Privacy Policy

1. Introduction

Aiva AI, Inc., a Delaware corporation (“Aiva”, “we”, “us”, or “our”), operates the website getaiva.xyz and the Aiva Clone Studio at studio.getaiva.xyz (collectively, the “Platform”) and is the controller of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and professional details you provide during onboarding. If you sign in via a third-party service (e.g. Google), we receive basic profile information from that provider.

2.2 Contributor Content

If you participate as a contributor (clone creator), you may provide materials such as documents, URLs, text, voice recordings, and interview responses. These are used solely to build and maintain your AI clone and are stored securely.

2.3 Connected Accounts

You may choose to connect third-party accounts (LinkedIn, X/Twitter) via OAuth. We store encrypted access tokens to fetch your publicly available content (posts, articles, tweets). We never access private messages, connections, or data beyond the scopes you explicitly authorise.

2.4 Voice Data

During interviews, we record your voice to create a voice clone and to transcribe your responses. Voice recordings are used exclusively for your clone and are not shared with third parties except our voice synthesis provider (ElevenLabs) for the purpose of creating your digital voice.

2.5 Usage Data

We automatically collect standard usage data such as IP address, browser type, pages visited, and timestamps. This is used to improve the Platform and is not linked to your contributor content.

3. How We Use Your Information

• To create, maintain, and improve your AI clone
• To provide voice cloning and text-to-speech capabilities
• To sync content from your connected accounts
• To operate, maintain, and improve the Platform
• To communicate with you about your account and updates, including transactional emails such as verification, billing receipts, and product-state notifications (e.g. a clone going live, an export completing). Marketing emails are opt-in and unsubscribable; transactional emails are required for service operation.
• To comply with legal obligations

AI processing. To generate clone responses, Aiva sends your prompts and the relevant clone context to large language model (LLM) providers (currently Anthropic). Your data is therefore processed by, and in that sense shared with, those providers, and that processing is governed by their respective privacy policies (see Sections 4 and 5). Aiva does not train foundation models on Contributor Content or User conversations, and Anthropic’s commercial API terms contractually exclude inputs from their model training. Clone outputs may contain factual inaccuracies or hallucinations. See Terms §6 for the full AI-output disclosures.

4. Data Storage and Security

Your data is stored using industry-standard cloud infrastructure. OAuth tokens are encrypted at rest using AES-256-GCM encryption. We use Supabase for authentication and Turso for database storage, both of which maintain SOC 2 compliance.

Inference is handled by Anthropic under commercial API terms that contractually exclude customer inputs from model training. Aiva does not train foundation models on Contributor Content or user conversations, and does not share content across accounts or clones. When a clone generates a response, the prompt and the context needed for that response are transmitted to our LLM provider for the inference itself; that processing is governed by the provider’s own privacy policy, as described in Section 5.

While we implement reasonable security measures, no method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

5. Third-Party Services

We use the following third-party services to operate the Platform:

• Anthropic (Claude): AI model for knowledge extraction and clone intelligence
• ElevenLabs: Voice cloning and text-to-speech synthesis
• Deepgram: Real-time speech-to-text transcription
• Supabase: Authentication and user management
• Vercel: Hosting and deployment
• Turso: Database storage

Each provider processes data in accordance with their own privacy policies. We only share the minimum data necessary for each service to function. This list may not be exhaustive: as we continue to enhance the Platform we may add or change providers, and we will update this policy accordingly.

5a. Slack Integration (early beta)

If a creator installs the Aiva app in a Slack workspace, the integration receives limited Slack data only when someone in the workspace explicitly invokes the bot via /aiva or by @-mentioning Aiva. The Aiva bot does not read other messages in the workspace.

5a.1 What gets sent to Aiva on each invocation

• The text of the message that invoked the bot (the question)
• The invoking user’s Slack user ID (for routing the reply, not stored)
• The workspace ID and channel ID (for routing the reply, not stored)

5a.2 What Aiva stores about Slack

• The workspace ID + name and an encrypted bot access token (so we can post replies)
• Which of the installer’s clones are enabled for that workspace
• Aggregate counts of invocations for rate limiting and analytics

We do not persist the body of Slack messages beyond the round-trip needed to mint a reply. The clone’s reply is posted into the channel or thread (or as an ephemeral message visible only to the requester), by design, but the requesting message is not stored in our database after the call completes.

5a.3 The four canonical privacy claims still apply

• Inputs sent to Aiva via Slack are not used to train foundation models
• Content is not shared across clones or accounts
• Content does not leave the workspace except by explicit invocation
• We don’t attach identity to the inference call (no user email, no profile data)

5a.4 Revoking access

Both the workspace admin (via Slack’s Manage Apps page) and the installing creator (via Studio’s Deploy page) can revoke the integration at any time. Revocation marks the installation as inactive immediately, and no further Slack messages will reach Aiva.

Slack is currently in early beta: Aiva-hosted mode only, Aiva pays for inference. Bring-your-own-Anthropic-key and enterprise workspace billing arrive in v2.

6. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and associated data
• Disconnect linked third-party accounts at any time
• Export your personal data, free, on request. Interview recordings, uploaded materials, your profile, and full transcripts can be requested any time by emailing hello@getaiva.xyz from the address on your account. We will send a JSON, Markdown, or ZIP-with-audio bundle free of charge within 30 days, in line with GDPR Articles 15 (right of access) and 20 (right to data portability).
• Withdraw consent for data processing where applicable

To exercise any of these rights, contact us at the email address below.

Note that the compiled artifacts for a clone (the system prompt, knowledge document, voice-clone metadata, and benchmark results) are works Aiva builds for you using our compute and pipeline. They are not personal data per se, and downloading them is offered as a one-time paid export ($499.99 per clone, capped at three downloads). The free personal-data request above is never gated, conditioned, or delayed by the paid path. See the Cloning Agreement § 7 and Terms § 13 (Export Pricing) for the policy on promotional windows. From time to time we may make export free during a defined launch or promotional window. Promotional access is captured against the wording you accepted at the time and does not create a perpetual entitlement; the standard fee resumes when the window closes.

6a. Waitlist & Form Submissions

When you submit interest via a form on the Platform (e.g. consumer waitlist, project-mode notification list), we store the email address you provide together with the surface you submitted from (clone slug, referrer, optional free-text), so we can email you when the relevant feature opens. Submissions are stored in our own Postgres only; no third-party marketing platform receives them. You can request deletion at any time via the contact address below.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will remove your personal data, contributor content, voice recordings, and clone data within 30 days. Some data may be retained longer where required by law.

MCP conversation memory. When you use your own clone via the Model Context Protocol (MCP) inside tools like Claude Code or Cursor, it remembers your conversations in two ways. First, calls from the same tool session thread together so it follows the immediate back-and-forth; that session content auto-expires after 24 hours of inactivity. Second, it builds a longer-term memory of what you have told it and recalls relevant context across sessions and days. This longer-term memory is private to you and that clone: it is scoped to your creator account, is never surfaced on the clone’s public page or to other people, and is retained until you clear it or delete the clone or account. You can wipe both layers at any time from Studio → Settings → Memory, and deleting your clone or account also wipes them. This applies to the Aiva-hosted and BYOK MCP modes; the native mode bypasses our inference layer and is not retained on Aiva at all. Conversations on a clone’s public share page do not build cross-session memory in this way.

8. Cookies & Analytics

Essential cookies. We use first-party cookies to keep you signed in, manage your session, and protect against cross-site request forgery. These are required for the Platform to function and load on every page regardless of consent.

Analytics cookies. We use Google Analytics (GA4) to understand aggregate site usage: which pages get traffic, where visitors arrive from, where they drop off. GA sets its own first-party cookies (typically _ga + _ga_*) and processes IP-anonymised page-view data via Google’s infrastructure under the EU Standard Contractual Clauses. We do not use Google Analytics for advertising, remarketing, or cross-site tracking.

Consent. Analytics cookies are loaded only after you accept them on the banner shown when you first visit the Platform. If you reject them, Google Analytics is never loaded for your session. You can change your choice at any time using the button below; your decision is stored in your browser’s local storage.

Third-party services we integrate with (Stripe for payments, Anthropic for inference, etc.) may set their own cookies on their own surfaces when you interact with them. Those cookies are governed by the third party’s privacy policy, not ours.

9. Children’s Privacy

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date above and, where appropriate, by email.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

hello@getaiva.xyz