Privacy Policy

We collect information you provide directly:

• Account identifiers: name, email address, and any credentials or keys needed to verify you. Depending on how you sign in, this may be a hashed password, a passkey public key, a one-time code sent to your email, or an identifier issued by a third-party sign-in provider you choose to use.
• Messages, uploaded files, and conversation history when using the service
• Bookmarks you create on sessions or individual messages
• Data accessible through integrations you choose to connect (for example, email, calendar, files, documents, or tickets from third-party services you link to your account)
• Support communications

We also collect usage data automatically: IP address, browser type, pages visited, session and sharing metadata, approximate location derived from IP, and interaction data to improve our service. We also collect diagnostic information, including error messages, stack traces, and performance metrics, to detect, debug, and prevent failures.

• To provide, maintain, and improve Aryra
• To process conversations and file uploads through our AI systems
• To execute code and queries you initiate against connected data sources
• To enable Gmail integration features you opt into, including reading and composing emails via AI
• To deliver and manage real-time notifications
• To send service-related communications
• To detect and address technical issues or abuse
• To comply with legal obligations

Your data is stored on secure servers with encryption in transit (TLS) and at rest. Uploaded files use isolated, access-controlled cloud storage with per-user data isolation enforced at the application level.

Authentication tokens are stored in HttpOnly cookies, which are inaccessible to JavaScript and protected against XSS attacks. A separate non-HttpOnly session-presence cookie may be used so the app can detect login state without a server round-trip. Logging out or clearing cookies will end your session.

If a security incident affects your personal data, we will notify you and the relevant data protection authority as required by applicable law.

Aryra relies on the following sub-processors to deliver the service. We list each by vendor together with the category of processing, and we only share the minimum data necessary for each purpose.

Google Cloud

• AI model inference. Your messages, attachments, and relevant context are sent to Google Cloud's AI services to produce responses, research, and generated images, video, and audio.
• Object storage for uploaded files.
• Document understanding and speech-to-text for documents, images, audio, and video you provide.
• Google Workspace APIs, only if you explicitly connect a Google account (for example, for email, calendar, drive, docs, or sheets). We use the minimum scopes needed to deliver the feature you activated.

Amazon Web Services (AWS)

• Transactional email. One-time login codes, account notifications, and service alerts are delivered through AWS Simple Email Service. Only your email address and the message body are processed.
• Additional AWS-hosted services may be used as fallbacks for storage, document processing, or speech-to-text where Google Cloud services are unavailable.

Cloudflare

• Content delivery, DNS, and security (DDoS mitigation, TLS termination). Cloudflare processes your IP address and request metadata to route traffic to our service.

Sentry

• Error diagnostics and performance monitoring. When something fails, we send error messages, stack traces, and request context (which may incidentally include your IP address and the account identifier associated with the request) to Sentry so we can fix the issue. We configure Sentry to redact sensitive fields where possible.

Web search

• When you ask a question that needs fresh information from the web, we send the relevant search query to an independent search provider on your behalf. Your account identity is not disclosed to the search provider.

Third-party integrations you choose to connect

• Aryra can connect, at your initiation, to a range of third-party services you already use, for example: productivity suites (Google Workspace, Microsoft 365), communication tools (Slack, Microsoft Teams), developer platforms (GitHub, GitLab, Bitbucket), issue and knowledge trackers (Jira, Confluence, Linear, Notion), support and CRM tools (Salesforce, HubSpot, Zendesk), observability platforms (Datadog, Sentry, PagerDuty), and HR systems. You choose which to connect, and you can disconnect any of them from your account settings at any time. Data shared with these providers is governed by their own terms and privacy policies.
• Single sign-on. If you choose to sign in with a third-party identity provider (for example, Google, Microsoft, or GitHub), that provider receives your authentication request and returns a verified identifier; Aryra never sees your password for that provider.

Enterprise / on-premise deployments

• Enterprise customers may run Aryra's crawling, indexing, and inference components inside their own infrastructure so that content from their environment never leaves their network. Contractual safeguards and the specific sub-processor list for those deployments are defined in the customer agreement.

We do not use your conversations, uploaded files, or queries to train or fine-tune AI models. Your content is used only to serve your own requests.

Our AI sub-processors (such as Google Cloud and AWS) are contractually prohibited from using customer content sent through their enterprise APIs to train their own foundation models. Aggregated, de-identified usage signals (for example, which features are used and how often) may be retained to improve product quality; these cannot be linked back to you.

We do not sell your personal data. We do not share your data with third parties except as described in this policy, as required by law, or with your explicit consent.

When you share a conversation via a public link, its content becomes accessible to anyone with that link. Shared sessions may be forked (copied) into other users' accounts. Revoking a share link prevents future access but does not remove copies already forked by other users. You control what you share.

We use cookies to maintain your session and remember preferences such as theme settings. Authentication tokens are stored in HttpOnly cookies (not accessible to JavaScript). A separate non-HttpOnly session-presence cookie may be used so the app can detect your login state without a server call. Disabling cookies will prevent login from working. Theme and UI preferences are stored in localStorage and contain no personal data.

You have the right to access, correct, or delete your personal data. Contact us at legal@aryra.ai. We respond within 30 days.

If you are in India, the Digital Personal Data Protection Act, 2023 (DPDPA) gives you specific rights as a Data Principal. Aryra acts as the Data Fiduciary for your personal data.

• Access and correction: ask for a summary of data we hold about you and request corrections.
• Erasure: request deletion when the data is no longer needed for the purpose collected.
• Withdraw consent: at any time, with the same ease as giving it. Withdrawal does not affect processing that already happened.
• Nominate: name someone to exercise your rights if you are incapacitated or die.
• Grievance redressal: write to our Grievance Officer at legal@aryra.ai. We respond within 30 days. If unresolved, you may escalate to the Data Protection Board of India.

If you are in the EEA, UK, or Switzerland, you also have the right to object to processing, request restriction, lodge a complaint with your local data protection authority, and protection against solely automated decisions with legal effects.

Aryra is not intended for anyone under 18. We do not knowingly collect personal data from anyone under 18. If we learn we have, we will delete it. If you believe a child has shared data with us, write to legal@aryra.ai.

We retain your data while your account is active and for the purposes described in this policy.

• Deleted conversations are removed from your view immediately and purged from our live systems within 30 days.
• If you delete your account, your personal data is deleted within 30 days, except data we must keep for legal, tax, or security reasons (invoice records are typically retained for the period required by applicable tax law in your jurisdiction).
• Encrypted backups may retain data for up to 90 additional days before overwrite.
• Diagnostic information (error logs, performance metrics) is retained for up to 90 days.
• Aggregated, de-identified data that can no longer be linked to you may be retained indefinitely.

Aryra is operated from India; our application infrastructure and primary data stores run in the Mumbai region. Certain sub-processors, including AI model inference, transactional email, content delivery, and error diagnostics, may be served from multiple regions globally. We rely on contractual safeguards with each sub-processor (including standard contractual clauses where applicable) to protect your data during transfer and storage.

Aryra does not make automated decisions that produce legal or significant effects about you without human review.

We may update this policy. We will notify you of significant changes via email or in-app notice.

Aryra is the Data Fiduciary for your personal data. Questions, complaints, or requests? Write to our Grievance Officer at legal@aryra.ai.