← hYYa ai

Privacy Policy

Last updated: May 2026 · hYYa ai by Hassaan (hYYa Apps)

Overview

Privacy is built into hYYa ai at the architecture level — not as an afterthought. Vault mode never sends any data anywhere. Oracle mode transmits only what is necessary to produce your AI response, nothing more.

1. Vault Mode — What We Collect

Nothing. All AI inference, conversation history, memory, and documents are processed and stored entirely on your device. No data is transmitted to hYYa servers or any third party. Deleting the app removes everything.

2. Oracle Mode — What We Collect

When you use Oracle mode, we collect:
  • Email address — stored in Supabase to manage your account and send sign-in links.
  • Conversation messages — forwarded to Groq and/or Together.ai to generate your AI response. These providers do not use your messages to train models.
  • Anonymous usage metrics — request counts and error rates, collected via PostHog in anonymised form. No personal data or conversation content is included in analytics.
We do not collect your photo library, contacts, location, or any data you have not explicitly shared in a conversation.

3. Payments

All billing is handled by Paddle as Merchant of Record. hYYa ai never sees or stores your card number, bank details, or payment credentials. Paddle collects and processes payment data under their own privacy policy. You will receive receipts directly from Paddle.

4. Third-Party Services

  • Supabase — stores your email address and authentication tokens for account management.
  • Groq & Together.ai — receive your Oracle conversation messages to generate AI responses. They are prohibited from using your data for model training.
  • Paddle — processes subscription payments. No card data touches hYYa servers.
  • PostHog — anonymised product analytics (feature usage, error rates). No personal data or message content is sent.

5. Data We Never Sell

Your data is never sold, rented, or shared with third parties for marketing or advertising purposes. Ever.

6. Security

All data in transit uses TLS 1.3. Authentication is magic-link only — no passwords are stored. Supabase enforces row-level security so each user can only access their own data.

7. Your Rights

You can delete your account and all associated data at any time from the Settings screen, or by emailing H@hyya.com. We will action deletion requests within 30 days.

8. Children

hYYa ai is not directed at children under 13. We do not knowingly collect data from children under 13.

9. Changes to This Policy

This policy may be updated as the service evolves. Material changes will be notified via email or in-app notice. Continued use after changes constitutes acceptance.

10. Contact

Privacy questions or data requests: H@hyya.com.
Terms of ServiceRefund PolicyHome