Privacy Policy
Last updated: 2026-06-15 · Version v2
1. Who we are
Aya is operated by Velts (the “Company”, “we”, “us”). We are the data controller for personal information processed through the Aya app and website at tryaya.app.
- Email: contact@velts.org
- Postal address: Margolin 1, Rishon LeZion, Israel
- DPO contact: contact@velts.org (subject line: “DPO”)
If you are in the EU/EEA and have a complaint we cannot resolve, you have the right to lodge a complaint with your local supervisory authority.
2. Scope
This policy covers the Aya mobile app (iOS package app.tryaya.aya, Android package app.tryaya.aya) and our website at tryaya.app. It applies whenever you create an account, sign in, send messages to the assistant, upload receipts or files, or connect a calendar, email, or payment integration.
It does not cover third-party services we link to but do not operate (for example, the Apple App Store or Google Play purchase flows — those are governed by Apple’s and Google’s own terms).
3. Data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Email, phone number, display name, business profile, country/region | You (sign-up, onboarding) |
| Content | Chat messages, voice notes, attachments, receipts, invoices, client notes, memory entries | You |
| Integration data | Calendar events (including events Aya creates or updates on your instruction), email messages and attachments (only from accounts you explicitly connect) | Google Calendar / Gmail (with OAuth consent) |
| Payment data | Subscription tier, store transaction IDs, IP and device fingerprint at purchase, RevenueCat app_user_id (a pseudonymous UUID) | Apple App Store, Google Play, RevenueCat |
| Device & technical | App version, OS, device model, language, anonymous installation IDs (analytics, push, RevenueCat) | The app |
| Diagnostic | Crash reports, error traces, performance metrics | The app (via Sentry) |
| Communications | Magic-link emails, OTP messages, push notifications | Generated by us, delivered by Brevo / OneSignal |
We do not collect payment card details. Purchases run entirely through Apple In-App Purchase or Google Play Billing.
4. How we use your data (lawful basis under GDPR)
| Purpose | Lawful basis |
|---|---|
| Provide the assistant, store your data, run AI features | Contract (Art. 6(1)(b)) |
| Authenticate you (magic link / OTP) | Contract |
| Bill subscriptions and resolve entitlements | Contract |
| Detect abuse, debug crashes, secure the service | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails (sign-in, receipts) | Contract |
| Send marketing or product-update emails | Consent (Art. 6(1)(a)) — opt-in only |
| Comply with Israeli, EU, and other applicable law | Legal obligation (Art. 6(1)(c)) |
You can withdraw consent at any time without affecting prior processing.
5. Sharing — sub-processors
We use the following sub-processors to deliver Aya. Each is bound by a written data-processing agreement.
| Sub-processor | Purpose | Region |
|---|---|---|
| Google LLC (Gemini API, Google Cloud, Google OAuth) | AI processing, calendar/email integration | US |
| RevenueCat, Inc. | Subscription entitlement management | US |
| OneSignal (Onesignal, Inc.) | Push notification delivery | US |
| Sendinblue SAS (Brevo) | Transactional email (magic links, receipts) | EU (France) |
| DigitalOcean, LLC | App hosting (PostgreSQL, Spaces object storage) | EU region for primary data |
| Functional Software, Inc. (Sentry) | Crash and error monitoring | US |
| Meta Platforms Ireland Ltd | WhatsApp Business API for OTP delivery (if used) | EU + US |
| Apple Inc., Google LLC (App Store, Play Store) | Payment processing (independent controllers) | US |
We do not sell your personal information and do not share it for cross-context behavioural advertising.
5a. Google user data (Gmail and Calendar) and Limited Use
If you choose to connect a Google account, Aya accesses a limited set of your Google data through Google’s official APIs, only with your explicit OAuth consent, and only to provide the features described below.
Google Calendar — view and edit events (https://www.googleapis.com/auth/calendar.events) and view your list of calendars (https://www.googleapis.com/auth/calendar.calendarlist.readonly). Aya reads your calendar events to show them in your unified Planner and to provide scheduling context (for example leave-now and travel-time estimates); when you ask Aya to add or change a job, task, or reminder, it creates, updates, or deletes those events; and it reads the list of your calendars so you can choose which calendars Aya should sync. Aya only edits events on your instruction and does not manage or permanently delete entire calendars.
Gmail (https://www.googleapis.com/auth/gmail.readonly). Aya reads your email messages and their attachments on a read-only basis to automatically extract business records for your review: receipts and expenses, client follow-ups and commitments, and to-do items. Aya never sends, modifies, deletes, or labels your email.
How this data is processed and stored. Connected-account data is used solely to power the features above for you. Email and calendar content may be processed by our AI sub-processor (Google Gemini) to extract structured records, as described in section 9; it is not used for advertising, is not sold, and is not shared except with the sub-processors listed in section 5 strictly to deliver these features. Access tokens are encrypted at rest. You can disconnect a Google account at any time from Aya’s settings or your Google Account; disconnecting deletes the email and calendar data Aya holds for that connection, and account deletion erases it under section 7.
Limited Use. Aya’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
6. International transfers
Aya is operated from Israel, which the European Commission has recognised as providing an adequate level of data protection.
Where sub-processors are located outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum where applicable, and EU-US Data Privacy Framework certifications where the sub-processor is enrolled. We also apply technical safeguards (encryption in transit and at rest) and organisational safeguards (least-privilege access).
A full list of sub-processors with their region and transfer mechanism is published at https://tryaya.app/legal/dpa and updated when it changes.
7. Retention
We keep your data while your account is active. When you delete your account, we erase your content within 30 days, except where law requires a longer hold (for example, financial records may be retained for up to seven years to satisfy tax-record obligations). Crash logs and server logs roll off in 30 days. Encrypted backups age out on a rolling 35-day window.
You can export your data and request deletion at any time from in-app settings, or by emailing contact@velts.org.
8. Your rights (GDPR / CCPA / UK GDPR)
Depending on where you live, you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- request erasure (“right to be forgotten”);
- receive your data in a portable, machine-readable format;
- restrict or object to processing;
- withdraw consent;
- lodge a complaint with a supervisory authority.
California residents additionally have the right to know, the right to delete, the right to correct, and the right to opt out of any “sale” or “sharing” of personal information. Aya does not sell personal information and does not share it for cross-context behavioural advertising.
To exercise any right, email contact@velts.org. We respond within 30 days (extendable by up to two months for complex requests, as the GDPR allows).
9. AI processing
Aya uses third-party large language models (currently Google Gemini) to power the assistant, triage email, transcribe voice, and extract structured records from your content. We do not use your content to train, fine-tune, or improve any general-purpose AI model, and our AI sub-processors are configured to honour training opt-outs where the provider supports it.
AI-derived memory (vector embeddings of facts and preferences extracted from your messages) is stored to personalise the assistant for you. This memory is your data and is deleted when you close your account.
AI outputs may be inaccurate, incomplete, or out of date. They are suggestions — you decide whether to send, save, or act on them.
10. Children’s privacy
Aya is not directed at children. You must be at least 16 in the EEA/UK or 13 elsewhere to use the Service. We do not knowingly collect personal data from anyone below those ages. If you believe a child has provided their data, email contact@velts.org and we will delete it promptly.
11. Security
We use TLS in transit, encryption at rest, hashed credentials, short-lived JWTs with refresh-token rotation, iOS Keychain / Android Keystore for tokens on your device, encrypted SQLite for offline drafts, least-privilege staff access with auditing, dependency scanning, and documented incident-response procedures.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant supervisory authority as required by law.
12. Changes
We will post material changes here and bump the version. Older versions remain at https://tryaya.app/legal/privacy/{version}. If a change materially reduces your rights, we will notify you in the app or by email before it takes effect.
Version v2 (2026-06-15) adds the Google user data (Gmail and Calendar) disclosure and the Google API Services Limited Use statement, and discloses country/region collection.
13. Contact
- General: contact@velts.org
- DPO contact: contact@velts.org (subject line: “DPO”)
- Postal: Margolin 1, Rishon LeZion, Israel
See also our Terms of Service.