Clad — Privacy Policy

Effective date: June 6, 2026 Last updated: June 6, 2026

This Privacy Policy explains how Clad (“Clad”, “we”, “us”, or “the app”) handles information when you use the Clad iOS application.

We designed Clad to be privacy-first:

There is no Clad account, no sign-up, and no Clad-operated server.
Your API key stays on your device in the iOS Keychain.
Your audio is processed transiently — Clad does not store it, and we do not retain transcripts on any server we control.
We do not track you, run advertising SDKs, or share data with data brokers.

If you have questions about this policy, contact us at benjaminharriscody@yahoo.com.

1. Who provides Clad

Clad is published by Benjamin Harris Cody, located at 6815 Payton Road, Cumming, GA 30041, United States. References to “we” and “us” in this policy refer to that entity.

2. What Clad does in plain English

Clad listens to a conversation, transcribes it, and uses xAI’s Grok models to flag potentially false, unsupported, or rhetorically misleading claims in real time. It works in two modes:

In-room debate — multiple speakers in the same room.
Watch the News — a single broadcast source (e.g. a TV news segment).

During an in-room session, anyone can say “Hey Clad, …” followed by a question to request an on-demand answer. Clad sends just the spoken question to xAI’s API to look up a concise reply, which appears as an “Editor’s Reply” card.

Clad also ships with a built-in demo mode that plays a short, pre-recorded debate against the live interface so new users can see how the app works without configuring an API key. The demo is entirely on-device — no microphone capture, no network call.

After a session ends, Clad can generate a written report card and let you export a PDF transcript.

3. Information we process

Clad processes the following kinds of information only while you are actively using the app:

3.1 Microphone audio

When you start a session, Clad uses the device microphone to capture audio. The audio is streamed in real time to xAI’s speech-to-text and chat-completions APIs for transcription and analysis. Clad does not store the raw audio, and we do not operate a server that receives or retains it.

3.2 Transcripts and AI-generated flags

Live transcripts and the AI-generated verdicts (“flags”) are kept in memory on your device for the duration of the session, and you can choose to export them as a PDF or share them through the iOS share sheet. They are not transmitted to any Clad-operated server.

3.3 Your xAI API key

Clad asks you to provide your own xAI API key. The key is stored in the iOS Keychain on your device. It is sent only to xAI’s API endpoints to authenticate the requests Clad makes on your behalf. We never see, collect, or store your key.

3.4 App preferences

A small amount of preference data (your selected debate “lens”, diagnostic results you’ve run yourself) is stored locally on your device using iOS UserDefaults. None of this is transmitted off the device.

3.5 Diagnostic logs (opt-in, off by default)

If you turn on Settings → Diagnostic Logs, Clad writes a structured record of each session (utterances, analyzer flushes, AI verdicts, citation URLs) as a JSONL file.

If iCloud Drive is enabled for Clad on your device (Settings → Apple ID → iCloud → iCloud Drive → Clad), these logs are stored in your private Clad folder inside iCloud Drive. That is Apple’s first-party iCloud infrastructure under your Apple ID — the logs sync to other Apple devices signed into the same Apple ID (so you can review them from your Mac without a manual export) and are protected by Apple’s iCloud encryption. They are not sent to any Clad-operated server (there isn’t one) and are not sent to any third party. If iCloud Drive is off for Clad, the logs stay on the device only.

Diagnostic Mode is off by default. The Settings → Diagnostic Logs section shows whether logs are currently syncing to iCloud or sitting device-only. Toggling Diagnostic Mode off and tapping “Delete All” removes the log files immediately from wherever they’re stored.

3.6 Image lookup requests

When the AI flags a claim that would be reinforced by a visual, Clad looks up an illustrative image through a tiered set of free sources:

Wikipedia — a short topic title is sent to Wikipedia’s public page-summary REST endpoint to retrieve a thumbnail URL.
Wikimedia Commons — if Wikipedia has no matching article, the same short title is sent to Wikimedia Commons’ public search API.
Open Graph scrape — if neither encyclopedic source has a useful image, Clad fetches up to three of the article URLs the AI cited during its web search and extracts the page’s Open Graph or Twitter Card preview image (an HTML <meta> tag).

These lookups send only the short topic title (Wikipedia, Commons) or a plain HTTP request to the cited article URL (Open Graph). They do not include your microphone audio, your transcript, your IP address beyond what any web request reveals, or any identifier we could use to recognize you in a later request.

3.7 What we do NOT collect

We do not collect:

Your name, email address, phone number, or any account identifier.
Your device advertising identifier (IDFA).
Your precise or coarse location.
Health, financial, or contacts data.
Photos, videos, or files outside of what you explicitly share via the iOS share sheet.
Diagnostic / crash data — Clad does not run a third-party crash or analytics SDK.

4. How information is used

The information described above is used exclusively to provide Clad’s core functionality:

Audio → transcript: streamed to xAI for speech-to-text.
Transcript → flags: sent to xAI’s Grok models for fact-checking and analysis.
xAI API key: used to authenticate the calls above on your behalf.
Preferences: remembered between launches so the app respects your last-used settings.

We do not use any of this information for advertising, profiling, training third-party AI models on your behalf, or any purpose unrelated to providing the app’s features.

5. Third parties Clad sends data to

When you use Clad, the following third parties receive data because Clad calls their APIs to deliver functionality. Each is independent of Clad and has its own privacy policy:

Provider	What is sent	Purpose	Their policy
xAI	Live audio stream and transcript windows	Speech-to-text and AI analysis	https://x.ai/legal/privacy-policy
Wikimedia Foundation (Wikipedia + Wikimedia Commons)	Short topic-title lookups (e.g. “Solar system”)	Fetching illustrative images for flags	https://foundation.wikimedia.org/wiki/Policy:Privacy_policy
Cited article sites (variable per session — e.g. news outlets, blogs, official sources)	A plain HTTP GET to the article URL the AI cited; only the page’s first ~64 KB is read	Extracting the Open Graph preview image for current-events flags	Varies per site
Apple	Standard iOS app telemetry that Apple collects from any app	App distribution and crash reporting	https://www.apple.com/legal/privacy/

We have no business relationship with these providers other than as a paying API customer (xAI) or anonymous consumer of public services (Wikipedia, Apple).

6. AirPlay, smart-TV discovery, and your local network

If you choose to cast Clad’s “broadsheet” view to a TV, the app uses Apple’s AirPlay APIs to discover AirPlay 2 receivers (e.g. Apple TVs) on your local Wi-Fi network and stream Clad’s display content to them. No audio or transcript data is transmitted to other devices on your network beyond what AirPlay itself sends to your chosen receiver.

Clad also supports discovering smart TVs on your Wi-Fi for audio-source setup (Settings or homepage → “Listen to TV”). When you open that screen, Clad sends standard mDNS / Bonjour multicast queries for _airplay._tcp and _googlecast._tcp service types and reads the following from any device that responds:

The Bonjour service name (e.g. “Living Room TV”).
The model / md TXT-record field (e.g. “AppleTV5,3”, “LG-OLED55C9PUA”), used solely to label the row with a brand hint.

That’s it. No network traffic ever leaves the device during discovery — mDNS is link-local multicast. Clad does not connect to, control, or authenticate against any discovered TV. The actual audio pairing (Bluetooth or 3.5mm cable) happens between the iPhone and the TV directly through iOS, with no Clad involvement in the link.

5b. Auto-naming speakers in debate sessions

In debate sessions (not news mode), Clad periodically sends each speaker’s recent transcript snippet to xAI’s chat-completions API along with a prompt asking Grok to identify the speaker by likely public name based on what they say and how others address them. Inferred names appear in the speaker roster with an “auto” tag. This feature:

Is on by default but can be disabled in Settings → “Auto-Name Speakers”. When off, no extra requests are made for speaker identification.
Sends only the transcript text and the speaker’s current label — no audio, no metadata, no other context — to xAI under your API key.
Identifies public figures only (politicians, hosts, journalists, candidates). The prompt instructs Grok to skip private individuals.
Never overrides a name you typed manually or a name Grok extracted from a self-introduction (“I’m Ben”) — those are higher trust signals than content-based inference.

6d. Proximity filter (experimental)

If you turn on Settings → Proximity Filter, Clad runs an on-device acoustic classifier over the microphone audio to distinguish close-mic voice (someone speaking near the iPhone — typically room conversation) from speaker-mediated voice (TV audio arriving via speakers — typically the broadcast you want fact-checked). Utterances classified as close-mic are silently dropped before they reach the fact-checker, so the room chatter doesn’t generate flags.

You can choose between two classifier backends, both fully on-device:

Heuristic (default): Uses Apple’s Accelerate framework for FFT-based frequency analysis. Combines two simple acoustic features — a low-frequency energy ratio (captures the “proximity effect” bass boost that close-mic voices produce) and spectral flatness (close voices are tonal; speaker-mediated voices are flatter). Cheap CPU-wise; good first pass for many rooms.
Sound Analysis: Uses Apple’s SoundAnalysis framework with the built-in V1 audio classifier (SNClassifierIdentifier.version1). The classifier was trained by Apple on a large labeled audio dataset and recognizes hundreds of categories — Clad looks for the television, radio, loudspeaker, and speech labels and derives a close-vs-distant score from their relative confidences. More accurate than the heuristic when the V1 model’s training matches your TV; uses more CPU.

Both backends:

Process audio entirely on your device. No Core ML cloud inference, no audio leaves the phone for the purpose of proximity classification, and no Sound Analysis results are transmitted anywhere.
Read from the same microphone audio that’s already in use for STT — no additional capture takes place when filtering is on.
Are off by default. When you turn the filter on, a calibration step lets you tune the threshold to your specific room + classifier combination.

Filter decisions are logged locally only (Console.app under subsystem com.bencody.clad, categories proximity and proximityml) for debugging and do not leave the device.

6e. Household voice enrollment (experimental)

If you turn on Settings → Household Voices and enroll one or more voices, Clad uses an on-device acoustic fingerprint to silently filter those voices out of fact-checking sessions:

Enrollment records a 10-second audio sample of the chosen voice, extracts a 13-dimensional MFCC (Mel-frequency cepstral coefficient) feature vector summarizing the recording’s vocal- tract characteristics, and stores only that feature vector plus the label you typed (e.g. “Ben”) in your iPhone’s UserDefaults. The audio itself is discarded immediately and never persisted, transmitted, or used for anything else.
Fingerprint vectors are opaque: 13 floats per voice in the default MFCC mode, or whatever dimensionality a bundled Core ML speaker-embedding model (see docs/CUSTOM_SPEAKER_MODEL.md) produces — typically 128-512. In both cases the vector has no recoverable audio content: it cannot be played back, used to reconstruct speech, or meaningfully matched against external voice databases without access to the same extractor and matching threshold.
Matching during a session computes the same MFCC mean for each incoming utterance and compares (via cosine similarity) against every enrolled fingerprint. Matches above a similarity threshold are silently dropped; unmatched voices (typically the TV broadcast) proceed to fact-checking normally.
All processing is on-device using Apple’s Accelerate framework. No audio, no MFCC vector, no match decision ever leaves the phone for the purpose of voice verification.
Off by default. When no voices are enrolled, the verifier doesn’t run at all (its audio chunk feed isn’t even subscribed).

Match decisions are logged locally only (Console.app under subsystem com.bencody.clad, category voiceverifier) for debugging and do not leave the device. You can remove individual enrollments or “Clear All” at any time from Settings.

6c. YouTube captions

If you choose to fact-check a YouTube video via the Watch a YouTube clip flow, Clad fetches the official captions for that video from youtube.com and feeds them into the fact-checker in place of microphone audio. The data flow:

Clad sends a standard GET request to https://www.youtube.com/watch?v={videoID} to read the public caption track URL from the player response.
Clad then sends a second GET request to that caption track URL to download the timed captions in YouTube’s json3 format.
No personal data is included in either request — no user ID, no Clad-specific identifier, just a standard browser user-agent.
No request goes to Google’s user-authenticated APIs; the calls hit the same public surfaces YouTube’s own embedded player uses.
Captions are processed entirely on your device. The transcript text is then sent to xAI for fact-checking under your API key, the same as microphone-based sessions.

If a video has no captions available, no further requests are made and the session won’t start. Clad doesn’t store or retain any fetched caption data beyond the in-memory transcript of the active session.

6a. Lock-screen notifications

If you opt in to lock-screen notifications (Settings → “Lock-Screen Notifications” → Notify me on flags), Clad will post a local notification on your device when a disputed claim, logical fallacy, or editor’s reply is generated during a session. These notifications:

Are generated entirely on your device. They are not sent through Apple’s Push Notification Service (APNs), and no Clad-operated server ever sees that a notification was scheduled.
Contain a short summary of the flag (the same text shown in-app) and the speaker label, if any. Nothing else.
Stop firing the moment you toggle the setting off, end the session, or revoke notification permission in iOS Settings → Notifications → Clad.

The setting is off by default; we never request notification permission until you ask for it.

7. Where data is stored

On your device: API key (Keychain), preferences (UserDefaults), in-memory session data (cleared when the session ends or the app is terminated), any PDFs you choose to save.
On xAI’s servers: subject to xAI’s own privacy policy and retention practices.

Clad does not operate any servers that store your data.

8. Children’s privacy

Clad is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided information through the app, please contact us at benjaminharriscody@yahoo.com and we will assist.

9. Your rights and choices

Because Clad does not maintain accounts or store your data on any server we control, most data-subject rights are exercised directly on your device:

Stop sending audio to xAI: end the session, or revoke microphone permission in iOS Settings → Privacy & Security → Microphone → Clad.
Delete your API key: open Settings inside Clad and tap “Clear” next to your API key. The Keychain entry is removed.
Delete the app: uninstalling Clad removes all local data (Keychain entries, preferences, cached PDFs).
Exercise rights with respect to data held by xAI: contact xAI directly using the channels listed in their privacy policy.

If you are in the EEA, UK, California, or another jurisdiction with specific data-subject rights (access, rectification, erasure, portability, restriction, objection), you may contact us at benjaminharriscody@yahoo.com and we will respond consistent with applicable law. We act as a data controller for the limited device-side preferences described above and as a “processor” only in the sense of facilitating your direct relationship with xAI as the provider of the AI services.

10. Data security

The xAI API key is stored using Apple Keychain, which is encrypted at the operating-system level. Network communication with xAI and other providers uses HTTPS (TLS). Because Clad has no backend, there is no server-side database for an attacker to compromise. That said, no system is perfectly secure — please use a unique API key for Clad and revoke it from your xAI account if you suspect the device has been compromised.

11. AI-generated content disclaimer

Clad’s flags and verdicts are produced by xAI’s large language models and may be incorrect, incomplete, or biased. Do not rely on Clad as a sole source of truth for any consequential decision. Clad is not a substitute for professional fact-checking, journalism, legal counsel, or medical / financial / political advice.

12. Changes to this policy

If we update this policy in any material way, we will revise the “Effective date” above and surface the change in the app’s Settings screen on the next launch following the change. Your continued use of Clad after the revised date constitutes acceptance of the updated policy.

13. Contact

If you have questions, complaints, or requests related to this policy, contact:

Benjamin Harris Cody 6815 Payton Road, Cumming, GA 30041 Email: benjaminharriscody@yahoo.com

This document was last updated on the “Last updated” date shown at the top. A historical version log is available on request.