Privacy Policy
The short version: Alibi ("the App") is a fake-call utility with optional AI voice features. We keep your data minimal and we never sell it. Core features work on-device; AI voice calls and voice cloning require cloud processing and are explained in detail below.
Information We Collect
1.1 Information You Provide
We collect information you voluntarily give us when you use the App:
- Account email โ required to sign in. We authenticate via one-time codes sent to your email (no password). Handled by Supabase Auth.
- Custom scenes & callers โ names, fake phone numbers, profile emoji, and scripts you create. Stored in our Supabase database so they sync across your devices. You can delete any scene at any time.
- Custom ringtones โ audio files you import from your device. Stored locally on your device only; never uploaded.
- Voice samples for cloning โ if you choose to clone a voice, you record a ~30-second sample. The sample is uploaded through our backend to MiniMax, which trains a voice model and returns a model ID. See Section 1.4 for the full data flow.
- Live call audio โ during an AI voice call, your microphone audio is streamed to Google's Gemini Live service for real-time conversation. See Section 1.4.
- Feedback & support messages โ if you contact us by email or in-app feedback form, we collect your email address and message content.
1.2 Information Collected Automatically
When you use the App, we may automatically collect:
| Data Type | What It Includes | Purpose |
|---|---|---|
| Usage analytics | Feature interactions, session duration, crash logs | Improve stability and UX |
| Device info | OS version, device model, app version | Debug compatibility issues |
| Identifiers | Anonymous install ID (not linked to identity) | Aggregate analytics |
We do not collect your real phone contacts, GPS location, or any biometric data. Microphone audio is only captured when you actively record a voice sample or answer an AI voice call โ never in the background.
1.3 Purchase Information
If you purchase a premium subscription, payments are processed entirely by Apple's App Store or Google Play. We do not receive or store your payment card details. Subscription state is synchronized through RevenueCat, which we use to unlock premium features on your other devices; RevenueCat receives an anonymous user ID and your purchase receipt, nothing more.
1.4 Voice & AI Call Data
Two features involve sending audio off-device. Both are opt-in and both are explained here in plain terms:
- Voice cloning (MiniMax) โ when you choose to clone a voice, your ~30-second sample is uploaded via TLS to our Supabase backend, which forwards it to MiniMax for model training. MiniMax returns a model ID; we store that ID and the sample in our backend so you can re-use the cloned voice on any of your devices. You can delete a cloned voice at any time in Settings; deletion removes it from our backend and requests removal from MiniMax.
- AI voice calls (Google Gemini Live) โ when you answer an AI call, your microphone audio is streamed in real time to Google's Gemini Live API, which generates the AI's spoken responses. The audio stream passes through our backend only to attach your API credentials; we do not store or transcribe the live audio. Google's retention of streamed audio is governed by its own policies.
If you never use voice cloning and never answer an AI voice call, no audio ever leaves your device.
How We Use Your Information
We use the information we collect to:
- Operate, maintain, and improve the App's features
- Diagnose crashes and fix bugs
- Respond to support requests and feedback
- Understand aggregate usage patterns to prioritize development
- Comply with legal obligations
We do not use your data for targeted advertising, profiling, or selling to third parties.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
Service Providers
We use trusted third-party services to help operate the App. These providers are contractually bound to use your data only to perform services on our behalf:
- Supabase โ authentication (email OTP), Postgres database for scenes and cloned-voice metadata, Edge Functions for secure API calls, and Storage for assets.
- Google Gemini Live โ real-time AI conversation during AI voice calls. Audio is streamed, not stored by us.
- MiniMax โ voice cloning. We send your 30-second sample; they return a model ID we use to generate speech in later calls.
- RevenueCat โ subscription state synchronization across devices. Receives an anonymous user ID and your App Store / Play Store purchase receipt.
- Apple App Store & Google Play โ payment processing and distribution.
Legal Requirements
We may disclose data if required by law, court order, or government authority, or to protect the rights, property, or safety of our users or the public.
Business Transfers
In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify users before any such transfer and provide the option to delete their data.
Data Retention
We retain data only as long as necessary:
- On-device data (imported ringtones, local preferences): Retained until you delete the App or clear its data.
- Account & scene data (your email, custom scenes, cloned-voice metadata): Retained while your account is active. Deleting your account via Settings โ Account โ Delete Account triggers immediate removal from our database and cascades to cloned-voice deletions at MiniMax.
- Voice samples: Stored alongside the cloned-voice model until you delete the voice or your account.
- Live AI call audio: Not retained by us. Streamed directly to Google Gemini Live for real-time processing.
- Analytics data: Retained for up to 24 months in aggregated, anonymized form.
- Support correspondence: Retained for 12 months after your inquiry is resolved, then deleted.
You can request deletion of your data at any time by contacting us at the email address in Section 11. Account deletion inside the App deletes your cloud data within 30 days.
Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request that we delete your personal data ("right to be forgotten").
- Portability: Request your data in a machine-readable format.
- Objection / Restriction: Object to or restrict certain processing of your data.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time.
Analytics Opt-Out
You can disable analytics collection in Settings โ Privacy โ Analytics within the App at any time. This stops all future data collection; it does not delete previously collected anonymous data.
Push Notifications
You can disable push notifications at any time through your device's system settings.
To exercise any of your rights, email us at privacy@gcdm.studio. We will respond within 30 days.
Security
We take reasonable technical and organizational measures to protect your data, including:
- All data in transit is encrypted via TLS 1.2+
- On-device data is stored in the app's sandboxed container
- Access to backend systems is restricted and audited
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify affected users as required by applicable law.
Children's Privacy
The App is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
Third-Party Services
The App integrates third-party services whose privacy practices are governed by their own policies. We recommend reviewing them:
- Supabase โ supabase.com/privacy
- Google Gemini Live (AI voice conversation) โ policies.google.com/privacy
- MiniMax (voice cloning) โ www.minimax.io/protocol/privacy-policy
- RevenueCat (subscription management) โ revenuecat.com/privacy
- Apple App Store / iOS โ apple.com/legal/privacy
- Google Play / Android โ policies.google.com/privacy
International Data Transfers
Our Supabase backend is hosted in the United States. When you use AI voice features, audio is processed by Google Gemini Live and (for cloning) MiniMax, which operate their own global infrastructure. If you are located outside these regions, your data may be transferred to and processed in countries with different data protection laws than your own. Where required, we rely on standard contractual clauses (SCCs) approved by the European Commission and equivalent safeguards for other jurisdictions.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last Updated" date at the top of this page
- Display an in-app notification for material changes
- For significant changes, obtain renewed consent where required by law
Continued use of the App after changes become effective constitutes your acceptance of the revised policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
- Email: privacy@gcdm.studio
- Response time: We aim to respond within 30 days.
If you are located in the European Economic Area and believe your data has been processed unlawfully, you have the right to lodge a complaint with your local data protection authority (DPA).