Privacy Policy

Last updated: 7 May 2026 · Effective: 7 May 2026

This policy explains what JustSay ("we", "the app") collects, how we use it, and the choices you have. The aim is plain language. If anything's unclear, email us at the address at the bottom — we'll fix it.

Quick summary. JustSay is a voice keyboard. We collect what's needed to run it: your email, your transcription session metadata (counts and durations, not the text), and your plan. When you record audio, the audio is sent to OpenAI for transcription — we don't keep a copy after we get the transcript back. The transcript itself is not stored on our servers either; it goes straight back to your phone. You can delete your account and all data at any time.

1. Who we are

JustSay is operated by an independent developer based in the European Union. The data controller for the purposes of GDPR is the operator listed at the bottom of this page. For any data-related question please use the contact email below.

2. What we collect

2.1 Account information

Email address — required to sign in and to recover access.
Display name — optional; from your Google profile if you sign in with Google.
Password — stored only as a bcrypt hash; we cannot read your password.
Google account identifiers (if you use Google sign-in) — your Google subject ID, email, name, and avatar URL. We do not request or store any other Google profile field.
Account timestamps — when you signed up and last signed in.
Plan — Free / Premium / Complimentary, plus the trial-end and paid-until dates.

2.2 Transcription session metadata

For each time you tap the mic, we record:

Duration in seconds — to apply the monthly minute cap.
Character count of the returned transcript — for usage analytics.
Detected language (e.g. en, fr) — Whisper returns this.
Whether the cleanup pass was applied.
Plan in effect at the time.
Success / failure flag and a short error string if it failed.
Timestamp.

We do NOT store the transcribed text. The text goes from the OpenAI API straight back to your device, and we keep only the metadata above.

2.3 Audio

When you press and hold the mic, audio is recorded locally on your device. On release, the file is uploaded to our server, immediately forwarded to the OpenAI Whisper API for transcription, and deleted from our server within seconds. We do not store audio recordings.

2.3a Clipboard (voice commands only)

When you use the ✨ voice-command button, JustSay reads the system clipboard so the command can operate on text you've copied (a message you're replying to, an article you're summarising, etc.). The clipboard contents are sent to OpenAI alongside your spoken command and treated the same way as any other transformed text — not stored on our servers. The microphone-only path (the 🎤 button) never touches the clipboard.

Android may show a system Toast saying "JustSay accessed the clipboard" the first time this happens — that's a system-level notification, not anything we control.

2.4 What we do NOT collect

The text you type or dictate beyond the metadata above.
Hardware identifiers (IMEI, advertising ID, MAC address).
Your contacts, photos, location, calendar, or call history.
Anything from other apps on your device.
Background audio. The microphone is only active while you actively hold the mic button.
Keystrokes from your other keyboard or any text typed when JustSay is not the active input method.

3. How we use this data

Strictly to run the app:

Sign you in and keep you signed in.
Transcribe your audio and (on Premium / trial) clean up the transcript.
Show you usage information ("you've used 24 of 60 minutes this month").
Enforce the monthly cap.
Diagnose problems when you report them.
Compute aggregate metrics (total transcribed minutes across all users, error rates) for capacity planning. These contain no personal content.

We do not sell your data. We do not show advertising. We do not profile you for marketing. We do not use your audio or transcripts to train any model.

4. Third-party processors

JustSay relies on a small number of third parties to function. They process your data on our behalf, under their own privacy policies.

4.1 OpenAI

Important: Every time you tap the mic, your audio is sent to OpenAI to be transcribed. On Premium (and during the free trial), the resulting transcript is also sent to OpenAI's chat API for the cleanup pass and (when you use the command button) for the text transformation. Treat OpenAI as a recipient of any content you dictate or operate on with the command button.

OpenAI Whisper — transcribes audio to text. Audio is sent, transcript returned.
OpenAI Chat Completions (gpt-4o-mini) — applies the cleanup pass and runs voice commands.

OpenAI's policy on data handling for API customers is summarised at openai.com/policies/api-data-usage-policies. At time of writing, OpenAI states that API content is not used to train their models and is retained only for abuse-monitoring purposes for up to 30 days. We have no control over this — read their policy directly.

OpenAI processes data in the United States. By using JustSay you accept that your audio and transcripts are transferred to the US.

4.2 Google

Google Sign-In — if you choose Continue with Google, Google authenticates you and provides us with your email, name, profile picture URL, and a stable subject ID. Standard OAuth flow. See Google Privacy Policy.
Google Play Billing (when launched on the Play Store) — handles subscription payments. We do not see your card or bank details.
Firebase Crashlytics — collects crash reports from the app. The crash payload contains a stack trace and device model, and may incidentally include short fragments of in-flight transcripts when a crash happens mid-request. We use this only to fix bugs.

4.3 Hosting

The application server runs on a virtual private server provided by a commercial hosting provider in the European Union.

5. Where data is stored

Application data (your account, transcription session metadata, plan info) is stored in a MariaDB database on a single server in the European Union. Audio uploads live for at most a few seconds in a temporary directory before being forwarded to OpenAI and deleted.

6. How long we keep data

Account data: until you delete your account. After deletion: removed within 30 days from active databases.
Transcription session metadata: kept indefinitely as anonymous-from-content metrics. Contains no transcript text.
Audio uploads: deleted within seconds of receipt — they exist only long enough to forward to OpenAI.
Trial-grant fingerprint: a one-way SHA-256 hash of your sign-in identifier (email or Google subject ID, combined with a server-side secret) is kept indefinitely after you delete your account. It exists solely to prevent the same identifier from claiming a fresh free trial after every deletion. The hash cannot be reversed to recover your email — it's a fingerprint, not a record. This is the same pattern used by Spotify, Netflix, Apple, and most other apps with a free trial.
Server access logs: up to 30 days.

7. Your rights

If you live in the European Economic Area, the United Kingdom, or California (or anywhere with similar legislation), you have the following rights regarding your personal data:

Access — ask us what we hold about you.
Rectification — fix anything that's wrong.
Erasure — have your data deleted ("right to be forgotten"). The fastest path: open the JustSay app → Account card → Delete account. Or email us if you can't access the app.
Portability — receive a machine-readable export. Email us.
Restriction / Objection — limit or object to certain processing. Email us.
Withdraw consent — sign out, uninstall, or delete the account.
Lodge a complaint — with your local supervisory authority if you believe we're handling your data incorrectly.

We respond to requests within 30 days. We may ask for proof that you're the account holder (e.g. a sign-in from your registered email).

8. Children

JustSay is not directed at children under 13 (16 in some EU jurisdictions). We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.

9. Security

We use HTTPS for all connections, bcrypt for password storage, HttpOnly + Secure session cookies, and standard server hardening. We are a small team without a formal security audit. Treat the private beta as such — please don't share secrets you wouldn't be comfortable losing in the unlikely event of a breach. We will disclose any confirmed breach to affected users within 72 hours where required by law.

10. Changes to this policy

If we change something material — a new third party, a new data type collected, a change in retention — we'll update the "Last updated" date and notify you in the app. Continuing to use the app after a change means you accept the updated policy.

11. Contact

Email: hello@clearlogicassist.com

For data-protection requests specifically, mention "GDPR" or "data request" in the subject. We aim to respond within 7 working days, 30 calendar days at the outside.

This policy is provided in good faith but is not a substitute for legal advice tailored to your jurisdiction. If you find a wording that contradicts the actual behaviour of the app, that's a bug — please report it.