Privacy Policy

LAST UPDATED · 2026-04-18

This policy explains what data delv ("we") collects when you use our service at delvai.io, how we use it, and your rights. We've tried to write it in plain English. Ask us at support@delvai.io if anything is unclear.

1. Who's responsible

delv is operated from the Philippines. For the purposes of the Philippine Data Privacy Act (RA 10173) and GDPR, the operator of delv is the "data controller" for your account data. For any privacy request or to identify the responsible individual in writing, contact support@delvai.io.

2. What we collect

Account data (from Google OAuth)

  • Your email address and name
  • Your Google profile photo URL
  • A unique user ID we generate to identify your account

Content you create

  • Chat messages (your prompts + AI responses)
  • Files you upload (images, PDFs, documents)
  • Voice call transcripts and audio recordings
  • Generated images, music tracks, and voice snippets (text-to-speech)
  • Conversation titles, metadata, and timestamps

Technical data

  • IP address (for rate limiting and fraud prevention)
  • Browser user agent
  • Cookies (authentication session only — we don't use analytics cookies)
  • Basic error logs (to debug problems)

Payment data (Pro subscribers only)

We do not see or store your credit card number. Payments are processed by Lemon Squeezy (Merchant of Record), which is PCI-DSS compliant. We receive only your subscription status, plan tier, and billing period. See Lemon Squeezy's privacy policy for their handling of payment data.

3. How we use your data

  • Provide the Service: route your messages to AI models, store conversations, serve the app
  • Improve the Service: aggregate usage patterns to inform product decisions (never using your content directly)
  • Communicate with you: service announcements, important billing notices. You can't opt out of transactional email while holding an active account, but we don't send marketing email without separate consent.
  • Comply with law: respond to legitimate legal process, prevent fraud, protect users

4. AI model training — we don't

Your content is never used to train AI models. We route requests through OpenRouter with training opt-out enabled on every provider that supports it. This includes OpenAI, Anthropic, Google, DeepSeek, Moonshot, Alibaba, Meta, and xAI.

5. Who we share data with

We share data with these processors to deliver the Service:

  • Google Cloud Platform (Firebase / Firestore for user data and conversations; Cloud Storage bucket delvai-attachments for file uploads and generated images)
  • Google OAuth — authentication (we receive your email, name, and profile photo URL; we never see your Google password)
  • OpenRouter — routes chat prompts to AI model providers with training opt-out enabled
  • AI model providers via OpenRouter — OpenAI, Anthropic, Google, DeepSeek, Moonshot, Alibaba, Meta, xAI — process your prompts to generate responses
  • Google Vertex AI — image generation (Gemini 2.5 Flash Image); prompts and any source images you upload for image-to-image editing are sent here
  • ElevenLabs — voice call synthesis, speech recognition, conversational AI, text-to-speech (voice snippets), and music composition (generated tracks)
  • Serper — web search (sends your search queries to Google; the results are relayed back through Serper; no personal data beyond the query)
  • Lemon Squeezy — payment processing and Merchant of Record for Pro subscribers (handles billing, tax, and invoicing on our behalf)

We don't sell your data. We don't share it with advertisers or data brokers. We may disclose data if legally compelled (valid court order, subpoena) and will notify you unless prohibited from doing so.

6. Data retention

  • Active accounts: we keep your data while your account is active
  • Deleted conversations: removed from our database immediately; backups purged within 30 days
  • Closed accounts: data deleted within 30 days, except anonymized usage logs we keep for up to 12 months for security / abuse prevention
  • Billing records: retained for 7 years to comply with Philippine tax law

7. Your rights

Depending on your jurisdiction, you have rights to:

  • Access — request a copy of data we hold about you
  • Delete — request deletion of your account and data (you can self-serve this from your account page)
  • Correct — update inaccurate data
  • Export — receive your conversations in a portable format
  • Object — tell us to stop processing your data for specific purposes
  • Withdraw consent — where processing is based on consent

To exercise any of these, email support@delvai.io. We respond within 30 days. You can also lodge a complaint with your local data protection authority — for Philippine residents, the National Privacy Commission; for EU residents, your national DPA.

8. Security

We take security seriously. Specifically:

  • All traffic encrypted via HTTPS (TLS 1.2+)
  • Data at rest encrypted by Google Cloud (AES-256)
  • Authentication via Google OAuth — we never see your Google password
  • Session tokens signed + encrypted (NextAuth v5 JWT)
  • Principle of least privilege for internal access

No system is 100% secure. If we discover a breach affecting your data, we'll notify you without undue delay and report to regulators as required by law.

9. Children

delv is not intended for children under 13. We don't knowingly collect data from children under 13. If you believe a child has provided us data, email us and we'll delete it.

10. International transfers

Your data may be processed in the United States, European Union, Philippines, Singapore, or wherever our cloud providers operate data centers. We rely on standard contractual clauses and provider certifications (SOC 2, ISO 27001) where applicable.

11. Cookies

We use strictly necessary cookies only:

  • Session cookie — keeps you logged in (required)
  • Theme cookie — remembers light/dark mode preference

No analytics, advertising, or tracking cookies.

12. Changes to this policy

If we make material changes, we'll notify you by email or an in-app banner at least 14 days before they take effect. The "last updated" date at the top shows the current version.

13. Contact

Privacy questions or requests: support@delvai.io.