Privacy Policy

MAX AI Companion is currently operated by Dexter Enriquez as an individual developer. Dexter Enriquez acts as the personal information controller for MAX until a legal entity is formed or another controller is formally designated.

Jorge Dollisen serves as Data Protection Officer for MAX AI Companion and may be contacted at privacy@maxaicompanion.com.

MAX is currently in closed beta testing. During beta, we process tester data to provide the app, verify safety and reliability, improve AI behavior, troubleshoot bugs, handle account and subscription flows, and prepare MAX for public release. Beta testers should avoid sharing more sensitive information than necessary to test the app.

We collect the following information to provide and improve the MAX AI Companion experience:

- Display name: Used to personalize your conversations with MAX. - Language preference: Used to deliver content in your chosen language. - Date of birth: Used solely for age verification. You must be at least 18 years old to use MAX. - Emergency contact, optional: Stored securely on your device using encrypted storage. Never transmitted to our servers. - Account credentials: Email and password managed by Supabase. - Account, preference, consent, and entitlement records: Used to manage onboarding, privacy choices, settings, subscription status, and account deletion. - Beta feedback and support messages: Used to investigate issues and improve MAX when you choose to send feedback or contact us.

Before you can use online AI features, MAX asks in the app for your permission to send personal data to named third-party AI services through our secure Supabase Edge Function proxy.

What may be sent:

- Typed messages and recent conversation context for chat responses and safety moderation. - Recent user messages used to create distilled profile or memory entries. - Voice recordings when you choose to use voice mode, for speech-to-text transcription. - AI response text, selected voice, and language hint when you use cloud text-to-speech.

Who receives it:

- OpenAI receives chat, moderation, profile-extraction, and Whisper transcription requests. - xAI/Grok Voice receives response text, voice selection, and language hints for cloud text-to-speech. - Supabase processes authentication, request routing, and server-side proxy operations for these features.

Why it is used: We use this data only to provide requested AI replies, safety checks, voice transcription, personalization/memory features, and spoken playback. We do not sell this data and do not use it for third-party advertising. We use third-party providers only where we have reviewed their published privacy and security commitments and believe they provide the same or equal protection required by our Privacy Policy and app store rules.

If you do not want this data sent to third-party AI services, do not accept the online AI consent. Offline mode, when available, does not send conversation data to third-party AI services.

Your conversations with MAX are stored on your device using local file storage. We do not maintain a central database of full conversation transcripts.

When you use MAX in online mode, your messages are transmitted transiently through our secure server-side proxy, Supabase Edge Functions, to OpenAI's API to generate AI responses. Our servers do not intentionally store or log full conversation content. OpenAI's data usage policies apply to messages processed by their API.

When you use MAX in offline mode, all processing happens locally on your device. No conversation data is transmitted to any third party.

MAX may create distilled personalization data from your conversations so it can remember useful context across sessions. This may include topics you discuss, people or relationships you mention, preferences, emotional patterns, growth milestones, short summaries, and relationship-graph entries.

When online profile extraction is used, recent user messages may be sent through our Supabase Edge Function proxy to OpenAI to generate this distilled profile data. Our extraction prompt instructs the AI not to copy raw conversation quotes, health diagnoses, medication names, or sexually explicit content into the profile.

You can view, delete individual memory items, or clear your profile from Settings.

When you use voice mode in MAX, your device's microphone records your speech and the audio is transmitted to OpenAI's Whisper API through our secure server-side proxy for transcription into text.

What we do:

- Capture audio only while you actively use voice mode. Audio is not captured at any other time. - Transmit the audio recording to OpenAI's Whisper API for speech-to-text transcription. - Receive the transcribed text back and display it in your conversation. The transcribed text then follows the same path as a typed message.

What we do not do:

- We do not store voice recordings on our servers. - We do not record or transmit ambient audio outside of an active voice session. - We do not use voice recordings for any purpose other than transcription.

When MAX reads a response aloud using cloud text-to-speech, the response text, selected voice, and language hint are transmitted through our secure server-side proxy to xAI's Grok Voice/Text-to-Speech API to generate audio. We do not send your microphone recordings to xAI for this text-to-speech feature.

OpenAI's privacy policy is at https://openai.com/policies/privacy-policy. xAI publishes privacy information at https://x.ai/legal/privacy-policy.

MAX uses the following third-party services to deliver its features. Your data is shared with these services only as described in this policy:

- OpenAI: Chat responses, moderation, profile extraction, and Whisper voice transcription. - xAI/Grok Voice: Cloud text-to-speech for spoken MAX responses. - Supabase: Authentication, user profiles, privacy choices, entitlement records, analytics events, and secure proxy operations. - Sentry: Crash reports and error traces for app stability monitoring. No personally identifiable information or conversation content is intentionally included. - RevenueCat, Apple, and Google: Subscription, entitlement, and purchase-status management where applicable. We do not receive full payment card numbers from Apple or Google.

During closed beta, iOS access may be limited by Apple's TestFlight availability period, generally up to 90 days from the date a build is uploaded. This app availability period does not, by itself, delete all personal data from our service providers or from your device.

Beta account data, profile data, preferences, privacy consent records, subscription or entitlement records, and related server-side records are retained for the duration of the beta and up to 30 days after the beta ends, unless you delete your account earlier or we notify you and obtain any required consent to carry your account into production.

Conversations are retained on your device for up to 90 days or a maximum of 200 conversations, whichever limit is reached first. At 80% capacity, you will receive a notification with the option to clear older conversations. When limits are reached, the oldest conversations are automatically pruned with prior notification.

You can delete individual conversations or all conversation data at any time from Settings > Conversation History. Deleting your account removes server-side account data where technically and legally feasible. On-device data is cleared when you uninstall the app or use the delete all option.

MAX includes safety features that detect messages indicating a potential crisis. Crisis detection processing happens on your device. Individual crisis trigger content is never transmitted to our servers.

We collect only anonymous, aggregate crisis detection counts to monitor system safety. These aggregate counts contain no personally identifiable information and cannot be linked to any individual user or conversation.

We use privacy-preserving analytics events through Supabase and crash/error reporting through Sentry. Analytics events may include app opens, session start and end, voice-mode usage, speech-to-text provider routing, response flag categories, onboarding screen counts, and similar operational metrics.

Analytics events do not intentionally include account email, names, raw message content, audio recordings, emergency contact details, or crisis message text. If you opt in to cohort-based retention analytics, the app may use a random cohort token that is not derived from your account, device ID, or conversation content.

We do not use third-party advertising analytics, tracking pixels, or behavioral profiling of any kind.

We take the security of your data seriously:

- Data in transit: All communication between the app and our servers uses TLS 1.2 or higher encryption. - Data at rest, device: Conversations are protected by your device's built-in encryption. Sensitive data such as authentication tokens and emergency contacts are stored using encrypted secure storage. - API key isolation: Third-party API keys are stored server-side only. The app never contains third-party API credentials. - Row-level security: Server-side data is protected by row-level security policies where applicable.

Under the Philippine Data Privacy Act, Republic Act No. 10173, and applicable data protection laws, you have rights to access, correction, erasure, objection, and data portability. To exercise these rights, contact privacy@maxaicompanion.com or use the account deletion feature in Settings.

MAX AI Companion is not intended for users under 18 years of age. We enforce age verification through a date of birth check during account creation. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact privacy@maxaicompanion.com and we will promptly delete the account.

When using MAX in offline mode, no data is sent to any third-party AI service. All conversation processing uses locally stored response patterns on your device. Crisis detection in offline mode uses on-device keyword matching only. Text-to-speech in offline mode uses your device's built-in speech synthesis.

MAX AI Companion processes personal data in accordance with Republic Act No. 10173, the Data Privacy Act of 2012, and its implementing rules and regulations. For inquiries related to data privacy, you may contact the National Privacy Commission at https://privacy.gov.ph.

We may update this Privacy Policy from time to time. Changes will be posted within the app with an updated effective date. Continued use of MAX after changes are posted constitutes acceptance of the updated policy.

For privacy inquiries or to exercise your data rights, contact Jorge Dollisen, Data Protection Officer, at privacy@maxaicompanion.com.

Dexter Enriquez is the current personal information controller for MAX AI Companion until a legal entity is formed or another controller is formally designated.