Privacy Policy
Last updated: May 2026
This Privacy Policy explains how [LEGAL ENTITY NAME] ("AYANA", "we", "us", or "our") collects, uses, stores, and protects personal data when you use ayanalab.com and related services (the "Platform"). AYANA is an AI-powered educational mentoring platform. We are committed to handling your information responsibly and in line with applicable data protection laws, including the UK GDPR and EU GDPR where they apply.
Data controller
[LEGAL ENTITY NAME — e.g. Daetis.ai Ltd]
[REGISTERED ADDRESS — street, city, country]
Privacy: privacy@daetis.ai
1. Who is responsible for your data
The data controller for personal data processed through the Platform is [LEGAL ENTITY NAME], registered at [REGISTERED ADDRESS].
If you have questions about this policy or how we handle your data, contact our privacy team at privacy@daetis.ai. For general support, you may also use contact@daetis.ai.
When we use third-party service providers to help operate the Platform, they act as data processors on our instructions. We remain responsible for your personal data and require processors to protect it under contract.
2. Who this policy applies to
This policy applies to registered users who create an account on AYANA, visitors who use limited preview features without signing in, and educators or institutions whose learners use the Platform under an agreement with us.
It does not cover third-party websites or services linked from the Platform. Those services have their own privacy policies.
3. We do not sell your personal data
We do not sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes.
We share data only as described in this policy: with service providers who help us run the Platform, when required by law, or with your consent where applicable.
4. Personal data we collect
We collect only the data needed to provide, secure, and improve the Platform. The categories below describe what we may process depending on how you use AYANA.
- Account identifier: your email address is the primary identifier used to create and manage your account.
- Authentication data: an Auth0 user ID and related authentication metadata managed by our identity provider.
- Chat and mentoring content: messages you send to and receive from the AI mentor, including conversation history stored in our systems.
- Studio and Co-Lab content: materials you create, edit, or collaborate on within AYANA Studio and Co-Lab features.
- Learning profile: progress, preferences, and activity related to your educational use of the Platform.
- Preview session data: for visitors using preview mode without an account, a hashed IP address and limited session metadata to prevent abuse.
- Server and application logs: technical records such as timestamps, request metadata, error reports, and security events.
- Local device storage: theme preferences and draft content stored in your browser via localStorage to improve your experience on return visits.
5. How we use your data and our legal bases
Under the GDPR and similar laws, we must have a lawful basis for each purpose of processing. The table below summarises our main uses of personal data.
- Provide the Platform and your account (create login, deliver mentoring, save Studio/Co-Lab work, sync learning profile) — Legal basis: performance of a contract with you, or steps at your request before entering a contract.
- Operate AI mentoring features (send chat content to our AI processor to generate responses; store conversation history in our database) — Legal basis: performance of a contract.
- Customer support and service communications — Legal basis: performance of a contract; legitimate interests in responding to enquiries efficiently.
- Security, fraud prevention, and abuse detection (monitoring logs, investigating suspicious activity, protecting accounts) — Legal basis: legitimate interests in keeping the Platform secure; legal obligation where applicable.
- Preview mode abuse prevention (hashed IP and session limits for unauthenticated users) — Legal basis: legitimate interests in preventing misuse of free preview access.
- Legal compliance and enforcement of our terms — Legal basis: legal obligation; legitimate interests in protecting our rights and users.
- Improve reliability and fix errors (aggregated or de-identified analytics where possible) — Legal basis: legitimate interests in maintaining a stable service, balanced against your rights.
6. AI processing and OpenAI Enterprise
AYANA uses artificial intelligence to power mentoring conversations. When you use chat features, your messages and relevant context may be transmitted to OpenAI via its Enterprise API to generate responses.
OpenAI acts as a data processor on our behalf under a data processing agreement. OpenAI Enterprise API data is not used to train OpenAI's models.
OpenAI may retain API inputs and outputs for up to 30 days for abuse monitoring and service integrity, unless [ZDR STATUS — confirm with OpenAI account team; default: standard Enterprise API retention up to 30 days for abuse monitoring]. We store your chat history in our own database so you can access past conversations within the Platform.
You should not submit special category data (such as detailed health information beyond what is relevant to a learning scenario) or unnecessary personal data about third parties in chat unless your institution's policies and applicable law permit it.
7. Subprocessors and service providers
We use carefully selected subprocessors to host, authenticate, and operate the Platform. Each is bound by contractual obligations to protect personal data and process it only on our instructions.
- OpenAI (Enterprise API) — AI inference and abuse monitoring for chat features; United States.
- Auth0 (Okta) — user authentication and identity management; location depends on tenant configuration.
- [HOSTING PROVIDER — e.g. self-hosted EU VPS] — application and infrastructure hosting; location as specified in our vendor agreement.
- [DATABASE PROVIDER — e.g. PostgreSQL on same host] — database storage for account, chat, and Platform content data; location as specified in our vendor agreement.
8. International transfers
Your personal data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your jurisdiction.
Where we transfer personal data from the UK, EEA, or other regions requiring safeguards, we rely on appropriate mechanisms such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses (SCCs), or equivalent approved transfer tools, supplemented by transfer impact assessments where required.
You may contact privacy@daetis.ai for more information about transfers relevant to your data or to request a copy of applicable safeguards where we are permitted to share them.
9. How long we keep your data
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required by law.
- Account data, chat history, Studio/Co-Lab content, and learning profile: retained for the life of your account and up to 30 days after you request account deletion or we close your account, to allow recovery requests and complete deletion workflows.
- Preview session data (hashed IP and related metadata): retained for up to 72 hours, then deleted or anonymised.
- Server and security logs: retained for up to 90 days, unless needed longer for an active security investigation or legal hold.
- Backup copies: may persist for up to 90 days in encrypted backups before being overwritten through normal rotation; deleted account data is removed from active systems within the account deletion period above and from backups on the backup retention cycle.
10. Your privacy rights
Depending on where you live, you may have the following rights regarding your personal data. We will respond within the timeframes required by applicable law, typically one month.
To exercise any right, email privacy@daetis.ai from the email address linked to your account or provide sufficient information for us to verify your identity. We may need to confirm your request before acting on it.
- Right of access — request a copy of personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your data in certain circumstances, such as when it is no longer needed or you withdraw consent where consent was the legal basis.
- Right to restrict processing — ask us to limit how we use your data in specific situations.
- Right to data portability — receive certain data in a structured, commonly used, machine-readable format where processing is based on contract or consent and carried out by automated means.
- Right to object — object to processing based on legitimate interests, including profiling related to those interests, where applicable law provides this right.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint — you may complain to your local supervisory authority (data protection authority) if you believe we have violated applicable data protection law. We encourage you to contact us first so we can try to resolve your concern.
11. Children and young users
AYANA is designed for educational use. The Platform is intended for users aged 16 and over. If you are under 16, you may use AYANA only with verifiable parental or guardian consent, or as permitted under an agreement between your school or institution and us that covers learner consent and supervision.
If you are a parent, guardian, or educator and believe a child has provided personal data without appropriate consent, contact privacy@daetis.ai and we will take steps to delete the account and associated data where required.
12. Security measures
We implement technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, or alteration. These measures include encryption in transit (TLS), access controls and role-based permissions for staff, authentication through Auth0, logging and monitoring for security events, regular patching of infrastructure, and contractual security requirements for subprocessors.
No online service can guarantee absolute security. If you believe your account has been compromised, contact contact@daetis.ai promptly and change your password through the authentication provider where applicable.
13. Cookies, localStorage, and similar technologies
We use essential cookies and similar technologies required for authentication, session management, and security. These are necessary for the Platform to function and are not used for third-party advertising.
AYANA may store theme preferences and draft content in your browser's localStorage so your settings and unfinished work persist between visits. This data remains on your device unless you clear site data in your browser. Clearing localStorage may remove drafts stored only locally and not yet synced to your account.
14. Preview mode and anonymous use
Visitors may access limited preview functionality without creating an account. In preview mode we process a hashed IP address and minimal session information to enforce fair-use limits and prevent automated abuse.
Preview data is not linked to a named account. It is retained for up to 72 hours as described in our retention schedule. Preview use is subject to the same security and abuse-prevention practices as registered use, on a proportionate basis.
15. Automated decision-making
AYANA uses AI to generate mentoring responses and educational guidance. These outputs assist your learning but do not, by themselves, produce legal or similarly significant effects about you in the sense of solely automated decision-making under the GDPR.
Institutional grading, assessment, or accreditation decisions, if any, remain the responsibility of your educator or institution and are outside the scope of automated decisions made solely by AYANA.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or Platform features. When we make material changes, we will post the updated policy on ayanalab.com and revise the "Last updated" date at the top.
Where required by law, we will provide additional notice or seek your consent before changes take effect. Continued use of the Platform after the effective date of an update constitutes acknowledgement of the revised policy, except where your consent is legally required for specific processing.
17. Contact us
For privacy-related requests, questions about this policy, or to exercise your data protection rights, contact:
Privacy enquiries: privacy@daetis.ai
General support: contact@daetis.ai
Postal address: [LEGAL ENTITY NAME], [REGISTERED ADDRESS]
This Privacy Policy is governed by the laws of [GOVERNING LAW JURISDICTION], without prejudice to mandatory data protection rights available to you in your country of residence.