‍

PRIVACY POLICY

Last updated: 14 January 2026

This Privacy Policy for Aphra Assistants Ltd (“Aphra”, “we”, “us”, “our”) explains how and why we access, collect, store, use, and share (“process”) personal information when you use our services (“Services”), including when you:

• Visit our website at aphra.me (the “Site”)
• Download and use our mobile application, Aphra (the “App”)
• Use our AI-powered personal assistant features, including chat, reminders, notes, calendar/event creation, and Snap & Scan
• Engage with us for support, marketing, or other communications

If you do not agree with this Privacy Policy, please do not use our Services.

Contact: privacy@aphra.me
Company: Aphra Assistants Ltd, 128 City Road, London EC1V 2NX, United Kingdom

SUMMARY OF KEY POINTS

• What data we process: Account info, device/usage data, content you submit (e.g., chat messages, notes), Snap & Scan images/extracted text, and (if you connect accounts) email/calendar data.
• Sensitive data: We do not request sensitive data, but you may choose to include it in content you submit (e.g., emails/screenshots/chats).
• Third-party sources: We may receive data from third parties you choose to use with Aphra (e.g., Google/Microsoft email/calendar providers, Apple/Google app stores, social login providers).
• AI processing: Your inputs/outputs may be processed by third-party AI service providers to deliver AI features.
• Security: Chat text is encrypted at rest. Snap & Scan content is stored separately and is not encrypted at rest.
• Assistant Memory: We store derived insights (themes/preferences/usage signals) to personalise and improve the Services; it is not a verbatim copy of chats.
• Your rights: Depending on where you live, you may have rights to access, correct, delete, and object/opt out.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON? (UK/EU) / CONSENT (CANADA)
4. WHEN AND WITH WHOM DO WE SHARE PERSONAL INFORMATION?
5. COOKIES, ANALYTICS, AND TRACKING
6. AI-BASED PRODUCTS AND AUTOMATED PROCESSING
7. CONNECTED ACCOUNTS (EMAIL/CALENDAR) AND SOCIAL LOGINS
8. INTERNATIONAL TRANSFERS
9. HOW LONG DO WE KEEP YOUR INFORMATION?
10. HOW DO WE KEEP YOUR INFORMATION SAFE?
11. CHILDREN AND TEENS
12. YOUR PRIVACY RIGHTS
13. UNITED STATES PRIVACY RIGHTS
14. CANADA PRIVACY RIGHTS
15. GOOGLE WORKSPACE / GOOGLE API DATA USE
16. UPDATES TO THIS POLICY
17. CONTACT US
18. HOW TO REQUEST ACCESS/DELETION

1) WHAT INFORMATION DO WE COLLECT?

A. Personal information you provide to us

Depending on how you use the Services, you may provide:

Account and profile data

• Name (optional), email address, username
• Password (stored in a protected/hashed form where applicable)
• Contact preferences
• Support messages you send us

User content you submit

• Chat messages and assistant interactions
• Notes, reminders, tasks, calendar entries you create in Aphra
• Any files, text, or other content you input into the App

Snap & Scan content

• Images you upload or capture (screenshots/photos)
• Text extracted from those images
• Any structured outputs created from those images (e.g., suggested actions, saved items)

Connected account data (only if you choose to connect)

• Email content and metadata you authorise us to access (e.g., message subject/sender/body depending on permission scope)
• Calendar events and metadata you authorise us to access
• Other data available via the connection scopes you approve

Sharing

• If you use a share feature (e.g., sharing an event/output), we process what you choose to share and basic delivery metadata.

No community posting: Aphra does not provide public forums or public posting/community feeds. Sharing is limited to what you explicitly choose to send to others.

B. Information we receive from third parties

We may receive information from:

• App Store providers (Apple / Google): subscription status, purchase/renewal/cancellation events, and transaction identifiers needed to provide access to paid features. (We do not receive your full payment card details.)
• Connected account providers (e.g., Google/Microsoft) when you link email/calendar, limited to the scopes/permissions you grant.
• Social login providers (if you choose to sign in that way), such as basic profile identifiers (e.g., name/email) depending on provider and your settings.

C. Information collected automatically

When you use the Services, we may automatically collect:

Device and technical data

• IP address, device type, OS version, app version, language, time zone
• Device identifiers (e.g., device ID) and diagnostic data
• Push notification tokens (if you enable notifications)

Usage and analytics data

• App interactions and feature usage (e.g., what you click/tap, which features you use, session info)
• Crash logs and performance data

Approximate location

• Approximate location may be inferred from IP address.
• Precise location is collected only if you explicitly grant device permission (where used).

2) HOW DO WE PROCESS YOUR INFORMATION?

We process personal information to:

Provide the Services

• Create and manage your account
• Deliver AI assistant features (chat, reminders, notes, summaries, Snap & Scan outputs)
• Enable sharing features you initiate
• Provide customer support

Personalise and improve

• Personalise content and suggestions
• Improve feature relevance and reduce repetitive/irrelevant suggestions
• Monitor performance, debug issues, and improve reliability

Assistant Memory (derived insights)
We create and store Assistant Memory—derived insights such as:

• themes you frequently discuss (e.g., “school runs”, “work meetings”)
• preferences you express (e.g., reminder style/times)
• usage signals (e.g., what features/actions you use or click)

Assistant Memory is not a verbatim copy of your chats, but it may be personal information.

Security, safety, and compliance

• Prevent fraud and abuse
• Protect accounts and infrastructure
• Comply with legal obligations and respond to lawful requests

Marketing (where permitted)

• Send service updates and administrative messages
• Send marketing messages where you have opted in or where permitted by law, and you can opt out at any time

3) WHAT LEGAL BASES DO WE RELY ON?

If you are in the UK/EU/EEA

We rely on the following legal bases under UK GDPR / GDPR:

• Performance of a contract (to provide the Services you request)
• Legitimate interests (to secure, improve, and operate our Services; prevent fraud; analytics and product improvement)
• Consent (for certain permissions like precise location, certain marketing, and where required)
• Legal obligation (tax/accounting, regulatory, lawful requests)
• Vital interests (rare cases involving safety)

Sensitive data: We do not ask you to provide special category/sensitive data. If you choose to include it in content you submit, we process it only as needed to provide the Services and protect the Services, and where required we rely on your explicit consent or another lawful basis permitted by applicable law.

If you are in Canada

We process personal information with your meaningful consent (express or implied, depending on context) except where law permits otherwise.

4) WHEN AND WITH WHOM DO WE SHARE PERSONAL INFORMATION?

We may share personal information with:

Service providers (processors)

• Cloud hosting and storage providers
• Analytics and performance monitoring providers
• Customer support tooling
• AI service providers (to generate outputs you request)

These providers are contractually required to protect your data and process it only on our instructions.

Connected account providers

• When you connect email/calendar, data is exchanged with the provider as required for the integration.

App Store providers

• Apple/Google process subscription payments and provide us subscription status signals.

Legal and safety

• Where required by law, regulation, court order, or to protect rights/safety.

Business transfers

• In connection with mergers, acquisitions, or asset sales (with appropriate safeguards).

We do not “sell” personal information in the traditional sense. If we engage in targeted advertising in a way that is considered “sale” or “sharing” under certain US state laws, we will provide required opt-outs (see Section 13).

5) COOKIES, ANALYTICS, AND TRACKING

Website: We may use cookies and similar technologies for security, basic functionality, and analytics.
App: We may use SDKs for analytics and crash/performance monitoring.

Where required by law, we provide cookie consent tools and opt-outs.

6) AI-BASED PRODUCTS AND AUTOMATED PROCESSING

Aphra includes AI-based features that process your inputs to generate outputs (e.g., summaries, suggested actions, extracted entities).

AI service providers: We may send your input and receive output from third-party AI providers to deliver the feature you request.

Human review: We do not routinely have humans read your private content. Human access may occur in limited cases such as:

• you request support and consent to us reviewing specific content, or
• investigating abuse, security incidents, or legal compliance, where permitted by law.

Assistant Memory: We store derived insights (themes/preferences/usage signals) to personalise and improve the Services.

7) CONNECTED ACCOUNTS (EMAIL/CALENDAR) AND SOCIAL LOGINS

If you connect third-party accounts, we access only what you authorise via the permission scopes you grant, and we use it to provide features you request (e.g., surfacing upcoming events, summarising emails, suggesting next actions).

If you use social login, we receive basic profile information as allowed by the provider and your settings.

You can disconnect connected accounts in the App (where available). Disconnecting may limit features that rely on those connections.

8) INTERNATIONAL TRANSFERS

We may process and store personal information in the United Kingdom, Ireland, and the United States, and potentially other locations where our service providers operate.

If you are in the UK/EU/EEA/Switzerland, we use appropriate safeguards for international transfers (such as Standard Contractual Clauses) where required.

9) HOW LONG DO WE KEEP YOUR INFORMATION?

We keep personal information only as long as necessary for the purposes described in this Privacy Policy, including to provide the Services and comply with legal obligations.

In general:

• We keep account data and core user content while your account is active.
• When you delete your account (or request deletion), we delete or anonymise personal information within a reasonable period, unless we must retain it for legal reasons (e.g., accounting, fraud prevention, dispute resolution).
• Backup archives may persist for a limited time on normal backup cycles.

Important: If you state a fixed deletion timeline internally (e.g., “within 6 months”), you should ensure your systems actually meet it. (I’ve avoided hard promises here to reduce mismatch risk.)

10) HOW DO WE KEEP YOUR INFORMATION SAFE?

We use organisational and technical safeguards designed to protect personal information. However, no method of transmission or storage is 100% secure.

Feature-specific security disclosure (important)

• Chat text content is encrypted at rest in our systems.
• Snap & Scan content (uploaded images and/or extracted text) is stored separately and is not encrypted at rest.

Data is typically protected in transit using standard transport protections (e.g., HTTPS/TLS).

If you do not want Snap & Scan content stored in that way, do not upload images via Snap & Scan.

11) CHILDREN AND TEENS

The Services are not directed to children under 13. If we learn we have collected personal information from a child under 13, we will take steps to delete it.

If you are 13–17, you should use the Services only with parental/guardian involvement where required by law.

UK/EU note: UK age for consent in the context of information society services is 13; GDPR allows EU/EEA countries to set this between 13 and 16 for consent-based processing.

Quebec note: Quebec law includes specific rules for collecting personal information from minors under 14 in certain contexts.

12) YOUR PRIVACY RIGHTS (GENERAL)

Depending on your location, you may have rights to:

• Access your personal information
• Correct inaccurate information
• Delete your information
• Object to or restrict processing
• Data portability
• Withdraw consent (where processing is based on consent)

You can exercise rights by emailing privacy@aphra.me.

13) UNITED STATES PRIVACY RIGHTS

If you live in a US state with privacy laws (e.g., CA, CO, CT, VA, etc.), you may have rights to access, delete, correct, and to opt out of certain processing such as targeted advertising or “sale/sharing” as defined by law.

California sensitive information: California residents may have the right to limit the use and disclosure of “sensitive personal information” to certain permitted purposes.

We will not discriminate against you for exercising privacy rights.

To submit a request, email privacy@aphra.me.

14) CANADA PRIVACY RIGHTS

If you are in Canada, you can request access to and correction of your personal information and withdraw consent (subject to legal/contractual restrictions). PIPEDA generally requires meaningful consent and limiting collection to what is necessary.

To submit a request, email privacy@aphra.me.

15) GOOGLE WORKSPACE / GOOGLE API DATA USE (Important)

If you connect Google services (e.g., Gmail/Google Calendar) and we receive information from Google APIs:

• Our use of information received from Google APIs will comply with the Google API Services User Data Policy, including applicable Limited Use requirements.
• We do not use Google Workspace API user data to develop, improve, or train non-personalized (generalized) AI/ML models.
• We use Google Workspace data only to provide the user-facing features you enable (e.g., inbox/calendar-related features) and for security/operational purposes consistent with those requirements.

This section replaces your current clause that says Workspace API data “may be used to develop, improve, or train generalized AI/ML models” — that wording is a compliance risk with Google’s Workspace API policy protections.

16) UPDATES TO THIS POLICY

We may update this Privacy Policy from time to time. We will update the “Last updated” date and may provide additional notice in the App for material changes.

17) CONTACT US

Email: privacy@aphra.me
Mail: Aphra Assistants Ltd, 128 City Road, London EC1V 2NX, United Kingdom

18) HOW TO REQUEST ACCESS/DELETION

To request access, correction, or deletion, email privacy@aphra.me. We may need to verify your identity before fulfilling requests.

‍