Privacy Policy

Effective Date: March 5, 2026 | Last Updated: March 5, 2026

1. Introduction

Aiva.io ("Aiva", "we", "us", or "our") is an AI-powered communication assistant operated by Aiva.io. Our registered business is located in Australia.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you access or use our website at www.tryaiva.io (the "Website"), our application, and any related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

This Privacy Policy is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) (EU/EEA), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Google API Services User Data Policy, and other applicable data protection laws.

2. Definitions

For the purposes of this Privacy Policy:

  • "Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked to you as an individual, including but not limited to your name, email address, and usage data.
  • "Google User Data" means any data obtained through Google APIs, including Gmail message content, Google Calendar events, and Google account profile information.
  • "Processing" means any operation performed on personal information, including collection, storage, use, disclosure, or deletion.
  • "Workspace" means a multi-tenant organizational unit within Aiva where your data is isolated and managed.
  • "AI Processing" means the use of artificial intelligence models to classify, summarise, draft replies to, or otherwise analyse your communication data within the Service.

3. Google User Data — Specific Disclosures

Aiva integrates with Google services to provide AI-powered email management and calendar scheduling. This section specifically addresses how we access, use, store, and protect data obtained through Google APIs, in compliance with the Google API Services User Data Policy and the Google APIs Terms of Service.

3.1 Google Data We Access

When you connect your Google account, Aiva requests the following OAuth scopes and accesses the corresponding data:

OAuth Scope | Data Accessed
gmail.readonly | Email messages (subject, body, sender, recipients, timestamps, labels, attachments metadata)
gmail.send | Ability to send emails on your behalf (only AI-drafted replies you approve, or auto-send with your configured thresholds)
userinfo.email | Your Google account email address
userinfo.profile | Your Google account name and profile picture
calendar.readonly | Calendar events (title, time, location, attendees, description)
calendar.events | Ability to create and modify calendar events (for AI-assisted scheduling)

3.2 How We Use Google User Data

Google User Data is used exclusively to provide and improve the Aiva Service. Specifically:

  • Email Classification: We use AI to classify your emails by priority (urgent, high, medium, low), category (e.g., customer inquiry, sales lead, scheduling), and sentiment to help you focus on what matters.
  • AI-Powered Drafting: We generate draft replies to your emails using AI, incorporating conversation context, your preferences, and your configured tone.
  • Auto-Send: With your explicit opt-in and configurable confidence thresholds, Aiva can automatically send replies on your behalf. You control which categories are eligible, review periods, and can disable auto-send at any time.
  • Scheduling and Calendar: We read your calendar events to detect scheduling conflicts, propose meeting times, and create calendar events from email conversations.
  • Task Extraction: We extract actionable tasks from your emails (e.g., deadlines, follow-ups) to help you stay organised.
  • Summarisation: We generate summaries of email threads to provide quick overviews in your inbox.
  • Contact Management: We build contact profiles from your email interactions to provide contextual information when composing replies.

3.3 Sharing of Google User Data

Google User Data is shared only with:

  • OpenAI: Email content (subject, body, sender information) is sent to OpenAI's API for AI classification, summarisation, and reply drafting. OpenAI processes this data under their enterprise privacy terms and does not use it to train their models.
  • Supabase: Google User Data is stored in our Supabase-hosted PostgreSQL database with row-level security isolation.

We do NOT:

  • Sell Google User Data to any third party
  • Use Google User Data for advertising, marketing profiling, or any purpose unrelated to providing the Service
  • Allow any third party to use Google User Data for purposes unrelated to the Service
  • Transfer or disclose Google User Data except as described in this Privacy Policy

3.4 Google API Services Limited Use Disclosure

Aiva's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google User Data to provide or improve user-facing features that are prominent in our application's user interface.
  • We do not transfer Google User Data to others unless necessary to provide and improve user-facing features, to comply with applicable laws, or as part of a merger, acquisition, or asset sale with prior notice to users.
  • We do not use Google User Data for serving advertisements.
  • We do not allow humans to read Google User Data unless we have your affirmative consent for specific messages, it is necessary for security purposes (e.g., investigating abuse), it is necessary to comply with applicable law, or the data is aggregated and anonymised for internal operations.

3.5 Storage and Protection of Google User Data

  • Google OAuth tokens (access tokens and refresh tokens) are stored securely in our database. We never store your Google password.
  • All Google User Data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256 encryption.
  • Google User Data is isolated per workspace using row-level security (RLS) policies, ensuring no cross-tenant data access.
  • Our infrastructure providers (Vercel, Supabase) maintain SOC 2 compliance.

3.6 Retention and Deletion of Google User Data

  • Google User Data is retained for as long as your account is active and your Google account is connected.
  • You can disconnect your Google account at any time through your Aiva workspace settings. Upon disconnection, we delete all stored Gmail messages, calendar events, and associated AI classifications within 30 days.
  • You can also revoke Aiva's access directly from your Google Account permissions page.
  • Upon account deletion, all Google User Data is permanently removed within 30 days. Backup copies are purged within 90 days.
  • To request immediate deletion of your Google User Data, contact privacy@tryaiva.io.

4. Information We Collect

4.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in via a third-party OAuth provider (Google, Microsoft, GitHub), we receive your name, email, and profile picture from that provider. For Shopify merchants, we also receive your store name, domain, owner information, and store email through Shopify's OAuth system.

4.2 Communication Data

To provide our AI inbox assistant services, we access and store messages from your connected communication channels (Gmail, Microsoft Outlook) with your explicit permission. This includes email subject lines, body content, sender and recipient information, timestamps, labels, and attachment metadata. This data is used solely to power AI features such as classification, reply drafting, summarisation, task extraction, and scheduling.

4.3 Calendar Data

When you connect your Google Calendar or Microsoft Outlook Calendar, we access event details including titles, descriptions, times, locations, attendees, and organiser information. This is used for scheduling conflict detection and AI-assisted event creation.

4.4 Shopify Data (for Shopify App Users)

If you use Aiva through our Shopify App, we access and store customer data (name, email, phone, address, order history), order data (financial details, line items, shipping addresses), and product data (titles, descriptions, pricing) from your Shopify store. This data is used to provide AI-powered customer support and contextual replies to customer inquiries.

4.5 Usage Data

We automatically collect information about how you interact with our Service, including features used, pages visited, messages processed, AI actions taken (classifications, drafts generated, auto-sends), preferences set, timestamps of interactions, and error logs. This is collected through privacy-respecting analytics tools.

4.6 Device and Technical Data

We collect your IP address, browser type and version, operating system, device type, referring URLs, and timezone. This information is used for security, fraud prevention, and service optimisation.

4.7 Voice Data (Pro Plan Feature)

If you use the Voice Aiva feature, your voice audio is transmitted to OpenAI's Whisper API for speech-to-text transcription. The transcribed text and AI responses are stored as part of your voice conversation history. Voice audio is not permanently stored by Aiva.

4.8 Billing Information

Payment processing is handled by Stripe (for web customers) and Shopify Billing (for Shopify App users). We do not directly store your credit card numbers. Stripe and Shopify store your payment details securely under their respective privacy policies and PCI DSS compliance.

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service: Deliver AI-powered email classification, draft reply generation, auto-send functionality, scheduling assistance, task extraction, and inbox management.
  • AI Processing: Send communication data to AI models (OpenAI GPT-4o-mini) for classification, summarisation, reply drafting, sentiment analysis, and scheduling intent detection.
  • Calendar Integration: Read calendar events to detect conflicts, propose meeting times, and create events from email conversations.
  • Contact Management: Build and maintain contact profiles from your communication interactions for contextual AI responses.
  • Personalisation: Customise the Service based on your preferences, tone settings, AI rules, and workspace configuration.
  • Notifications: Send you service-related notifications about messages requiring review, high-priority items, daily digests, and auto-send confirmations.
  • Billing: Process subscriptions and payments through Stripe or Shopify Billing.
  • Security: Detect and prevent fraud, abuse, and unauthorised access.
  • Analytics: Understand usage patterns and improve the Service using privacy-respecting analytics (PostHog).
  • Error Monitoring: Identify and fix bugs and technical issues (Sentry).
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes.

6. Legal Bases for Processing

We process your personal information on the following legal bases:

  • Consent: When you connect a third-party account (e.g., Google, Microsoft) via OAuth, you explicitly consent to us accessing the data covered by the requested scopes. You may withdraw consent at any time by disconnecting the account.
  • Contract: Processing necessary to perform our contract with you (i.e., providing the Service you subscribed to).
  • Legitimate Interest: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, provided these interests are not overridden by your rights.
  • Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal processes.

7. Data Sharing and Third-Party Disclosure

We do not sell your personal information or Google User Data to any third party. We never have and never will.

We share data with the following categories of third-party service providers, solely to operate and improve the Service:

Provider | Purpose | Data Shared
OpenAI | AI classification, summarisation, reply drafting, voice transcription | Email content (subject, body, sender), voice audio
Supabase | Database hosting, authentication, real-time updates | All application data (stored with row-level security)
Vercel | Application hosting and CDN | Server-side request data, IP addresses
Stripe | Payment processing | Name, email, billing address, payment method tokens
ElevenLabs | Text-to-speech (Voice Aiva, Pro plan) | AI-generated response text
PostHog | Product analytics | Anonymised usage events, feature interactions
Sentry | Error tracking and monitoring | Error reports, stack traces, device info
Resend | Transactional email delivery | Recipient email addresses, notification content

We may also disclose your information:

  • Legal Requirements: When required by law, court order, subpoena, or government request, or to protect our legal rights.
  • Safety: To protect the safety, rights, or property of Aiva, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets. You will be notified via email and/or a prominent notice on our Website of any change in ownership or uses of your personal information.

8. Data Storage and Security

We implement industry-standard technical and organisational measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at Rest: All data stored in our database is encrypted using AES-256 encryption.
  • OAuth Token Security: We never store your email passwords. We use secure OAuth 2.0 tokens to access your connected accounts. Tokens are stored in our encrypted database and are refreshed automatically.
  • Row-Level Security (RLS): Our database enforces workspace-level data isolation, ensuring that your data is only accessible within your workspace and cannot be accessed by other tenants.
  • Access Controls: Workspace-based role permissions (owner, admin, member, read-only) control who can access data within a workspace.
  • SOC 2 Compliant Infrastructure: Our hosting providers (Vercel, Supabase) maintain SOC 2 Type II compliance.
  • Regular Security Reviews: We conduct regular security reviews, vulnerability assessments, and dependency audits.
  • AI Audit Logging: All AI operations (message classification, reply generation, auto-sends) are logged with full audit trails including model used, confidence scores, and processing timestamps.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry best practices.

9. Data Retention and Deletion

We retain your data for only as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy:

Data Type | Retention Period
Account information | Duration of account existence + 30 days after deletion
Email and calendar data (Gmail, Outlook) | Duration of active channel connection + 30 days after disconnection
AI classifications and drafts | Duration of active subscription + 30 days after account deletion
AI audit logs | 12 months (for compliance and quality assurance)
Voice conversation data | Duration of active subscription + 30 days after account deletion
Billing records | 7 years (as required by tax and financial regulations)
Anonymised analytics data | Indefinite (cannot be linked back to individuals)

Deleting Your Data:

  • Disconnect a Channel: Go to your workspace settings and disconnect any channel (Gmail, Outlook, Calendar). Associated data will be deleted within 30 days.
  • Delete Your Account: You can request account deletion through your account settings or by contacting privacy@tryaiva.io. All personal data will be permanently removed within 30 days.
  • Backup Purge: Data in backups is purged within 90 days of deletion.
  • Exceptions: Certain data may be retained longer where required by law (e.g., billing records for tax compliance) or to resolve disputes.

10. International Data Transfers

Aiva is operated from Australia. Your data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States and countries within the European Economic Area (EEA), where our service providers operate.

When transferring data internationally, we ensure appropriate safeguards are in place:

  • Our service providers maintain industry-standard data protection certifications (SOC 2, ISO 27001).
  • For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions where applicable.
  • For transfers from Australia, we comply with Australian Privacy Principle 8 (APP 8), ensuring overseas recipients are bound by obligations substantially similar to the APPs.
  • We maintain data processing agreements with all service providers that handle personal information.

11. Your Rights

Depending on your location, you have certain rights regarding your personal information. We are committed to honouring these rights regardless of where you reside.

11.1 Australian Privacy Act (APPs)

Under the Australian Privacy Act 1988, you have the right to:

  • Access the personal information we hold about you (APP 12)
  • Request correction of inaccurate or outdated personal information (APP 13)
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached
  • Opt out of direct marketing communications
  • Request information about how we handle your personal information

11.2 European Economic Area (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access: Obtain a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Restrict processing of your personal data
  • Portability: Receive your personal data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Lodge a Complaint: File a complaint with your local data protection authority

11.3 California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Right to Know: Request information about what personal information we have collected, used, disclosed, and sold in the preceding 12 months
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out of Sale: We do not sell personal information, so this right is satisfied by default
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Personal Information: Direct us to limit use of sensitive personal information to what is necessary

Do Not Sell or Share My Personal Information: Aiva does not sell or share (as defined by the CCPA/CPRA) your personal information for cross-context behavioural advertising.

11.4 All Users — Universal Rights

Regardless of your location, you can:

  • Disconnect any connected channel (Gmail, Outlook, Calendar) at any time through workspace settings
  • Revoke OAuth access to Google via your Google Account permissions
  • Disable auto-send and AI features at any time
  • Export your data in a machine-readable format by contacting support
  • Delete your account and all associated data

To exercise any of these rights, visit your account settings or contact us at privacy@tryaiva.io. We will respond to your request within 30 days (or sooner where required by applicable law).

12. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled as the Service will not function without them.
  • Analytics Cookies: We use PostHog (a privacy-respecting analytics tool) to understand usage patterns and improve the Service. These collect anonymised interaction data.
  • Performance Cookies: We use Google Analytics for web performance monitoring. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

You can control cookie preferences through your browser settings. Disabling non-essential cookies will not affect the core functionality of the Service.

13. Children's Privacy

The Service is not intended for use by children under the age of 16 (or 13 in jurisdictions where a lower age of consent applies). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@tryaiva.io and we will promptly delete the information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this page.
  • We will notify you via email or through a prominent notice on the Service at least 30 days before the changes take effect (for material changes).
  • Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries: privacy@tryaiva.io

General Support: support@tryaiva.io

Website: www.tryaiva.io

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters involving data breaches, please include "URGENT" in your email subject line.

16. Regulatory Bodies and Complaints

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant data protection authority:

Australia

Office of the Australian Information Commissioner (OAIC)

Website: www.oaic.gov.au

Phone: 1300 363 992

European Union

Contact your local Data Protection Authority (DPA). A list of EU DPAs is available at: European Data Protection Board

United States (California)

California Attorney General's Office

Website: oag.ca.gov/privacy

United Kingdom

Information Commissioner's Office (ICO)

Website: ico.org.uk