TASE — Your Privacy Matters

• Sign-in identifiers: When you create an account we collect your email address (via Firebase Authentication) and, depending on the sign-in method you choose, your name and profile photo. TASE supports Email/Password, Google Sign-In, and Sign in with Apple.
• Authentication tokens: Session tokens issued by Firebase Auth, OAuth identity tokens, and (for Google Sign-In) refresh tokens needed to maintain your session.

TASE stores the content you generate so that your assistant can sync across devices and recall context over time. This includes:

• Chats & voice transcripts: Text messages exchanged with the assistant, transcripts of voice sessions, and metadata about each conversation (project, timestamps, length).
• AI Brain content: Notes, ideas, knowledge entries, custom prompts, and extracted memories. Memories are short third-person statements automatically extracted from your conversations to personalize future responses.
• Productivity data: Tasks (quests), goals, milestones, projects, and reminders you create.
• Health & fitness data: Medications, supplements, workouts, sleep entries, calories/nutrition, lab results, and habits that you choose to log. If you grant permission, TASE can also read selected health and fitness metrics from Apple HealthKit (for example, step count or workout summaries) to display in the app. HealthKit data is processed on your device and is never used for advertising.
• Finance data: Expenses, incomes, budgets, and savings goals that you manually enter. TASE does not connect to your bank accounts or process payments.
• Audio data: Short voice recordings captured for transcription, and live audio streamed during real-time voice sessions. See Section 4 for how audio is processed.
• User-uploaded images and files that you attach to chats or notes.

If you choose to connect a third-party service through the Connectors feature, TASE accesses data from that service on your behalf. See Section 5 for the full Connectors disclosure, including the specific scopes requested for each provider.

• Device & diagnostic data: Device model, operating system version, app version, language and region settings, and a device identifier used to link diagnostics to your account.
• Crash & performance data: Stack traces, error logs, and performance metrics collected through Firebase Crashlytics and Firebase Performance Monitoring. Crash data is collected in a form not linked to your identity.
• Product interaction analytics: Aggregate events such as feature usage, screen views, and session length, collected through Firebase Analytics for the purpose of improving the app.
• Approximate and precise location: If you grant location permission, TASE may use your coarse and/or precise location to enrich features such as calendar context, weather, or location-aware reminders. Location is used only for in-app functionality and is not shared for advertising.

• What is sent: Your text messages, relevant context from the AI Brain (such as recently used memories or notes), and — for voice mode — your live microphone audio streamed over a secure WebSocket connection to wss://api.x.ai/v1/realtime.
• Purpose: Generating chat responses, voice replies, image creation/edits, and tool calls used by the assistant.
• Provider terms: Data sent to xAI is governed by xAI's privacy policy and terms of service available at x.ai/legal.

• What is sent: Short voice recordings that you create using the in-app voice recorder are uploaded to OpenAI's Whisper transcription endpoint to convert speech to text.
• Purpose: Producing text transcripts of your voice notes so they can be processed by the assistant.
• Provider terms: Governed by OpenAI's privacy policy at openai.com/policies/privacy-policy.

• Gmail (Google): Requests the OAuth scope https://www.googleapis.com/auth/gmail.readonly in order to list recent messages, read message metadata (sender, subject, date) and the plain-text body of messages you ask the assistant to summarize. Sending email and creating drafts via the assistant also use this token to call the Gmail API.
• Google Calendar: Requests the OAuth scope https://www.googleapis.com/auth/calendar.readonly to list your calendars and read upcoming events. When you ask the assistant to create, update, or delete a calendar event, the same authorized session is used to call the Google Calendar API on your behalf.
• Google Drive: Requests the OAuth scope https://www.googleapis.com/auth/drive.readonly to list and search files by name and read basic metadata (name, type, modified time).
• Apple Reminders: Uses the iOS EventKit framework with your permission to read incomplete reminders. No OAuth, no Google account, and no data is sent off your device for this connector.

• When you tap “Connect” for a Google connector, you are taken to Google's sign-in screen to grant the requested scope. TASE never sees your Google password.
• Google returns an OAuth access token and refresh token to the app. These tokens are stored securely on your device's iOS Keychain and a reference to the connected account (email, display name, connection status) is saved in your Firestore account so the connection persists across your devices.
• Tokens are sent only to the relevant Google API endpoint (e.g. gmail.googleapis.com, www.googleapis.com/calendar/v3, www.googleapis.com/drive/v3) and to Google's token-refresh endpoint when they expire. They are never sent to any other third party.
• Connector data fetched from Google (e.g. an email summary you asked about) may be passed into the AI processing pipeline described in Section 4 in order to answer your prompt.

• You can disconnect any connector at any time from AI Brain → Connectors in the app. Disconnecting deletes the stored tokens for that service and updates the connector status in your account.
• When you disconnect the last connected Google service, TASE additionally revokes the underlying Google OAuth session via the Google Sign-In SDK so that no residual authorization remains.
• You can also revoke TASE's access from Google's side at any time at myaccount.google.com/permissions.
• Connector data we fetched is not permanently mirrored into our database in bulk; we fetch on demand. Any data we did cache (for example, the last set of events used to render a screen) is cleared when you disconnect.

• Cloud Firestore (Google Cloud) — primary database for chats, AI Brain content, tasks, goals, health, finance, and connector state.
• Firebase Storage — for images, audio files, and other binary assets you attach.
• Firebase Authentication — for account identifiers and session management.
• iOS Keychain — for OAuth tokens and other secrets that should stay on-device.

Firebase services are operated by Google LLC. Data may be processed in data centers operated by Google in the United States and other regions where Google operates.

• Encryption in transit: All communication between the app and our backends uses HTTPS / TLS. Real-time voice traffic is sent over an encrypted WebSocket (WSS) connection.
• Encryption at rest: Data stored in Firestore and Firebase Storage is encrypted at rest by Google Cloud.
• Firebase App Check is used to help verify that requests come from a genuine, unmodified TASE app.
• Access controls: Firestore security rules restrict each user's data to their own account.
• OAuth tokens are stored on the device in the iOS Keychain rather than in plaintext.

• We retain your data for as long as your account is active.
• When you delete your account, your content (chats, AI Brain entries, tasks, goals, health, finance, connector tokens) is deleted from our active systems within approximately 30 days. Encrypted backups may persist for a limited additional period before being overwritten.
• Aggregated, de-identified analytics may be retained beyond this period as it is no longer associated with you.
• Some records may be retained longer if required to comply with legal obligations, resolve disputes, or enforce our agreements.

• Google LLC — Firebase Authentication, Cloud Firestore, Firebase Storage, Firebase Analytics, Firebase Crashlytics, Firebase Cloud Messaging, Firebase App Check, and Google Sign-In. (Google Privacy Policy)
• xAI Corp. — Grok chat and realtime voice APIs that power the assistant. (xAI Legal)
• OpenAI, OpCo, LLC — Whisper speech-to-text transcription for voice notes. (OpenAI Privacy Policy)
• Apple Inc. — App Store, Sign in with Apple, in-app purchases / subscriptions, and APNs push notifications. (Apple Privacy Policy)

Each of these providers is contractually bound to handle data only for the purposes for which we engage them.

We may disclose information if we believe in good faith that disclosure is required to comply with applicable law, legal process, or government request; to enforce our Terms of Service; or to protect the rights, property, or safety of TASE, our users, or the public.

If TASE is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (e.g. via email or in-app notice) before your information becomes subject to a different privacy policy.

We do not sell personal information to third parties, and we do not share it for cross-context behavioral advertising.

• Access & edit: You can view and edit your AI Brain notes, ideas, knowledge entries, memories, tasks, goals, health and finance entries directly within the app.
• Delete content: You can delete individual chats, notes, memories, tasks, or connector links at any time from the relevant section of the app.
• Disconnect connectors: Disconnect Gmail, Google Calendar, Google Drive, or Apple Reminders from AI Brain → Connectors.
• Revoke OS permissions: You can revoke microphone, photo, location, HealthKit, calendar, contacts, or notification permissions at any time from the iOS Settings app.
• Delete your account: Account deletion is available from within the app and removes your data from our active systems within approximately 30 days.

You may also write to privacy@tase.app to:

• Request a copy of the personal information we hold about you;
• Ask us to correct inaccurate information;
• Ask us to delete your account and associated data;
• Ask us to restrict or object to certain processing; or
• Withdraw consent where processing is based on consent.

We will respond to verifiable requests within the timeframes required by applicable law (typically within 30 days).

If you are located in the EEA, the UK, or Switzerland, you have the following rights regarding your personal data: access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection to processing, and the right not to be subject to solely automated decisions producing legal effects. Where we rely on your consent (for example, for optional location access), you may withdraw that consent at any time.

Our legal bases for processing are: (a) performance of a contract with you, when we process data necessary to operate the assistant; (b) our legitimate interests in improving and securing the service; (c) your consent, where required (e.g. optional analytics); and (d) compliance with legal obligations.

You have the right to lodge a complaint with your local data protection authority.

California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the “sale” or “sharing” of personal information. TASE does not sell your personal information and does not share it for cross-context behavioral advertising. You also have the right to non-discrimination for exercising these rights. To exercise any of these rights, contact privacy@tase.app.

Türkiye'de ikamet eden kullanıcılarımız için, 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK) kapsamında; kişisel verilerinizin işlenip işlenmediğini öğrenme, işlenmişse buna ilişkin bilgi talep etme, işlenme amacını öğrenme, eksik veya yanlış işlenmiş verilerinizin düzeltilmesini veya silinmesini isteme ve KVKK md. 11 kapsamındaki diğer haklarınızı kullanma hakkına sahipsiniz. Taleplerinizi privacy@tase.app adresine iletebilirsiniz.

If your jurisdiction grants you additional rights regarding your personal data, we will honor them to the extent required by applicable law. Please contact us to exercise such rights.