Privacy Policy

Last updated: 2026-04-20

1. Who we are

Aya ("we", "us") is an AI receptionist service operated in the Philippines. For the purposes of the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, "DPA"), Aya acts as the Personal Information Controller ("PIC") for data you provide directly to us as a customer, and as a Personal Information Processor ("PIP") on behalf of our business customers for end-user messages processed through the Aya agent.

If you are a patient, client, or visitor chatting with a business that uses Aya, that business is the Personal Information Controller for your conversation data. Please also consult their own privacy policy.

2. What we collect

From Aya customers (business owners):

  • Account email and authentication data (via Supabase Auth)
  • Business profile: name, contact details, operating hours, services
  • Knowledge base content you upload (FAQs, documents, PDFs)
  • Billing and usage records

From end-users (people chatting with businesses on Aya):

  • Name and phone number (when provided to the agent)
  • Message content sent and received through the chat widget or chat link
  • Booking details (appointment date, service) when the business has enabled booking
  • Technical metadata: IP address (hashed with salt), browser user agent, session identifier, timestamps

3. How we use it

  • Operate the agent loop, retrieve relevant knowledge, and respond to messages
  • Notify the business of new leads and urgent inquiries by email and SMS
  • Save leads and conversations so operators can follow up
  • Prevent abuse and enforce rate limits (the reason we hash IPs)
  • Improve Aya's reliability (aggregated, non-identifying metrics only)

We do not sell personal information. We do not use your messages or knowledge base content to train external AI models.

4. Third-party processors

We use the following processors to deliver the service. Each is bound by its own privacy terms and acts only on our documented instructions:

  • Supabase — database, authentication, file storage
  • Vercel — application hosting, logs, analytics
  • OpenRouter — LLM inference (Google Gemini, Anthropic Claude, and other models) and text embeddings
  • Resend — transactional email (lead notifications, auth links)
  • Semaphore — SMS delivery for urgent lead alerts (Philippine senders)
  • Cloudflare — bot / captcha protection on sign-up (Turnstile)
  • Google — optional sign-in via OAuth

5. Retention

  • Leads, conversations, and messages are retained while the business's Aya account is active.
  • On account deletion, personal information is removed within 30 days, except where retention is required by law (e.g., tax or anti-fraud records).
  • Hashed IP logs used for rate limiting are kept for 30 days.
  • Backups are purged on a rolling 90-day window.

6. Your rights (Data Privacy Act §16)

As a data subject in the Philippines you have the right to:

  • Be informed about how your data is processed
  • Object to processing (including withdrawing consent)
  • Access a copy of your personal information
  • Rectify inaccurate information
  • Erase or block your data (right to be forgotten)
  • Obtain your data in a structured, commonly used format (data portability)
  • File a complaint with the National Privacy Commission (privacy.gov.ph)

To exercise any of these rights, email privacy@biiieem.website. We will respond within 15 business days.

7. Security

Data is encrypted in transit (TLS 1.2+) and at rest at the infrastructure level. Access is limited to authorized personnel and is governed by Supabase row-level security so one business cannot read another's data. We follow the principle of least privilege, rotate credentials regularly, and conduct periodic security reviews.

8. Children

Aya is not directed at children under 18. We do not knowingly collect information from minors. If you believe a child has submitted information, contact us and we will delete it.

9. International transfers

Our processors operate data centers in Singapore, the United States, and the European Union. By using Aya you acknowledge that your data may be processed outside the Philippines, under the contractual and technical safeguards imposed on each processor.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced in-app and by email to account owners at least 7 days before taking effect. Continued use after the effective date constitutes acceptance.

11. Contact

Questions, complaints, or DPA requests: privacy@biiieem.website.
