Privacy Policy
Last updated: May 17, 2026
1. Introduction
AIAH ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web service at aiah.app (collectively, the "Service").
This policy is compliant with the EU General Data Protection Regulation (GDPR / Règlement Général sur la Protection des Données — RGPD) and applicable French data-protection law (Loi Informatique et Libertés).
2. Data controller
The data controller for your personal data is:
3. Legal basis for processing (GDPR Art. 6)
We process your personal data based on the following legal grounds:
- Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you subscribed to (account creation, AI companion chat, weekly planning).
- Consent (Art. 6(1)(a)): for optional features such as push notifications, mood tracking, and wellness data collection. You may withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): for service security, fraud prevention, and anonymous analytics to improve the product.
- Legal obligation (Art. 6(1)(c)): when required by applicable law (e.g., financial record-keeping for subscription payments).
4. Information we collect
We collect information that you provide directly to us:
- Account information: name, email address, and authentication data when you sign in via Google OAuth or magic link.
- Profile data: preferences, goals, and life-system settings you enter into the app.
- Chat data: messages you send to the AI companion, which are processed to generate responses.
- Mood and wellness data: mood entries, breathing exercise usage, and weekly planning inputs.
- Payment information: subscription status is managed through Stripe. We do not store your credit card details directly.
We do not collect any special category data (Article 9 GDPR) such as health data for medical purposes. Mood and wellness entries are self-reported lifestyle preferences, not medical records.
5. How we use your information
- To provide, maintain, and improve the Service
- To personalize your AI companion experience
- To process subscriptions and payments
- To send you service-related notifications
- To respond to your requests and support inquiries
- To detect and prevent fraud or abuse
6. Data storage and security
Your data is stored securely using Supabase (hosted on AWS infrastructure in the US-East region) with row-level security enabled. We use industry-standard encryption for data in transit (TLS 1.3) and at rest (AES-256). Access to user data is restricted and monitored.
7. International data transfers
Some of our service providers (Supabase, Vercel, OpenAI, Stripe) are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.
8. Third-party services (sub-processors)
We use the following third-party services to provide the Service:
- Supabase (US): database and authentication infrastructure
- Stripe (US): payment processing — PCI-DSS compliant
- Google OAuth (US): sign-in authentication
- Vercel (US): hosting and deployment
- OpenAI (US): AI model provider for companion chat — data is not used for training
- Resend (US): transactional email delivery
Each sub-processor has its own privacy policy and data processing agreement. Chat data sent to OpenAI is processed under their API terms, which prohibit using API inputs for model training.
9. Data sharing
We do not sell, trade, or rent your personal information to third parties. We do not serve advertisements. We may share data only as necessary to provide the Service (e.g., sending chat messages to AI providers for response generation) or as required by law.
10. Data retention
We retain your data for as long as your account is active or as needed to provide the Service. Upon account deletion, all personal data is removed within 30 days. Payment records are retained for the legally required period (10 years in France for accounting purposes). You can request deletion of your account and all associated data at any time through the app or by visiting aiah.app/delete-account.
11. Your rights under GDPR / RGPD
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of access (Art. 15): you may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): you may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): you may request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): you may request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20): you may request to receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Art. 21): you may object to processing based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@aiah.app. We will respond within 30 days as required by law.
If you believe your rights have not been respected, you have the right to lodge a complaint with the French data protection authority: CNIL (Commission Nationale de l'Informatique et des Libertés) — cnil.fr.
12. Cookies and local storage
AIAH uses only strictly necessary cookies and local storage for authentication (session token), language preferences, and UI state. We do not use tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is required under GDPR as we only use technically essential cookies (CNIL exemption).
13. Children's privacy
The Service is not intended for children under 16 years of age (age of digital consent in France). We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or in-app notification and update the "Last updated" date above. Continued use of the Service after changes constitutes acceptance.
15. Contact us
For any questions about this Privacy Policy or to exercise your GDPR rights: privacy@aiah.app
© 2026 AIAH. All rights reserved.