Privacy Policy for MyApp Studio
Last updated: July 11, 2026
This Privacy Policy explains how MyApp Studio, a product of Clearbrook Software LLC ("the App," "we," "us," or "our"), collects, uses, stores, and shares information when you use our Android and iOS applications and related backend services.
MyApp Studio is an AI-powered app builder. You describe an app you want by voice or text, and the App generates a working mini-application ("a MyApp") that runs inside MyApp Studio and can optionally be installed as a standalone Progressive Web App (PWA) on your device.
1. Information We Collect
1.1 Account Information
We use Google Sign-In and, on iOS, Sign in with Apple (both via Firebase Authentication) as the only ways to sign in. When you sign in, we receive and store:
- Your account's user ID, as provided by Google or Apple
- Your name and email address, as provided by the sign-in provider. With Sign in with Apple, you can choose Apple's Hide My Email option, in which case we receive Apple's private relay address instead of your real email address; Apple also only shares your name and email on your first sign-in.
We do not have or use any other login method, and we never receive your Google or Apple password.
1.2 Content You Create
To build and edit your MyApps, we collect and store:
- The text or voice prompts you type or speak describing the MyApp you want to build or change
- The generated application data itself: app names, themes, table/column definitions, and the row data you enter into your MyApps (e.g., a workout log's exercise names and rep counts, or photos you capture/upload into an image field, which are compressed before being stored as part of that MyApp's data)
- Custom code generated for "custom" view types (HTML/CSS/JavaScript produced by the AI to render your MyApp)
- Metadata about elements you tap on in the live preview (e.g., which column or row you selected), sent to power AI-assisted, targeted edits
Voice input: If you use voice mode, your speech is transcribed into text by your device's built-in speech recognition service (on Android, the system speech recognizer, typically provided by Google; on iOS, Apple's speech recognition service). Depending on your device and its settings, that platform service may process the audio on-device or on the platform provider's (Google's or Apple's) servers, according to your device's own configuration and the platform provider's terms. Your raw voice audio is never sent to our backend; only the resulting text transcript is, and from there it is handled exactly like a typed prompt. To speak the assistant's replies aloud, the reply text is sent through our backend to Google's Gemini text-to-speech model, which generates the audio played back to you. We do not record or retain raw audio recordings; the text transcripts and responses are what gets stored as part of your conversation and app data.
Before the microphone is ever activated, the App shows an in-app "Use Microphone" / "Type instead" prompt — your microphone is never opened automatically, and the operating system's microphone permission dialog is never triggered, without you first explicitly choosing "Use Microphone" in this prompt. This in-app confirmation is requested again every time you switch from typing back to voice mode, not just the first time.
The App requests camera access only so that generated MyApps can offer a "take photo" option for image fields, as described above.
1.3 Application Data Storage
All MyApps you build, including their schema, custom code, and the data you enter into them (table rows, form submissions, etc.), are stored in:
- Locally on your device, in the App's private local storage, so the app works offline.
- Remotely, in our Google Firestore database, tied to your account's user ID, so your MyApps sync across your devices.
1.4 End-to-End Encryption of Personal Table Data
When a table inside a MyApp is identified as personal — for example a journal, mood log, or health measurement tracker — the row content of that table is end-to-end encrypted on your device before it ever leaves it:
This classification is made automatically by the AI as it designs your MyApp (based on cues like "journal," "log," or "history" versus static reference content such as recipes or presets), not something you manually tag yourself. It's a best-effort classification: the AI can occasionally misclassify a table (marking personal content as non-personal, or vice versa), so we cannot guarantee that every sensitive table you create will be encrypted, or that every encrypted table actually contains sensitive data. If a table is misclassified, you can ask the AI assistant to fix the classification as a follow-up edit, the same way you'd request any other change to your MyApp.
- Each device generates an AES-256 encryption key, protected by your device's secure, operating-system-managed credential storage (the Android Keystore system on Android; the Keychain on iOS), with no setup required.
- Personal table row values are encrypted (AES-256-GCM) on-device prior to being saved locally or synced to Firestore. Column/table structure (names, types) is not encrypted, since the AI needs to see the *shape* of your data to build and edit the MyApp — only the row *content* is opaque.
- Our backend and Firestore database only ever see ciphertext for these rows. When the AI model regenerates or modifies a MyApp's schema, the backend always discards whatever the model echoed back for personal rows and restores your real (still-encrypted) data instead — personal row content is never sent to, or reconstructed by, the Gemini model. Before a personal table is included as context in any AI prompt, its rows are replaced with a placeholder (e.g., "[personal data omitted: 4 encrypted row(s)]").
- Multi-device sync is opt-in. By default, your encryption key lives only on your device, protected by that device's OS-managed credential storage — personal data will not appear on a second device until you explicitly enable sync. If you choose to enable it, you set a passphrase; your key is then wrapped using that passphrase and the wrapped (still-encrypted) copy is stored on our servers so you can unlock it on another device. We never transmit or store your passphrase itself, and we cannot derive your encryption key or read your personal data without it. If you forget your passphrase, your personal data cannot be recovered by you or by us.
- To detect when a device holds a different encryption key than the one your account's data was encrypted with (for example, after signing in on a new device), we store a one-way cryptographic fingerprint (SHA-256 hash) of your encryption key on our servers. This fingerprint cannot be reversed to recover the key and reveals nothing about your data; it only lets your devices recognize whether their local key matches your account's.
Tables you don't mark as personal are not end-to-end encrypted and are visible to our backend and AI models in the ordinary course of generating and editing your MyApp, as described elsewhere in this policy.
1.5 Usage and Activity Logs
We maintain two layers of operational logging, both of which are accessible only to us (no third party) and used to run, debug, and manage the cost of the service:
- Per-user activity log (
/users/{uid}/logs): every create/chat action you take is logged with a timestamp, action type, the relevant app ID, your prompt text, and AI token counts. - Pipeline event log (
eventLogs): a more granular, cross-user log capturing each step of the AI generation pipeline (chat, design, coding, automated QA checks, AI quality review, text-to-speech, and runtime errors reported by a running MyApp), each tagged with your account ID, app ID, outcome (success/failure), AI model and cost, and — for troubleshooting — a truncated prompt summary (first 200 characters) and, on failure, error/diagnostic detail (up to 2,000 characters, which may include an error message and code-level stack trace). This log powers an internal admin analytics dashboard (usage, cost, and failure trends) that only we, as operators, can access via an admin-restricted account; it is not exposed to other users or third parties. - Flag log (
flags): if you flag a MyApp for review, we record the app, your account ID and email, the app owner's account ID and email (if it's not your own app), and the reason you provided, and send an email alert to the developer. We review flagged reports within 24 hours.
Because personal table rows are end-to-end encrypted before they reach our backend (Section 1.4), this content is never present in either log. A prompt summary could include personal information only if you directly typed or spoke it into a chat prompt (as opposed to entering it into an encrypted personal table).
1.6 AI Credits and Subscription Data
The App includes a free usage-tracking system: every account is granted a starting allotment of AI "tokens" and a subscription period, and we store and update:
- Your current token balance and subscription expiration date and status (
/users/{uid}/billing/account) - The token-equivalent cost of each AI action you take, deducted from your balance as you use the App
We do not collect or process any payment information. There is currently no real purchasing mechanism — options to buy additional tokens or renew a subscription are placeholders that are currently disabled and do not transmit any payment details, because none are collected. If we introduce real payments in the future, we will update this Privacy Policy first and handle any payment data through a dedicated, PCI-compliant payment processor rather than storing it ourselves.
1.7 Sharing Features
If you choose to share a MyApp with another user, we collect and store the recipient's email address (so the system can deliver the share) and a copy of the shared MyApp's data, scoped to the recipient's account inbox until they accept or decline it.
Personal tables are excluded from shares by default. When you share a MyApp, any table the AI has classified as personal (Section 1.4) is automatically left out of the copy sent to the recipient — they receive the table structure but no rows. An "Advanced" option in the share dialog lets you manually opt a specific personal table back in; if you do, that table's row data is included in what the recipient receives, the same as any other shared table.
Blocking and flagging. You can block another user (from the Sharing Settings screen, or when declining a shared app); this also immediately removes any apps that user has already shared with you from your library. You can also flag any MyApp in your library — your own or one shared with you — for our review; if the flagged app came from another user, flagging it also blocks that user and removes their other apps from your library, the same as blocking them directly. You're shown this consequence in the app before you confirm either action.
1.8 Notifications
If you grant notification permission, the App can:
- Schedule local, on-device reminders (e.g., a timer you set inside a MyApp) using your device's local notification scheduling system. These reminders are scheduled and fired entirely on your device and are not sent to our servers.
- Receive push notifications (e.g., when another user shares a MyApp with you, or when your AI credits are running low or your subscription is about to expire, per Section 1.6) via Firebase Cloud Messaging. To enable this, we store a device push token associated with your account.
1.9 Information We Do Not Collect
We do not use any advertising SDKs, analytics/tracking SDKs (e.g., no Firebase Analytics, no Crashlytics, no ad networks), and we do not collect device identifiers, location data, contacts, or browsing history. We do not sell your data.
2. How We Use Your Information
We use the information described above to:
- Authenticate you and keep your MyApps in sync across devices
- Generate, render, and modify your MyApps using Google's Gemini AI models
- Encrypt and, if you opt in, sync your personal table data across your own devices
- Let you share MyApps with, and receive MyApps from, other users you choose to interact with
- Let you block other users and flag MyApps for review, to support trust and safety — including automatically removing apps from a blocked or flagged sender
- Track your AI token balance and subscription status, and notify you when your balance is low or your subscription is expiring (Section 1.6)
- Deliver notifications you've requested or that relate to sharing activity
- Maintain audit and pipeline-event logs for debugging, abuse prevention, reliability monitoring, and to track AI usage costs (visible only to us via an internal admin dashboard)
- Operate, maintain, and improve the reliability of the App and backend services
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only as follows:
- Google Cloud / Firebase (our infrastructure provider): Authentication, Firestore (database), Cloud Functions (backend logic), Cloud Messaging (push notifications), and Hosting (for installing MyApps as PWAs) are all built on Google Firebase. Google processes this data on our behalf, subject to Google's own data processing terms. End-to-end encrypted personal data stored in Firestore is unreadable to Google as well as to us.
- Google Gemini API: The text of your prompts (including on-device transcripts of your spoken prompts in voice mode) and the current MyApp schema (with any personal table rows redacted to a placeholder, per Section 1.4) are sent to Google's Gemini models so the AI can generate or modify your MyApp and provide a quality review. In voice mode, the assistant's reply text is also sent to a Gemini text-to-speech model to generate the spoken audio you hear. Google's handling of API data is governed by the Gemini API terms in effect at the time of use.
- Other users you choose to share with: If you share a MyApp with someone by email, that person (once signed in with a matching account) will receive a copy of that MyApp's data in their inbox. Personal tables are excluded by default, unless you manually choose to include one, per Section 1.7.
- Flag reports: If you flag a MyApp, the report (app name/ID, your identity, the app owner's identity, and your stated reason) is visible only to us as the developer/operator — never to other users or third parties.
- Legal requirements: We may disclose information if required to do so by law, or in good faith belief that such action is necessary to comply with legal process, protect our rights, or protect the safety of users or the public.
We do not have any other third-party advertising, analytics, or data-broker integrations.
4. Data Retention and Deletion
- Your MyApps, logs, and account data are retained for as long as your account exists, so that your MyApps remain available and synced.
- Deleting a MyApp from the Dashboard removes it from your local device storage; it does not automatically delete the same MyApp's copy stored in Firestore unless you delete it from your account entirely or contact us.
- You may delete your account and all associated data (MyApps, your per-user activity log, shares, notifications, push tokens, and any passphrase-wrapped encryption key copy) at any time, in one of three ways: directly within the App via the account menu's Delete Account option, by submitting our account deletion request form, or by contacting us at the email below. Account deletion permanently removes your Firebase Authentication record and all Firestore data stored under your account.
- Pipeline event log and flag log entries are retained after account deletion. The entries described in Section 1.5 that reference your account ID (in the cross-user
eventLogsandflagscollections) are not deleted when you delete your account. These entries are not stored under your account and are accessible only to us via Admin-SDK-restricted, operator-only access — we retain them for moderation, audit, and abuse-prevention purposes even after account deletion. - Logging out of the App does not delete data stored in Firestore, and your locally cached app data and locally stored encryption key remain on that device (so signing back in on the same device restores access to your personal data). If you have not enabled multi-device sync for personal data, losing that device, uninstalling the App, or clearing its data makes the corresponding personal table content permanently unrecoverable; the App warns you before logout if you have personal data protected only by a device-local key.
5. Data Security
We rely on Firebase's security infrastructure and on-device cryptography, including:
- Encryption in transit (HTTPS/TLS) for all communication between the App and our backend
- End-to-end encryption (AES-256-GCM) of personal table row content, performed on-device, with keys protected by your device's OS-managed credential storage (Android Keystore / iOS Keychain) and, optionally, a user-chosen passphrase (Section 1.4)
- Firestore security rules that restrict access to a user's MyApps, logs, shares, notifications, and device tokens to that authenticated user only
- Access to the internal admin analytics dashboard restricted to specific operator accounts via a Firebase Authentication custom claim
- Authentication via Firebase Auth with Google Sign-In or Sign in with Apple, rather than passwords we manage ourselves
No method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security. Note that end-to-end encryption protects personal table *content* — table/column names and the fact that a personal table exists are not encrypted.
6. Children's Privacy
MyApp Studio is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.
7. Your Choices and Rights
- Camera and microphone permissions are optional and only used for the features described above (voice prompts and photo fields in generated MyApps); you can decline or revoke them at any time in your device's system settings, with reduced functionality (e.g., text-only input) as a result. For the microphone specifically, the App also asks for your explicit in-app confirmation ("Use Microphone" / "Type instead") before ever opening it or triggering the system permission dialog, every time you enter voice mode — see Section 1.2.
- Notification permission is optional; declining it disables local reminders and push notifications for shares.
- Personal table encryption is something you control per table; multi-device sync of that encrypted data is opt-in and requires you to set a passphrase that we never see.
- Sign-out leaves your local data cache and locally stored encryption key on the device, so signing back in there restores access; uninstalling the App or clearing its data removes them. Deleting your account (Section 4) removes your local cache as well as your server-side data.
- Depending on your location, you may have rights under applicable law (such as the GDPR or CCPA) to access, correct, export, or delete your personal data. To exercise these rights, contact us using the information below. Note that we cannot read or export the content of end-to-end encrypted personal tables on your behalf — only you, with your key or passphrase, can.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above. Continued use of the App after changes take effect constitutes acceptance of the revised policy.
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: support@myappstudio.app