This Privacy Policy explains how Matt L Smith ("we," "us," or "our") collects, uses, shares, and protects information when you use the Gray Matter mobile application (also marketed as "Embedded Smart Voice Recorder," referred to here as "the App"). By creating an account or using the App you agree to the practices described in this policy.
We believe privacy policies should be readable, so we've written this in plain English. If anything is unclear, please contact us.
1. What Data We Collect and How
| Data Type | How Collected | Where Stored |
|---|---|---|
| Email address & display name | Provided during account creation (email/password or Apple Sign In) | Firebase Authentication (Google) |
| Audio recordings | Captured when you tap Record in the App | Firebase Cloud Storage (Google) |
| Voice training samples | Recorded when you opt in to speaker identification training | Firebase Cloud Storage (Google) |
| Transcriptions & summaries | Generated automatically by AI after you record a memo | Firestore (Google) & Supabase |
| Search embeddings (vectors) | Generated automatically from transcription text | Supabase (pgvector) |
| Memo metadata | Created automatically (timestamps, categories, tags) | Firestore (Google) |
| Basic usage analytics | Collected passively (app opens, feature usage, crash reports) | Firebase Analytics (Google) |
We do not collect precise location data, contacts, photos, browsing history, or any data from other apps on your device.
2. How We Use Your Data
We use the data listed above exclusively to:
- Authenticate your identity and secure your account
- Record, transcribe, summarize, categorize, and store your voice memos
- Identify speakers in multi-speaker recordings (when you opt in)
- Generate vector embeddings that power semantic search across your memos
- Diagnose bugs, prevent abuse, and improve App performance
- Communicate with you about service updates or support requests
We do not use your data for advertising, profiling, or marketing to third parties.
3. Third-Party AI Services That Receive Your Data
To deliver its core features, the App sends certain user data to the following third-party artificial intelligence services. Each service receives only the minimum data necessary for its function.
3.1 OpenAI (San Francisco, CA, USA)
| Data sent | Audio recordings |
| Purpose | Whisper API — speech-to-text transcription; GPT-4o-mini — generates brief summaries of transcriptions |
| Data retention | Data sent via the API is processed in real time and is not used to train OpenAI models (per OpenAI API Data Usage Policy) |
3.2 Google Gemini / Google AI (Mountain View, CA, USA)
| Data sent | Transcription text |
| Purpose | Gemini Embedding API — generates semantic search vectors so you can search memos by meaning |
| Data retention | API data is not used to train Google models (per Google AI API Terms) |
3.3 Pyannote.ai (Paris, France)
| Data sent | Audio recordings and voice training samples |
| Purpose | Speaker diarization — identifies who is speaking in multi-speaker recordings; creates voice profiles from training audio |
| Data retention | Audio is processed for the API request only and is not retained after processing (per Pyannote.ai) |
3.4 Equivalent Data Protection
We select third-party AI services that provide equivalent or greater data protection compared to our own practices. Specifically:
- None of the AI services listed above use your data to train their models.
- All data is transmitted over encrypted connections (TLS/HTTPS).
- Each provider publishes a privacy policy and data-processing agreement that commits to industry-standard security controls.
- We review these policies periodically and will update this page if a provider changes its practices in a material way.
4. Other Infrastructure Providers
In addition to the AI services above, the App relies on:
- Firebase (Google) — Authentication, Cloud Storage (audio files), Firestore (memo metadata), and Cloud Functions (processing orchestration). Firebase Privacy Policy
- Supabase — Stores transcriptions and embedding vectors for semantic search. Supabase Privacy Policy
All user data is organized and isolated by user ID. No infrastructure provider has access to another user's data.
5. Data Storage and Security
- API keys and service credentials are stored in Google Cloud Secret Manager — never in client-side code.
- Our database enforces row-level security (RLS) so that each user can only access their own records.
- All data in transit is encrypted with TLS/SSL; data at rest is encrypted by the underlying cloud providers.
- Your data is stored on servers in the United States (Firebase and Supabase infrastructure).
While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
6. Data Retention
- Account data, transcriptions, summaries, and embeddings are retained for as long as your account is active.
- Audio recordings are retained in cloud storage so you can replay them. They are permanently deleted when you delete a memo or your account.
- Voice training samples are retained until you delete your voice profile or your account.
- If you delete your account, all data is deleted immediately and irreversibly (see Section 7 below).
7. Account Deletion
You can delete your account entirely from within the App by navigating to Profile & Settings > Delete Account. This permanently and immediately deletes:
- All audio recordings
- All voice training profiles
- All transcriptions, summaries, and tags
- All search embeddings
- Your user account and authentication credentials
Deletion is immediate and irreversible. Once confirmed, no data can be recovered.
8. Your Rights
Depending on your jurisdiction (including under GDPR and CCPA), you may have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete data.
- Deletion — Request deletion of your data (or use the in-app Delete Account feature).
- Portability — Request your data in a structured, machine-readable format.
- Withdraw consent — Withdraw consent for data processing at any time.
- Object — Object to certain types of processing.
- Non-discrimination (CCPA) — We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, email us at privacy@mattlsmith.com. We will respond within 30 days (or sooner if required by applicable law).
9. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose.
- Request deletion of your personal information.
- Opt out of the "sale" of personal information — we do not sell your personal information.
- Not be discriminated against for exercising these rights.
In the preceding 12 months we have not sold personal information and have not shared personal information for cross-context behavioral advertising.
10. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA) or the United Kingdom:
- Our legal basis for processing your data is contractual necessity (to provide the App's features) and your consent (which you give when creating an account).
- Your data may be transferred to the United States, where our infrastructure providers operate. We rely on Standard Contractual Clauses and provider certifications to ensure adequate protection.
- You have the right to lodge a complaint with your local data protection authority.
11. Data Sharing
- We do not sell, rent, or trade your personal information.
- We do not share your data with advertisers.
- We do not use your data to train AI models.
- We share data only with the third-party service providers named in Sections 3 and 4, and only to the extent necessary to provide the App's functionality.
We may disclose your information if required by law or in response to valid legal process (e.g., a subpoena or court order).
12. Children's Privacy
The App is not intended for use by anyone under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you through the App or by email before the changes take effect.
14. Contact Us
If you have questions about this Privacy Policy, your data, or want to exercise your rights:
- Email: privacy@mattlsmith.com
- Developer: Matt L Smith
- Website: mattlsmith.com
- LinkedIn: linkedin.com/in/matthewlsmith