Privacy Policy

Effective: 12 May 2026

BetaSuite ("we", "us") provides the BetaSuite mobile app ("the App"). The App is built local-first: feedback entries, recordings, photos, and project data live on your device by default and never leave it unless you choose to use a feature that involves an outside service.

Where you do choose such a feature (cloud sync, AI analysis, weather overlay), data is sent directly from your device to that service. Each service is responsible for its own processing under its own privacy policy. We link to those policies in section 4. We process your personal information in accordance with applicable privacy and data-protection laws in your country of residence.

1. What we collect, where it lives

On-device only

Feedback entries, notes, voice memos, photos, videos, screen recordings, project data, markers, sessions, and auto-populated device context (model, OS, app version, optional battery / network state when you enable that toggle). All stored on your device, encrypted at rest using AES via the device secure-storage keychain.

Sent to a third party only when you use that feature

Coordinates → weather provider; files you choose to upload → your own cloud storage account; prompts you choose to process → your selected AI provider; anonymised crash reports → analytics provider when analytics is enabled. See sections 2–4 for detail.

What we never collect

We do not run a backend that stores your account data. We have no access to your cloud storage, your AI requests, or the contents of your feedback entries. We do not sell or trade personal information. We do not run advertising and do not track you across other apps or websites.

2. Cloud sync (optional)

If you connect Google Drive, OneDrive, or iCloud, files you choose to upload are sent from your device to your own account at that provider via standard authentication. We do not see, store, or proxy these uploads. Disconnect the account at any time in Settings → Storage.

3. Weather and analytics (optional)

Weather overlay

Coordinates are sent to a weather provider to retrieve local conditions. On iOS 16+ the default provider is Apple WeatherKit; otherwise the App falls back to OpenWeatherMap or Open-Meteo. No identifier is sent — only the coordinates needed for the lookup.

• Apple WeatherKit privacy notice
• OpenWeatherMap privacy policy
• Open-Meteo terms

Crash analytics

When analytics is enabled (off by default), anonymised crash reports and feature events are sent to Firebase / Google. No feedback content, recordings, or personally identifiable information is included.

4. AI features

AI features are on by default. The default "BetaSuite Assist" provider is an umbrella that picks the best backend for each task — on-device when your device supports it, cloud when it doesn't. The two backends BetaSuite Assist can call:

Apple on-device (no data leaves your device)

Used first whenever your device supports it.

• Text generation — Apple Intelligence (Foundation Models), iOS 26+ on iPhone 15 Pro / 16 / 17 series. In this path no feedback content leaves your device.
• Speech-to-text — Apple's Speech framework (SFSpeechRecognizer) in on-device mode, iOS 13+ on most modern iPhones. Voice memos and voice notes are transcribed locally — the audio never leaves your device.

Apple publishes a dedicated notice covering Apple Intelligence and Private Cloud Compute: Apple Intelligence & Privacy.

Google Firebase AI (cloud fallback)

Used when on-device routing is unavailable (older iPhone, locale model not installed, or a feature without an on-device path). The specific text or audio you choose to process is sent to Google for inference under the BetaSuite Assist umbrella, and is governed by Google's privacy policy. We do not see or store the request. Google privacy policy.

You can switch to another provider (Anthropic Claude, OpenAI, Google Gemini, DeepSeek, or BetaSuite Default / Pollinations) or turn AI off in Settings → AI Features.

Bring-your-own-key providers

When you supply your own API key for Anthropic Claude, OpenAI, Google Gemini, or DeepSeek, prompts go directly from your device to that provider for inference. The data is governed by that provider's privacy policy and terms. We do not see, store, or relay these requests. Your API key is held in device secure storage (iOS Keychain) and is never transmitted to us.

• Anthropic Claude privacy policy
• OpenAI privacy policy
• Google Gemini API additional terms
• DeepSeek privacy policy

Voice memo and voice note transcription (on-device first, cloud fallback)

Voice memos recorded inside a session — and voice notes attached to markers or feedback entries — are transcribed whenever AI features are enabled and Confidential Mode is off. On iOS 13+ devices that support it, BetaSuite Assist uses Apple's on-device speech recognition (SFSpeechRecognizer with requiresOnDeviceRecognition): the audio never leaves the device, there is no quota, and no network round-trip is involved. When on-device recognition isn't available (older iOS or locale model not installed) the audio falls back to Google Firebase AI (Gemini) under the BetaSuite Assist umbrella and is governed by Google's privacy policy. Transcription is fully blocked in Confidential Mode regardless of routing.

The App also offers an optional post-transcription polish step that removes speech fillers ("um", "uh", "like"), tightens punctuation, and softens crude language before the transcript is shown to you or embedded in a report. This polish call routes through whichever AI provider you have selected and shares its privacy posture — disable AI features in Settings to skip it. Profanity is masked at report-generation time in any case.

Apple requires its own one-time system dialog before the on-device speech recogniser can run. BetaSuite triggers that dialog up-front when you grant the master AI consent (during onboarding, or via Settings → AI Features → Skip AI consent prompts) so you handle both consents in one step rather than being interrupted mid-recording later. If you decline the system dialog, the App silently falls back to cloud transcription via BetaSuite Assist; you can change your mind any time in iOS Settings → Privacy & Security → Speech Recognition.

AI session summaries (automatic)

When you complete a test session, the App generates a short bullet summary of that session's markers, feedback notes, and media using the AI provider you have selected. This happens automatically whenever AI features are enabled and Confidential Mode is off; on Apple Intelligence the inference is on-device. The summary is cached locally on your device and is included in exported reports only if you choose to generate one. You can regenerate or delete a summary at any time from the session detail screen.

Confidential Mode (section 6) blocks every cloud AI provider automatically — only Apple Intelligence and Apple on-device speech recognition (strictly on-device) are permitted while Confidential Mode is active, and any feature whose on-device path is unavailable is skipped entirely rather than falling back to a cloud route.

5. Feature requests

The Feature Requests screen lets you share ideas with the BetaSuite team and the wider tester community. Submissions go to a public GitHub repository (brilt9/betasuite-feedback) where every entry is visible to anyone with internet access. You can browse and upvote ideas in-app without signing in.

What is sent

The title, description, category (Capture / Reports / AI / Sessions / Workflow / Other), the app version, and the OS version. No project, session, recording, photo, location, account, or device-identifier data is included.

Automated redaction (best-effort)

Before submission, your text runs through an on-device redactor. Pattern matching removes emails, phone numbers, IP addresses, URLs that look like they carry tokens, long hex / base64 strings, and Luhn-valid credit-card numbers. On iPhones that support Apple Intelligence, an on-device language model takes a second pass to redact names, addresses, and employer references. On other devices the redactor falls back to Google Firebase AI (Gemini) — in that path your text is sent to Google for inference, governed by Google's privacy policy. Redaction is best-effort, never guaranteed; please review your text before submitting and avoid personal details.

Where it is stored

Each submission becomes a GitHub Issue in the public feedback repository. Anyone can read, comment on, or react to it. Once posted, an entry cannot be deleted from inside the App. To request removal or amendment, contact us via Settings → Contact Us.

Confidential Mode

Feature-request submission is permitted in Confidential Mode after a one-tap acknowledgement. The data flow is identical to non-confidential submission — only the form fields are sent — but the App surfaces an extra dialog so you confirm the public posting explicitly.

How it gets there

Your device POSTs to a Cloudflare Worker that BetaSuite operates. The Worker holds a fine-grained access token scoped only to the feedback repository, so the App never embeds a GitHub credential. The Worker rate-limits per IP and runs a second pass of pattern-matching redaction before posting.

Unrecognised company brand names

When you set up a project, you can pick the company being tested from a built-in registry of brand swatches. If the company isn't in the registry and you type its name as free text, the App posts a brand-add suggestion to the same public feedback repository so we can grow the registry over time. Only the typed brand name is sent (after the same on-device redaction described above), plus the app version and OS version. No project, session, recording, photo, location, or feedback content is included. Brand suggestions are automatically suppressed while Confidential Mode is active so NDA-protected client names never leave the device.

Anonymous community upvote count

When you tap thumbs-up on a request, the App generates a random UUID on first launch (stored in iOS Keychain) and uses it only to dedupe your vote in a Cloudflare Worker counter. The UUID is not your name, email, account, or any device identifier supplied by the OS — it is just random bytes. It is never sent to GitHub. Reinstalling the App generates a new UUID, so a single person could in principle vote again from a fresh install. We accept that as the cost of "no logins, ever".

6. Confidential Mode

When Confidential Mode is active, the App enforces:

• All data stays on your device.
• Cloud sync is disabled.
• All cloud AI providers are blocked. Apple Intelligence (on-device) and Apple on-device speech recognition are permitted; any feature whose on-device path is unavailable on your device is skipped rather than falling back to cloud.
• Feature-request submission (section 5) remains available after a one-tap acknowledgement, since only form fields leave the device.
• A confirmation dialog is required before any share or export action.

Confidential Mode is best-effort enforcement of the App's data-flow paths. It is not a substitute for your own review of where data goes when you take a manual action (e.g. taking a screenshot, sharing via the system sheet after the dialog).

7. International transfers

The third-party services listed in this policy are operated from various countries. When you use such a service, the data you choose to send may be processed in a jurisdiction with different privacy and data-protection laws than the country you live in. Each service's privacy policy (linked above) describes how that service handles transfers and what protections apply.

8. Your rights

You have rights over your personal information under applicable law. Because the App stores data locally, you can exercise most rights directly inside the App:

• View and edit any entry, recording, or project at any time.
• Delete an individual entry, recording, project, or session.
• Wipe all app data (Settings → Data → Wipe all app data) or by uninstalling the App.
• Withdraw consent for analytics or AI by toggling the feature off in Settings.
• Export a portable backup (Settings → Data → Export) so you can take your data with you.

For data you have sent to a third-party service (connected cloud storage, an AI provider you used, the public feedback repository), exercise your rights with that service directly using the contact channel in their privacy policy. For removal or amendment of a feature-request issue, contact us via Settings → Contact Us and we'll act on your behalf in the public repository.

For data we directly control — limited to what you send via the Contact form and any anonymised analytics you have enabled — contact us at the address in section 10 and we will respond within a reasonable time as required by applicable law.

9. Children

The App is not directed at children. We do not knowingly collect personal information from a child. If you believe a child has used the App and provided personal information, contact us so we can help you remove it.

10. Changes and contact

We may update this policy from time to time. The effective date at the top of this page reflects the most recent revision; the current version is always available inside the App at Settings → Legal → Privacy Policy and on this website.

If you are not satisfied with our response, you have the right to lodge a complaint with the data-protection authority in your country of residence.