Little Birdie – Privacy Policy

Last updated: September 24, 2025

This Privacy Policy explains how Macrospecs, Inc. (“Little Birdie,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our iOS application, website(s), in‑app forum, and related services (collectively, the “Services”). By using the Services, you agree to this Privacy Policy.

Summary (plain language)
Little Birdie is an audio‑first mobile web browser. You need an account (email‑based or social login). When you ask us to read a page, we extract the text, optionally pre‑process it with an LLM, generate audio with TTS, and cache both the text and audio on our servers (in the United States). We may re‑use the same audio for other users if—and only if—the URL is the same and the page content hash matches (meaning the content is identical). Account info is encrypted at rest; page text and audio are not encrypted at rest. You can delete your account and associated stored data, and we complete deletion within 30 days (with 30‑day backup retention). We do not sell your personal information.

1. Who we are & scope

Controller: Macrospecs, Inc. (headquartered in California, United States).
Contact: help@getlittlebirdie.com
Scope: This policy covers our iOS app, websites, support channels, and the community forum.

This document is for transparency and compliance purposes and is not legal advice.

2. Information we collect

A. Account & identity

Email address (required), collected directly or via social login (Sign in with Apple, Google, or Facebook).
Firebase Authentication identifiers/tokens and an internal user ID tied to your account.

B. Content & audio (to provide the core service)

Page URLs you ask us to read.
Extracted page text (verbatim), and where applicable LLM‑processed text used to create “podcast‑style” audio.
Generated audio files for those URLs.
Content hash used to confirm whether a given URL’s content is identical to a cached version.
These data (URL, text, audio, hash) are linked to your account and retained as described in Section 7.

We do not upload or collect your general browsing history. We only process the specific pages you instruct the app to read.

C. Device, app & network

Device model, OS version, app version, language, time zone, IP address at request time, and basic in‑app events (feature usage, playback minutes).
Crash reporting: We rely on Apple’s default crash reporting.

D. Payments & subscriptions

Apple In‑App Purchase (IAP) transaction status (we do not receive your full payment card details).

E. Support & forum

Support communications you send to us (including optional screenshots or logs you choose to share).
Forum (Discourse, self‑hosted by us): A randomly generated forum account may be created so you can post. Forum posts are public by nature.

F. Website cookies/SDKs

On our websites, we use cookies/analytics for operations and performance. In the app, we use analytics SDKs (no browser cookies).

3. How we use information

Provide and improve the Services

Convert web pages to audio (verbatim or LLM “podcast” mode), stream audio, power history/“finish listening,” and queues.
Caching & re‑use: We may serve previously generated audio to other users only when (i) the URL is identical and (ii) the content hash matches—ensuring the underlying page content is exactly the same. No user account details are included in cached audio.

Operations, security, and analytics

Operate, maintain, secure, and debug the Services; prevent abuse and fraud.
Measure aggregate usage to improve reliability and prioritize features.
Process crash information via Apple’s default crash reporting.

Communications

Essential account and transactional messages (e.g., subscription status, service notifications).
Marketing emails and push tips (you can opt out at any time in‑app and via email links).

Legal

Comply with legal obligations and enforce our terms.

We do not sell your personal information. We also do not “share” personal information for cross‑context behavioral advertising.

4. AI, LLM, and TTS processing

LLM pre‑processing: When enabled, extracted page text is sent to our LLM provider(s) to create a podcast‑style script.
Text‑to‑Speech (TTS): Text (verbatim or LLM‑processed) is sent to TTS provider(s) to generate audio.
Vendor settings: We configure LLM/TTS providers to disable retention/training of your content for their own purposes.
Data minimization: We send only page text needed for processing—no user identifiers, tokens, or passwords.
Caching: We store resulting audio, associated URL, and a content hash for performance and re‑use as described above.

5. Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, our legal bases include: Contract (to provide the Services you request), Legitimate interests (service reliability, security, analytics, and caching/re‑use of identical content), Consent (where required), and Legal obligation.

6. Sharing & disclosures

Service providers (processors)

We use vendors to operate the Services. These providers are contracted to protect data and process it only on our instructions:

Authentication: Firebase Authentication (Google)
Analytics: Mixpanel; Amplitude; Google Analytics
LLM/TTS: OpenAI; Google Cloud Text‑to‑Speech; Microsoft Azure Cognitive Services; Amazon Polly
Infrastructure/CDN/Email: US‑based cloud infrastructure and communications providers
Forum: Discourse (self‑hosted by us)

Other disclosures

Legal/safety: If required by law or to protect rights, safety, and security.
Business transfers: In connection with a merger, acquisition, or asset sale (we will notify you where required).

7. Data retention

Extracted page text, generated audio, URL & content hash: Retained indefinitely and linked to your account—until your account is deleted.
Account and operational data: Retained for the period necessary for the purposes described, then deleted or de‑identified.
Backups: Deleted data may remain in backups for up to 30 days.
Item‑level deletion: Not currently available. (Deleting your account removes associated stored data, subject to backup window.)

We complete account deletion within 30 days of a verified request.

8. Security

In transit encryption: TLS for data in transit.
At rest: Account information (e.g., email and links to content) is encrypted at rest. Extracted page text and generated audio are not encrypted at rest.
Access controls & monitoring: Role‑based staff access and auditing.
Credentials: Website passwords/cookies remain on your device; we do not store them on our servers.

No method of transmission or storage is 100% secure; we continuously improve our safeguards.

9. Your choices & rights

Account & data deletion: Request Account Deletion in‑app or by contacting us. We verify requests and delete associated stored data (including server‑stored text/audio and URL/hash records) within 30 days, subject to the 30‑day backup window.
Access/portability: Request a copy of your personal data.
Correction: Update your account email (or contact support).
Marketing controls: Opt out of marketing emails and push tips at any time.
Regional rights: Where applicable (e.g., EEA/UK/US states), you may have additional rights (e.g., restriction, objection, appeal). Contact us to exercise rights.

10. Forum & user‑generated content

We create an anonymous forum identity (random ID).
Posts and replies are public and may be indexed by search engines. Consider what you share.
The forum software (Discourse, self‑hosted) typically logs IP addresses and timestamps for moderation/security under its default configuration; we retain such logs as needed for these purposes.
You may delete your posts; copies can remain in backups for up to 30 days.

11. International data transfers

We process and store data in the United States. Where required for cross‑border transfers, we use appropriate safeguards (e.g., Standard Contractual Clauses).

12. Children

The Services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact help@getlittlebirdie.com and we will delete it.

13. Do Not Track & platform disclosures

Do Not Track: Industry standards are evolving; we currently do not respond to DNT signals on the web. You can manage analytics/cookie preferences where offered.
App privacy labels: On iOS, we disclose data categories such as Contact Info (email), Identifiers, Usage Data, and Diagnostics, and indicate which data are linked to you in the App Store listing.

14. Changes to this policy

We will update this Policy as our Services evolve. Material changes will be notified in‑app and/or by email, and the “Last updated” date will change.

15. Contact us

Questions or requests: help@getlittlebirdie.com

16. US State Privacy Addendum (including California)

This section supplements the Privacy Policy for residents of US states with comprehensive privacy laws (e.g., California, Colorado, Connecticut, Utah, Virginia).

Categories collected

Identifiers: Email; internal user ID; device identifiers; IP address at request time.
Internet/Network activity: Page requests you ask us to read; feature usage; playback telemetry; forum usage.
Audio information: Generated audio that we create for you.
Geolocation: Coarse location derivable from IP (we do not collect precise GPS).
Commercial information: IAP subscription status (from Apple).
Inferences: We do not create marketing or advertising profiles.
Sensitive personal information: Not intentionally collected.

Sources & purposes

We collect directly from you and your devices, and from service providers (e.g., auth, analytics). Purposes include operating and improving the Services, security/fraud prevention, analytics, support, and legal compliance.

Disclosures for business purposes

We disclose personal information to service providers (processors) as listed in Section 6, under contracts that limit their use to providing services to us.

“Sale” and “sharing” (CPRA)

We do not sell personal information and do not share personal information for cross‑context behavioral advertising.

Your state privacy rights

Depending on your state, you may have the right to know/access, correct, delete, opt‑out of sale/sharing, access portability, and appeal a decision.

To exercise rights, contact help@getlittlebirdie.com.
We will verify your request and respond as required by applicable law.
Non‑discrimination: We will not discriminate against you for exercising your rights.

17. EEA/UK Privacy Rights (GDPR)

If GDPR/UK GDPR applies, you have the right to request access, rectification, erasure, restriction, objection (including to processing based on legitimate interests), portability, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority. To exercise rights, contact help@getlittlebirdie.com.

18. Sub‑processors (key providers)

We rely on the following categories of sub‑processors to deliver the Services (US‑hosted unless noted). This list may change as we improve the Service:

Authentication: Firebase Authentication (Google)
Analytics: Mixpanel; Amplitude; Google Analytics
LLM: OpenAI
TTS: Google Cloud Text‑to‑Speech; Microsoft Azure Cognitive Services; Amazon Polly
Infrastructure/CDN/Email: Cloud and email providers used for hosting, storage, and communications (US)
Forum: Discourse (self‑hosted by us)

We seek to configure AI/TTS providers with no training/retention of your content for their own purposes.