#Privacy & Your Data

The short version: your data is yours, it stays yours, and nobody else gets to rummage through it. The long version follows, because privacy deserves more than a slogan.

#What It Does

ambientChat takes a fundamentally simple position on privacy: the data you put into the app belongs to you, is accessible only to you, and exists to serve you. There's no advertising model, no data marketplace, and no shadowy third party getting a copy of your grocery receipts.

Your inventory, documents, chat history, and location data are stored in a secure cloud account protected by Firebase Authentication and Firestore security rules. These rules enforce that each user can only read and write their own data — not just as a policy, but as a technical constraint enforced at the database level. Even if someone managed to guess your document IDs, the database itself would refuse to hand over the data. It's like having a bank vault that checks your ID at the molecular level.

When you talk to the AI, your context (inventory, location, conversation history) is sent to whichever AI provider you've selected — OpenAI, Google Gemini, or Anthropic Claude — to generate a response. This is necessary for the AI to be useful, but the data is sent per-request and is subject to each provider's data handling policies. You control which AI provider you use and what context is shared.

#Location Precision

When the AI helps you with something location-aware — identifying a monument in a photo, answering "where did I leave my keys?", searching the web for nearby places — it uses your location. You decide how precise that location is, separately for each kind of AI call:

  • 📍 Exact GPS (default) — coordinates like 40.4168°N 3.7038°W plus city and country. Best accuracy; the AI can identify a specific landmark, recommend the closest restaurant, or distinguish two similar places. Trade-off: your precise coordinates leave your phone and reach the AI provider.
  • 🏙️ City — city + country (e.g. "Madrid, Spain"). Good balance for most queries — enough for "what monument is this?" without precise coordinates.
  • 🌍 Country — country only (e.g. "Spain"). Minimal signal; some location-dependent answers will be less accurate.
  • 🚫 Off — no location data sent. Maximum privacy; the AI works blind.

The three independent settings:

Setting When it's used
Photos (scan) When the AI looks at a photo or document you scanned
Chat When the AI answers a question referencing your inventory, documents, or context
Web search When the AI calls a web search provider on your behalf

#Adjusting your precision

  • iOS: Account → Privacy → Location precision. Tap any row, pick from the four options.
  • Web: Settings → Location precision card. Same three rows.
  • Just ask: tell the AI "Send less location info when you search the web" or "Use my exact GPS for photo scanning." It can adjust the settings on your behalf and will surface a notification with an undo whenever it does.

#Defaults

New accounts start at Exact GPS for all three call types — maximum AI utility out of the box. Dial back any time. If the AI changes a setting on your behalf (because the next query would benefit), you'll see a notification with an Undo button.

#How to Manage It — Ask the AI

The fastest way to review or change any privacy setting is to ask the AI in chat:

  • "Guide me through the privacy controls for location." → The AI reads your current location-precision settings and offers to change them.
  • "What can I control about my privacy?" → The AI lists every privacy-related setting along with what it does.
  • "Send less location info when scanning." → The AI changes your scan-precision setting on the spot (with a notification + undo).
  • "Who has access to my data?" → The AI reads your third-party context-sharing settings.
  • "Hide adult beacons." → The AI updates your beacon-category notification preferences.

This works in regular chat and in voice/Conversation Mode — you don't need to leave the conversation to manage settings. The AI uses MCP tools to read your current state and apply changes, and surfaces every change as a notification with an Undo button so nothing happens behind your back.

#Settings the AI can manage for you

Setting What it controls Default
Location precision (scan / chat / web search — independent) What the AI sends about your location — exact GPS, city, country, or off Exact GPS
Voice preferences TTS voice name, playback speed, auto-speak Sage, 1.0×, off
Beacon notification categories Which beacon categories (retail, hospitality, adult, etc.) trigger notifications All on
Context sharing Whether brand/partner apps (Claude Desktop, McCormick, Amazon) can read curated context All off
Profile Display name, nickname, profile photo, home and work addresses Empty

#The GUI is still there if you prefer it

Every setting has a screen too — useful if you want to scan the full list visually.

  • iOS: Tap your profile icon → Settings → choose the relevant section (Privacy, Voice Settings, Application Behavior, Context Sharing, Profile)
  • Web: /settings — all settings live on one long scrollable page with anchor links

#Exporting your data

Independent of the privacy settings above, you can download everything ambientChat knows about you. See the Data Export & Import guide for details. In chat: "Export my data."

#Deleting your account

Ask the AI: "Delete my account." The AI runs the pre-flight check, summarizes what will be removed, and creates a pending confirmation that you confirm explicitly. There is no "undo" for account deletion — export your data first if you might want it later.

#MCP Tools Reference

These privacy and settings tools are available via Claude Desktop and other MCP clients:

  • get_privacy_preferences / update_privacy_preferences — Location precision per AI call type
  • get_context_sharing / update_context_sharing — Third-party context sharing toggles
  • get_notification_preferences / update_notification_preferences — Beacon category notifications
  • get_account_deletion_precheck — Pre-flight check before deletion
  • request_account_deletion — Request deletion (creates a 5-minute confirmation)
  • export_user_data — Export all your data before deletion

For the full tool reference, see MCP Tools — Complete Reference.

#Tips & Tricks

  • Just ask the AI. Anything below — "what's my voice speed?", "who can see my inventory?", "stop the AI from using my exact GPS" — is a one-sentence request away. Voice users especially: you should never have to look at a screen to manage these.
  • The AI may adjust ambient settings on its own (with notify + undo). For example, when scanning a monument it may temporarily upgrade your location precision to exact GPS so the identification is accurate. You'll see a notification with an Undo button after the response. Nothing happens silently.
  • Per-AI-call independence. "Location precision" isn't one switch — it's three: scan, chat, and web search are independent. You can be precise for landmark identification and coarse for everything else.
  • Export before delete. Account deletion is a one-way door — download your data first if you might want it later.

#What Data Is Collected

Here's a transparent breakdown:

Data Type Stored Where Who Can Access
Inventory items Firebase (your account) Only you
Documents (receipts, manuals, etc.) Firebase (your account) Only you
Chat history Firebase (your account) Only you
Location trails (if enabled) Firebase (your account) Only you
Beacon visit history Firebase (your account) Only you
AI provider interactions Sent per-request to selected provider You + AI provider (per their policies)
Usage metrics Aggregate analytics anonymized, not personally identifiable
Account info (email, auth) Firebase Authentication Firebase infrastructure

#What Is NOT Collected

  • Your data is not sold to third parties. Ever.
  • There is no ad targeting based on your inventory or location.
  • Your specific items, documents, and conversations are not used to train AI models by ambientChat. (Individual AI providers have their own training data policies — review them if this matters to you.)
  • No third party gets your data by default. Context sharing is strictly opt-in.

#Known Limitations

  • AI providers receive your context per-request. When you ask a question, the selected AI model (OpenAI, Gemini, or Claude) receives the context needed to answer. This is how AI works — it needs your data to help you. Each provider has its own data retention and training policies, which are outside ambientChat's control.
  • Aggregate analytics are collected for service improvement. Things like "how many users scanned a barcode today" or "average response time for chat queries." These are anonymized and don't identify you personally, but they do exist.
  • Account deletion is irreversible. Once deleted, your data cannot be recovered. There is no 30-day grace period, no recycle bin, no "are you really sure?" email three weeks later. It's gone.
  • Firebase security rules are the enforcement layer. Privacy isn't just a promise — it's enforced by database rules that physically prevent cross-user data access. But like any system, it depends on correct configuration. Security rules are regularly reviewed and tested.

#Version History

Version Date What Changed
1 2026-03-01 Initial guide
2 2026-05-19 Rewrote "How to Use It" → "Ask the AI" tool-first framing. Replaced stale screen breadcrumbs that referenced non-existent paths. Added the Settings table reflecting the actual MCP-controllable settings post-AMB-176 / AMB-224. Removed the "AI Provider = Gemini" default claim (that's no longer accurate — the user picks per conversation).
3 2026-06-07 Terminology: settings screen labeled "Web" not "Admin web" (the web interface)