1. Introduction

Welcome to 4mi ("we," "our," or "us"), a product of MCA Co., Ltd. 4mi is a real-time voice AI companion mobile application designed to provide personalized conversational experiences. We are committed to protecting your privacy and being transparent about how we handle your data.

This Privacy Policy explains what information we collect, how we use it, how we store and protect it, and what rights you have regarding your personal data when you use the 4mi application (the "Service").

By using 4mi, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create a 4mi account, we collect:

• Authentication data — your name, email address, and profile picture as provided through Google OAuth, Apple Sign In, or Magic Link email authentication.
• Account identifiers — a unique user ID generated by our authentication system (Supabase Auth).
• Age verification — confirmation that you are 18 years of age or older. We do not collect your exact date of birth.

2.2 Conversation Data

When you use 4mi's voice conversation features, we collect:

• Text transcripts — the text output of your speech after on-device speech-to-text processing. Raw voice audio is never stored on our servers.
• AI responses — the text of responses generated by the AI during your conversations.
• Conversation summaries — condensed summaries of your conversations, generated automatically after each session to support the memory system.

2.3 Memory Data

To provide a personalized experience, 4mi maintains a layered memory system that stores:

• Semantic memory (user facts) — information you share about yourself during conversations, such as your name, occupation, interests, relationships, and preferences.
• Episodic memory — summaries and emotional context from past conversation sessions, stored as vector embeddings.
• Emotional patterns — aggregated analysis of emotional themes and time-of-day patterns derived from your conversations, maintained on a 90-day rolling basis.

2.4 Voice Emotion Analysis

4mi may analyze emotional characteristics of your speech (such as tone, pace, and energy level) to provide more empathetic responses. Only the results of this analysis (e.g., "calm," "energetic") are stored — never the raw audio data.

2.5 Usage and Device Data

• Session metadata — session duration, timestamps, and frequency of use.
• Device information — device type, operating system version, and app version, collected for troubleshooting and compatibility purposes.
• Subscription status — your current plan (Free or Pro) and billing history.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service — to generate real-time AI conversational responses tailored to you.
• Personalization — to maintain your memory profile so that 4mi remembers your context, preferences, and past conversations across sessions.
• Memory extraction — to process conversation transcripts asynchronously after each session to extract and update your semantic, episodic, and emotional memory layers.
• Service improvement — to analyze aggregate, anonymized usage patterns to improve the quality and reliability of the Service.
• Account management — to authenticate your identity, manage your subscription, and process payments.
• Safety — to operate crisis detection systems that identify potential mental health emergencies and surface appropriate resources (see Section 11).
• Customer support — to respond to your inquiries and resolve technical issues.

4. Voice Data & Privacy

Your voice privacy is at the core of 4mi's design. We have engineered the Service to minimize voice data exposure:

4.1 On-Device Speech-to-Text (Primary)

By default, all speech-to-text (STT) processing occurs entirely on your device:

• On iOS, we use Apple's SpeechAnalyzer framework.
• On Android, we use Whisper ONNX (base model) running locally on your device.

In this mode, your voice audio never leaves your device. Only the resulting text transcript is transmitted to our servers over an encrypted connection.

4.2 Cloud Fallback (Deepgram)

In approximately 30% of sessions — typically in noisy environments where on-device STT accuracy is insufficient — 4mi may activate a cloud-based speech-to-text fallback using Deepgram Nova-3.

4.3 No Voice Storage

4mi does not store raw voice audio recordings on our servers under any circumstances. Voice audio exists only temporarily on your device during active conversation sessions and is discarded when the session ends.

5. Data Storage & Security

5.1 Where Your Data is Stored

Your data is stored on servers managed through Supabase, which uses cloud infrastructure with data centers in the United States. Vector embeddings for episodic memory are stored in PostgreSQL with the pgvector extension.

5.2 Encryption

• In transit — all data transmitted between your device and our servers is encrypted using TLS 1.3.
• At rest — all stored data is encrypted using AES-256-GCM encryption.

5.3 Access Controls

Access to user data is strictly limited to authorized personnel who require it for system operations and support. We employ role-based access controls, audit logging, and regular security reviews.

5.4 Real-Time Communication

Voice conversation sessions use WebRTC (via self-hosted LiveKit) for real-time communication. WebRTC connections are end-to-end encrypted and audio streams are not recorded or stored on our infrastructure.

6. Third-Party Services

4mi uses the following third-party services to deliver the Service. We share only the minimum data necessary for each service to function:

6.1 Supabase

We use Supabase for authentication, database hosting (PostgreSQL), and vector storage. Supabase stores your account information, conversation transcripts, memory data, and subscription records. See Supabase's Privacy Policy.

6.2 Anthropic (Claude API)

Text transcripts and memory context are sent to Anthropic's Claude API to generate conversational AI responses. Anthropic processes this data in real-time and is contractually prohibited from using your data to train their models. See Anthropic's Privacy Policy.

6.3 OpenAI (GPT-5 mini)

After each conversation session, anonymized conversation data is sent to OpenAI's GPT-5 mini model for asynchronous memory extraction (generating conversation summaries and updating your memory profile). See OpenAI's Privacy Policy.

6.4 Deepgram

When cloud STT fallback is activated, voice audio is transmitted to Deepgram for real-time transcription. Deepgram does not retain audio data after processing. See Deepgram's Privacy Policy.

6.5 Cartesia (Sonic 3 TTS)

AI response text is sent to Cartesia's text-to-speech API to generate the first sentence of each spoken response. Only text is transmitted — no user data. See Cartesia's Privacy Policy.

6.6 Mem0

We use Mem0 for intelligent memory management and retrieval. Conversation context is processed through Mem0 to maintain your personalized memory profile. See Mem0's Privacy Policy.

6.7 Stripe & Apple/Google Payment Processors

Payment processing is handled by Stripe, Apple In-App Purchase, and Google Play Billing. We do not store your full credit card number or payment credentials. Payment processors handle this data under their own privacy policies.

7. Your Rights

You have the following rights regarding your personal data, regardless of your location:

7.1 Universal Rights

• Access — you can request a copy of all personal data we hold about you.
• Export — you can export your complete data, including your memory profile, conversation history, and account information, at any time through the app's Settings.
• Deletion — you can request deletion of all your data at any time. Upon request, we will permanently delete all your personal data from our systems within 30 days.
• Correction — you can request correction of inaccurate personal data.
• Memory management — you can view, edit, or delete individual memories stored in your profile through the app's Memory screen.

7.2 European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal basis — we process your data based on your consent (provided at account creation) and on the basis of contractual necessity (to provide the Service you have subscribed to).
• Data portability — you have the right to receive your data in a structured, commonly used, machine-readable format.
• Restriction of processing — you can request that we restrict the processing of your data under certain circumstances.
• Objection — you can object to certain types of data processing.
• Withdraw consent — you can withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Supervisory authority — you have the right to lodge a complaint with your local data protection supervisory authority.

7.3 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know — you can request details about the categories and specific pieces of personal information we have collected about you.
• Right to delete — you can request deletion of your personal information.
• Right to opt-out of sale — we do not sell your personal information. We never have and never will.
• Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.
• Right to correct — you can request correction of inaccurate personal information.
• Right to limit use of sensitive personal information — you can direct us to limit the use of sensitive personal information to what is necessary to provide the Service.

To exercise any of these rights, contact us at support@4mi.app or use the in-app data management tools in Settings.

8. Data Retention

• Free plan users — conversation history and memory data is retained for 30 days. After 30 days of inactivity or upon reaching the retention limit, data is automatically and permanently deleted.
• Pro plan users — conversation history and memory data is retained for the duration of your active subscription ("permanent memory").
• Emotional patterns — maintained on a 90-day rolling window for all users. Data older than 90 days is automatically aggregated and anonymized.
• Account deletion — when you delete your account, all associated data (transcripts, memories, patterns, and account information) is permanently deleted from our servers within 30 days.
• Subscription cancellation — if you cancel your Pro subscription, your memory data is retained for 90 days in case you choose to resubscribe. After 90 days, it is permanently deleted.

9. Children's Privacy

4mi is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. An age verification gate is presented during account registration.

If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete that information from our servers. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@4mi.app.

10. Cookies & Tracking

The 4mi mobile application does not use cookies, advertising trackers, or analytics SDKs that track you across other apps or websites. We do not participate in cross-app tracking or targeted advertising.

We collect only the minimal usage analytics described in Section 2.5, which are used exclusively for service improvement and are not shared with any third party.

11. Mental Health Disclaimer

4mi includes an always-on crisis detection system that cannot be disabled. If indicators of suicidal ideation or self-harm are detected during a conversation, 4mi will:

• Immediately surface the 988 Suicide & Crisis Lifeline (call or text 988 in the United States) along with relevant local crisis resources.
• End the current conversation session.

This crisis detection feature processes conversation text to identify potential emergency situations. No additional personal data is collected or shared as part of this process.

If you are in crisis, please contact emergency services immediately or call/text 988.

12. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and third-party service providers are located. We ensure that appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required by GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you through the app via an in-app notification.
• For significant changes affecting how we process your voice or conversation data, request your renewed consent before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

MCA Co., Ltd.
Email: support@4mi.app

For data protection inquiries in the European Economic Area, you may also contact our data protection representative at privacy@4mi.app.