Privacy Policy

Privacy Commitment

Airuda Labs, LLC ("we", "our", "AIRUDA") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our multi-modal AI messenger platform.

Key Principles: We collect only data necessary for Service operation. We never sell your personal data. You control your data with rights to access, export, and deletion.

1. Data We Collect

Account Information

• Email address (for account creation, verification, communications)
• Username (public identifier in chats and marketplace)
• Password (hashed with bcrypt rounds 12, never stored in plain text)
• Language preference (for UI localization and AI responses)
• Profile information (avatar, bio - optional)

Usage Data

• Messages sent and received (stored for conversation history and RAG context)
• AI prompts used and conversations (for service delivery and cost calculation)
• Photos, videos, audio recordings, documents, and other files you upload or generate in chats, including content processed by AI features
• Contact-sync data (such as phone numbers from device contacts) if you grant access, used to find friends already on AIRUDA and support invites
• Marketplace interactions (prompts viewed, bookmarked, purchased, reviewed)
• Credit transactions (purchases, usage, balances for billing accuracy)
• Workflow configurations (parameters you provide for automation execution)

Technical Data

• IP address and approximate location derived from IP (for security, login history, rate limiting, and geolocation routing)
• Device information, push tokens, and other device identifiers (for notifications, security, and platform optimization)
• Browser type and version (for compatibility and debugging)
• Usage analytics (page views, feature usage, performance metrics)
• Crash logs, diagnostics, performance data, and error logs with correlationIds (for debugging, monitoring, and incident response)

Payment Information

On mobile, Apple App Store and Google Play process native credit-pack purchases. On web, Stripe processes direct top-ups, saved cards, Auto-Recharge, creator payouts, and KYC. We store store-order and transaction metadata, Stripe customer/payment-method references, and transaction history, but never full credit card numbers.

2. How We Use Your Data

• Service Delivery: Operate messenger, AI chats, marketplace, workflow automation
• AI Context: RAG sliding window uses message history for perfect recall (recent 10 + semantic 10 pairs)
• Billing: Calculate credit usage, process purchases, track creator revenue
• Security: Detect fraud, prevent abuse, enforce rate limiting
• Communications: Send verification emails, notifications, service updates (in your language)
• Improvement: Analyze usage patterns to improve features, optimize performance, fix bugs
• Legal Compliance: Respond to legal requests, enforce Terms of Service

3. Data Sharing and Third Parties

AI Providers (Service Delivery)

Your AI conversations, messages, and any photos, videos, audio files, documents, or other files you choose to attach for AI processing may be sent to third-party providers solely for generation, analysis, and related AI features: OpenAI (GPT-5.4, GPT-5.4 mini, GPT-image-2, embeddings), Anthropic (Claude Sonnet 4.6, Claude Opus 4.6), Google (Gemini 3.1 Pro, Imagen 4, Veo 3.1), Stability AI (Stable Diffusion 3.5), BFL AI (FLUX.2 Pro), Recraft (Recraft V4), and Runway (Gen-4.5). Each provider's privacy policy applies to their processing.

Payment Processing (Stripe)

Credit purchases and creator payouts processed by Stripe. Stripe receives: payment information, billing address, transaction amounts. Stripe Connect used for creator KYC and revenue distribution. Stripe's privacy policy applies.

We Never Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Data shared with AI providers and Stripe is solely for service delivery, not monetization of your information.

Legal Requirements

We may disclose data if required by law, court order, or to: (1) Comply with legal process, (2) Protect our rights and safety, (3) Investigate fraud or abuse, (4) Respond to government requests.

4. Your Privacy Rights (GDPR/CCPA)

• Access: Request copy of your personal data we hold
• Export: Download your data in machine-readable format (JSON)
• Correction: Update inaccurate or incomplete information
• Deletion: Request account and data deletion (some data retained per legal requirements)
• Portability: Transfer your data to another service
• Object: Object to certain data processing (analytics, marketing)
• Withdraw Consent: Revoke consent for optional data processing

To exercise these rights, contact privacy@airuda.com with your request, or use the in-app path Settings > Account > Close my account for account deletion. We respond within 30 days.

5. Data Retention

Active Accounts: We retain your data while your account is active and for reasonable period after (backup, recovery, legal compliance).

Messages and uploads: Chat history is retained so you can access your conversations, and uploaded files/media remain available until you delete them. You can delete individual messages, whole chats, and uploaded content at any time.

Inactive Accounts: Accounts inactive for 2+ years with no credits or data may be deleted after email notification with 60-day grace period. After an account-deletion request, personal data such as profile information, chats, messages, files, sessions, and device tokens is removed within 30 days, and backup copies are purged within 90 days.

Backups: Data in automated backups retained up to 35 days (Aurora point-in-time recovery), then automatically purged.

Legal Holds: Data subject to legal holds, investigations, or disputes retained until resolution.

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: HTTPS/TLS for all data in transit, encryption at rest for database (Aurora) and cache (Redis)
• Authentication: JWT with short-lived access tokens (15min), refresh tokens in httpOnly cookies (XSS protection)
• Passwords: Bcrypt hashing rounds 12, never stored in plain text, never logged
• Access Controls: Role-based permissions, principle of least privilege, database row-level security
• Monitoring: CloudWatch alerts for suspicious activity, Sentry error tracking with correlationId tracing
• Rate Limiting: Prevents brute force attacks, DDoS protection, abuse detection

Despite our efforts, no system is 100% secure. Notify us immediately of any suspected security breach at security@airuda.com.

7. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected data from a child under 13, we will delete it immediately.

Users aged 13-17 may use the Service with parental consent. Parents can request access to or deletion of their child's data by contacting privacy@airuda.com.

8. International Data Transfers

AIRUDA operates globally with infrastructure in: United States (primary), Korea, Europe, Japan. Your data may be transferred to and processed in these regions.

EU-US Transfers: For European users, we rely on Standard Contractual Clauses approved by EU Commission for lawful data transfer to United States.

Regional Data Residency: We use multi-region infrastructure (Aurora Global Database, ElastiCache Global Datastore) to keep data close to users for performance while maintaining global accessibility.

9. Changes to This Policy

We may update this Privacy Policy occasionally. We will notify you of material changes via: (1) Email to your registered address, (2) In-app notification, (3) Notice on this page.

Continued use of Service after changes constitutes acceptance of updated Privacy Policy. We encourage reviewing this page periodically.

10. Contact for Privacy Matters

For privacy-related questions, data requests, or concerns, contact: