Thanks for bringing this up. The message about spellcheck using Google is a custom message added by Sonic many years ago which is no longer accurate. At one point, Roundcube did use a (anonymous) Google spell check service but this has since changed.
We are using the default Roundcube settings for spell check which means it goes through a server hosted by Roundcube itself at https://spellcheck.roundcube.net
. You can see this in the source code here
and desribed in the configuration here
Our default setting disables spell check before send, meaning it is only sent to the 3rd party server when the spell check button is clicked, and after agreeing to the prompt you originally pointed out.
Internally we'll have to discuss whether to run an in-house spell check server and stop sending to Roundcube, or disable the feature completely since modern browsers have good spell check capabilities built in now. The data is anonymized in the sense that it is proxied through our server so your IP and browser information is not visible to spellcheck.roundcube.net. Of course the content of the email may de-anonymize you; we can only hope that Roundcube does not store this information and only uses it to run through the spell check engine.
We'll get the message updated to change "Google" to "Roundcube". If the idea of sending any email content to a 3rd party isn't acceptable, avoid using the spell check option and use the browser's built in capabilities. Just to reiterate, by default we do not
enable spell check so it would only be sent through that service when you explicitly click the spell check button and agree to the prompt about it being sent to a 3rd party.
I hope this helps. Any additional ideas or feedback are welcome.