Home

Privacy Policy

Last Updated: March 24, 2026

1. Introduction

Your privacy is fundamental to mrmr. We built mrmr to help you control your Mac with your voice, and that means we have to handle some sensitive data carefully and transparently.

This policy explains what data mrmr processes, what we store on your device, what we store on our servers, what we send to third-party providers, and what changes now that mrmr supports Action Mode and connected workspace integrations.

mrmr is operated by Mohammad Hamza Suhail, based in Ireland. For the purposes of applicable data protection law, including the EU General Data Protection Regulation (GDPR), mrmr acts as the data controller for the personal data described in this policy.

2. How mrmr works

mrmr offers several modes, including dictation, search, and Action Mode.

  • In dictation mode, your audio is sent to third-party AI transcription providers to convert speech to text.
  • In search mode, your spoken request is transcribed and used to generate a web search.
  • In Action Mode, your spoken request may be transcribed, parsed into structured actions, matched against connected workspace data, shown to you for confirmation, and then executed in services you connect such as Slack, Linear, Google Calendar, Google Tasks, Google Meet, and Zoom.

3. Audio, transcripts, and text

When you use voice features in mrmr:

  • Your audio is sent securely to third-party AI providers for transcription.
  • For normal dictation, the transcribed text may also be sent to a language model for cleanup and polishing.
  • For Action Mode, the transcribed text may be sent to a language model to determine what actions you want to take.

We do not store your raw audio on mrmr's servers. Audio is transmitted to third-party providers for processing and is not retained on our infrastructure.

However, mrmr does store some content locally on your device:

  • Transcript history is stored locally in the app.
  • Associated audio files may also be stored locally with transcript history.
  • This local history can be deleted from the app, and it is cleared on logout or account deactivation.

4. Action Mode and connected integrations

If you connect external services to mrmr, we access and process data from those services so Action Mode can understand your command, show accurate suggestions, and execute the action you approve.

We currently support integrations including:

  • Slack
  • Linear
  • Google Calendar
  • Google Tasks
  • Google Meet
  • Zoom

We use a third-party integration platform, Composio, to manage OAuth connections and execute integration actions. mrmr does not store your raw OAuth access tokens. Instead, we store a connection reference that lets us use the connected account through Composio.

5. Workspace data we access and cache

To make Action Mode usable, mrmr caches a limited set of workspace metadata on our servers. This cached data is used for three main purposes:

  • To populate dropdowns and confirmation cards in the app
  • To help the AI match spoken names to real people, channels, calendars, projects, or task lists
  • To resolve human-readable names into the IDs required by external APIs

Depending on the integration, cached workspace data may include:

  • Slack: channel names and IDs, channel privacy flags, member names, display names, user IDs, avatar URLs, and timezones
  • Linear: team names and IDs, member names and IDs, project names and IDs, workflow statuses, priorities, and organization metadata
  • Google Calendar: calendar names and IDs, timezone, and attendee email addresses derived from recent or upcoming events; if you query or edit an event, event details may also be processed
  • Google Tasks: task list names and IDs; if you query, create, update, or delete tasks, task titles, notes, due dates, and completion state may also be processed
  • Google Meet and Zoom: connected status, default meeting provider preference, and meeting details for meetings you create through mrmr

This workspace cache is stored on mrmr's servers and refreshed periodically.

6. Commands, execution history, and uploaded images

When you use Action Mode, we may store:

  • The summary of the action you asked mrmr to perform
  • The structured actions generated from your request
  • The execution results returned by connected services

This information powers the in-app execution history. It may include sensitive workspace content such as Slack message text, Linear issue titles or descriptions, Google Calendar event titles or attendees, Google Tasks titles or notes, and links returned by integrations.

Execution history is stored on our servers until you delete it, clear it in the app, or delete your account.

If you attach screenshots or other images to an Action Mode request:

  • The images are uploaded to mrmr-managed cloud object storage
  • mrmr stores a reference so those images can be retrieved during action execution and in related UI flows
  • These uploads may contain sensitive information visible in the image
  • Uploaded images are deleted when the associated execution history entry is deleted, when you clear all execution history, or when you delete your account

7. What we collect

Information you provide

  • Account information such as your name and email address
  • Commands, text, and content you choose to send through Action Mode
  • Optional screenshots or image attachments you upload

Information collected automatically

  • Basic device and app information such as app version, macOS version, and hardware details
  • Integration connection metadata, such as which services you have connected and when they were connected
  • Usage analytics and product metrics if you leave analytics enabled

Analytics and product usage data

If analytics are enabled, mrmr may collect product usage data such as:

  • Recording counts, durations, and word or character counts
  • Search usage and selected search engine
  • Action Mode usage, completion rates, action counts, and which integrations were used
  • The category of app where dictation occurred (for example, "messaging app" or "code editor") - not the specific app name or content
  • Session-level product analytics and feature usage events

You can opt out of analytics in the app settings. When you do, mrmr stops sending analytics events and stops recording new usage stats, but previously collected analytics or cached stats are not automatically deleted.

8. What we do not store

We do not store the following on our servers:

  • Raw OAuth access tokens for your integrations
  • Raw audio recordings

We also do not ingest your entire workspace by default. For example, we do not pull your full Slack message history or full Linear issue history just to build the workspace cache. Instead, we cache a narrower set of metadata needed for Action Mode and process richer content only when you ask mrmr to perform or query a specific action.

9. Lawful basis for processing

Under the GDPR, we process your personal data on the following lawful bases:

  • Contract: Processing your account information, executing voice commands, and delivering the mrmr service is necessary to perform our contract with you (our Terms of Service).
  • Legitimate interest: Caching workspace metadata to make Action Mode functional, collecting basic device information for debugging and service stability, and maintaining execution history to provide you with a record of past actions. We balance these interests against your rights and only process data that is necessary for these purposes.
  • Consent: Connecting third-party integrations (Slack, Linear, Google Calendar, etc.) and enabling analytics collection. You can withdraw consent for integrations by disconnecting them and for analytics by disabling them in settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

10. Third-party service providers

mrmr relies on third-party providers to deliver key parts of the service. These may process data you send through the product.

  • AI providers, including providers used for transcription and language-model processing
  • Composio, which manages integration connections and executes actions against connected services
  • Connected services themselves, such as Slack, Linear, Google Calendar, Google Tasks, Google Meet, and Zoom
  • Cloud infrastructure providers used to host the API, database, and image storage
  • Analytics providers, if you have analytics enabled

These providers process data under their own terms and privacy practices. Where required, we have data processing agreements in place with providers who process personal data on our behalf.

11. Data retention

Retention depends on the type of data:

  • Local transcript history and local audio files remain on your device until you delete them, log out, or deactivate your account
  • Workspace metadata caches remain on our servers while your integration is connected, and are removed when the integration is disconnected or your account is deleted
  • Execution history remains on our servers until you delete individual entries, clear history in the app, or delete your account
  • Uploaded image attachments are deleted when the associated execution history is deleted, or when you delete your account
  • Account information is retained while your account is active and removed when your account is deleted, subject to any legal obligations
  • Analytics data is retained for up to 24 months from collection, after which it is deleted or anonymized

12. Data security and breach notification

We use reasonable safeguards to protect your data, including:

  • Encryption in transit for data sent between the app, our API, and third-party services
  • Separation between local on-device storage and server-side storage
  • Limited workspace metadata caching rather than broad workspace replication
  • Third-party OAuth token handling through Composio rather than storing raw integration tokens ourselves

No system is perfectly secure, and connected workplace tools can expose sensitive information. If you use Action Mode with company systems, you should evaluate whether your organization's policies allow that use.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR. If the breach is likely to result in a high risk to you, we will notify you directly by email without undue delay.

13. Your rights

Under the GDPR and applicable data protection law, you have the following rights:

  • Access: You can request a copy of the personal data we hold about you.
  • Rectification: You can ask us to correct inaccurate personal data.
  • Erasure: You can ask us to delete your personal data. You can also delete your account, execution history, and local data directly through the app.
  • Restriction: You can ask us to restrict processing of your personal data in certain circumstances.
  • Data portability: You can request your personal data in a structured, commonly used, machine-readable format.
  • Objection: You can object to processing based on legitimate interest. We will stop processing unless we have compelling legitimate grounds that override your interests.
  • Withdraw consent: Where processing is based on consent (integrations, analytics), you can withdraw consent at any time through the app.

To exercise any of these rights, contact us at h@getmrmr.com. We will respond within 30 days.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at dataprotection.ie, or with your local supervisory authority if you are based in another EU/EEA member state.

14. Your in-app choices

You can:

  • Disconnect integrations at any time
  • Delete transcript history stored locally on your device
  • Delete single execution records or clear all execution history in the app
  • Turn analytics collection off in settings
  • Delete your account and associated server-side account data

15. International data transfers

mrmr's servers and some third-party providers are located outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions to ensure your data is protected in accordance with GDPR requirements.

16. Children

mrmr is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, contact us at h@getmrmr.com.

17. Changes to this policy

We may update this Privacy Policy as mrmr evolves, especially as we add new integrations, new AI capabilities, or new ways to store or process user data. If we make material changes, we will update the date at the top of this page and notify users in the app or by email.

18. Contact

If you have questions about this Privacy Policy or mrmr's data practices, contact us at h@getmrmr.com.

mrmr banner