Privacy Policy
last updated 2026-05-19
The short version
Steady is a private observation log. Only you can read your entries. We use third-party services (Supabase, OpenAI, Vercel, Google) to make the app work — they process your data on our behalf and don't use it for anything else. We don't sell your data. We don't train AI models on it. You can delete your account and everything attached to it at any time by emailing samynaayma@gmail.com.
Who runs Steady
Steady is operated by Samy as an independent project. There is no team, no investors, no advertising. If you have a question about your data, you email me directly and you get me directly.
What we collect
You give us:
- Your email address and name — used to identify your account.
- Optional profile data from Google — if you sign in with Google, we receive your name, email, and profile photo URL from your Google account. We do not request any other Google data (no contacts, no calendar, no Drive, no Gmail).
- Voice recordings — each check-in is captured as an audio file in your browser and uploaded to our storage.
- Transcripts — the text version of your recording, produced by OpenAI Whisper from your audio.
- Structured entries — the JSON Steady extracts from your transcript (the parts that map to capacity, response, intent).
- Observations — the short reflection generated for each entry by OpenAI's language model.
- Anchor data — if you provide a rehab start date, we store it so we can compute "day X of rehab" on your home screen.
We collect automatically:
- Anonymous page views via Vercel Web Analytics — no cookies, no fingerprinting, no cross-site tracking. Used to understand which screens get used.
- Essential session cookies set by Supabase so you stay signed in between visits. These are first-party cookies and are not used for tracking.
We do not collect:
- Your location.
- Your contacts.
- Any data from other apps on your device.
- Anything beyond what you type, speak, or explicitly enter into the app.
What we do with it
We use your data to make Steady work for you and nothing else:
- Your audio is sent to OpenAI's Whisper API for transcription, then stored in Supabase Storage under your user ID.
- Your transcripts are sent to OpenAI's GPT-4o for two purposes: (1) extracting structured fields, and (2) generating one short observation per entry. Both prompts are version-controlled and visible in the project's public source.
- Your structured entries and observations are stored in Supabase Postgres, scoped to your user ID via row-level security policies — no other user can read them.
AI training: we use OpenAI's API, not their consumer ChatGPT product. Per OpenAI's API policy, data submitted via their API is not used to train their models. OpenAI retains API data for up to 30 days for abuse monitoring and then deletes it.
We do not run our own models. We do not share your data with any party other than the processors listed below.
Third-party processors we rely on
- Supabase — database, authentication, and storage. Servers are currently located in the United States.
- OpenAI — transcription (Whisper) and language model processing (GPT-4o). United States.
- Vercel — hosting and serverless functions. Global edge network with US-based control plane.
- Google — if you sign in with Google, Google processes the authentication exchange. We never see your Google password.
- Stripe — payment processing, used only if you subscribe. We never store your full card number; Stripe handles that.
Each of these is a contracted processor — they handle data on Steady's instructions and have their own published privacy policies you can read.
Where your data lives
Steady's primary database and storage are hosted on Supabase infrastructure in the United States. If you are in the European Economic Area, the United Kingdom, or another region with data protection laws, your data crosses borders to be processed. We rely on the standard contractual clauses our processors offer to cover this transfer.
How long we keep it
Your entries, observations, and audio files are kept for as long as your account exists. If you delete an individual entry, the associated audio and observations are deleted with it via cascade. If you delete your account, all of the above are removed within 30 days, except where we are required to retain certain records (e.g. payment receipts) for legal or tax purposes.
Anonymous analytics events are retained by Vercel per their standard retention.
Your rights
You can, at any time:
- Access — view all your entries directly inside the app.
- Export — email samynaayma@gmail.com and I'll send you a JSON dump of everything attached to your account within 7 days.
- Correct — edit or re-record an entry (forthcoming) or ask me to correct profile data.
- Delete — delete an entry inside the app, or email samynaayma@gmail.com to delete your entire account.
- Withdraw consent — stop using the app and request deletion. You owe no explanation.
If you are in the EEA, UK, or California, you have additional statutory rights (e.g. portability, restriction of processing, objecting to processing, lodging a complaint with your data protection authority). Email samynaayma@gmail.com and we'll honor them.
Security
All traffic uses TLS. Database and storage are scoped per-user via row-level security policies, so requests authenticated as user A cannot read user B's data even if a bug tried to. Audio is stored privately and only accessible via signed URLs scoped to your session. We do not store passwords ourselves — Supabase handles authentication using industry-standard hashed credentials.
That said, no system is invulnerable. If we become aware of a security incident affecting your data, we will email you within 72 hours.
Cookies
Steady uses one type of cookie: the Supabase authentication session cookie that keeps you signed in. It is set on the Steady domain and is required for the app to function. We do not use advertising cookies, analytics cookies, or any third-party trackers.
Children
Steady is not directed at children under 16. If you are under 16, please do not use Steady. If you become aware that a child has created an account, email samynaayma@gmail.com and we will delete it.
Changes to this policy
If we change this policy in a material way (new types of data collected, new processors, new uses), we will update the "last updated" date above and notify active users by email at least 14 days before the change takes effect. Trivial edits (typos, clarifications) may happen without notice.
Contact
Email samynaayma@gmail.com for any privacy question, data request, or complaint. There is no support queue — I read every email myself.