#Privacy & Your Data
The short version: your data is yours, it stays yours, and nobody else gets to rummage through it. The long version follows, because privacy deserves more than a slogan.
#What It Does
ambientChat takes a fundamentally simple position on privacy: the data you put into the app belongs to you, is accessible only to you, and exists to serve you. There's no advertising model, no data marketplace, and no shadowy third party getting a copy of your grocery receipts.
Your inventory, documents, chat history, and location data are stored in a secure cloud account protected by Firebase Authentication and Firestore security rules. These rules enforce that each user can only read and write their own data — not just as a policy, but as a technical constraint enforced at the database level. Even if someone managed to guess your document IDs, the database itself would refuse to hand over the data. It's like having a bank vault that checks your ID at the molecular level.
When you talk to the AI, your context (inventory, location, conversation history) is sent to whichever AI provider you've selected — OpenAI, Google Gemini, or Anthropic Claude — to generate a response. This is necessary for the AI to be useful, but the data is sent per-request and is subject to each provider's data handling policies. You control which AI provider you use and what context is shared.
#Location Precision
When the AI helps you with something location-aware — identifying a monument in a photo, answering "where did I leave my keys?", searching the web for nearby places — it uses your location. You decide how precise that location is, separately for each kind of AI call:
- 📍 Exact GPS (default) — coordinates like 40.4168°N 3.7038°W plus city and country. Best accuracy; the AI can identify a specific landmark, recommend the closest restaurant, or distinguish two similar places. Trade-off: your precise coordinates leave your phone and reach the AI provider.
- 🏙️ City — city + country (e.g. "Madrid, Spain"). Good balance for most queries — enough for "what monument is this?" without precise coordinates.
- 🌍 Country — country only (e.g. "Spain"). Minimal signal; some location-dependent answers will be less accurate.
- 🚫 Off — no location data sent. Maximum privacy; the AI works blind.
The three independent settings:
| Setting | When it's used |
|---|---|
| Photos (scan) | When the AI looks at a photo or document you scanned |
| Chat | When the AI answers a question referencing your inventory, documents, or context |
| Web search | When the AI calls a web search provider on your behalf |
#Adjusting your precision
- iOS: Account → Privacy → Location precision. Tap any row, pick from the four options.
- Web: Settings → Location precision card. Same three rows.
- Just ask: tell the AI "Send less location info when you search the web" or "Use my exact GPS for photo scanning." It can adjust the settings on your behalf and will surface a notification with an undo whenever it does.
#Defaults
New accounts start at Exact GPS for all three call types — maximum AI utility out of the box. Dial back any time. If the AI changes a setting on your behalf (because the next query would benefit), you'll see a notification with an Undo button.
#How to Manage It — Ask the AI
The fastest way to review or change any privacy setting is to ask the AI in chat:
- "Guide me through the privacy controls for location." → The AI reads your current location-precision settings and offers to change them.
- "What can I control about my privacy?" → The AI lists every privacy-related setting along with what it does.
- "Send less location info when scanning." → The AI changes your scan-precision setting on the spot (with a notification + undo).
- "Who has access to my data?" → The AI reads your third-party context-sharing settings.
- "Hide adult beacons." → The AI updates your beacon-category notification preferences.
This works in regular chat and in voice/Conversation Mode — you don't need to leave the conversation to manage settings. The AI uses MCP tools to read your current state and apply changes, and surfaces every change as a notification with an Undo button so nothing happens behind your back.
#Settings the AI can manage for you
| Setting | What it controls | Default |
|---|---|---|
| Location precision (scan / chat / web search — independent) | What the AI sends about your location — exact GPS, city, country, or off | Exact GPS |
| Voice preferences | TTS voice name, playback speed, auto-speak | Sage, 1.0×, off |
| Beacon notification categories | Which beacon categories (retail, hospitality, adult, etc.) trigger notifications | All on |
| Context sharing | Whether brand/partner apps (Claude Desktop, McCormick, Amazon) can read curated context | All off |
| Profile | Display name, nickname, profile photo, home and work addresses | Empty |
#The GUI is still there if you prefer it
Every setting has a screen too — useful if you want to scan the full list visually.
- iOS: Tap your profile icon → Settings → choose the relevant section (Privacy, Voice Settings, Application Behavior, Context Sharing, Profile)
- Web:
/settings— all settings live on one long scrollable page with anchor links
#Exporting your data
Independent of the privacy settings above, you can download everything ambientChat knows about you. See the Data Export & Import guide for details. In chat: "Export my data."
#Deleting your account
Ask the AI: "Delete my account." The AI runs the pre-flight check, summarizes what will be removed, and creates a pending confirmation that you confirm explicitly. There is no "undo" for account deletion — export your data first if you might want it later.
#MCP Tools Reference
These privacy and settings tools are available via Claude Desktop and other MCP clients:
get_privacy_preferences/update_privacy_preferences— Location precision per AI call typeget_context_sharing/update_context_sharing— Third-party context sharing togglesget_notification_preferences/update_notification_preferences— Beacon category notificationsget_account_deletion_precheck— Pre-flight check before deletionrequest_account_deletion— Request deletion (creates a 5-minute confirmation)export_user_data— Export all your data before deletion
For the full tool reference, see MCP Tools — Complete Reference.
#Tips & Tricks
- Just ask the AI. Anything below — "what's my voice speed?", "who can see my inventory?", "stop the AI from using my exact GPS" — is a one-sentence request away. Voice users especially: you should never have to look at a screen to manage these.
- The AI may adjust ambient settings on its own (with notify + undo). For example, when scanning a monument it may temporarily upgrade your location precision to exact GPS so the identification is accurate. You'll see a notification with an Undo button after the response. Nothing happens silently.
- Per-AI-call independence. "Location precision" isn't one switch — it's three: scan, chat, and web search are independent. You can be precise for landmark identification and coarse for everything else.
- Export before delete. Account deletion is a one-way door — download your data first if you might want it later.
#What Data Is Collected
Here's a transparent breakdown:
| Data Type | Stored Where | Who Can Access |
|---|---|---|
| Inventory items | Firebase (your account) | Only you |
| Documents (receipts, manuals, etc.) | Firebase (your account) | Only you |
| Chat history | Firebase (your account) | Only you |
| Location trails (if enabled) | Firebase (your account) | Only you |
| Beacon visit history | Firebase (your account) | Only you |
| AI provider interactions | Sent per-request to selected provider | You + AI provider (per their policies) |
| Usage metrics | Aggregate analytics | anonymized, not personally identifiable |
| Account info (email, auth) | Firebase Authentication | Firebase infrastructure |
#What Is NOT Collected
- Your data is not sold to third parties. Ever.
- There is no ad targeting based on your inventory or location.
- Your specific items, documents, and conversations are not used to train AI models by ambientChat. (Individual AI providers have their own training data policies — review them if this matters to you.)
- No third party gets your data by default. Context sharing is strictly opt-in.
#Known Limitations
- AI providers receive your context per-request. When you ask a question, the selected AI model (OpenAI, Gemini, or Claude) receives the context needed to answer. This is how AI works — it needs your data to help you. Each provider has its own data retention and training policies, which are outside ambientChat's control.
- Aggregate analytics are collected for service improvement. Things like "how many users scanned a barcode today" or "average response time for chat queries." These are anonymized and don't identify you personally, but they do exist.
- Account deletion is irreversible. Once deleted, your data cannot be recovered. There is no 30-day grace period, no recycle bin, no "are you really sure?" email three weeks later. It's gone.
- Firebase security rules are the enforcement layer. Privacy isn't just a promise — it's enforced by database rules that physically prevent cross-user data access. But like any system, it depends on correct configuration. Security rules are regularly reviewed and tested.
#Version History
| Version | Date | What Changed |
|---|---|---|
| 1 | 2026-03-01 | Initial guide |
| 2 | 2026-05-19 | Rewrote "How to Use It" → "Ask the AI" tool-first framing. Replaced stale screen breadcrumbs that referenced non-existent paths. Added the Settings table reflecting the actual MCP-controllable settings post-AMB-176 / AMB-224. Removed the "AI Provider = Gemini" default claim (that's no longer accurate — the user picks per conversation). |
| 3 | 2026-06-07 | Terminology: settings screen labeled "Web" not "Admin web" (the web interface) |