Privacy Policy

HeyAva (“HeyAva,” “we,” “us,” “our”) is a voice-first AI assistant platform operated by Super Intellisense Technologies, a company registered in India with its principal office in Mohali, Punjab, India. Contact us at hello@superintech.com.

This policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and the choices you have. It applies to the HeyAva web application at heyava.superintech.com and any associated APIs.

2.1 Information you provide

• Account details: name, email address, password hash, profile photo (if you sign in with Google).
• Onboarding responses: persona, business type, team size, tone preference, and any free-text answers you provide to help Ava personalise responses.
• Memories: facts you explicitly save to Ava's memory (manual or via onboarding).
• Billing details: plan, billing cycle, subscription/payment identifiers, GST number if you provide one. We do not store card numbers; those live with Razorpay.

2.2 Information generated when you use HeyAva

• Voice & text conversations: transcripts of what you say to Ava and her replies, model used, tokens consumed, tools invoked.
• Audio: short audio clips of your voice are sent to OpenAI for transcription (Whisper) and returned as text. Raw audio is not retained after transcription.
• Usage logs: per-call records of model, tokens, cost, timestamps for billing and support.
• Device & network data: IP address, browser user-agent, approximate device type, for security and abuse prevention.

2.3 Information from third parties you connect

When you connect an integration (Gmail, Google Calendar, WhatsApp, GoHighLevel, HubSpot, Slack, Notion, ClickUp, Monday, Stripe, Razorpay, custom webhooks), we access only what is needed to perform the action you requested. Specifically:

• Google (Gmail / Calendar): with your explicit OAuth consent, HeyAva may read a limited number of emails you ask Ava to search, compose drafts you review before sending, list your upcoming calendar events, and create/update calendar events at your request. Access is revocable at any time from your Google Account permissions or from the Integrations page in HeyAva.
• Other integrations: HeyAva uses access tokens or API keys you provide only to execute actions you explicitly ask for.

HeyAva's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• We only use Google user data to provide the features you explicitly invoke through Ava (search email, create calendar event, etc.).
• We do not use Google user data to train, fine-tune, or improve any generalised AI model.
• We do not sell Google user data to anyone.
• We do not transfer Google user data to third parties except to the specific providers that perform the task you requested (e.g. sending your transcript to Anthropic to generate a reply), or when required by law.
• We do not allow humans to read your Google user data unless we have your explicit permission, it is necessary for security investigations, or it is required by law.

• Provide the service: respond to your voice/text requests, maintain context, invoke the integrations you connect.
• Billing: charge your plan, grant monthly credits, track usage, generate invoices.
• Support: diagnose issues you report to us.
• Security & abuse prevention: detect unauthorised access, rate-limit abusive patterns, protect the platform.
• Service improvement: aggregate and anonymised analytics to understand feature usage. We never train general-purpose AI models on your private content.
• Communication: send transactional emails (verification, password reset, billing notices). We send marketing emails only if you opted in and you can unsubscribe at any time.

HeyAva processes your data with the following sub-processors. Each receives only the data necessary to perform their service.

• Anthropic — AI model inference (Claude). Receives your conversation prompts and returns replies.
• OpenAI — speech-to-text (Whisper). Receives short audio clips when you speak to Ava.
• ElevenLabs — text-to-speech. Receives Ava's text reply and returns audio.
• Razorpay — payment processing. Receives billing details to process subscriptions and credit purchases.
• Resend — transactional email delivery. Receives your email address and email contents (verification codes, password resets, receipts).
• Hostinger — our hosting provider.
• Google, and other integrations you connect — only when you explicitly ask Ava to perform an action on that platform.

We do not sell your personal data. We share information with law enforcement only when we are legally required to do so.

• Account data: kept while your account is active. Deleted within 30 days of account closure.
• Conversations & memories: retention window is set by your plan (7 days on Starter, up to 365 days on Enterprise). Older entries are automatically deleted.
• Audio: not persisted after transcription.
• Billing records: retained for the period required by Indian tax law (typically 8 years).
• OAuth tokens: encrypted at rest; deleted when you disconnect the integration or close your account.

• All traffic runs over HTTPS (TLS 1.2+).
• Passwords are hashed with bcrypt; we never store plaintext passwords.
• OAuth tokens and API keys are encrypted at rest using AES-256-GCM.
• Access to production systems is limited to authorised engineering personnel using key-based SSH.
• We maintain an incident response process and will notify you of any confirmed breach affecting your data within 72 hours of discovery.

Depending on where you live, you have the right to:

• Access a copy of the personal data we hold about you.
• Correct data that is inaccurate.
• Delete your account and associated data (see Data deletion).
• Export your conversations and memories in a machine-readable format.
• Restrict or object to certain processing.
• Withdraw consent for optional processing at any time.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email hello@superintech.com. We will respond within 30 days.

You can delete your HeyAva account and all associated data in two ways:

1. Self-service: go to Settings → Delete account. This removes your profile, conversations, memories, OAuth tokens, and any associated credit balance within 30 days. Billing records may be retained as required by tax law.
2. Email request: email hello@superintech.com from the address on file and we will process the deletion within 30 days.

If you only want to revoke a specific integration, go to Integrations in HeyAva and click Disconnect. For Google, you can also revoke access at myaccount.google.com/permissions.

HeyAva is operated from India. Some of our sub-processors (Anthropic, OpenAI, ElevenLabs, Resend) operate primarily in the United States. When your data is transferred internationally, we rely on standard contractual clauses or equivalent safeguards.

HeyAva is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has used HeyAva, please contact us and we will delete the account.

We may update this policy as our service evolves. If we make material changes we will notify you by email or via the dashboard at least 15 days before the change takes effect. The current version and its effective date are always at the top of this page.

Questions, complaints, or requests? Email us at hello@superintech.com or write to: