level telemetry per macOS Privacy Policy. KimiTalk has no influence on this.

Apple Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

4.3 In-App Update via Sparkle

Version check against updates.kimikon.cc (see § 3.2).

4.4 Optional AI Chat Web Research

If you enable or trigger web research in AI Chat, KimiTalk locally creates a search query from your message and, where applicable, the chat context. The selected local AI model may locally rewrite that query. KimiTalk then transmits the search query to DuckDuckGo HTML Search (https://html.duckduckgo.com/html/) and fetches selected result webpages to provide source context for local answer generation.

• Data: search query or rewritten search query, technical request metadata, fetched URLs/domains, HTTP/fetch status, and content returned by target pages. Search queries may contain personal data, professional secrets, or confidential information if you enter such content into the chat.
• Recipients: DuckDuckGo for search; operators of the respective fetched result webpages; technical network, hosting, and CDN participants of those providers.
• Purpose: user-triggered web research, source retrieval, and provision of context for local AI answers.
• Legal basis: Art. 6(1)(b) GDPR for user-triggered research functions; alternatively or additionally Art. 6(1)(f) GDPR for technical security, error analysis, and abuse prevention. To be confirmed by counsel.
• Retention: KIMIKON does not store these search queries or fetched webpage contents server-side. Local AI Chat storage is described in § 5.2. Storage by DuckDuckGo or target websites is governed by their own privacy terms; KIMIKON does not control that processing.
• Use notice: Do not use web research for content that should not be transmitted to external search or website providers.

§ 5 — Special Data Types

5.1 Dictation / Speech Input

• Processing: audio captured by Apple Audio Subsystem (AVAudioEngine), transcribed on-device by WhisperKit / Whisper CoreML. Audio buffers discarded after transcription (no disk persistence).
• Recipients: none. Stays on your Mac.
• Retention: none.

5.2 AI Text Enhancement / AI Chat Input

• Processing: text input goes on-device to Google Gemma 4, Alibaba Qwen 3.5 / Qwen3-Coder (depending on selected local backend in Settings). KimiTalk does not use Apple Foundation Models for text enhancement. If AI Chat web research is enabled, § 4.4 also applies.
• Recipients: none for local text enhancement and local AI Chat inference. For enabled web research, see § 4.4.
• Local storage: rewrite/enhancement operations are not permanently transmitted to KIMIKON. AI Chat sessions may be stored locally through SwiftData, including user/assistant messages, context references, text snapshots, and generation metadata.
• Retention: transient rewrite operations: no permanent storage by KIMIKON. Local AI Chat sessions: until you delete the respective session or remove the local app data.

5.3 Optional: Local History / Snippets

• Processing: if enabled, KimiTalk stores transcripts and AI outputs in ~/Library/Application Support/Kimitalk/History/ on your Mac.
• Recipients: none.
• Retention: until you delete.
• Deletion: Settings -> History -> "Clear history".

§ 6 — Text-to-Speech and Voice Cloning — Biometric Data Processing

Important (GDPR Art. 9): Speaker embeddings generated during voice cloning are biometric data uniquely identifying a person (Art. 4(14)) and fall under the special category in Art. 9(1).

6.1 Processing Architecture

• When creating a voice profile, KimiTalk captures 3-15 s of reference audio, computes the speaker embedding in the on-device speech-helper process, and stores embedding + reference audio under ~/Library/Application Support/Kimitalk/SpeechOutput/VoiceProfiles/<profile-id>/.
• No transmission to KIMIKON or third parties. Neither embedding nor reference audio nor synthetic output is transmitted.
• KIMIKON e.U. does not process these local voice data for its own purposes, has no access to them, and does not operate server-side processing for them. KIMIKON's view is that you are responsible for the concrete use of your locally processed voice profiles.

6.2 Legal Basis of Your Consent

When creating a voice profile you give your explicit consent (Art. 9(2)(a) GDPR) in the in-app consent flow. This includes: (1) explicit consent to local creation and storage of a speaker embedding, (2) acknowledgement of AI marking and anti-misuse rules, and (3) self-attestation whether the voice is your own or whether documented consent of the affected person exists. Before each voice-cloning generation KimiTalk additionally asks for a non-persisted job confirmation.

6.3 Generated Audio Outputs

Exportable helper-backed synthetic audio outputs receive technical marking per EU AI Act Art. 50(2):

• BWF-bext metadata tag in the WAV header with provider/model identification.
• Filename suffix -ai.wav as human-readable marking.
• Additional provenance layers AudioSeal watermarking and C2PA manifests are mandatory for helper-backed AI audio.

The technical marking (BWF-bext + -ai.wav + AudioSeal/C2PA for helper-backed AI audio) is non-disableable. If the mandatory provenance layers cannot be created, AI-audio WAV export fails. When distributing, you as deployer (EU AI Act Art. 50(4)) must additionally disclose the AI generation in a clearly recognisable manner.

6.4 Voice-Clone Activity Log

KimiTalk keeps a local JSONL audit trail at ~/Library/Application Support/Kimitalk/SpeechOutput/voice-clone-activity.jsonl capturing embedding hash (not embedding), profile ID, timestamp, own/third-party choice, text length, output-path hash and output-filename hash. Raw text, raw audio, embeddings and output paths are not stored in the log. Retention: 90 days. Used solely for your own traceability; not transmitted.

6.5 Deletion

Voice profile, reference audio and corresponding local activity-log entries are removed via Settings -> Speech Output -> "Delete voice profile". If log cleanup fails for technical reasons, only hash/metadata entries without raw text, raw audio, embedding or output path remain and expire after no more than 90 days.

6.6 DPIA Notice

KIMIKON e.U. has produced an internal Data Protection Impact Assessment (DPIA) under GDPR Art. 35 for voice cloning (docs/legal/dpia-voice-cloning.md). Prior consultation of the Austrian DPA under Art. 36 was not performed because the internal DPIA concludes that local processing, non-transmission, and local deletion controls leave no high residual risk that KIMIKON cannot mitigate.

§ 7 — Apple System Voices — License Restriction Notice

Apple System Voices available in KimiTalk are governed by the macOS Software License Agreement of Apple Inc., restricting their use to personal, non-commercial purposes. KimiTalk uses Apple Speech only for in-app playback and does not create exportable WAV files using Apple System Voices (see EULA § 12).

§ 8 — Aggregated Active-Install Estimate (Boson Compliance for OmniVoice)

For the Boson Higgs Audio 2 Community License (EULA § 14), KIMIKON conservatively evaluates annual active users of the products or services made available by KIMIKON e.U. and its affiliates as an aggregate population. That aggregate population must not exceed 100,000 annual active users in the preceding calendar year unless Boson AI grants an expanded license.

• Data basis: anonymous Sparkle update-check frequency for KimiTalk (§ 3.2). A unique install ID (hash-stable per installation, not hardware-based) is counted in server logs; rolling 30-day window as an operational early-warning signal, not as OmniVoice usage telemetry, advertising tracking, or content analytics. As long as KimiTalk is KIMIKON e.U.'s only publicly provided product/service and no affiliates are added, that signal equals the relevant KIMIKON aggregate population.
• No linkage to license key, email, or user profile.
• Evaluation: internal active-install statistic used to assess annual-active-user risk. If further products/services or affiliates are added, their active users will be included in the internal compliance assessment, or Boson-dependent features will remain disabled until a reliable aggregate assessment or expanded license exists. KIMIKON contacts Boson AI with a safety margin before the threshold is reached; without an expanded license, OmniVoice is paused or disabled before an exceedance.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in Boson license compliance).

§ 9 — Your Rights

Against KIMIKON e.U. you have the right to:

• access (Art. 15);
• rectification (Art. 16);
• erasure (Art. 17);
• restriction (Art. 18);
• data portability (Art. 20);
• objection (Art. 21);
• withdraw consent (Art. 7(3)).

Right to lodge a complaint with the Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at.

Requests: privacy@kimikon.cc.

§ 10 — Third-Country Transfers (USA)

Server locations entail the following potential US transfers:

• Cloudflare, Inc. — hosting kimikon.cc, Sparkle update delivery, license server, and model mirror models.kimikon.cc (§ 4.1).
• Apple Inc. — OS-level system telemetry (§ 4.2).
• DuckDuckGo and external website operators — only when AI Chat web research is enabled (§ 4.4); depending on provider, processing may occur in the US or other third countries.

Standard Contractual Clauses (EU 2021/914), EU-US Data Privacy Framework status, processor/recipient role, and retention must be reviewed separately for each provider in the respective processing context. Direct HuggingFace model downloads are not an active release path.

§ 11 — Changes to this Privacy Policy

Material changes are announced in the application and at kimikon.cc/kimitalk/privacy at least 30 days before they take effect. Version history:

• v1.2 (2026-05-26): updated model-transfer language for the KIMIKON/R2 release path; active model-weight downloads from huggingface.co are not part of the release path; aligned license-server/Sparkle data categories with the code; aligned AudioSeal/C2PA wording with helper provenance support.
• v1.2 draft update (2026-05-27): added optional AI Chat web research, external recipients, and local AI Chat storage. To be confirmed by counsel.
• v1.0 (2026-05-21): consolidated master version with TTS/voice-cloning section.
• Older versions are documented in the Sparkle update channel