Last updated: May 16, 2026 · Effective: May 16, 2026
RAI Assistant ("the App", Android package com.aermob.rai) is developed and operated by Aerendir Mobile Inc. ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the App.
1. Scope of This Policy
This Privacy Policy applies exclusively to the RAI Assistant Android application (package com.aermob.rai). The App is distributed pre-installed on Reeder phones; it is not published on the Google Play Store. For Aerendir Mobile Inc.'s corporate privacy policy covering our other products and services, see our Global Privacy Policy. For RAI Inbox (package com.aermob.raiemail), see the RAI Inbox Privacy Policy.
2. Information We Collect
Account information. When you sign in with Google, we receive your email address, name, and profile picture from Google's authentication service.
Email content and metadata. When you use the App's email features, the App accesses messages in your Gmail mailbox via the Gmail API under the OAuth scopes you grant during sign-in. This includes message bodies, sender and recipient addresses, subject lines, labels, thread structure, and timestamps. Email content is stored locally on your device and is transmitted off-device only when you invoke an AI feature (see Section 6).
Voice data (audio). When you start a voice session, the App records audio from your microphone. The App offers two voice modes:
Low-latency mode ("Private Memory" off): audio is streamed in real time via WebRTC through Aerendir's LiveKit media relay to OpenAI's Realtime API for processing.
Privacy mode ("Private Memory" on): audio is buffered on-device and individual segments are sent to OpenAI's Whisper transcription API for speech-to-text only; the resulting transcript is then processed by an on-device language model, with no further cloud audio processing.
In both modes, audio is not persisted on the App's storage beyond the live session buffer and is not stored by Aerendir's backend.
SMS messages (on-device only). If you grant SMS permission, the App can search your text messages on demand (e.g., "find my texts from Sarah about the dinner reservation"). SMS data is queried on-device through Android's Telephony.Sms content provider. Matched message snippets may be included in the prompt sent to a language model only at the moment you ask, only for the messages you asked about. The App does not bulk-export, periodically scan, or transmit SMS messages in the background.
Contacts (on-device only). If you grant Contacts permission, the App can look up contacts on demand (e.g., "text Mom"). Contact records are queried on-device through Android's ContactsContract. Only the matched display name (and the specific field you ask for) is included in any AI prompt; the App does not transmit your full address book.
Motion state. If you grant Activity Recognition permission, the App detects whether you are still, walking, or in a vehicle and adapts response length accordingly (shorter answers while moving). Only the categorical state flag is held in memory; raw activity data is never transmitted off-device.
Device-level context. Device model, OS version, locale, timezone, network type, battery level, and storage state, used only on-device to enable context-aware AI features.
Usage telemetry. On our backend, we maintain per-user counters of AI request count, token consumption, voice session minutes, and timestamps for billing, quota enforcement, and abuse prevention. We do not log or store the contents of messages, voice transcripts, prompts, AI responses, SMS, or contacts.
We do not collect: your GPS or coarse location, your camera or photos, your call log, your browsing history, your phone number, or data from any app other than your connected Gmail accounts (for email features) and the system providers you have authorized.
3. Google API Services User Data — Limited Use Disclosure
RAI Assistant's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
No advertising. We do not use Gmail data for serving advertisements, including personalized, retargeted, or interest-based advertisements. RAI Assistant contains no advertising.
No third-party transfers except as permitted. We do not transfer Gmail data to third parties except as necessary to provide or improve user-facing features that are prominent in the App's user interface, or as required for security purposes (such as investigating abuse), or to comply with applicable law.
No human reading of Gmail data. We do not allow humans to read Gmail data, except (a) with your affirmative agreement for specific messages, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized.
No sale of Gmail data. We do not sell Gmail data under any circumstances.
4. Gmail OAuth Scope Requested and Why
RAI Assistant requests a single Gmail OAuth scope so the assistant can read your messages and send mail you have drafted with its help.
https://www.googleapis.com/auth/gmail.modify
What the App actually does with this data: reads messages, threads, and metadata so the assistant can answer questions about your email by voice or text ("did Sarah ever reply about the demo?", "summarize my unread emails from this morning"); and sends emails the assistant has drafted on your behalf, only after you explicitly review and confirm the draft.
What the App does not do despite holding this scope: the App does not archive, delete, label, or otherwise bulk-modify your mail. Those capabilities are granted by gmail.modify but are not invoked by the assistant.
Why this scope rather than narrower ones: the companion application RAI Inbox uses gmail.modify for full email management. Sharing the scope across both apps in the same Google Cloud project means there is one Google verification covering both, and you see one consent prompt rather than two. The App's actual runtime usage stays inside the read + send subset.
We do not request https://mail.google.com/, gmail.settings.*, or any other Gmail scope beyond gmail.modify.
5. How We Use Your Information
To process voice commands and produce voice responses
To run an on-device conversational assistant with retrieval-augmented memory
To answer questions about your Gmail messages, SMS messages, and contacts (each only when you ask)
To adapt the assistant's behavior to your motion state, battery level, and network conditions
To manage subscriptions, quotas, and abuse prevention
6. Third-Party Data Processing
OpenAI (AI Features)
When you use a voice feature or a chat feature that requires cloud inference, audio and/or text is sent from the App, either directly or via Aerendir's backend, to OpenAI for processing.
Backend role. Aerendir's backend acts as an authenticated proxy and rate limiter. It forwards requests to OpenAI and returns the response. The backend does not log or store the contents of audio, transcripts, prompts, or AI responses.
LiveKit media relay. Voice low-latency mode uses LiveKit's media server to bridge the WebRTC connection between the device and OpenAI's Realtime API. LiveKit is operated by Aerendir on its own infrastructure; audio is relayed in transit and not persisted by LiveKit.
OpenAI processing. Content sent for inference (audio for Realtime/Whisper, text for chat completions) is subject to OpenAI's API data usage terms, available at openai.com/policies/api-data-usage-policies. Under OpenAI's API terms, OpenAI does not use API inputs or outputs to train its models by default.
What the backend does store. Only per-user usage counters (request count, token count, voice session minutes, timestamps, account identifier) for billing, quota enforcement, and abuse prevention. Never message bodies, voice transcripts, prompts, or responses.
User control. Privacy mode (Private Memory on) processes responses on-device after a Whisper transcription step; only the transcription request touches OpenAI's cloud, not the full conversational reasoning.
Stripe: Subscription payment processing, governed by Stripe's Privacy Policy. Payment data is collected by Stripe directly; Aerendir does not see card details. Stripe does not receive any of your email, SMS, voice, or contact data.
Amazon Web Services (AWS): Aerendir's backend infrastructure is hosted on AWS in the EU (eu-central-1, Frankfurt). AWS is governed by its own data processing terms; AWS acts as a subprocessor for Aerendir and does not have access to in-flight request contents beyond what is required to operate the underlying network.
7. On-Device Processing
The App ships with an on-device large language model (a customized Liquid foundation model) that powers conversational responses in privacy mode without contacting any cloud LLM.
An on-device sentence-embedding model (all-MiniLM-L6-v2, ONNX) computes 384-dimensional embeddings used for the App's retrieval-augmented memory.
Gmail messages, SMS searches, contact lookups, and embeddings are stored locally in a private, app-sandboxed SQLite database that is encrypted with SQLCipher (AES-256). The database is not accessible to other applications.
Aerendir does not store your Gmail messages, SMS, contacts, or voice transcripts on its servers. Your data does not transit Aerendir's infrastructure except as a transient payload to OpenAI when you invoke an AI feature (see Section 6).
8. Data Storage and Security
We protect your data on the device and in transit using the following technical controls:
Device storage. Android File-Based Encryption (FBE), AES-256-XTS, hardware-backed via the device's Keystore and Trusted Execution Environment, applied to all app-private storage.
Database encryption. The App's local SQLite database (containing conversations, embeddings, cached Gmail metadata) is additionally encrypted with SQLCipher (AES-256), using a 256-bit passphrase generated by SecureRandom on first launch and stored in Android EncryptedSharedPreferences.
Credentials and OAuth tokens. Stored in Android EncryptedSharedPreferences using AES-256-SIV for keys and AES-256-GCM for values, with the master key managed by the Android Keystore.
Network transport. All traffic between the App, the Aerendir backend, the Gmail API, the LiveKit media relay, and OpenAI is transmitted over TLS 1.2 or higher. Cleartext traffic is disabled at the platform level via the Android Network Security Configuration; in debug builds an override permits cleartext only for the Android emulator and localhost.
Certificate pinning. Connections to Aerendir's backend (api.rai-dev.aermob.com) are pinned to Amazon's ACM certificate hierarchy (Amazon RSA 2048 M04 intermediate + Amazon Root CA 1), defeating man-in-the-middle attacks that use an attacker-installed root certificate.
WebSocket encryption. The LiveKit voice connection is enforced to wss:// at the client; the App refuses to establish a cleartext WebSocket.
Backup hardening. Google Drive auto-backup is disabled (android:allowBackup="false"). Explicit per-path exclusions are also defined for cloud backup and device-to-device transfer to prevent encrypted prefs and the database from leaving the device.
Independent security assessment. RAI Assistant is undergoing an independent CASA Tier 2 security assessment conducted by TAC Security. The companion RAI Inbox application has previously completed the same assessment.
Although we take appropriate measures to safeguard against unauthorized disclosure of information, no system of electronic storage or transmission can be guaranteed to be 100% secure.
9. Permissions
The App requests the following Android permissions:
Internet — to sync emails and connect to AI services
Network state — to adapt to offline / metered connections
Microphone — for voice input
Audio settings / Bluetooth — to route voice to a Bluetooth headset or speaker
Activity Recognition — to adapt response length to your motion state
Contacts — for contact lookup tools
SMS (read & receive) — for the SMS search tool
External storage (Android < 13) — for user-initiated backup files on legacy Android versions
For a complete per-permission justification including code references, see CASA_PERMISSIONS.md in the App's source repository.
10. Data Retention and Deletion
On-device data. Conversation history, RAG embeddings, and cached Gmail metadata persist in the encrypted local database until you sign out, clear the App's storage, or uninstall the App. Signing out triggers a wipe of local conversation data and cached credentials.
Backend-side usage counters. Aerendir retains per-user usage counters for up to twelve (12) months for billing and quota enforcement, after which they are deleted. No message content, voice transcript, prompt, or response is retained at any time.
Revoking access. Revoke RAI Assistant's access to your Gmail account at any time at myaccount.google.com/permissions. Revocation immediately prevents the App from making further Gmail API calls on your behalf.
Revoking other permissions. Microphone, SMS, Contacts, and Activity Recognition permissions can be revoked at any time in Android Settings → Apps → RAI Assistant → Permissions. The corresponding assistant features will degrade or become unavailable.
Deletion requests. Email info@aermob.com with subject line "RAI Assistant Data Deletion Request". Verified requests are actioned within 30 days.
11. Your Rights
Remove your account and all local data from the App at any time
Delete your account and all associated backend-side data using the Delete Account option in the App's settings
Enable Private Memory mode to keep conversational reasoning on-device, with only transcription touching the cloud
Revoke individual Android permissions at any time without uninstalling the App
12. Children's Privacy
The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Material changes will be communicated via an in-App notice prior to taking effect. Continued use of the App after changes constitutes acceptance of the revised policy.