1. Who we are
This service is published by Bubl, a sole proprietorship based in the United States ("we," "us," "our"). "You" means the person texting Bubl or visiting chat.bublcx.com.
For any privacy question, request, or complaint: support@bublcx.com. A real person reads everything sent to that address.
2. Information we collect
Bubl only collects what's needed to text you back and remember you between conversations. The following is a complete list of information we (or a service provider acting on our behalf) receive:
- Your phone number. Required — it's the only way Bubl can text you back. We store it in our database in a one-way hashed form (so it can't be reversed) plus an encrypted form (so we can re-deliver replies). We don't have your name, your email, your address, or any other identifier unless you choose to tell Bubl during a conversation.
- Your messages and the assistant's replies. Stored so Bubl can remember context across conversations. Sent to the AI provider that generates each reply (see section 3). Not used for advertising, not sold, not shared with third parties beyond the providers listed below.
- A small profile and memory file. When Bubl learns useful things about you ("prefers vegan products," "buys gifts in June," "based in Lisbon," "is a beginner runner," "writes in a casual tone") it saves a structured profile and a short notes file so future conversations don't make you repeat yourself. You can ask Bubl to forget any of it at any time, or text STOP to delete everything.
- Images you send. If you text Bubl a photo (for example, "find me this product," "what kind of plant is this," or "is this a typo"), the image is downloaded from the SMS provider's temporary URL, resized, and sent to an image-recognition model so Bubl can describe what's in it. The image bytes and Bubl's text analysis of them are both stored on our infrastructure and remain there until you ask us to delete them (see section 7).
- Voice notes you send. If you send an audio message, it is downloaded from the SMS provider, sent to a speech-to-text model (see section 3) to convert it to text, and Bubl reasons over the transcript the same way it would over a text message. The audio bytes and the resulting transcript are both stored on our infrastructure and remain there until you ask us to delete them.
- Documents (PDFs) you send. If you text Bubl a PDF — for example a school form, a schedule, or an appointment summary — the file is downloaded from the SMS provider's temporary URL and its text is read so Bubl can answer questions about it. For PDFs that can't be read from their text layer alone (such as scans), the document is sent to the AI provider to be read (see section 3). The file and the text read from it are both stored on our infrastructure and remain there until you ask us to delete them (see section 7).
- YouTube videos you share. If you send a YouTube link and ask Bubl about the video, Bubl fetches the video's transcript through a transcript provider (see section 3) and reasons over it the same way it would over text. The transcript is stored on our infrastructure for a short period and remains there until it expires or you ask us to delete it.
- Google account data (only if you connect). If you choose to connect Google so Bubl can help with Gmail or Calendar, we store an OAuth token (encrypted), your Google account email address, your Google display name, your Google account ID, and the list of permissions you granted. While the connection is active, Bubl reads Gmail messages and Calendar events on demand each turn to answer your request; we do not maintain a long-running copy of your inbox or your calendar. If you text
STOP GOOGLE, your OAuth token and Google profile fields are immediately erased from our database and the grant is revoked with Google; a non-identifying record that a connection once existed is kept so we can recognize a different Google account if you reconnect later.
- Third-party app connections (only if you connect). Bubl can connect to certain third-party apps on your behalf through our integration provider, Composio (see section 3). If you choose to connect one, we store a small connection record — which app you connected, a connection reference ID issued by Composio, and the connection's status — so Bubl knows the app is available to you. The login credentials (OAuth tokens) that grant access to that app are held by Composio in their secure vault; we do not store those tokens in our database. You can disconnect at any time (see section 7), which revokes the connection at Composio.
- Scheduled reminders and routines. If you ask Bubl to remind you or to set up a routine ("every weekday at 7 send me a morning brief"), we store the intent text you wrote ("send me a morning brief"), the schedule, and the timezone so we can fire the reminder when it's due. Cancelled or completed reminders are hard-deleted from our database within 30 days.
- Operational logs. Standard hosting logs (timestamps, request IDs, error traces) plus an audit log of events like "message received," "reply sent," "memory saved." When an error occurs, a scrubbed diagnostic report is also retained by our error-monitoring provider, Sentry (see section 5). These are retained for debugging and abuse prevention; they do not include the content of your messages.
- Support email. If you email us, we see what you send. We keep it only as long as we need it to help you.
That list is exhaustive. We don't collect your contacts (other than what you explicitly tell Bubl or import from Google if you connect it), your physical location, your web-browsing history, or anything else beyond what you put into a message to Bubl.
A note on sensitive topics. Because Bubl can help with more than just shopping — research, advice, decisions, ideas — you may at times share information that feels personal: health questions, financial situations, relationship matters, things you're worried about. Anything you tell Bubl is handled the same way as any other message described above (stored in our database, sent to the AI provider to generate a reply, never sold or used for advertising), but please use your judgment about what you're comfortable sharing over SMS to a third-party service. If you'd rather not have something remembered, tell Bubl to forget it, or text STOP to delete everything.
3. How AI is used
Every reply Bubl sends is generated by a large language model. We use commercial AI APIs rather than running models ourselves. When you text Bubl, the contents of the conversation (your messages and the assistant's prior replies, plus any Gmail or Calendar items you asked about) are sent to the AI provider so the model can produce the next reply.
The providers Bubl uses are:
- Anthropic (Claude). Generates the conversational replies. When you send a photo, the image is also sent to Anthropic for recognition so Bubl can describe what's in it. When you send a PDF that can't be read from its text layer alone (such as a scan), the document is also sent to Anthropic to be read. We send all of this under Anthropic's commercial API terms, which state that API inputs and outputs are not used to train their models.
- Tavily. Used to search the web for results when Bubl looks something up. Tavily sees the search query Bubl generates (which may paraphrase what you asked for) and returns ranked URLs and snippets. Tavily does not see your phone number or your raw conversation.
- Firecrawl. Used to fetch the contents of specific web pages on your behalf once Tavily has returned the URLs — for example, a product page when you're shopping or a reference article when you're researching. Firecrawl sees the URLs it is asked to fetch. Firecrawl does not see your phone number or your raw conversation.
- Cloudflare Workers AI (speech-to-text). When you send a voice note, the audio is transcribed by Cloudflare's open-source Whisper model running on Cloudflare's Workers AI platform. Cloudflare processes the audio under its own privacy policy and the resulting text is returned to Bubl.
- Open-Meteo (weather). When you ask about the weather, the place name you mention (for example "Denver") is sent to Open-Meteo to look up current conditions and the forecast. Open-Meteo sees only that place name — not your phone number or your conversation.
- Supadata (video transcripts). When you share a YouTube link and ask Bubl about the video, the video's identifier is sent to Supadata to fetch its transcript so Bubl can respond to what was actually said. Supadata sees the video reference, not your phone number or your conversation.
We do not share your data with these providers for advertising or marketing purposes — only for the technical purpose of generating the reply you asked for.
If you have connected Google, we additionally talk to Google's Gmail and Calendar APIs on your behalf to read messages and events, and (only after you confirm an action in chat) to send Gmail replies, organize labels, archive or trash messages, or create, modify, delete, or RSVP to Calendar events. Google's handling of your data is governed by their privacy policy; you can review and revoke our access at any time on your Google Account permissions page or by texting STOP GOOGLE.
If you connect a third-party app, Bubl uses Composio as its integration provider to handle that connection. Composio is an integration platform that manages the secure login (OAuth) to the apps you choose to connect and runs the actions you ask Bubl to take in them. When you connect an app, Composio brokers the login and stores the resulting access credentials in its own secure vault; when Bubl performs an action you've asked for, it sends Composio a non-identifying user reference (a one-way hash of your phone number — never the number itself), the connection reference, and the details needed for that action, and receives back the result. Composio sees the data involved in those actions but processes it under its own privacy policy, which states it does not use the data for advertising or to train AI or machine-learning models. This applies only to apps you have explicitly chosen to connect, and you can disconnect at any time (see section 7).
4. SMS delivery
Text messages reach Bubl through an SMS provider, which acts as the carrier between your phone and our servers:
- Sendblue. Our SMS / iMessage provider. Sendblue sees your phone number, the contents of every message you send to Bubl, and every reply Bubl sends back — this is unavoidable for any SMS-based service. They process this data under their own privacy policy. Your mobile carrier also sees that messages are being exchanged with our number, the same as any other text.
Note on attachments: when you send an image, Sendblue temporarily hosts it and gives us a URL to download it. The image is publicly accessible at that URL for the duration of Sendblue's retention window (typically about 30 days) before being deleted on their side.
5. Hosting and storage
Bubl runs on:
- Cloudflare. Hosts our application (Cloudflare Workers), stores conversation history, your profile, your audio transcripts, your encrypted Google OAuth tokens (if you connected Google), and your scheduled reminders (Cloudflare D1, a SQLite-compatible database), stores your memory notes and any uploaded image, audio, or document (PDF) bytes plus video transcripts (Cloudflare R2 object storage), routes our AI requests through an AI Gateway, and serves this website (Cloudflare Pages). Cloudflare can technically see what passes through and what's stored, the same way any cloud provider can — they process this data under their own privacy policy and do not use it for advertising.
- Sentry. Our error-monitoring provider (US-based). When something goes wrong inside Bubl, a diagnostic error report — the type of error, a stack trace, the release version, a timestamp, and a non-identifying per-turn reference — is sent to Sentry so we can detect and fix failures. This is scoped to errors only, not a general log of your activity. The content of your messages, your phone number, and your profile and memory are scrubbed before any report is sent and never reach Sentry — only structural, technical error details do. Sentry processes this under its own privacy policy and does not use it for advertising.
6. What we don't do
For clarity, here is a list of things Bubl does not do, that other "free" services sometimes do:
- We do not sell your data to anyone.
- We do not show you ads. We don't have an ad product.
- We do not take undisclosed money from merchants, brands, or anyone else to influence what Bubl recommends or how it answers. If a recommendation ever contains an affiliate link, this page will be updated to say so before any such links go live.
- We do not use your conversations to train AI models. Neither do we, nor do the AI providers we use (under their commercial API terms).
- We do not embed analytics, tracking pixels, advertising SDKs, or cookies on this website.
- We do not send marketing texts, win-back drips, or upsells. The only proactive messages Bubl sends are the reminders and routines you have explicitly asked us to schedule (for example, "every weekday at 7 give me a morning brief"); each is read back to you for confirmation when you set it up.
7. Your rights and how to use them
Depending on where you live, you may have rights under the General Data Protection Regulation (GDPR, EU/UK), the California Consumer Privacy Act (CCPA/CPRA), or a similar law. These typically include the right to:
- Know what personal information we hold about you;
- Request a copy, correction, or deletion of that information;
- Object to or restrict certain processing;
- Withdraw consent at any time; and
- Lodge a complaint with your local data protection authority.
You can use the following self-serve tools at any time:
- Ask Bubl what it remembers about you. Just text something like "what do you remember about me?" — Bubl will list the facts and notes it has stored.
- Ask Bubl to forget specific things. Text "forget that I'm vegan" or "forget my sister's birthday" — Bubl will read back what it's about to delete and confirm with you before removing it from your profile and memory notes.
- Disconnect Google. Text
STOP GOOGLE to permanently erase the OAuth credentials we hold and revoke our access to your Gmail and Calendar.
- Disconnect a third-party app. If you've connected a third-party app through Composio, ask Bubl to disconnect it (or request full deletion below). This removes our local connection record and revokes the connection — including the access credentials Composio holds — at Composio.
- Stop receiving messages. Text
STOP to opt out of any further messages from Bubl. Important: the STOP keyword is an opt-out only — it does not by itself delete your conversation history, your profile, your memory notes, the images or voice notes you sent, or any other stored data. If you want full erasure, see the next bullet.
- Request full deletion of your data. Email support@bublcx.com from the number or address associated with your account and ask for full deletion. We will erase your conversation history, profile, memory notes, image, voice, and document (PDF) files, audio and video transcripts, and any Google connection from our systems, and confirm by email when done. We respond within 30 days, usually much sooner.
We do not sell your personal information and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
8. Children
Bubl is not directed to children under 13, or under the equivalent age of digital consent in your jurisdiction (16 in parts of the EU and the UK). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact support@bublcx.com and we will delete it.
9. Security
Our primary security measure is minimization: by not collecting an account, an email address, a payment method, or any data beyond what you choose to share inside a message, the amount of information an attacker could obtain from us is inherently small.
For the data we do hold: phone numbers are stored as a one-way hash plus an AES-256-GCM encrypted reversible form, with three separate secret keys (one for the hash, one for phone-number encryption, one for Google OAuth-token encryption) so that compromise of any single key does not unlock the others; message history, profile, audio transcripts, encrypted Google OAuth tokens, and scheduled reminders are stored in Cloudflare D1; memory notes and any image, audio, or document (PDF) bytes and video transcripts are stored in Cloudflare R2 with access scoped to our application. We rely on Cloudflare's security program for the underlying infrastructure. No system is perfectly secure, and we cannot guarantee absolute security of any information.
10. International users
The publisher is based in the United States. The SMS number is a US number. If you text Bubl from outside the United States, the information we hold may be processed in the United States or in other countries where our service providers operate. Where required, we rely on the standard contractual clauses or equivalent transfer mechanisms offered by those providers.
11. Changes to this policy
We may update this policy from time to time. Minor edits (clarifying wording, fixing typos, updating a link) take effect when posted. Any material change — for example, adding a new type of data collection, or weakening one of the core privacy guarantees in the summary above — will be announced on this page at least 30 days before it takes effect, and the effective date below will be updated.
For any question about this policy, to exercise a privacy right, or to tell us you think we're doing something wrong, email support@bublcx.com.
Effective June 10, 2026. Last updated July 6, 2026.