Privacy Policy

Last updated: March 22, 2026

This Privacy Policy explains how Ayva ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use the Ayva mobile application for Android ("the App"). By using the App, you agree to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you register, we collect your email address and a securely hashed password. If you sign in with Google, we receive your name and email address from Google. We never store your plain-text password.

1.2 Conversation History

We store your conversations with Ayva to provide context-aware responses across sessions. We retain up to the most recent 50 messages per conversation session. Older messages are pruned automatically for performance and privacy.

1.3 AI Memory (Persistent Personal Knowledge)

A core feature of Ayva is its ability to remember things you share over time — this is what makes it genuinely useful as a personal assistant. Specifically, we store:

• Personal facts and preferences — things you tell Ayva about yourself (e.g., dietary restrictions, hobbies, work situation)
• Health and dietary information — only what you explicitly share (e.g., allergies, intolerances)
• People in your life — names and context of people you mention (e.g., "my colleague Martin") to enable personalized assistance
• Plans and future events — trips, appointments, goals you mention, so Ayva can follow up
• Routines and habits — recurring patterns you describe, used to make proactive suggestions

This memory is stored as encrypted vector embeddings in our database and is used exclusively to improve the quality of your AI assistant experience. You can request deletion of your memory data at any time.

1.4 Voice Data

When you use voice input or the Gemini Live voice feature, your audio is streamed in real time directly to Google's Gemini API for processing. We do not store your voice recordings on our servers. Audio is processed transiently and discarded after the AI response is generated.

1.5 Photos and Videos

If you send images or videos in a conversation (Premium feature), the media is temporarily uploaded to our servers for AI processing and then included in your conversation history. Media files are associated with the messages you send and are deleted when your account is deleted.

1.6 Location Data

If you enable location sharing, Ayva uses your approximate location to provide context-aware responses (e.g., local weather, nearby places). Location data is used only to generate your AI response and is not stored persistentlyon our servers.

1.7 Contacts

If you grant the Contacts permission, Ayva can read contact names and phone numbers to assist with call and message features. This data is accessed on-demand and is not copied or stored in our database.

1.8 Notification Content

If you enable the Notification Listener permission, Ayva may read incoming notification content (sender, message preview) to provide proactive assistance — for example, to alert you to important messages or suggest replies. This content is processed in real time and is not stored on our servers.

1.9 Calendar and Gmail Data

When you connect Google Calendar or Gmail, Ayva accesses event data and email previews to answer questions and take actions on your behalf (e.g., creating events, summarizing emails). This data is processed in real time for each request and is not stored in our database beyond what appears in your conversation history.

1.10 Spotify Data

When you connect Spotify, we receive an OAuth access token that allows Ayva to control playback and access your top tracks and playlists. We store this token securely to maintain your connection. Spotify data is used only to execute your music-related requests.

1.11 Smart Home Data

If you configure smart home devices (e.g., Tuya-compatible lights, switches), we store your device configuration (device IDs, names, room assignments) to allow Ayva to control them. Device state information is fetched on demand.

1.12 Device Information

We collect your Firebase Cloud Messaging (FCM) push token to deliver notifications and proactive alerts. We also collect basic device information (Android version, device model) for debugging and compatibility purposes.

1.13 Usage Analytics

We collect anonymized usage data — such as which features are used and error logs — to improve the App. This data cannot be used to identify you individually.

2. Android Permissions Explained

The App requests the following Android permissions. We only request what is strictly necessary:

• INTERNET — Required to communicate with our servers and AI services
• RECORD_AUDIO — Required for voice input and Gemini Live voice assistant
• SYSTEM_ALERT_WINDOW — Required for the overlay chat that appears over other apps (activated via power button)
• FOREGROUND_SERVICE — Required to keep the overlay assistant running when active
• POST_NOTIFICATIONS — Required to deliver reminders and proactive alerts
• RECEIVE_BOOT_COMPLETED — Required to restore background services after device restart
• BIND_NOTIFICATION_LISTENER_SERVICE — Optional; enables Ayva to read notifications for proactive assistance
• READ_CONTACTS — Optional; enables Ayva to assist with calls and messages using your contacts
• ACCESS_FINE_LOCATION — Optional; enables location-aware responses
• CAMERA — Optional; enables taking photos to include in conversations
• READ_EXTERNAL_STORAGE / MEDIA permissions — Optional; enables selecting photos and videos from your gallery

3. How We Use Your Information

• To provide and personalize the AI assistant experience
• To maintain conversation memory and long-term personal context
• To deliver proactive notifications, reminders, and follow-ups
• To integrate with your connected services (Spotify, Google Calendar, Gmail, Contacts)
• To control smart home devices on your behalf
• To process payments and manage your subscription
• To diagnose bugs, improve reliability, and develop new features
• To comply with legal obligations

4. Third-Party Services

Ayva relies on the following third-party services. Your data may be transmitted to these services in order to provide the App's functionality. Each service operates under its own privacy policy.

• Supabase — Authentication, database storage (PostgreSQL), and vector search. Hosted on AWS infrastructure (US/EU regions). Data stored here includes your account, conversations, and AI memory.
• Google Gemini AI — AI conversation processing and voice streaming (Gemini Live). Your messages and voice input are processed by Google's AI models. Subject to Google's AI and Privacy policies.
• Google Firebase — Push notifications (Firebase Cloud Messaging). Your FCM token is used to deliver alerts to your device.
• Google Play Billing — Payment processing for Premium subscriptions. Payment data is handled exclusively by Google.
• Fly.io — Backend server hosting. Our API servers run on Fly.io infrastructure. No data is permanently stored at this layer.
• Spotify — Music playback control and personalization via Spotify's Web API. Only activated when you explicitly connect your Spotify account.
• Google APIs — Calendar, Gmail, Maps, and Contacts. Only activated when you explicitly grant permission for each service.
• RevenueCat — Subscription management and entitlement verification. Used to validate your Premium status across app reinstalls and device changes.
• Groq Cloud — Fast AI inference used for internal message classification (not your full conversation content). Subject to Groq's privacy policy.

5. Data Storage and Security

All user data is stored in Supabase with row-level security (RLS) policies, ensuring that each user can only access their own data. OAuth tokens (Spotify, Google) are encrypted at rest using AES-256. Passwords are hashed using bcrypt and never stored in plain text.

All communication between the App, our servers, and third-party services uses TLS/HTTPS encryption in transit.

AI memory embeddings are stored as encrypted vector data and are only accessible during AI response generation for your account.

6. Data Retention

• Account data — Retained until you delete your account
• Conversation history — Most recent 50 messages per session; older messages are pruned automatically
• AI memory — Retained until you delete individual memories or your account; periodically compressed by AI to maintain relevance
• Voice recordings — Not stored; processed transiently and discarded
• OAuth tokens — Retained until you disconnect the service or delete your account
• FCM token — Updated on each app launch; old tokens are replaced
• Analytics data — Anonymized; retained for up to 90 days
• After account deletion — All personal data is permanently and irreversibly deleted within 30 days

7. Your Rights (GDPR and Global)

Regardless of where you are located, you have the following rights over your data:

• Right of access — Request a copy of the personal data we hold about you
• Right to rectification — Request correction of inaccurate data
• Right to erasure — Request deletion of your account and all associated data ("right to be forgotten")
• Right to data portability — Request your data in a machine-readable format
• Right to object — Object to processing of your data for specific purposes
• Right to withdraw consent — Disconnect any integrated service at any time from Settings
• Right to restrict processing — Request that we limit how we use your data

EU users: We comply with the General Data Protection Regulation (GDPR). If you are in the European Economic Area, you have additional rights and may lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at support@ayvaai.com or use the in-app account deletion feature.

8. Children's Privacy

Ayva is not intended for children under 13 years of age (or under 16 in the European Union, in accordance with GDPR). We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@ayvaai.com and we will delete it promptly.

9. International Data Transfers

Ayva is a global service. Your data may be processed in countries outside your own, including the United States and the European Union, where our infrastructure providers (Supabase, Fly.io, Google) operate. We take appropriate steps to ensure your data is protected in accordance with this Privacy Policy regardless of where it is processed.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes through the App or via email. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact Us