Privacy Policy

hYYa Vault's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• Data accessed via Local Connections is retrieved directly from Google to your device and processed by an on-device AI model.
• It is never transmitted to or stored on hYYa servers, never used for advertising, and never shared with anyone.
• Connected-account content is never included in any web search query or any other outbound request from the app.
• You can revoke access at any time in your Google Account settings or from within the app.

• Email address — stored in Supabase to manage your account and send sign-in links.
• Conversation messages — routed via OpenRouter to the AI model provider that generates your response (e.g. Anthropic, Google, xAI, DeepSeek). These providers do not use your messages to train their models. If you add your own provider API key (BYOK), that key is encrypted at rest on hYYa’s servers (AES-256), never shown again after you save it, and used only to send your messages directly to that provider under your own key — across chat and DataLens. You can remove a saved key at any time in Settings → API Keys.
• DataLens documents — if you upload documents to a DataLens, their text is stored in Supabase and sent to Google’s embedding API so hYYa can search and reason over them. Used only to power your DataLens.

• Vercel — hosts the hYYa web app and processes your requests in transit; it does not retain your conversation content.
• Supabase — hYYa’s database and file storage: your account, conversations, memory, and DataLens documents are stored here, protected by row-level security.
• OpenRouter — routes your hYYa Cloud conversation messages to the AI model provider that generates your response. OpenRouter does not retain your prompts, and hYYa configures routing to exclude providers that train on your data.
• AI model providers (such as Anthropic, Google, xAI, DeepSeek, and Moonshot) — receive your message content in order to generate the response. They are not sent your hYYa account identity, and do not use your messages to train their models.
• Google — for DataLens, generates embeddings for the documents you upload and reads (OCR) any images you add, so they can be searched. Used for that processing only.
• Composio — only if you turn on Connections: securely stores the authorization for the apps you connect (e.g. Gmail, Calendar, Outlook, Notion, Drive) and relays read-only data into your chat at your request. SOC 2 Type 2; tokens are encrypted and isolated per user. Inactive unless you connect an app.
• Google (Gemini Live) — only if you use voice: real-time voice runs through Google’s Gemini Live service. Audio streams directly between your browser and Google and does not pass through hYYa’s servers; the voice assistant also uses Google Search to answer real-time questions. Active only during a voice session.
• Polar — processes subscription payments as Merchant of Record. No card data touches hYYa servers.
• Resend — delivers account and billing emails (sign-in links, subscription notices).