Privacy Policy
Last updated: 2026-06-09 · Version v1
1. Who we are
Aya is operated by Velts (the “Company”, “we”, “us”). We are the data controller for personal information processed through the Aya app and website at tryaya.app.
- Email: contact@velts.org
- Postal address: Margolin 1, Rishon LeZion, Israel
- DPO contact: contact@velts.org (subject line: “DPO”)
If you are in the EU/EEA and have a complaint we cannot resolve, you have the right to lodge a complaint with your local supervisory authority.
2. Scope
This policy covers the Aya mobile app (iOS package app.tryaya.aya, Android package app.tryaya.aya) and our website at tryaya.app. It applies whenever you create an account, sign in, send messages to the assistant, upload receipts or files, or connect a calendar, email, or payment integration.
It does not cover third-party services we link to but do not operate (for example, the Apple App Store or Google Play purchase flows — those are governed by Apple’s and Google’s own terms).
3. Data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Email, phone number, display name, business profile | You (sign-up, onboarding) |
| Content | Chat messages, voice notes, attachments, receipts, invoices, client notes, memory entries | You |
| Integration data | Calendar events, email messages and metadata (only from accounts you explicitly connect) | Google Calendar / Gmail (with OAuth consent) |
| Payment data | Subscription tier, store transaction IDs, IP and device fingerprint at purchase, RevenueCat app_user_id (a pseudonymous UUID) | Apple App Store, Google Play, RevenueCat |
| Device & technical | App version, OS, device model, language, anonymous installation IDs (analytics, push, RevenueCat) | The app |
| Diagnostic | Crash reports, error traces, performance metrics | The app (via Sentry) |
| Communications | Magic-link emails, OTP messages, push notifications | Generated by us, delivered by Brevo / OneSignal |
We do not collect payment card details. Purchases run entirely through Apple In-App Purchase or Google Play Billing.
4. How we use your data (lawful basis under GDPR)
| Purpose | Lawful basis |
|---|---|
| Provide the assistant, store your data, run AI features | Contract (Art. 6(1)(b)) |
| Authenticate you (magic link / OTP) | Contract |
| Bill subscriptions and resolve entitlements | Contract |
| Detect abuse, debug crashes, secure the service | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails (sign-in, receipts) | Contract |
| Send marketing or product-update emails | Consent (Art. 6(1)(a)) — opt-in only |
| Comply with Israeli, EU, and other applicable law | Legal obligation (Art. 6(1)(c)) |
You can withdraw consent at any time without affecting prior processing.
5. Sharing — sub-processors
We use the following sub-processors to deliver Aya. Each is bound by a written data-processing agreement.
| Sub-processor | Purpose | Region |
|---|---|---|
| Google LLC (Gemini API, Google Cloud, Google OAuth) | AI processing, calendar/email integration | US |
| RevenueCat, Inc. | Subscription entitlement management | US |
| OneSignal (Onesignal, Inc.) | Push notification delivery | US |
| Sendinblue SAS (Brevo) | Transactional email (magic links, receipts) | EU (France) |
| DigitalOcean, LLC | App hosting (PostgreSQL, Spaces object storage) | EU region for primary data |
| Functional Software, Inc. (Sentry) | Crash and error monitoring | US |
| Meta Platforms Ireland Ltd | WhatsApp Business API for OTP delivery (if used) | EU + US |
| Apple Inc., Google LLC (App Store, Play Store) | Payment processing (independent controllers) | US |
We do not sell your personal information and do not share it for cross-context behavioural advertising.
6. International transfers
Aya is operated from Israel, which the European Commission has recognised as providing an adequate level of data protection.
Where sub-processors are located outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum where applicable, and EU-US Data Privacy Framework certifications where the sub-processor is enrolled. We also apply technical safeguards (encryption in transit and at rest) and organisational safeguards (least-privilege access).
A full list of sub-processors with their region and transfer mechanism is published at https://tryaya.app/legal/dpa and updated when it changes.
7. Retention
We keep your data while your account is active. When you delete your account, we erase your content within 30 days, except where law requires a longer hold (for example, financial records may be retained for up to seven years to satisfy tax-record obligations). Crash logs and server logs roll off in 30 days. Encrypted backups age out on a rolling 35-day window.
You can export your data and request deletion at any time from in-app settings, or by emailing contact@velts.org.
8. Your rights (GDPR / CCPA / UK GDPR)
Depending on where you live, you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- request erasure (“right to be forgotten”);
- receive your data in a portable, machine-readable format;
- restrict or object to processing;
- withdraw consent;
- lodge a complaint with a supervisory authority.
California residents additionally have the right to know, the right to delete, the right to correct, and the right to opt out of any “sale” or “sharing” of personal information. Aya does not sell personal information and does not share it for cross-context behavioural advertising.
To exercise any right, email contact@velts.org. We respond within 30 days (extendable by up to two months for complex requests, as the GDPR allows).
9. AI processing
Aya uses third-party large language models (currently Google Gemini) to power the assistant, triage email, transcribe voice, and extract structured records from your content. We do not use your content to train, fine-tune, or improve any general-purpose AI model, and our AI sub-processors are configured to honour training opt-outs where the provider supports it.
AI-derived memory (vector embeddings of facts and preferences extracted from your messages) is stored to personalise the assistant for you. This memory is your data and is deleted when you close your account.
AI outputs may be inaccurate, incomplete, or out of date. They are suggestions — you decide whether to send, save, or act on them.
10. Children’s privacy
Aya is not directed at children. You must be at least 16 in the EEA/UK or 13 elsewhere to use the Service. We do not knowingly collect personal data from anyone below those ages. If you believe a child has provided their data, email contact@velts.org and we will delete it promptly.
11. Security
We use TLS in transit, encryption at rest, hashed credentials, short-lived JWTs with refresh-token rotation, iOS Keychain / Android Keystore for tokens on your device, encrypted SQLite for offline drafts, least-privilege staff access with auditing, dependency scanning, and documented incident-response procedures.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant supervisory authority as required by law.
12. Changes
We will post material changes here and bump the version. Older versions remain at https://tryaya.app/legal/privacy/{version}. If a change materially reduces your rights, we will notify you in the app or by email before it takes effect.
13. Contact
- General: contact@velts.org
- DPO contact: contact@velts.org (subject line: “DPO”)
- Postal: Margolin 1, Rishon LeZion, Israel
See also our Terms of Service.