Security & Trust

How SpeechButton is built, signed, distributed, and audited.

Code-signed & notarized by Apple

Every SpeechButton release is signed with our Apple Developer ID and submitted to Apple’s notary service before publication. Gatekeeper recognizes the signature; macOS does not show the “app cannot be opened because it is from an unidentified developer” warning.

Developer: Pavel Taran
Team ID: UFZPV6F5H9
Certificate: Developer ID Application: Pavel Taran (UFZPV6F5H9)
Notarization: Apple notary – ticket stapled to the DMG

You can verify the signature locally on any Mac:

$ codesign -d -vvv /Applications/SpeechButton.app
$ spctl -a -vv /Applications/SpeechButton.app
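
The two commands above print a report that still has to be compared by eye with the identity listed on this page. The script below is an added example, not SpeechButton's own tooling, that does the comparison: it checks the TeamIdentifier and leaf Authority from codesign and the notarization status from spctl against the published values. The function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): compare codesign/spctl output with the
# signing identity published on this page.
EXPECTED_TEAM="UFZPV6F5H9"
EXPECTED_AUTHORITY="Developer ID Application: Pavel Taran (UFZPV6F5H9)"

# field KEY: print the value of the first "KEY=value" line read from stdin.
field() { sed -n "s/^$1=//p" | head -n 1; }

# check_codesign TEXT: succeed only if the team ID and the leaf certificate
# (first Authority line) in `codesign -d -vvv` output match the published ones.
check_codesign() {
    [ "$(printf '%s\n' "$1" | field TeamIdentifier)" = "$EXPECTED_TEAM" ] &&
    [ "$(printf '%s\n' "$1" | field Authority)" = "$EXPECTED_AUTHORITY" ]
}

# check_spctl TEXT: succeed only if Gatekeeper accepted the app as notarized
# and reports the published certificate as origin.
check_spctl() {
    printf '%s\n' "$1" | grep -q ': accepted$' &&
    [ "$(printf '%s\n' "$1" | field source)" = "Notarized Developer ID" ] &&
    [ "$(printf '%s\n' "$1" | field origin)" = "$EXPECTED_AUTHORITY" ]
}

# verify_app PATH: macOS only. 2>&1 because codesign -d reports on stderr.
verify_app() {
    codesign --verify --deep --strict "$1" &&
    check_codesign "$(codesign -d -vvv "$1" 2>&1)" &&
    check_spctl "$(spctl -a -vv "$1" 2>&1)"
}

# Constructed sample of a passing spctl report, for running without a Mac.
SAMPLE_SPCTL='/Applications/SpeechButton.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Pavel Taran (UFZPV6F5H9)'

if command -v codesign >/dev/null 2>&1; then
    if verify_app "${1:-/Applications/SpeechButton.app}"; then
        echo "OK: signature and notarization match the published identity"
    else
        echo "MISMATCH: do not run this copy" >&2
    fi
else
    check_spctl "$SAMPLE_SPCTL" && echo "parser self-check passed (constructed sample)"
fi
```

A copy signed by a different Developer ID, or one that is signed but not notarized, fails the comparison even though Gatekeeper may still accept it.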

Distributed from GitHub Releases

The DMG you download is hosted on GitHub. Anyone can inspect the release history, see the exact build that’s currently published, and confirm the file you just downloaded matches the one on the release page.

The Homebrew cask pulls the same DMG and verifies the Apple signature before installing.

100% on-device transcription

Audio capture, voice-activity detection, and speech-to-text inference all run locally on your Mac. The default models (Whisper, Parakeet) are bundled with the app; no audio is uploaded to a server for transcription on the Free plan.

Pro users who explicitly opt into a cloud transcription model (e.g. for the highest-accuracy tiers) see this clearly in settings before any audio leaves the device. The default install does not send audio anywhere.

What we collect

Marketing site: Cloudflare Web Analytics (cookieless, aggregate pageviews and traffic sources) and a Google Ads conversion tag running in Consent Mode v2 default-denied. No tracking cookies are set in any browser; no third-party trackers other than the disclosed Google Ads tag run on the landing page.

From the desktop app: nothing. The macOS app has no telemetry, no crash reporting, and makes no outbound network connections. The audio you record and the text we transcribe never leave your device.

Full details are in the Privacy Policy.

Reporting a vulnerability

If you find a security issue, email [email protected]. We acknowledge reports within two business days and aim to ship a fix within seven days for confirmed issues; we’ll credit you in the release notes if you’d like.

Please don’t test against shared infrastructure (e.g. our analytics endpoint) or against accounts that aren’t yours.
