Privacy Policy

1. INTRODUCTION AND SCOPE

Dyva, Inc. ("Dyva+," "we," "us," "our") is a Delaware corporation. We operate Dyva+.ai -- an AI companion platform for text and voice conversations with AI characters.

This Privacy Policy ("Policy") covers how we collect, use, disclose, and process personal data when you use dyva.ai, our apps, and related services (the "Service"). Also covers your data rights and how to exercise them.

Under the GDPR, Dyva, Inc. is the data controller for your personal data. Under the CCPA, Dyva, Inc. is the business that determines how your personal information is processed.

By using the Service, you acknowledge reading this Policy. Disagree with our data practices? Do not use the Service.

2. INFORMATION WE COLLECT

2.1 Information You Provide

Data you give us directly:

Account Information: Email address, display name, and password. You may optionally add a profile avatar, date of birth, and gender.
Conversation Content: Messages and prompts you send to AI companions, stored for conversation history and memory features.
Voice Data: If you use voice features, we process your audio for speech-to-text transcription and generate audio responses via text-to-speech.
Payment Information: Payment card details and billing info are collected and processed by Stripe, Inc. We never store your full card number.
Communications: If you contact us for support, we collect your messages, email address, and any other information you provide.
User-Generated Content: Character configurations, shared conversation links, and other content you create or publish.

2.2 Information Collected Automatically

Collected automatically when you use the Service:

Usage Data: Pages viewed, features used, session duration, conversation frequency, and interaction patterns.
Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
Log Data: IP address, access timestamps, referring URLs, and HTTP request metadata. IP addresses are hashed with SHA-256 before storage (pseudonymized).
Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 10 and our Cookie Policy.

2.3 Information from Third Parties

Data we receive from other sources:

OAuth Providers: If you sign in with Google or Discord, we receive your name, email, and profile avatar as authorized during the OAuth consent flow.
Payment Processors: Stripe provides transaction confirmations, subscription status, and limited billing details (last four digits of your card, billing postal code).

3. HOW WE USE YOUR INFORMATION

What we do with your data and why. For EEA, UK, and Swiss users, the GDPR Article 6(1) legal basis is listed:

Purpose	Data Used	Legal Basis (GDPR Art. 6)
Provide and operate the Service, including AI conversation generation and memory features	Account data, conversation content, voice data	Performance of contract (Art. 6(1)(b))
Process payments and manage subscriptions	Email, billing information (via Stripe)	Performance of contract (Art. 6(1)(b))
Authenticate your identity and secure your account	Email, password hash, OAuth tokens, JWT session tokens	Performance of contract (Art. 6(1)(b))
Improve and optimize the Service, including AI model quality and safety	Usage data, aggregated conversation metadata	Legitimate interest (Art. 6(1)(f))
Analyze usage trends and generate aggregated analytics	Hashed IP addresses, page views, device data	Legitimate interest (Art. 6(1)(f))
Prevent fraud, abuse, and enforce our Terms of Service	IP addresses, usage patterns, account data	Legitimate interest (Art. 6(1)(f))
Send transactional communications (account verification, password resets, billing receipts)	Email address	Performance of contract (Art. 6(1)(b))
Send marketing communications and product updates	Email address, usage preferences	Consent (Art. 6(1)(a))
Respond to your support inquiries and legal requests	Communications content, account data	Performance of contract / Legal obligation (Art. 6(1)(b), (c))
Comply with applicable laws, regulations, and legal processes	As required by the specific obligation	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, we have confirmed our interests do not override your fundamental rights. Request a copy of that assessment anytime.

4. AI DATA PROCESSING

Your inputs go through AI systems. Here is how data moves during that processing, per GDPR Article 13(2)(f).

4.1 Conversation Processing

When you send a message, the following data may be sent to our AI sub-processors:

Your current message and relevant conversation history (context window)
Your display name and profile attributes needed for personalization (e.g., preferred name, gender if provided)
System-level instructions that define the AI character's persona and behavior

Your email, password, payment information, and IP address are never sent to AI sub-processors.

4.2 AI Processing

We use proprietary AI infrastructure for generating responses. Some features like intent classification and content analysis may use additional internal language model services. Your data is never used for model training -- only for providing the inference you requested.

4.3 Voice Processing

Voice interactions use two additional systems:

Speech recognition: Your audio is transcribed to text in real time. Audio is not stored after transcription.
Voice synthesis: Text is converted to audio for playback. Text inputs are not stored after synthesis.

4.4 Memory and Learning

Dyva+ stores conversation memories for continuity and personalization. Facts you share (preferences, interests, biographical details) become vector embeddings. Memories are yours alone -- never shared with other users. View, export, and delete them anytime in account settings.

4.5 No Automated Decision-Making with Legal Effects

We do not use your data for automated decisions that produce legal or similarly significant effects (GDPR Article 22). AI responses are conversational outputs -- not decisions affecting your legal rights.

5. SUB-PROCESSORS

Per GDPR Article 28, these are our sub-processors. Each bound by a data processing agreement consistent with this Policy:

Sub-Processor	Purpose	Data Categories Processed	Location
AI Processing Provider	Conversation and response generation	Conversation content, display name, character system prompts	United States
AI Analysis Provider	Intent classification, content analysis, auxiliary AI features	Message content, conversation context	United States
Voice Processing Provider	Text-to-speech synthesis	AI-generated text responses	United States
Speech Processing Provider	Speech-to-text transcription	User audio input	United States
Stripe, Inc.	Payment processing, subscription management	Billing name, email, payment card details, billing address	United States
Google (OAuth)	Authentication provider	Name, email, profile photo (user-authorized)	United States
Discord (OAuth)	Authentication provider	Username, email, avatar (user-authorized)	United States

List stays current. Material changes trigger notification per Section 14. Object to a new sub-processor? You may terminate your account per our Terms of Service.

We do not sell, rent, or trade your personal data. No sharing with third parties for their marketing. Disclosure happens only in these cases:

Service Providers and Sub-Processors: We share data with sub-processors listed in Section 5 to provide and improve the Service, under data processing agreements.
Legal Requirements: We may disclose data when required by law, regulation, legal process, or enforceable government request, including national security or law enforcement.
Protection of Rights: We may disclose data to investigate or act on illegal activity, suspected fraud, threats to safety, Terms of Service violations, or as evidence in litigation.
Business Transfers: In a merger, acquisition, asset sale, or business transfer, your data may be part of the transaction. We will notify you of any ownership change affecting your data.
With Your Consent: We may share data when you give explicit consent (e.g., publishing a shared conversation link).
Aggregated or De-Identified Data: We may share anonymized data that cannot identify you, for research, analytics, or business intelligence.

7. DATA RETENTION

Data lives only as long as it needs to. Or as law requires:

Data Category	Retention Period	Notes
Account information	Until account deletion	Deleted within 30 days of account deletion request
Conversation content and memories	Until account deletion or manual deletion	Users may delete individual conversations or all data at any time
Voice audio data	Processed in real time and discarded	Audio is not persistently stored; only transcriptions are retained as conversation content
Analytics data (hashed IPs, page views)	90 days	Automatically purged; IP addresses stored only in SHA-256 hashed form
Server and application logs	30 days	Automatically rotated and purged
Payment and billing records	As required by applicable tax and financial regulation	Typically 7 years for tax compliance; card details stored by Stripe only
Support communications	2 years after resolution	May be retained longer if related to an ongoing legal matter
Guest session data	24 hours	Temporary, automatically purged; see Section 13

Delete your account and we delete or anonymize your data within 30 days. Exceptions: law requires retention (tax records) or data is needed for legal claims. Encrypted backups may persist up to 90 additional days before permanent deletion.

8. INTERNATIONAL DATA TRANSFERS

Dyva+ is US-based. Data is processed and stored on US servers. Access from outside the US means your data may cross borders to the US and countries where our sub-processors operate.

For transfers from the EEA, UK, or Switzerland to countries without adequate data protection, we use these mechanisms per GDPR Articles 44-49:

Standard Contractual Clauses (SCCs): We use the European Commission's SCCs (Decision (EU) 2021/914) with sub-processors receiving data outside the EEA, supplemented by additional safeguards based on transfer impact assessments.
EU-U.S. Data Privacy Framework: Where applicable, we rely on sub-processors' self-certification under the EU-U.S., UK, and Swiss-U.S. Data Privacy Frameworks.
Supplementary Measures: Per the Schrems II decision, we implement encryption in transit (TLS 1.2+), encryption at rest, access controls, and pseudonymization where feasible.

You can request a copy of the SCCs or more information about our transfer mechanisms at [email protected].

9. YOUR RIGHTS

Your location determines your data rights. To exercise them, contact [email protected] or use the data management tools in your account settings.

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are in the EEA, UK, or Switzerland, you have these rights under GDPR Articles 15-22:

Right of Access (Art. 15): Confirm whether your data is being processed and get a copy, along with details about purposes, categories, recipients, and retention periods.
Right to Rectification (Art. 16): Correct inaccurate data or complete incomplete data.
Right to Erasure (Art. 17): Request deletion when data is no longer needed, you withdraw consent, you object to processing with no overriding grounds, or data was unlawfully processed.
Right to Restriction of Processing (Art. 18): Restrict processing when you contest accuracy, processing is unlawful, we no longer need the data but you need it for legal claims, or you have objected pending verification.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON) and transfer it to another controller.
Right to Object (Art. 21): Object to processing based on legitimate interests. We will stop unless we show compelling grounds that override your interests, or the processing is needed for legal claims.
Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing with legal or significant effects. As noted in Section 4.5, we do not engage in such decision-making.
Right to Withdraw Consent: Withdraw consent anytime without affecting the lawfulness of prior processing.

We respond within one month, extendable by two months for complex requests per GDPR Article 12(3). We will notify you of any extension within the first month.

9.2 Rights Under the CCPA (California Residents)

California residents have these rights under the CCPA (Cal. Civ. Code 1798.100-1798.199):

Right to Know (1798.100): Request the categories and specific pieces of personal information we collected, the sources, the business purposes, and the third parties we share it with.
Right to Delete (1798.105): Request deletion of your personal information, subject to exceptions (legal compliance, completing transactions, security).
Right to Correct (1798.106): Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing (1798.120): Dyva+ does not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Non-Discrimination (1798.125): We will not discriminate against you for exercising your CCPA rights -- no different pricing, quality, or access.

Categories Collected (Past 12 Months): Identifiers (name, email, IP address); commercial information (subscription and payment records); internet activity (usage data, logs); audio information (voice data for transcription); inferences (conversation memories, AI-generated preferences); and sensitive personal information (account credentials). These are collected for the purposes in Section 3.

Categories Disclosed for Business Purposes: We disclose identifiers, internet activity, and audio data to sub-processors (Section 5) solely to provide the Service.

To submit a verifiable consumer request, contact [email protected]. We verify your identity by matching the information you provide with our records. You may also designate an authorized agent with written authorization.

10. COOKIES AND TRACKING

Cookies and similar technologies keep the Service running and help us understand usage. Small data files on your device.

Cookie Type	Purpose	Duration
Session Token	Authentication and session management (strictly necessary)	Session / 7 days
Theme Preference	Stores your selected UI theme (functional)	1 year
Analytics	Aggregated usage statistics with hashed identifiers (analytics)	90 days

Strictly Necessary Cookies are essential for the Service and cannot be disabled. They include session tokens and security cookies.

Managing Cookies: You can control cookies through your browser settings. Disabling strictly necessary cookies may break the Service. See our Cookie Policy for details.

We do not use third-party advertising cookies, tracking pixels, cross-site tracking, or real-time bidding.

11. CHILDREN'S PRIVACY

Not directed at children under 13. We do not knowingly collect their personal information, per COPPA (15 U.S.C. 6501-6506) and GDPR Article 8.

If we discover we have collected data from a child under 13 (or under 16 in the EEA where applicable), we will promptly delete it.

Parental Rights: If you believe your child provided data without your consent, contact us immediately at [email protected]. We will verify and delete the data.

Users aged 13-17 need parental or guardian consent, as set forth in our Terms of Service.

12. SECURITY MEASURES

Technical and organizational measures protecting your data, per GDPR Article 32:

Encryption in Transit: All data between your device and our servers is encrypted with TLS 1.2 or higher.
Encryption at Rest: Sensitive database data is encrypted at rest with industry-standard algorithms.
Password Security: Passwords are hashed with bcrypt and per-user salt. We never store plaintext passwords.
IP Address Pseudonymization: IP addresses are irreversibly hashed with SHA-256 before storage. Raw IPs are not retained in analytics.
Access Controls: Personal data access is restricted to authorized personnel on a need-to-know basis with multi-factor authentication.
Infrastructure Security: Servers are hosted in physically secured facilities with firewalls, intrusion detection, and regular security audits.
Incident Response: We maintain a breach response plan. If a breach affects your data, we notify you and the relevant supervisory authority within 72 hours per GDPR Article 33 and applicable state laws.
Secure Token Management: Sessions use JWTs with appropriate expiration and secure storage.

Nothing is completely secure. No absolute guarantees. But we address vulnerabilities and incidents fast.

13. GUEST SESSIONS

Limited use without an account. Here is how guest data works:

No Account Creation: No email, display name, or registration info is collected.
Temporary Data: Guest conversations are automatically purged within 24 hours and are not linked to any persistent profile.
Rate Limiting: We use a SHA-256 hash of your IP address solely for rate limiting. This hash is not linked to personal data and is purged with the session.
Limited Features: Guest sessions do not include conversation history, memory, voice, or personalization.
AI Processing: Guest conversations are processed by the same AI sub-processors (Sections 4 and 5) with the same data handling practices.

14. CHANGES TO THIS POLICY

This Policy may change as our practices, technology, or legal requirements evolve:

Non-Material Changes: We update the effective date and post the revised version. We encourage you to review this Policy periodically.
Material Changes: For changes that materially affect how we handle your data (new data categories, new purposes, new sub-processors), we will notify you by email and/or in-app notice at least 30 days before the changes take effect.
Consent Where Required: Where law requires consent for a material change, we will get it before implementing. If you disagree, you may delete your account before changes take effect.

Keep using the Service after a revision and you accept it, to the extent permitted by law.

15. CONTACT

Questions? Reach out:

Privacy Inquiries: [email protected]
Data Controller: Dyva, Inc., a Delaware corporation.
Data Protection Officer: Email [email protected] with subject line "Attn: DPO."

Supervisory Authority

If you are in the EEA, UK, or Switzerland and believe we have violated your GDPR rights, you may file a complaint with your local supervisory authority (GDPR Article 77). EEA authorities are listed at https://edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, contact the ICO at https://ico.org.uk.

Helpful?

1. INTRODUCTION AND SCOPE

Dyva, Inc. ("Dyva+," "we," "us," "our") is a Delaware corporation. We operate Dyva+.ai -- an AI companion platform for text and voice conversations with AI characters.

Under the GDPR, Dyva, Inc. is the data controller for your personal data. Under the CCPA, Dyva, Inc. is the business that determines how your personal information is processed.

By using the Service, you acknowledge reading this Policy. Disagree with our data practices? Do not use the Service.

2. INFORMATION WE COLLECT

2.1 Information You Provide

Data you give us directly:

Account Information: Email address, display name, and password. You may optionally add a profile avatar, date of birth, and gender.
Conversation Content: Messages and prompts you send to AI companions, stored for conversation history and memory features.
Voice Data: If you use voice features, we process your audio for speech-to-text transcription and generate audio responses via text-to-speech.
Payment Information: Payment card details and billing info are collected and processed by Stripe, Inc. We never store your full card number.
Communications: If you contact us for support, we collect your messages, email address, and any other information you provide.
User-Generated Content: Character configurations, shared conversation links, and other content you create or publish.

2.2 Information Collected Automatically

Collected automatically when you use the Service:

Usage Data: Pages viewed, features used, session duration, conversation frequency, and interaction patterns.
Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
Log Data: IP address, access timestamps, referring URLs, and HTTP request metadata. IP addresses are hashed with SHA-256 before storage (pseudonymized).
Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 10 and our Cookie Policy.

2.3 Information from Third Parties

Data we receive from other sources:

OAuth Providers: If you sign in with Google or Discord, we receive your name, email, and profile avatar as authorized during the OAuth consent flow.
Payment Processors: Stripe provides transaction confirmations, subscription status, and limited billing details (last four digits of your card, billing postal code).

3. HOW WE USE YOUR INFORMATION

What we do with your data and why. For EEA, UK, and Swiss users, the GDPR Article 6(1) legal basis is listed:

Purpose	Data Used	Legal Basis (GDPR Art. 6)
Provide and operate the Service, including AI conversation generation and memory features	Account data, conversation content, voice data	Performance of contract (Art. 6(1)(b))
Process payments and manage subscriptions	Email, billing information (via Stripe)	Performance of contract (Art. 6(1)(b))
Authenticate your identity and secure your account	Email, password hash, OAuth tokens, JWT session tokens	Performance of contract (Art. 6(1)(b))
Improve and optimize the Service, including AI model quality and safety	Usage data, aggregated conversation metadata	Legitimate interest (Art. 6(1)(f))
Analyze usage trends and generate aggregated analytics	Hashed IP addresses, page views, device data	Legitimate interest (Art. 6(1)(f))
Prevent fraud, abuse, and enforce our Terms of Service	IP addresses, usage patterns, account data	Legitimate interest (Art. 6(1)(f))
Send transactional communications (account verification, password resets, billing receipts)	Email address	Performance of contract (Art. 6(1)(b))
Send marketing communications and product updates	Email address, usage preferences	Consent (Art. 6(1)(a))
Respond to your support inquiries and legal requests	Communications content, account data	Performance of contract / Legal obligation (Art. 6(1)(b), (c))
Comply with applicable laws, regulations, and legal processes	As required by the specific obligation	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, we have confirmed our interests do not override your fundamental rights. Request a copy of that assessment anytime.

4. AI DATA PROCESSING

Your inputs go through AI systems. Here is how data moves during that processing, per GDPR Article 13(2)(f).

4.1 Conversation Processing

When you send a message, the following data may be sent to our AI sub-processors:

Your current message and relevant conversation history (context window)
Your display name and profile attributes needed for personalization (e.g., preferred name, gender if provided)
System-level instructions that define the AI character's persona and behavior

Your email, password, payment information, and IP address are never sent to AI sub-processors.

4.2 AI Processing

4.3 Voice Processing

Voice interactions use two additional systems:

Speech recognition: Your audio is transcribed to text in real time. Audio is not stored after transcription.
Voice synthesis: Text is converted to audio for playback. Text inputs are not stored after synthesis.

4.4 Memory and Learning

4.5 No Automated Decision-Making with Legal Effects

5. SUB-PROCESSORS

Per GDPR Article 28, these are our sub-processors. Each bound by a data processing agreement consistent with this Policy:

Sub-Processor	Purpose	Data Categories Processed	Location
AI Processing Provider	Conversation and response generation	Conversation content, display name, character system prompts	United States
AI Analysis Provider	Intent classification, content analysis, auxiliary AI features	Message content, conversation context	United States
Voice Processing Provider	Text-to-speech synthesis	AI-generated text responses	United States
Speech Processing Provider	Speech-to-text transcription	User audio input	United States
Stripe, Inc.	Payment processing, subscription management	Billing name, email, payment card details, billing address	United States
Google (OAuth)	Authentication provider	Name, email, profile photo (user-authorized)	United States
Discord (OAuth)	Authentication provider	Username, email, avatar (user-authorized)	United States

List stays current. Material changes trigger notification per Section 14. Object to a new sub-processor? You may terminate your account per our Terms of Service.

We do not sell, rent, or trade your personal data. No sharing with third parties for their marketing. Disclosure happens only in these cases:

Service Providers and Sub-Processors: We share data with sub-processors listed in Section 5 to provide and improve the Service, under data processing agreements.
Legal Requirements: We may disclose data when required by law, regulation, legal process, or enforceable government request, including national security or law enforcement.
Protection of Rights: We may disclose data to investigate or act on illegal activity, suspected fraud, threats to safety, Terms of Service violations, or as evidence in litigation.
Business Transfers: In a merger, acquisition, asset sale, or business transfer, your data may be part of the transaction. We will notify you of any ownership change affecting your data.
With Your Consent: We may share data when you give explicit consent (e.g., publishing a shared conversation link).
Aggregated or De-Identified Data: We may share anonymized data that cannot identify you, for research, analytics, or business intelligence.

7. DATA RETENTION

Data lives only as long as it needs to. Or as law requires:

Data Category	Retention Period	Notes
Account information	Until account deletion	Deleted within 30 days of account deletion request
Conversation content and memories	Until account deletion or manual deletion	Users may delete individual conversations or all data at any time
Voice audio data	Processed in real time and discarded	Audio is not persistently stored; only transcriptions are retained as conversation content
Analytics data (hashed IPs, page views)	90 days	Automatically purged; IP addresses stored only in SHA-256 hashed form
Server and application logs	30 days	Automatically rotated and purged
Payment and billing records	As required by applicable tax and financial regulation	Typically 7 years for tax compliance; card details stored by Stripe only
Support communications	2 years after resolution	May be retained longer if related to an ongoing legal matter
Guest session data	24 hours	Temporary, automatically purged; see Section 13

8. INTERNATIONAL DATA TRANSFERS

Dyva+ is US-based. Data is processed and stored on US servers. Access from outside the US means your data may cross borders to the US and countries where our sub-processors operate.

For transfers from the EEA, UK, or Switzerland to countries without adequate data protection, we use these mechanisms per GDPR Articles 44-49:

Standard Contractual Clauses (SCCs): We use the European Commission's SCCs (Decision (EU) 2021/914) with sub-processors receiving data outside the EEA, supplemented by additional safeguards based on transfer impact assessments.
EU-U.S. Data Privacy Framework: Where applicable, we rely on sub-processors' self-certification under the EU-U.S., UK, and Swiss-U.S. Data Privacy Frameworks.
Supplementary Measures: Per the Schrems II decision, we implement encryption in transit (TLS 1.2+), encryption at rest, access controls, and pseudonymization where feasible.

You can request a copy of the SCCs or more information about our transfer mechanisms at [email protected].

9. YOUR RIGHTS

Your location determines your data rights. To exercise them, contact [email protected] or use the data management tools in your account settings.

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are in the EEA, UK, or Switzerland, you have these rights under GDPR Articles 15-22:

Right of Access (Art. 15): Confirm whether your data is being processed and get a copy, along with details about purposes, categories, recipients, and retention periods.
Right to Rectification (Art. 16): Correct inaccurate data or complete incomplete data.
Right to Erasure (Art. 17): Request deletion when data is no longer needed, you withdraw consent, you object to processing with no overriding grounds, or data was unlawfully processed.
Right to Restriction of Processing (Art. 18): Restrict processing when you contest accuracy, processing is unlawful, we no longer need the data but you need it for legal claims, or you have objected pending verification.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON) and transfer it to another controller.
Right to Object (Art. 21): Object to processing based on legitimate interests. We will stop unless we show compelling grounds that override your interests, or the processing is needed for legal claims.
Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing with legal or significant effects. As noted in Section 4.5, we do not engage in such decision-making.
Right to Withdraw Consent: Withdraw consent anytime without affecting the lawfulness of prior processing.

We respond within one month, extendable by two months for complex requests per GDPR Article 12(3). We will notify you of any extension within the first month.

9.2 Rights Under the CCPA (California Residents)

California residents have these rights under the CCPA (Cal. Civ. Code 1798.100-1798.199):

Right to Know (1798.100): Request the categories and specific pieces of personal information we collected, the sources, the business purposes, and the third parties we share it with.
Right to Delete (1798.105): Request deletion of your personal information, subject to exceptions (legal compliance, completing transactions, security).
Right to Correct (1798.106): Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing (1798.120): Dyva+ does not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Non-Discrimination (1798.125): We will not discriminate against you for exercising your CCPA rights -- no different pricing, quality, or access.

Categories Disclosed for Business Purposes: We disclose identifiers, internet activity, and audio data to sub-processors (Section 5) solely to provide the Service.

10. COOKIES AND TRACKING

Cookies and similar technologies keep the Service running and help us understand usage. Small data files on your device.

Cookie Type	Purpose	Duration
Session Token	Authentication and session management (strictly necessary)	Session / 7 days
Theme Preference	Stores your selected UI theme (functional)	1 year
Analytics	Aggregated usage statistics with hashed identifiers (analytics)	90 days

Strictly Necessary Cookies are essential for the Service and cannot be disabled. They include session tokens and security cookies.

Managing Cookies: You can control cookies through your browser settings. Disabling strictly necessary cookies may break the Service. See our Cookie Policy for details.

We do not use third-party advertising cookies, tracking pixels, cross-site tracking, or real-time bidding.

11. CHILDREN'S PRIVACY

Not directed at children under 13. We do not knowingly collect their personal information, per COPPA (15 U.S.C. 6501-6506) and GDPR Article 8.

If we discover we have collected data from a child under 13 (or under 16 in the EEA where applicable), we will promptly delete it.

Parental Rights: If you believe your child provided data without your consent, contact us immediately at [email protected]. We will verify and delete the data.

Users aged 13-17 need parental or guardian consent, as set forth in our Terms of Service.

12. SECURITY MEASURES

Technical and organizational measures protecting your data, per GDPR Article 32:

Encryption in Transit: All data between your device and our servers is encrypted with TLS 1.2 or higher.
Encryption at Rest: Sensitive database data is encrypted at rest with industry-standard algorithms.
Password Security: Passwords are hashed with bcrypt and per-user salt. We never store plaintext passwords.
IP Address Pseudonymization: IP addresses are irreversibly hashed with SHA-256 before storage. Raw IPs are not retained in analytics.
Access Controls: Personal data access is restricted to authorized personnel on a need-to-know basis with multi-factor authentication.
Infrastructure Security: Servers are hosted in physically secured facilities with firewalls, intrusion detection, and regular security audits.
Incident Response: We maintain a breach response plan. If a breach affects your data, we notify you and the relevant supervisory authority within 72 hours per GDPR Article 33 and applicable state laws.
Secure Token Management: Sessions use JWTs with appropriate expiration and secure storage.

Nothing is completely secure. No absolute guarantees. But we address vulnerabilities and incidents fast.

13. GUEST SESSIONS

Limited use without an account. Here is how guest data works:

No Account Creation: No email, display name, or registration info is collected.
Temporary Data: Guest conversations are automatically purged within 24 hours and are not linked to any persistent profile.
Rate Limiting: We use a SHA-256 hash of your IP address solely for rate limiting. This hash is not linked to personal data and is purged with the session.
Limited Features: Guest sessions do not include conversation history, memory, voice, or personalization.
AI Processing: Guest conversations are processed by the same AI sub-processors (Sections 4 and 5) with the same data handling practices.

14. CHANGES TO THIS POLICY

This Policy may change as our practices, technology, or legal requirements evolve:

Non-Material Changes: We update the effective date and post the revised version. We encourage you to review this Policy periodically.
Material Changes: For changes that materially affect how we handle your data (new data categories, new purposes, new sub-processors), we will notify you by email and/or in-app notice at least 30 days before the changes take effect.
Consent Where Required: Where law requires consent for a material change, we will get it before implementing. If you disagree, you may delete your account before changes take effect.

Keep using the Service after a revision and you accept it, to the extent permitted by law.

15. CONTACT

Questions? Reach out:

Privacy Inquiries: [email protected]
Data Controller: Dyva, Inc., a Delaware corporation.
Data Protection Officer: Email [email protected] with subject line "Attn: DPO."

Supervisory Authority

Helpful?

1. INTRODUCTION AND SCOPE

2. INFORMATION WE COLLECT

2.1 Information You Provide

2.2 Information Collected Automatically

2.3 Information from Third Parties

3. HOW WE USE YOUR INFORMATION

4. AI DATA PROCESSING

4.1 Conversation Processing

4.2 AI Processing

4.3 Voice Processing

4.4 Memory and Learning

4.5 No Automated Decision-Making with Legal Effects

5. SUB-PROCESSORS

6. DATA SHARING AND DISCLOSURE

7. DATA RETENTION

8. INTERNATIONAL DATA TRANSFERS

9. YOUR RIGHTS

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

9.2 Rights Under the CCPA (California Residents)

10. COOKIES AND TRACKING

11. CHILDREN'S PRIVACY

12. SECURITY MEASURES

13. GUEST SESSIONS

14. CHANGES TO THIS POLICY

15. CONTACT

Supervisory Authority

Privacy Policy

1. INTRODUCTION AND SCOPE

2. INFORMATION WE COLLECT

2.1 Information You Provide

2.2 Information Collected Automatically

2.3 Information from Third Parties

3. HOW WE USE YOUR INFORMATION

4. AI DATA PROCESSING

4.1 Conversation Processing

4.2 AI Processing

4.3 Voice Processing

4.4 Memory and Learning

4.5 No Automated Decision-Making with Legal Effects

5. SUB-PROCESSORS

6. DATA SHARING AND DISCLOSURE

7. DATA RETENTION

8. INTERNATIONAL DATA TRANSFERS

9. YOUR RIGHTS

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

9.2 Rights Under the CCPA (California Residents)

10. COOKIES AND TRACKING

11. CHILDREN'S PRIVACY

12. SECURITY MEASURES

13. GUEST SESSIONS

14. CHANGES TO THIS POLICY

15. CONTACT

Supervisory Authority