1. Introduction
AIA Business Solutions ("Company", "we", "us", "our") operates Maaia, an AI-powered personal operating system. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.
We are committed to protecting your privacy. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, password (hashed)
- Profile Data: Goals, preferences, values, life domains (GTD, finance, health, CRM)
- User Content: Tasks, projects, contacts, transactions, notes, journal entries, health logs
- Conversations: Messages exchanged with Maaia AI, including tool calls and context
- Vault Data: Encrypted sensitive information (passwords, documents, keys) stored client-side
- Payment Information: Billing details processed by Stripe (we do not store full card numbers)
2.2 Information Automatically Collected
- Usage Data: Daily tool calls, tokens used, features accessed, session duration
- Device Information: Browser type, operating system, IP address (anonymized)
- Log Data: API requests, errors, performance metrics (retained for 30 days)
- Cookies: Session cookies for authentication, analytics cookies (see Cookie Policy)
2.3 Information from Third-Party Integrations
- Google Calendar: Calendar events, attendees, meeting details (if you enable sync)
- Telegram: Telegram user ID, username (if you connect your account)
- Voice Services: Voice recordings temporarily processed by ElevenLabs for text-to-speech
3. How We Use Your Information
We use your information to:
- Provide the Service: Deliver AI-powered assistance, memory management, and productivity tools
- Personalization: Customize responses based on your goals, preferences, and conversation history
- AI Processing: Send your messages to third-party AI models (Gemini, Claude, OpenAI) to generate responses
- Semantic Search: Embed your conversations and knowledge base for contextual retrieval (RAG)
- Proactive Insights: Analyze patterns to surface relevant information and recommendations
- Communication: Send service updates, usage alerts, and support messages
- Billing: Process payments and manage subscriptions via Stripe
- Improvement: Analyze aggregate usage to improve features and fix bugs
- Security: Detect fraud, abuse, and unauthorized access
- Legal Compliance: Comply with laws, regulations, and legal requests
We do NOT: Sell your personal data to third parties, use your data to train public AI models without consent, or share identifiable data with advertisers.
4. How We Share Your Information
4.1 Third-Party AI Providers
To generate intelligent responses, we send your messages (and relevant context) to:
- Google Gemini: Primary AI model (free tier, usage logged by Google)
- Anthropic Claude: Backup model for specific use cases
- OpenAI GPT: Optional model for certain features
- ElevenLabs: Text-to-speech voice synthesis (audio not retained)
These providers have their own privacy policies. We minimize data sharing by sending only necessary context (not your entire account data), and we rely on provider guarantees that data is not used for training without consent.
4.2 Service Providers
- Vercel: Hosting and database (Postgres with encryption at rest)
- Stripe: Payment processing (PCI-DSS compliant, handles all payment data)
- Resend: Transactional email delivery (password resets, notifications)
4.3 Legal Requirements
We may disclose your information if required by law, court order, or government request, or to protect our rights, safety, or the safety of others.
4.4 Business Transfers
If we are acquired by or merge with another company, your information may be transferred as part of that transaction. We will notify you via email of any change in ownership or use of your data.
5. Data Security
5.1 Encryption
- In Transit: All data is transmitted over HTTPS (TLS 1.3)
- At Rest: Database encrypted using Vercel Postgres encryption
- Vault: Sensitive data encrypted client-side using AES-256-GCM before leaving your device
- Passwords: Hashed using bcrypt with salt
- Authentication: JWTs stored in HttpOnly cookies, which page scripts cannot read (limits token theft via XSS)
5.2 Access Control
- Row-Level Security (RLS): Database policies prevent users from accessing each other's data
- API Authentication: All API requests require valid session tokens
- Admin Access: Strictly limited to essential personnel with audit logs
5.3 Security Practices
- Regular security audits and penetration testing
- Automated vulnerability scanning
- Incident response plan with 24-hour breach notification
- Rate limiting and DDoS protection
Note: No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. Use the Vault feature for highly sensitive data.
6. Data Retention
- Active Accounts: Data retained indefinitely while your account is active
- Deleted Accounts: Data deleted within 30 days of account deletion (except legal holds)
- Conversations: Stored for memory persistence; you can delete individual conversations anytime
- Usage Logs: Retained for 30 days for debugging and analytics
- Payment Records: Retained for 7 years for tax and legal compliance (via Stripe)
- Backups: Deleted from backups within 90 days of account deletion
7. Your Privacy Rights
7.1 GDPR Rights (EU/UK Users)
If you are in the European Union or United Kingdom, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format (JSON export)
- Objection: Object to processing of your data for certain purposes
- Restriction: Request restriction of processing
- Withdraw Consent: Revoke consent for data processing at any time
- Lodge Complaint: File a complaint with your local data protection authority
7.2 CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know: Request disclosure of personal information collected, used, and shared
- Delete: Request deletion of your personal information
- Opt-Out: Opt out of sale of personal information (Note: We do NOT sell your data)
- Non-Discrimination: Not be discriminated against for exercising your rights
7.3 How to Exercise Your Rights
To exercise any of these rights, email us at privacy@aiabusiness.com with your request. We will respond within 30 days. You may also:
- Export Data: Use the "Export All Data" button in Settings
- Delete Account: Use the "Delete Account" button in Settings (irreversible)
- Manage Cookies: Use your browser settings or our Cookie Consent banner
8. Children's Privacy
Maaia is not intended for users under 13 years old (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us immediately at privacy@aiabusiness.com and we will delete it.
9. International Data Transfers
Your data is stored on servers in the United States (Vercel). If you are located outside the US, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for EU/UK users.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email and a banner in the app. Continued use after changes constitutes acceptance of the updated policy. The "Last Updated" date at the top reflects the most recent revision.
11. Contact Us
For privacy-related questions, requests, or concerns, contact us:
- Email: privacy@aiabusiness.com
- Data Protection Officer: dpo@aiabusiness.com
- Address: AIA Business Solutions, Las Vegas, NV, USA
12. Additional Information
12.1 Do Not Track (DNT)
Our Service does not respond to Do Not Track (DNT) browser signals as there is no industry consensus on how to handle DNT. You can manage cookies via our Cookie Consent banner.
12.2 AI Training
We do not use your personal conversations to train public AI models. However, we may use anonymized, aggregated data to improve Maaia's features (e.g., tool success rates, common user intents). You can opt out of analytics in Settings.
12.3 Marketing Communications
We may send promotional emails about new features or offers. You can unsubscribe anytime via the link in the email or in Settings. Transactional emails (password resets, billing) cannot be disabled.