Privacy Policy

1. Introduction and Scope

Dyva, Inc. ("Dyva," "we," "us") is a Delaware corporation. We run dyva.ai — a social AI platform where people create, share, and chat with AI characters.

This Privacy Policy explains what data we collect, why we collect it, who we share it with, and what rights you have over it. It covers everything: the website, apps, API, integrations, embed widgets, and any other Dyva service.

Under GDPR, Dyva is the data controller. Under CCPA, Dyva is the business that determines how your personal information is processed.

We're going to be straight with you in this document. If you don't agree with how we handle data, don't use the service.

2. What We Collect

2.1 Information You Give Us

• Account data. Email, display name, password. Optionally: avatar, date of birth, gender, bio.
• Conversation data. Every message you send to an AI character — stored for conversation history, memory features, and continuity across sessions.
• Voice data. If you use voice features, we process your audio for speech-to-text transcription and generate spoken responses via text-to-speech. If you upload voice samples for custom cloning, those are stored too (see Section 5).
• Payment data. Billing details go through Stripe. We never see or store your full card number. We get transaction confirmations, subscription status, and the last four digits.
• Content you create. Character configurations, system prompts, knowledge base uploads, scenes, comics, published Marketplace characters, feed posts, profile content — all of it.
• Communications. Support emails, feedback, bug reports — we keep those to help you and improve the service.

2.2 Information We Collect Automatically

• Usage analytics. Pages viewed, features used, session duration, conversation frequency, interaction patterns. This helps us understand what works and what doesn't.
• Device and browser info. Browser type, OS, device type, screen resolution, language preferences.
• Log data. IP addresses (hashed with SHA-256 before storage — we don't keep raw IPs in analytics), access timestamps, referring URLs, request metadata.
• Cookies. Session tokens, theme preferences, and analytics cookies. No cross-site tracking. No ad pixels. Details in Section 10 and our Cookie Policy.

2.3 Information from Third Parties

• OAuth providers. If you sign in with Google or Discord, we receive your name, email, and avatar — whatever you authorize during the OAuth flow.
• Stripe. Transaction confirmations, subscription status, last four digits, billing postal code.

3. How We Use Your Data

Here's what we do with your data and why. For users in the EEA, UK, and Switzerland, we've listed the GDPR legal basis for each purpose.

Where we rely on legitimate interest, we've confirmed our interests don't override your fundamental rights. You can request a copy of that assessment anytime.

4. AI and Your Conversations

This is the part most people care about. Here's exactly how AI processes your data.

4.1 What Gets Sent to AI

When you send a message, the AI processing pipeline receives:

• Your current message and relevant conversation history (context window)
• Your display name and profile attributes needed for personalization
• The character's system prompt, personality config, and knowledge base context
• Relevant memories from past conversations (the character's memory of you)

Your email, password, payment information, and IP address are never sent to AI models. Period.

4.2 Memory System

Characters on Dyva have persistent memory. Facts you share — preferences, interests, biographical details — get stored as vector embeddings so the character can recall them in future conversations. These memories are yours alone — never shared with other users, never visible to other characters (unless you choose to).

You can view, export, and delete your memories anytime in account settings. Deleting a memory removes it from the character's context permanently.

4.3 AI Processing Infrastructure

We use a combination of proprietary and third-party AI infrastructure for generating responses. Some features like intent classification, content safety, and content analysis use additional model services. Your data is processed for the inference you requested — response generation, not model training (unless you opt in; see Section 8).

4.4 No Automated Decisions with Legal Effects

We don't use your data for automated decisions that produce legal or similarly significant effects (GDPR Article 22). AI responses are conversational output — not decisions affecting your legal rights, employment, credit, or anything like that.

5. Voice Data

Voice is one of the more sensitive data categories we handle. Here's the full picture.

5.1 Speech-to-Text (What You Say)

When you speak during a voice conversation, your audio is transcribed to text in real time by our speech recognition provider (Deepgram). The raw audio is discarded immediately after transcription — it is not stored. Only the text transcript is retained as part of your conversation history.

5.2 Text-to-Speech (What the AI Says)

AI text responses are converted to spoken audio by our TTS provider (ElevenLabs). The synthesized audio is streamed to you and not stored after playback. Text inputs are not retained by ElevenLabs after synthesis is complete, per our data processing agreement.

5.3 Custom Voice Cloning

Pro and Creator plans can upload audio samples to create custom character voices. Those samples are processed to build a voice model and retained for the duration of your subscription plus 30 days to allow for model updates. You can delete a voice model and its source samples anytime from your character's voice settings.

5.4 What Voice Providers See

Deepgram receives your raw audio for transcription. ElevenLabs receives AI-generated text for synthesis. Neither provider receives your account information, conversation history, or any other personal data. Both are bound by data processing agreements.

6. Sharing and Disclosure

We do not sell your data. We do not share it with ad networks. We do not trade it.

We share data only in these situations:

• Service providers. The companies that help us run Dyva, bound by data processing agreements:

• Legal requirements. When required by law, regulation, legal process, or enforceable government request — including national security or law enforcement.
• Protection of rights. To investigate illegal activity, fraud, threats to safety, Terms violations, or as evidence in litigation.
• Business transfers. If Dyva is acquired, merged, or sells assets, your data may be part of the transaction. We'll notify you of any ownership change.
• With your consent. When you explicitly ask us to — like publishing a shared conversation link or connecting a character to Discord.
• Aggregated data. We may share anonymized, de-identified data that cannot identify you for research or analytics.

7. Data Retention

We keep data only as long as we need it — or as long as the law requires.

Account deletion. Delete your account and we remove or anonymize your data within 30 days. Exceptions: data required by law (tax records) or needed for active legal claims. Encrypted backups may persist up to 90 additional days before permanent deletion.

8. Your Rights

Your data, your rights. Exercise them by emailing privacy@dyva.ai or using the tools in your account settings. Here's what you can do:

• Access your data. Get a copy of everything we have on you — account info, conversations, memories, usage data. We'll tell you what we're processing, why, and who sees it. (GDPR Art. 15 / CCPA 1798.100)
• Delete your data. Request full or partial deletion. We'll remove it unless law requires us to keep it. (GDPR Art. 17 / CCPA 1798.105)
• Export your data. Get everything in a structured, machine-readable format (JSON). Conversations, memories, character configs, profile data — portable and ready to take elsewhere. Go to Settings or email us. (GDPR Art. 20)
• Correct your data. Fix inaccurate or incomplete information. (GDPR Art. 16 / CCPA 1798.106)
• Opt out of AI training. Go to Settings and toggle off AI Improvement Data. Takes effect immediately for future data. Already-incorporated de-identified data can't be retroactively removed. (See also Section 4.)
• Object to processing. If we're processing based on legitimate interest, you can object. We'll stop unless we have compelling grounds that override your interests. (GDPR Art. 21)
• Restrict processing. In certain situations — you contest accuracy, processing is unlawful, you need data for legal claims — you can ask us to restrict how we use it. (GDPR Art. 18)
• Withdraw consent. Where processing is based on consent, withdraw it anytime. Doesn't affect the lawfulness of prior processing.
• No sale of your data. We don't sell personal information. We don't share it for cross-context behavioral advertising. If this ever changes, we'll provide a "Do Not Sell or Share" option. (CCPA 1798.120)
• Non-discrimination. Exercising your rights won't affect your pricing, service quality, or access. (CCPA 1798.125)

We respond within 30 days (extendable by 60 for complex requests under GDPR). For CCPA requests, we verify your identity by matching information you provide with our records. You can designate an authorized agent with written authorization.

9. Children's Privacy

Dyva is not for children under 13. We do not knowingly collect personal information from anyone under 13, in compliance with COPPA (15 U.S.C. 6501-6506).

EEA users: The minimum age is 16 (or lower where local GDPR implementing law permits) per GDPR Article 8.

If we discover we've collected data from a child below the applicable age threshold, we delete it. Fast.

Parents and guardians: If you believe your child provided data without your consent, contact privacy@dyva.ai immediately. We'll verify and delete it. Users aged 13-17 need parental consent as described in our Terms of Service.

10. International Transfers

Dyva is US-based. Your data is processed and stored on US servers. If you're outside the US, your data crosses borders.

For transfers from the EEA, UK, or Switzerland to countries without adequate data protection (per GDPR Articles 44-49), we use:

• Standard Contractual Clauses (SCCs). The European Commission's SCCs (Decision (EU) 2021/914) with sub-processors, supplemented by transfer impact assessments.
• EU-U.S. Data Privacy Framework. Where applicable, we rely on sub-processors' self-certification under the EU-U.S., UK, and Swiss-U.S. frameworks.
• Supplementary measures. Encryption in transit (TLS 1.2+), encryption at rest, access controls, and pseudonymization where feasible — consistent with the Schrems II requirements.

Want a copy of our SCCs or more details about transfer mechanisms? Email privacy@dyva.ai.

11. Security

We take security seriously. Here's what we do (per GDPR Article 32):

• Encryption in transit. All data between your device and our servers is encrypted with TLS 1.2 or higher.
• Encryption at rest. Sensitive database data is encrypted at rest with industry-standard algorithms.
• Password security. Passwords are hashed with bcrypt and per-user salts. We never store plaintext passwords.
• IP pseudonymization. IP addresses are irreversibly hashed with SHA-256 before storage. Raw IPs are not retained in analytics.
• Access controls. Personal data access is restricted to authorized personnel on a need-to-know basis with multi-factor authentication.
• Infrastructure security. Firewalls, intrusion detection, and regular security audits.
• Incident response. We maintain a breach response plan. If a breach affects your data, we notify you and the relevant supervisory authority within 72 hours per GDPR Article 33 and applicable state laws.

No system is perfectly secure. We can't make absolute guarantees. But we address vulnerabilities fast and take every incident seriously.

12. Changes to This Policy

This policy may change as our practices, technology, or legal requirements evolve.

• Non-material changes. We update the effective date and post the revision. We encourage you to check back periodically.
• Material changes. If we change how we handle your data in significant ways — new data categories, new purposes, new sub-processors — we'll notify you by email or in-app notice at least 30 days before the change takes effect.
• Consent where required. If law requires your consent for a material change, we'll get it first. If you disagree, delete your account before the changes take effect.

Continued use after a revision means you accept it, to the extent permitted by law.

13. Contact and DPO

Questions about your data? We'd rather you reach out than wonder.

Supervisory Authorities

If you're in the EEA, UK, or Switzerland and believe we've violated your GDPR rights, you can file a complaint with your local supervisory authority (GDPR Article 77). EEA authorities are listed at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.

But reach out to us first. We want to fix things directly.