Short answer: yes, your keyboard can technically see everything you type — that's what a keyboard is. The real questions are whether it records what it sees, whether anything leaves your phone, and how you'd know. Android shows every third-party keyboard user a warning about exactly this, most people tap past it, and almost nobody could say what their current keyboard's data policy actually is.
This guide explains what keyboards can and can't access, what the system warning really means, where the genuine risks are, and how to check any keyboard (including ours) in five minutes.
What a keyboard app can actually see
A keyboard is an Android input method: an app that receives your keystrokes and hands the resulting text to whatever field is focused. From that position it can observe:
- Everything you type in normal text fields: messages, emails, searches, names, addresses.
- The text already in the field it's attached to, which is how autocorrect fixes the word before your cursor.
- Which app you're typing in, so it can adjust (search layout in a browser, emoji row in a chat app).
What it cannot see is just as important:
- Your screen in general. A keyboard reads the text field it serves, not other apps' content, not your photos, not your notifications.
- Password fields, mostly. When a field is marked as a password input, Android suppresses learning and suggestions and typically hands input to a secure mode. Reputable keyboards additionally don't retain anything typed there.
- Anything while another keyboard is active. A keyboard that isn't the current input method receives nothing. Installed-but-switched-away keyboards are dormant.
So the surface is real: the active keyboard sits in the flow of nearly everything personal you write. Which is why the next question matters more than this one.
The scary warning, translated
Enable any third-party keyboard and Android shows a notice that the app "may be able to collect all the text you type, including personal data like passwords and credit card numbers."
Three things about that screen:
- It appears for every keyboard ever installed — Gboard, SwiftKey, all of them. You never saw it for your phone's pre-installed keyboard only because it came pre-enabled.
- It describes capability, not behavior. It says "may be able to", not "does". It's Android being honest about what the input-method position permits.
- It is not a malware verdict on the app you just installed. Play Protect scanning is a separate system and runs regardless of where you got the APK.
The warning's actual job is to make you ask: do I trust this developer? That's the right question, and it has a checkable answer.
Where the real risks are
Keyboard privacy incidents over the years fall into three buckets, none of them exotic:
Careless cloud sync. Several keyboards (including big-name ones) have shipped with cloud features that uploaded more than users expected — typing history synced for "personalization", contact names slurped for prediction dictionaries. Usually legal, buried in the policy, and more than most people would consent to if asked plainly.
Monetized typing data. Free keyboards with no visible business model sometimes have an invisible one. Aggregated typing data, app-usage patterns, and ad identifiers are sellable. A flashlight-app economics problem, on the most sensitive app position on your phone.
Actual breaches. The worst real-world case: in 2017 a popular keyboard app left a server unsecured and exposed data on tens of millions of users, including contacts data it had no obvious need to hold. The lesson isn't "keyboards are spyware"; it's that a keyboard developer's server hygiene becomes your problem the moment your data leaves the device.
Notice what's common across all three: the risk lives in what gets transmitted and stored, not in the typing itself. A keyboard that keeps typing on the device has nothing to leak.
The 5-point keyboard privacy check
Run any keyboard through these five questions. It takes about five minutes and separates the trustworthy from the vague.
- Does the developer state, in plain words, what leaves the device? Not boilerplate — an actual sentence like "typing stays local; only X is transmitted when you do Y". If the privacy policy can't produce that sentence, assume the answer is "more than you'd like".
- Is there a business model you can see? Paid app, visible credits/subscription, or a big company subsidizing it. "Completely free forever" with no revenue story is the red flag.
- What permissions does it request? Settings → Apps → the keyboard → Permissions. A keyboard needs very little. Contacts access might serve name-prediction; location and SMS access serve nothing a keyboard should be doing.
- How does it handle AI features? Anything AI runs in the cloud, so the honest design is explicit invocation: nothing uploads until you deliberately trigger an action on chosen text. Always-on cloud "assistance" means a continuous stream of your typing leaving the phone.
- What happens in password fields? The policy should say suggestions and learning are disabled there. You can verify half of this yourself: open any login screen and watch the suggestion bar go inert.
How Synapse answers those five
We make Synapse, an AI keyboard, so here is our own scorecard in the same order — and the same plain sentences we're telling you to demand from everyone else:
- What leaves the device: normal typing, nothing. Keystrokes are processed locally and no typing history is uploaded. The only text that leaves your phone is text you explicitly select and send to an AI prompt, and only at that moment.
- Business model: visible and boring. The app is a free APK; AI usage costs energy credits (20,000 free on signup, top-ups $5–$30, optional subscription for heavy users). You are the customer, not the product being aggregated.
- Permissions: the input-method basics. No location, no SMS, no call logs.
- AI invocation: explicit only. You select text, open the prompt section, and tap a prompt — that selection is what gets sent, processed, and returned. Never tap a prompt on a message and that message never touches the network. The features page shows the flow.
- Password fields: handled by Android's secure input, no learning, no suggestions, nothing retained.
Judge us by the same checklist as everyone else. That's what it's for.
Practical settings, whatever keyboard you use
A few habits that lower your exposure regardless of brand:
- Audit what's enabled. Settings → search "keyboard" → keyboard list. Disable keyboards you don't use; dormant is good, uninstalled is better.
- Turn off cloud sync of typing history if your keyboard offers it and you never consciously wanted it. The personalization gain is small; the stored-forever transcript is not.
- Use a password manager's autofill instead of typing credentials. Autofill bypasses the keyboard entirely, which makes the password-field question moot.
- Be deliberate in sensitive apps. For banking or medical portals, nothing stops you from flipping to a plain offline keyboard for that session — two taps via the keyboard icon in the navigation bar.
- Update the keyboard like any security-relevant app. Input methods are exactly where you want patches applied promptly.
FAQ
Can a keyboard read my passwords?
Android marks password fields for secure input: suggestions and learning are disabled and well-behaved keyboards retain nothing. The stronger guarantee is architectural — use a password manager's autofill and the keyboard never touches credentials at all.
Is Gboard private? It's from Google, after all.
Gboard's core typing runs on-device, and Google documents which features (like sync and cloud search) send data when enabled. The same five-point check applies: read what leaves the device and decide if the trade suits you. Big-company keyboards are usually competent about security; whether you like the data relationship is a separate, personal call.
Do AI keyboards have to send my typing to the cloud?
The AI processing itself runs in the cloud, but there's a world of difference between designs. Explicit-invocation keyboards send only the text you select, only when you trigger a prompt. Always-on designs stream context continuously. Ask which one you're installing.
Is installing a keyboard from an APK less safe than the Play Store?
The install channel matters less than the developer. Play Protect scans APK installs on-device too, and the Play Store has hosted its share of misbehaving keyboards. Get APKs from the developer's own site, never from mirror sites, and apply the five-point check either way.
How do I remove a keyboard I no longer trust?
Uninstall it like any app (Settings → Apps → uninstall). Android falls back to a pre-installed keyboard automatically; you can't end up keyboard-less. Learned words and history stored by that app go with it.
Trust is a checklist, not a vibe
Your keyboard sees more of your life than almost any app on your phone, so it deserves five minutes of actual scrutiny instead of a reflexive tap through the warning. Run your current keyboard through the five questions above. If you're shopping for one that answers them cleanly and adds AI you invoke on your own terms, Synapse is a free download from the homepage — 20,000 credits included, and the policy says the quiet part out loud: your typing stays yours.