fix: add static privacy page to fix 404 on direct URL access

GitHub Pages serves SPAs via a 404.html redirect trick, but automated
checkers (Google Play Store, HTTP clients) receive a real 404 status
code for /privacy. Adding a static public/privacy/index.html ensures
GitHub Pages serves it directly with a 200 OK status.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: ozkeisar

public/privacy/index.html

@@ -0,0 +1,306 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Privacy Policy - Addit</title>
+  <meta name="description" content="Addit Privacy Policy - How we collect, use, and protect your data." />
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      background: #0f172a;
+      color: #cbd5e1;
+      line-height: 1.7;
+      padding: 2rem 1rem;
+    }
+    .container { max-width: 860px; margin: 0 auto; }
+    header { margin-bottom: 2rem; border-bottom: 1px solid #1e293b; padding-bottom: 1.5rem; display: flex; align-items: center; gap: 1rem; }
+    header a { color: #94a3b8; text-decoration: none; font-size: 0.9rem; }
+    header a:hover { color: #fff; }
+    h1 { font-size: 2rem; font-weight: 700; color: #f1f5f9; margin-bottom: 0.25rem; }
+    .updated { color: #64748b; font-size: 0.9rem; margin-bottom: 2rem; }
+    h2 { font-size: 1.25rem; font-weight: 600; color: #e2e8f0; margin: 2rem 0 0.75rem; padding-top: 1rem; border-top: 1px solid #1e293b; }
+    h3 { font-size: 1rem; font-weight: 600; color: #cbd5e1; margin: 1.25rem 0 0.5rem; }
+    h4 { font-size: 0.95rem; font-weight: 600; color: #94a3b8; margin: 1rem 0 0.4rem; }
+    p { margin-bottom: 0.85rem; }
+    ul, ol { margin: 0.5rem 0 0.85rem 1.5rem; }
+    li { margin-bottom: 0.3rem; }
+    a { color: #60a5fa; text-decoration: none; }
+    a:hover { text-decoration: underline; }
+    strong { color: #e2e8f0; }
+    table { width: 100%; border-collapse: collapse; margin: 1rem 0; font-size: 0.9rem; }
+    th, td { border: 1px solid #334155; padding: 0.6rem 0.75rem; text-align: left; }
+    th { background: #1e293b; color: #e2e8f0; font-weight: 600; }
+    tr:nth-child(even) td { background: #0f172a; }
+    .card { background: #1e293b; border: 1px solid #334155; border-radius: 1rem; padding: 2.5rem; }
+    @media (max-width: 640px) { .card { padding: 1.25rem; } h1 { font-size: 1.5rem; } }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <header>
+      <a href="/">&larr; addit.dev</a>
+    </header>
+    <div class="card">
+      <h1>Privacy Policy</h1>
+      <p class="updated">Last updated: January 16, 2026</p>
+
+      <h2>1. Introduction and Scope</h2>
+      <p>Welcome to Addit ("we," "our," "us," or "the Company"). Addit is a mobile application that provides call recording, voice memo recording, transcription, and AI-powered extraction services. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our mobile application (the "App") available on iOS and Android platforms.</p>
+      <p>This Privacy Policy applies to all users of the App worldwide. We are committed to protecting your privacy and complying with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Lei Geral de Proteção de Dados (LGPD), Personal Information Protection and Electronic Documents Act (PIPEDA), UK General Data Protection Regulation (UK GDPR), Australian Privacy Act, and other applicable state, federal, and international privacy laws.</p>
+      <p><strong>PLEASE READ THIS PRIVACY POLICY CAREFULLY.</strong> By downloading, installing, accessing, or using Addit, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the App.</p>
+
+      <h2>2. Data Controller Information</h2>
+      <p>For the purposes of applicable data protection laws, the data controller responsible for your personal data is:</p>
+      <p><strong>Addit</strong><br>Email: <a href="mailto:privacy@addit.dev">privacy@addit.dev</a></p>
+      <p>For users in the European Economic Area (EEA), United Kingdom, or Switzerland, you may also contact our data protection representative at <a href="mailto:dpo@addit.dev">dpo@addit.dev</a>.</p>
+
+      <h2>3. Information We Collect</h2>
+      <p>We collect information to provide and improve our services. The types of information we collect depend on how you use the App and the permissions you grant.</p>
+
+      <h3>3.1 Audio Recordings and Voice Data</h3>
+      <p>When you use the App's recording features, we process audio data including:</p>
+      <ul>
+        <li>Phone call recordings (when you initiate recording)</li>
+        <li>Voice memos and audio notes you create</li>
+        <li>Audio files you import or share to the App</li>
+      </ul>
+      <p><strong>Storage:</strong> All audio recordings are stored locally on your device. Audio data is only transmitted to third-party transcription services (Deepgram or Gladia) when you initiate transcription, using API keys you provide.</p>
+
+      <h3>3.2 Call Log Information</h3>
+      <p>With your explicit permission (READ_CALL_LOG permission on Android), we access:</p>
+      <ul>
+        <li>Phone numbers of incoming and outgoing calls</li>
+        <li>Call timestamps and duration</li>
+        <li>Call type (incoming, outgoing, missed)</li>
+      </ul>
+      <p><strong>Purpose:</strong> This information is used solely to associate recordings with specific calls and display call context within the App. This data is stored locally on your device and is never transmitted to our servers.</p>
+
+      <h3>3.3 Contacts Information</h3>
+      <p>With your explicit permission (READ_CONTACTS), we access:</p>
+      <ul>
+        <li>Contact names associated with phone numbers</li>
+        <li>Phone numbers in your contact list</li>
+      </ul>
+      <p><strong>Purpose:</strong> This information is used solely to display caller names with recordings for your convenience. Contact data is accessed locally and is never transmitted to external servers.</p>
+
+      <h3>3.4 Calendar Information</h3>
+      <p>With your explicit permission (Calendar access on iOS, Calendar permissions on Android), we can:</p>
+      <ul>
+        <li>Read existing calendar events (to avoid duplicates)</li>
+        <li>Create new calendar events based on AI-extracted information from your recordings</li>
+      </ul>
+      <p><strong>Purpose:</strong> Calendar access is used solely to create events you approve from action items extracted from your recordings. Calendar data is accessed locally.</p>
+
+      <h3>3.5 Transcription Data</h3>
+      <p>When you transcribe recordings, the following data is processed:</p>
+      <ul>
+        <li>Transcribed text from your audio recordings</li>
+        <li>Speaker identification and diarization data</li>
+        <li>Language detection information</li>
+        <li>Timestamps and word-level timing</li>
+      </ul>
+      <p><strong>Storage:</strong> Transcriptions are stored locally on your device. The audio data is transmitted to your chosen transcription provider (Deepgram or Gladia) using your own API keys for processing.</p>
+
+      <h3>3.6 AI-Extracted Information</h3>
+      <p>When you use AI extraction features, we process transcriptions to extract:</p>
+      <ul>
+        <li>Calendar events (dates, times, descriptions)</li>
+        <li>Reminders and action items</li>
+        <li>Contact information mentioned in conversations</li>
+        <li>Key facts and summaries</li>
+        <li>Semantic embeddings for search functionality</li>
+      </ul>
+      <p><strong>Processing:</strong> Transcription text is sent to your chosen AI provider (OpenAI or Google Gemini) using your own API keys. Extracted data is stored locally on your device.</p>
+
+      <h3>3.7 Technical and Device Information</h3>
+      <p>We may collect limited technical information for app functionality:</p>
+      <ul>
+        <li>Device type and model</li>
+        <li>Operating system version</li>
+        <li>App version</li>
+        <li>Error logs and crash reports (stored locally)</li>
+      </ul>
+      <p><strong>Note:</strong> We do not collect device identifiers, advertising IDs, or tracking identifiers. We do not use analytics services or tracking pixels.</p>
+
+      <h3>3.8 User-Provided API Keys</h3>
+      <p>To use transcription and AI features, you provide your own API keys for:</p>
+      <ul>
+        <li>Deepgram (transcription)</li>
+        <li>Gladia (transcription)</li>
+        <li>OpenAI (AI extraction and embeddings)</li>
+        <li>Google Gemini (AI extraction)</li>
+      </ul>
+      <p><strong>Storage:</strong> API keys are stored securely using your device's native secure storage (iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, Android Keystore with hardware-backed encryption when available).</p>
+
+      <h2>4. Legal Basis for Processing (GDPR/UK GDPR)</h2>
+      <p>For users in the EEA, UK, and Switzerland, we process your personal data based on the following legal grounds:</p>
+
+      <h3>4.1 Consent (Article 6(1)(a) GDPR)</h3>
+      <p>We rely on your explicit consent for:</p>
+      <ul>
+        <li>Recording audio (microphone permission)</li>
+        <li>Accessing your contacts (contacts permission)</li>
+        <li>Accessing your calendar (calendar permission)</li>
+        <li>Accessing your call logs (call log permission)</li>
+        <li>Transmitting audio to transcription services</li>
+        <li>Transmitting transcriptions to AI services</li>
+      </ul>
+      <p>You may withdraw consent at any time by revoking permissions in your device settings or deleting your data within the App.</p>
+
+      <h3>4.2 Contract Performance (Article 6(1)(b) GDPR)</h3>
+      <p>Processing necessary to provide the App's core functionality:</p>
+      <ul>
+        <li>Storing and displaying your recordings</li>
+        <li>Processing transcriptions you request</li>
+        <li>Displaying extracted calendar events and action items</li>
+      </ul>
+
+      <h3>4.3 Legitimate Interests (Article 6(1)(f) GDPR)</h3>
+      <p>We may process data based on our legitimate interests for:</p>
+      <ul>
+        <li>App improvement and bug fixing</li>
+        <li>Security and fraud prevention</li>
+        <li>Legal compliance and responding to legal requests</li>
+      </ul>
+
+      <h2>5. How We Use Your Information</h2>
+      <h3>5.1 Core App Functionality</h3>
+      <ul>
+        <li>Recording, storing, and playing back audio recordings</li>
+        <li>Transcribing audio using third-party services</li>
+        <li>Extracting calendar events, reminders, and contacts using AI</li>
+        <li>Displaying caller identification from your contacts</li>
+        <li>Creating calendar events based on extracted information</li>
+        <li>Providing search functionality across your recordings and transcriptions</li>
+      </ul>
+
+      <h3>5.2 App Improvement</h3>
+      <ul>
+        <li>Debugging and fixing errors</li>
+        <li>Improving app stability and performance</li>
+      </ul>
+
+      <h3>5.3 Legal Compliance</h3>
+      <ul>
+        <li>Complying with applicable laws and regulations</li>
+        <li>Responding to lawful requests from authorities</li>
+        <li>Protecting our legal rights</li>
+      </ul>
+
+      <h2>6. Third-Party Services and Data Sharing</h2>
+      <p>Addit uses third-party services for transcription and AI processing. When you use these features, your data is transmitted to these services using API keys that you provide. We do not have access to your accounts with these providers.</p>
+
+      <h3>6.1 Transcription Services</h3>
+      <h4>Deepgram</h4>
+      <ul>
+        <li><strong>Data Sent:</strong> Audio files for transcription</li>
+        <li><strong>Privacy Policy:</strong> <a href="https://deepgram.com/privacy" target="_blank" rel="noopener noreferrer">https://deepgram.com/privacy</a></li>
+        <li><strong>Terms of Service:</strong> <a href="https://deepgram.com/terms" target="_blank" rel="noopener noreferrer">https://deepgram.com/terms</a></li>
+      </ul>
+      <h4>Gladia</h4>
+      <ul>
+        <li><strong>Data Sent:</strong> Audio files for transcription</li>
+        <li><strong>Privacy Policy:</strong> <a href="https://www.gladia.io/privacy-policy" target="_blank" rel="noopener noreferrer">https://www.gladia.io/privacy-policy</a></li>
+        <li><strong>Terms of Service:</strong> <a href="https://www.gladia.io/terms-of-use" target="_blank" rel="noopener noreferrer">https://www.gladia.io/terms-of-use</a></li>
+      </ul>
+
+      <h3>6.2 AI Processing Services</h3>
+      <h4>OpenAI</h4>
+      <ul>
+        <li><strong>Data Sent:</strong> Transcription text for analysis, text for embeddings</li>
+        <li><strong>Privacy Policy:</strong> <a href="https://openai.com/privacy" target="_blank" rel="noopener noreferrer">https://openai.com/privacy</a></li>
+      </ul>
+      <h4>Google Gemini</h4>
+      <ul>
+        <li><strong>Data Sent:</strong> Transcription text for analysis</li>
+        <li><strong>Privacy Policy:</strong> <a href="https://policies.google.com/privacy" target="_blank" rel="noopener noreferrer">https://policies.google.com/privacy</a></li>
+      </ul>
+
+      <h3>6.3 What We Do NOT Share</h3>
+      <ul>
+        <li>We do NOT sell your personal data to any third party</li>
+        <li>We do NOT share your data for advertising or marketing purposes</li>
+        <li>We do NOT provide your data to data brokers</li>
+        <li>We do NOT use your data to train AI models</li>
+        <li>We do NOT transfer your data to our servers (all data remains on your device)</li>
+      </ul>
+
+      <h2>7. Data Storage and Security</h2>
+      <h3>7.1 Local Storage</h3>
+      <p>All your personal data, including recordings, transcriptions, extracted items, and settings are stored locally on your device. We do not operate servers that store your personal data.</p>
+
+      <h3>7.2 Security</h3>
+      <ul>
+        <li><strong>op-sqlite:</strong> For structured data (recordings, transcriptions, events)</li>
+        <li><strong>MMKV:</strong> For preferences and settings, with AES encryption</li>
+        <li><strong>iOS Keychain / Android Keystore:</strong> For API keys, with hardware-backed encryption</li>
+        <li>All data transmitted to third-party services uses HTTPS/TLS encryption</li>
+      </ul>
+
+      <h2>8. Data Retention</h2>
+      <p>Data stored on your device is retained until you delete it. You control retention through individual deletion, cache clearing, full data deletion, or app uninstallation. Data transmitted to third-party services is subject to their respective retention policies.</p>
+
+      <h2>9. Your Rights and Choices</h2>
+      <p>Since all data is stored locally on your device, you can exercise most rights directly through the App:</p>
+      <ul>
+        <li><strong>Access:</strong> View all your data directly in the App</li>
+        <li><strong>Deletion:</strong> Delete individual items or all data through Settings &gt; Data Management &gt; Delete All Data</li>
+        <li><strong>Export:</strong> Export your data in JSON format through Settings &gt; Data Management &gt; Export Data</li>
+        <li><strong>Permission Control:</strong> Revoke App permissions at any time through your device's settings</li>
+      </ul>
+      <p>For requests that cannot be fulfilled through the App, contact us at <a href="mailto:privacy@addit.dev">privacy@addit.dev</a>.</p>
+
+      <h2>10. GDPR Compliance (EEA, UK, Switzerland)</h2>
+      <ul>
+        <li><strong>Right of Access (Article 15)</strong></li>
+        <li><strong>Right to Rectification (Article 16)</strong></li>
+        <li><strong>Right to Erasure (Article 17)</strong> — "right to be forgotten"</li>
+        <li><strong>Right to Restrict Processing (Article 18)</strong></li>
+        <li><strong>Right to Data Portability (Article 20)</strong> — JSON export</li>
+        <li><strong>Right to Object (Article 21)</strong></li>
+        <li><strong>Right to Withdraw Consent (Article 7(3))</strong></li>
+      </ul>
+      <p>Contact our DPO at <a href="mailto:dpo@addit.dev">dpo@addit.dev</a>. You may lodge a complaint with your local supervisory authority.</p>
+
+      <h2>11. CCPA/CPRA Compliance (California Residents)</h2>
+      <table>
+        <thead>
+          <tr><th>Category</th><th>Examples</th><th>Collected</th></tr>
+        </thead>
+        <tbody>
+          <tr><td>Identifiers</td><td>Contact names, phone numbers</td><td>Yes (locally)</td></tr>
+          <tr><td>Audio/Visual Information</td><td>Voice recordings, call audio</td><td>Yes (locally)</td></tr>
+          <tr><td>Internet Activity</td><td>Browsing history, search history</td><td>No</td></tr>
+          <tr><td>Geolocation</td><td>Precise location</td><td>No</td></tr>
+          <tr><td>Sensitive Personal Information</td><td>Contents of communications</td><td>Yes (locally)</td></tr>
+        </tbody>
+      </table>
+      <p><strong>Addit does NOT sell your personal information</strong> and does NOT share it for cross-context behavioral advertising.</p>
+
+      <h2>12. Other Regional Compliance</h2>
+      <p><strong>LGPD (Brazil):</strong> Contact our DPO at <a href="mailto:dpo@addit.dev">dpo@addit.dev</a>. Response within 15 days.</p>
+      <p><strong>PIPEDA (Canada):</strong> Complaints may be filed with the Office of the Privacy Commissioner at <a href="https://www.priv.gc.ca" target="_blank" rel="noopener noreferrer">priv.gc.ca</a>.</p>
+      <p><strong>Australian Privacy Act:</strong> Complaints may be filed with the OAIC at <a href="https://www.oaic.gov.au" target="_blank" rel="noopener noreferrer">oaic.gov.au</a>.</p>
+      <p><strong>U.S. State Laws:</strong> We comply with VCDPA, CPA, CTDPA, UCPA, and other applicable state privacy laws. Exercise rights at <a href="mailto:privacy@addit.dev">privacy@addit.dev</a>.</p>
+
+      <h2>13. Call Recording and Privacy</h2>
+      <p><strong>IMPORTANT:</strong> You are solely responsible for complying with all applicable laws regarding call recording in your jurisdiction. Many jurisdictions require consent from all parties to a call. Please understand and comply with your local laws before recording calls.</p>
+
+      <h2>14. Children's Privacy</h2>
+      <p>Addit is intended for users who are at least 17 years of age (18 in some jurisdictions). We do not knowingly collect personal information from children under 13. If you believe your child has used the App, contact us at <a href="mailto:privacy@addit.dev">privacy@addit.dev</a>.</p>
+
+      <h2>15. Changes to This Privacy Policy</h2>
+      <p>We may update this Privacy Policy from time to time. We will update the "Last updated" date and, for material changes, provide notice through the App. Continued use after changes constitutes acceptance.</p>
+
+      <h2>16. Contact Us</h2>
+      <p><strong>General Privacy:</strong> <a href="mailto:privacy@addit.dev">privacy@addit.dev</a></p>
+      <p><strong>Data Protection Officer (GDPR/LGPD):</strong> <a href="mailto:dpo@addit.dev">dpo@addit.dev</a></p>
+      <p><strong>Legal:</strong> <a href="mailto:legal@addit.dev">legal@addit.dev</a></p>
+
+      <p style="margin-top:2rem; font-size:0.85rem; color:#475569;">This Privacy Policy is effective as of January 16, 2026, and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.</p>
+    </div>
+  </div>
+</body>
+</html>