Privacy Policy
Last updated: 24 September 2025
Clariia (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. If you do not agree with this policy, please do not use the Service.
Contact: donna.odonoghue@gmail.com • Address: 86 Lorna Street, New Plymouth, New Zealand
1) Scope
This policy applies to the websites, apps, and services we operate that link to it (the “Service”), including our integrations with Google services (e.g., Google Calendar). It does not cover third-party services that we do not control.
2) Information We Collect
The data we collect about you is what you have provided to us.
2.1 Information you provide to us
- Account details (from Google Sign-In or email sign-up): name, email address, profile photo (if available).
- Support content: information you send us in emails or forms.
2.2 Information we obtain from Google when you connect your account
When you opt in, we request the narrowest Google OAuth scopes needed for the features you use (for example, read-only access to calendar events or permission to create events). We do not request full access unless necessary for a feature you explicitly use.
Google Calendar data. We access only the minimum data required to perform the feature you invoke, specifically to sync critical deadlines and appointments. We do not store full event bodies or calendar contents on our servers. We may store minimal operational metadata such as event or calendar IDs and timestamps needed to deliver the feature reliably.
2.3 Automatically collected information
- Device/usage: IP address, device type, browser type, basic diagnostics, and interaction logs for security and reliability.
- Cookies/SDKs: essential cookies for sign-in/session; optional analytics (see §10).
2.4 AI & Voice Processing
- AI Inputs: Text, images, and documents you submit to the "Assistants" (e.g., Apothecary, Kitchen, Art Scanner) are processed by third-party AI models (Google Gemini/Vertex AI) to generate responses.
- Voice Data: If you use the microphone feature, audio data is processed transiently to convert speech to text. We do not store raw audio files after transcription is complete.
3) How We Use Information
We will use your data to provide you with the services you requested, and we will not sell your data to third parties.
- To provide, maintain, and improve the Service and the features you request (e.g., reading your calendar to show upcoming events; creating events when you ask us to).
- To secure the Service, prevent abuse, and troubleshoot issues.
- To communicate with you (support, service notices, updates).
- To comply with legal obligations.
4) Google User Data — Limited Use & Human Access
We use Google user data only to provide and improve user-facing features that you request or to comply with law. We do not sell Google user data or use it for ads. We do not transfer Google user data except (a) to service providers acting on our behalf under strict confidentiality and security obligations and only to operate the Service or (b) as required by law.
Human access to Google user data does not occur unless you explicitly ask for support that requires it, we obtain your consent, or access is required by law. We log such access where legally permitted.
Tokens: We use OAuth access tokens from Google to perform actions you request. For features requiring background processing, refresh tokens are stored securely in a dedicated, encrypted Firestore collection with restricted access and are rotated regularly.
5) Firestore and Other Firebase Services
- Firestore (Cloud Firestore): We store minimal operational metadata necessary to run the Service (e.g., document IDs, calendar IDs, event IDs, timestamps, feature flags, and user preferences). We do not store Google Doc contents or full Calendar event bodies. Firestore data is encrypted at rest and in transit.
- Firebase Authentication: Used to sign you in. We store your UID, email, and basic profile (if provided) to manage your account.
- Cloud Functions / Cloud Logging: May process and log operational events (non-content) for reliability, debugging, and security.
- Nexa Research Data: Documents (PDF/Text) uploaded to Nexa Knowledge Labs are stored in your secure Firebase Storage "Master Copy" and transiently processed via the Gemini File API. These files are used only to answer your specific queries and are not used to train global AI models.
- Concierge Session Data: To provide accurate navigation, the Concierge may process your current page URL and interaction history to contextualize help responses.
6) Data Retention & Deletion
We will retain your personal information for the length of time needed to fulfill the purposes outlined in this privacy policy. When the data retention period expires, we will delete or destroy it. You may request deletion of your data at any time.
- Operational metadata (IDs/timestamps, job state, error codes): retained up to 90 days for reliability, abuse prevention, and auditing, then deleted or de-identified.
- Access tokens: short-lived and rotated; cached tokens purged within 24 hours after you disconnect or revoke access.
- Logs: security and service logs retained up to 30 days unless a longer retention is required for legal or security reasons.
Disconnect / revoke: You can revoke our access at any time at myaccount.google.com/permissions. When you revoke, we stop accessing your Google data immediately and purge cached tokens as above.
Deletion requests: You may request deletion of your account data by emailing donna.odonoghue@gmail.com. We will complete account-level deletion within 30 days unless retention is required by law or to resolve active disputes.
7) Legal Bases (EEA/UK only)
Where GDPR/UK GDPR applies, we process your personal information:
- To perform our contract with you (provide requested features);
- With your consent (connecting your Google account and granting scopes);
- For our legitimate interests (service security, fraud prevention, improvement), where those interests are not overridden by your rights.
8) Sharing & Transfers
We do not transfer or disclose your information to third parties for purposes other than the ones provided.
We share information only with:
- Service providers (processors) that help us operate the Service (e.g., Google Cloud/Firebase). They must follow our instructions, protect your data, and cannot use it for their own purposes.
- Legal disclosure: when required by law, for safety, or to protect our rights.
- Business transfers (e.g., merger/acquisition) with continued protections or notice and choices where required.
- AI Service Providers: Text and image inputs are sent to Google (Gemini) for the sole purpose of generating the AI responses you request. This usage is subject to Google's data processing terms.
International transfers: Data may be processed in countries other than your own. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses). Hosting region: us-central1.
9) Security
Security procedures and encryption are in place to protect the confidentiality of your data.
- Encryption in transit (HTTPS/TLS) and at rest (Google-managed encryption).
- Least-privilege access controls and role separation.
- Key/token management with rotation and restricted access.
- Monitoring and logging to detect abuse and anomalous activity.
- Vendor due diligence and data processing agreements with subprocessors where applicable.
- Data location: Cloud Functions region is us-central1 (US Central). Storage and Firestore locations are configured in Google Cloud/Firebase for this project.
Incident response: If we learn of a data breach affecting your personal information, we will notify you and relevant authorities as required by law.
10) Cookies, Advertising & Analytics
We use essential cookies/SDKs for authentication and session management within our core authenticated application. For our public, unauthenticated web pages (such as Clariia Utilities), we display advertisements to keep these tools free.
- Third-Party Vendors: Third-party vendors, including Google, use cookies to serve ads based on a user's prior visits to our website or other websites.
- Advertising Cookies: Google's use of advertising cookies enables it and its partners to serve personalized ads to you based on your visit to our sites and/or other sites on the Internet.
- Opting Out: You may opt out of personalized advertising by visiting Google's Ads Settings. Alternatively, you can opt out of a third-party vendor's use of cookies for personalized advertising by visiting www.aboutads.info.
11) Your Rights & Choices
Depending on your location, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. To exercise these rights, email donna.odonoghue@gmail.com. We may verify your request and may be unable to comply where an exception applies (e.g., legal obligations).
12) Children’s Privacy
The Service is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.
13) Third-Party Links
The Service may contain links to third-party sites/services. Their privacy practices are governed by their own policies.
14) Changes to This Policy
We may update this policy from time to time. Material changes will be notified via in-app notice or email. The “Last updated” date above reflects the latest version.
Appendix: Google Integration Disclosures
- We request only the Google OAuth scopes needed for the features you choose to use, such as:
https://www.googleapis.com/auth/calendar.events – View and edit events on all your calendars to sync critical deadlines and appointments.
- We do not store full Google Calendar event bodies or calendar contents on our servers. Minimal operational metadata (IDs/timestamps) may be stored in Firestore to deliver features reliably.
- You can revoke access anytime at myaccount.google.com/permissions. After revocation, we stop access immediately and purge cached tokens within 24 hours; related logs are purged within 30 days.
- We comply with Google’s Limited Use requirements: no selling of Google user data, no use for advertising, no unnecessary transfers, and no human access without consent or legal necessity.
OAuth scopes we request & purposes
openid – Associate you with your personal info on Google.
https://www.googleapis.com/auth/userinfo.email – See your primary Google Account email address.
https://www.googleapis.com/auth/userinfo.profile – See your personal info, including any personal info you've made publicly available.
https://www.googleapis.com/auth/drive.file – See, edit, create, and delete only the specific Google Drive files you use with this app; we do not have access to your entire Drive. Used solely to read/write files you explicitly open or create via the Service, including provisioning document and spreadsheet templates.
https://www.googleapis.com/auth/documents.currentonly – Edit only the Google Docs file you are currently using with the Service (e.g., the document the Service creates for you or that you explicitly open/select).
https://www.googleapis.com/auth/spreadsheets.currentonly – Edit only the Google Sheets file you are currently using with the Service (e.g., the spreadsheet the Service creates for you or that you explicitly open/select).
https://www.googleapis.com/auth/calendar.events – Create/update events in your calendars only when you ask us to.
We request only the minimum scopes needed for the features you choose to use. We do not sell Google user data, use it for ads, or allow human access without your request (support) or where required by law. You can revoke access anytime at myaccount.google.com/permissions.
If you have questions about this policy or our data practices, contact donna.odonoghue@gmail.com.