Privacy Policy

• Account data: your email address, optional display name, and preferred language.
• Password: stored only as a one-way cryptographic hash (bcrypt) — never in plain text and never readable by us.
• Content: the conversations and messages you exchange with Deywos, plus any projects and project prompts you create.
• State Input readings (Core State Agent): when you tap "Read state", the four state values you set, the matched cluster, and the time of day are saved.
• Optional pulse & HRV via camera (Core State Agent): if you tap the pulse card and complete a measurement, we save the derived heart rate, heart-rate variability (RMSSD), signal-quality grade, and the raw camera-derived pulse signal (red-channel time series) for that ~60-second window. The camera feed itself is never recorded — only the per-frame brightness used to estimate pulse. Completely optional; skipping it has no effect on the rest of the service.
• Technical & session data: IP address, device/browser identifier (user agent), and timestamps, recorded with each login session for security.
• Transient tokens: short-lived email-verification and password-reset tokens.

We process your data under the following legal bases (Art. 6(1) GDPR):

• To provide the service (Art. 6(1)(b)): creating your account, authenticating you, storing your conversations, and delivering responses.
• Transactional email (Art. 6(1)(b)): sending verification and password-reset messages.
• Security & abuse prevention (Art. 6(1)(f), legitimate interest): recording IP address and user agent with sessions to protect accounts.

We do not use your data for advertising, profiling for marketing, or automated decisions with legal effect, and we do not sell it.

We rely on a small number of processors who handle data on our behalf:

• Hetzner Online GmbH (Germany) — hosts the backend and database.
• Vercel Inc. (USA) — hosts this website.
• Resend — sends transactional emails; processes the recipient address and message content.

Self-hosted AI models (for chat and voice) are not yet active in this alpha. This policy will be updated before they are introduced.

Some providers (e.g. Vercel, Resend, Google) may process data on servers outside the EU/EEA, including in the USA. Where this occurs, transfers are based on appropriate safeguards such as the EU Standard Contractual Clauses.

• Regular chats: kept while your account exists. When you delete a chat from the app, it disappears from your list immediately and, within 30 days, is unlinked from your account. The message content may be retained afterwards in anonymized form (with no link to your account) to improve the service and train AI models.
• Incognito chats: still stored, but unlinked from your account within 24 hours of closing the session. As with regular chats, content may be retained in anonymized form for service improvement and model training.
• Projects & project prompts: kept while your account exists. When you delete a project, its chats remain in your list (unlinked from the project); the project itself is removed.
• State Input readings & optional pulse data: kept while your account exists. Closing your account unlinks them from your identity; they may be retained in anonymized form for service improvement and AI training. Deep Data Wipe Request removes them in full.
• Closing your account ("Delete account"): your account is closed and your conversations/projects are unlinked from your identity. Content may persist in anonymized form for the purposes above.
• Deep Data Wipe Request: a separate action in your settings that permanently deletes your account and every conversation, message, and project you produced — including any content that would otherwise remain in the anonymized training corpus. Irreversible. Use this to exercise GDPR Art. 17 right to erasure.
• Sessions: refresh sessions expire automatically (within ~72 hours of inactivity).
• Verification / reset tokens: expire quickly (verification within 24 hours, reset within 1 hour).

As this is a closed alpha, alpha data may be removed when the alpha period ends.

Under the GDPR you have the right to:

• access the data we hold about you (Art. 15);
• correct inaccurate data (Art. 16);
• have your data erased (Art. 17) — see Deep Data Wipe Request in your settings, or email us;
• restrict or object to processing (Art. 18, 21);
• receive your data in a portable format (Art. 20);
• lodge a complaint with a data-protection supervisory authority.

To exercise any of these, email nevidomskyi.work@gmail.com.

All traffic is encrypted in transit (HTTPS). Passwords are stored only as bcrypt hashes. Access to the database is restricted to the backend on a private network.

Deywos is not directed at children under 16, and we do not knowingly collect their data.

We may update this policy as the service evolves (for example, when AI features, payments, or social sign-in are added). The "last updated" date above reflects the current version.