Privacy Policy
Last updated: March 25, 2026
1. Introduction
Ara ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our messaging service ("the Service").
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (via Apple or Google sign-in)
- Display name and profile photo (user-provided)
- Date of birth (optional)
2.2 Messages
Messages are encrypted using strong symmetric encryption both in transit and at rest in our database. To provide AI-powered features such as automatic translation, summarization, and suggested replies, our servers may process message content when these features are enabled by you.
2.3 Device Information
- Push notification tokens and platform type (iOS/Android)
- Activity logs for your account (visible only to you), including records of actions such as message sends, settings changes, auto-reply triggers, and AI feature usage
2.5 Voice Input & Transcription
When you use voice input features:
- Your voice audio is sent to OpenAI's Whisper API for transcription
- Voice data is not stored after transcription is complete
- Transcription results are processed according to your request (e.g., sent as a message)
- You can revoke microphone access at any time in your device settings
2.4 Subscription & Payment
Subscription purchases are processed entirely by Apple (App Store). We receive only transaction identifiers and subscription status to verify your plan. We do not collect or store credit card numbers or billing addresses.
2.6 AI Personalization
- Personal Prompt: Your custom AI instruction text, stored on our servers and editable or deletable at any time
- AI Memory: Brief notes HomeAI remembers from your conversations (e.g., your preferences, birthday) to personalize responses
- Speech patterns: Per-contact writing style data used by auto-reply, automatically deleted after 7 days of inactivity
2.7 Security & Account
- Two-factor authentication credentials (TOTP secret encrypted at rest; backup codes hashed)
- Subscription transaction identifiers (for plan verification only)
- Monthly usage counters (message and transcription counts)
2.8 User Preferences
- Muted rooms and blocked users lists
3. Information Accessed on Your Device Only
With your explicit permission, Ara may access the following data directly on your device. This data is processed locally on your device and is never transmitted to or stored on our servers.
- Calendar: To view your schedule and help manage events
- Contacts: To help you find and communicate with people you know
- Reminders: To view and create reminders on your behalf
These permissions are requested only when needed and require your explicit approval through your device's system dialog. You can revoke access at any time in your device settings.
4. Email Integration (Optional)
With your explicit consent, Ara may connect to your email account to provide AI-powered email features:
- Gmail: Connected via OAuth 2.0. Access is granted only after you explicitly authorize it through Google's consent flow.
- iCloud Mail: Connected via IMAP using app-specific passwords you provide. Each app-specific password is unique to Ara and can be revoked independently without affecting your iCloud account.
How we handle your email data:
- Email credentials are encrypted at rest using AES-256-GCM on our servers
- Email content is fetched and processed temporarily to fulfill your request (e.g., search, summarize), then discarded
- We do not permanently store email content on our servers
- You can disconnect your email account at any time, which immediately revokes access and deletes stored credentials
5. Google API Limited Use Disclosure
Ara's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
6. AI Processing
Ara uses multiple AI models to provide features such as chat assistance, translation, summarization, and suggested replies:
- Google Gemini 2.5 Flash-Lite (via OpenRouter): Primary AI tasks including HomeAI chat, translations, summarization, and suggested replies
- OpenAI GPT-4o-mini: Image and vision analysis
- OpenAI Whisper: Voice-to-text transcription
When you use these features:
- Your input is sent to the relevant AI service provider for processing
- AI inference data is not retained or used for model training (store: false)
- AI responses are generated in real-time and not stored beyond your conversation
- Data is processed according to each provider's privacy policy
Important: Do not input sensitive personal information into AI conversations, including but not limited to passwords, credit card numbers, social security numbers, government-issued ID numbers, or financial account details. We are not responsible for any consequences arising from the voluntary disclosure of such information through the Service.
AI-generated responses are provided for reference purposes only and may not always be accurate. You should verify important information independently before acting on it.
7. Encryption & Security
We implement strong security measures to protect your data:
- Messages are encrypted using TweetNaCl SecretBox (XSalsa20-Poly1305) symmetric encryption with a per-room key, both in transit (TLS) and at rest. Some server-side AI features temporarily process decrypted content when enabled by you (see Section 2.2)
- Email credentials are encrypted using AES-256-GCM
- Authentication is handled through trusted providers (Apple, Google)
- Database access is protected by row-level security policies
- Two-factor authentication (TOTP) is available; TOTP secrets are encrypted at rest and backup codes are securely hashed
- API rate limiting is applied per-user to protect against abuse
8. How We Use Your Information
We use your information to:
- Provide and maintain the messaging service
- Send push notifications for new messages
- Process AI-powered features (translation, summarization, suggested replies)
- Provide email integration features as described in Section 4
- Improve the Service and resolve technical issues
9. Data Sharing & Service Providers
We do not sell, trade, or share your personal information for advertising or marketing purposes. We share data with the following service providers solely to operate the Service:
- Supabase: Database hosting, authentication, and real-time messaging
- Cloudflare R2: Secure media storage for images and files
- OpenRouter: AI model routing for primary AI tasks (no data retention)
- OpenAI: Vision analysis (GPT-4o-mini) and speech-to-text (Whisper) (no data retention)
- Apple: OAuth sign-in and in-app purchase processing
- Google: OAuth sign-in
- Expo: Push notification delivery
All service providers are contractually obligated to process data only as necessary to deliver their services.
We may also disclose your information if required to do so by law, or in response to valid legal requests by public authorities (e.g., a court order or government agency).
10. Data Retention
- Account information: Retained until you delete your account. Upon deletion, all associated data is permanently removed
- Messages: Retained until deleted by a conversation participant or upon account deletion
- Activity logs: Retained until you delete your account
- Email credentials: Retained until you disconnect the email integration or delete your account
- AI inference data: Not retained by external AI providers after processing
- Personal Prompt: Stored on our servers; you can edit or delete it at any time
- AI Memory: Brief notes HomeAI remembers from your conversations (e.g., your preferences, birthday) are stored on our servers to personalize responses, and permanently deleted upon account deletion
- Device-only data (never sent to our servers): Calendar events, contacts, reminders, and AI reply correction history are processed and stored exclusively on your device
- Voice audio: Not retained after transcription is complete
- Deleted data: Permanently purged from backups within 30 days
11. Account Deletion & Data Portability
You can delete your account at any time through the app. Upon deletion, we will remove your profile, account information, activity logs, stored credentials, push notification tokens, and messages from our systems. Messages you sent in conversations with other users will also be removed from their view. Authentication provider records may take a short time to fully propagate deletion.
To request a copy of your personal data in a structured, machine-readable format (GDPR Article 20), contact us at support@ara-app.com.
12. Children's Privacy
Ara is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.
13. What We Do Not Collect
- Location data (GPS coordinates are never collected or stored)
- Device advertising identifiers (IDFA, AAID)
- Behavioral profiling or usage analytics beyond activity logs
14. International Data
Your information may be processed and stored on servers located outside your country of residence. By using the Service, you consent to the transfer of your information to these locations.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
16. Contact Us
If you have questions about this Privacy Policy, please contact us at support@ara-app.com.