Last updated: 15 May 2026
Privacy Policy
Assay is a private companion you can talk to about anything — including the parts of your life you don't share with anyone else. This policy explains how we handle your personal data, and what we will and won't do with it.
1. Who we are
The data controller responsible for your personal data is the operator of Assay. You can contact us at [email protected].
2. What data we collect and why
We collect and process the following categories of data:
- Account and profile: email address, account identifier, and preferences (e.g. theme, tone, conversation style). We use this to provide and personalise the service.
- Conversations and messages: the content of your chats with Assay. We use this to deliver the chat experience and to derive memories.
- Memories: information inferred from your conversations (e.g. identity, goals, preferences, relationships, events). These are not verbatim logs; they are structured facts the system stores to maintain continuity across sessions.
- Payment-related data: we store identifiers that link your account to Stripe (e.g. customer ID, subscription ID). We do not store your card number or full payment details; Stripe handles payment processing.
- Notifications and engagement: if you opt in to push notifications, we store your subscription endpoint and record whether notifications are delivered and opened. We use this to measure engagement and improve notification timing. You can opt out at any time in Settings.
- Incognito messages: you can send any message in incognito mode. Incognito messages are stored so your conversation history still reads naturally, but they are excluded from memory extraction and from the long-term memory layer — they do not shape what Assay remembers about you.
- Voice messages: if you use voice mode, your spoken audio is sent to a speech-to-text provider for transcription and the reply text is sent to a text-to-speech provider for playback. We do not store the audio itself — only the resulting text transcript, which is treated identically to typed messages. See section 9 below for the full voice-mode handling.
Purposes: We use your data to provide the Assay service (chat, memory, continuity), to manage your account and subscription, and to improve the product within the scope described here. We do not use your data for advertising or sell it to third parties.
3. Lawful basis
We process your personal data primarily on the basis of contract: the processing is necessary to perform our agreement with you (to provide the Assay service, memory, and billing). Where we rely on another lawful basis (e.g. legitimate interest for security or product improvement), we ensure it is documented and balanced with your rights.
4. Who we share data with
We use the following processors, who process data on our instructions:
- Supabase — authentication and database (account, conversations, messages, memories). Data may be stored in a region you or we configure (e.g. EU).
- Anthropic — Claude is the model that generates Assay's replies. Your messages and the relevant memory context are sent to Anthropic to produce each reply. Anthropic is based in the United States; we rely on appropriate safeguards (e.g. EU Standard Contractual Clauses and/or Data Privacy Framework) for transfers, and Anthropic's API terms exclude using customer content to train their models.
- OpenAI — used for embeddings, auxiliary classification (e.g. turning text into vectors so memories can be searched, classifying messages for routing), and — when you use voice mode — text-to-speech synthesis of the assistant's replies. Same US transfer safeguards apply, and OpenAI's API terms exclude using customer content to train their models.
- Deepgram (United States) — speech-to-text transcription when you use voice mode. We send your audio to Deepgram in no-retention mode; Deepgram does not store your audio. We rely on appropriate transfer safeguards (e.g. EU Standard Contractual Clauses) for US transfers. Deepgram does not use customer audio or transcripts to train their models.
- Stripe — payment processing. We only store Stripe customer and subscription identifiers; Stripe processes payment details according to their own policy.
- Qdrant — vector storage used for memory search. We ensure a data processing agreement and, where relevant, transfer safeguards are in place.
We do not sell your data or share it with third parties for their marketing. We do not use your conversations or memories for advertising.
5. Retention
We keep your data for as long as your account is active. When you delete your account (via Settings → Account → Delete account), we delete your profile, conversations, messages, memories, notification data, and all related data. Deletion is performed immediately and is completed no later than 30 days from your request. After that, we do not retain your personal data for the purposes of the service. We may retain limited data where required by law (e.g. accounting) for the period mandated by applicable rules.
6. Your rights
Under the GDPR (and similar laws), you have the right to:
- Access — receive a copy of your personal data. You can use Export my data in Settings → Account to download your profile, conversations, and memories in a structured format (JSON). We will respond to any other access request within one month.
- Rectification — correct inaccurate data. You can edit or delete individual memories and conversations in the app. For other corrections, contact us at [email protected].
- Erasure — have your data deleted. You can Delete account in Settings → Account; this permanently removes your account and associated data. We will also honour erasure requests sent to [email protected] within one month.
- Data portability — receive your data in a machine-readable form. The Export my data feature provides this; we respond to other portability requests within one month.
- Object or restrict — in certain situations you may object to processing or ask for restriction. Contact us to exercise these rights.
We respond to all requests within one month (GDPR Art. 12(3)). If you are in the EU/EEA and believe we have not complied with data protection law, you have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Integritetsskyddsmyndigheten (IMY) (imy.se).
7. Cookies
We use session cookies (and similar technologies) that are strictly necessary for authentication and the operation of the service. We do not use cookies for advertising or third-party tracking. If we introduce non-essential cookies (e.g. analytics) in the future, we will describe them here and, where required by law, obtain your consent.
8. AI and memories
Assay is an AI-driven service. The "memories" we store are inferred from your conversations — they are structured facts (e.g. preferences, goals, events), not verbatim transcripts. We use them only to give you a better experience (continuity and personalisation across sessions). We do not use the system to make automated decisions that have legal or similarly significant effects on you (e.g. credit, legal advice). The system is not always accurate; you can correct or delete any memory at any time.
We do not train AI models on your data. Your conversations and memories are not used to train any AI model — ours or any third party's. Our AI subprocessors (Anthropic and OpenAI) operate under API terms that exclude using customer content for training.
Safety detection. Before generating a reply, we run an automated check for indications of acute crisis (e.g. self-harm). If the check triggers, we may interrupt the normal reply and surface emergency and professional resources, and we log that the trigger occurred for safety auditing. We do not use crisis-flagged content for any other purpose, and it is never used for training.
9. Voice mode
Voice mode lets you talk to Assay out loud instead of typing. When you use it, your spoken words travel through a speech-to-text provider (Deepgram) so they can be converted into text, and the assistant's reply text is sent to a text-to-speech provider (OpenAI) so it can be played back to you as audio.
Both providers are configured to operate in no-retention mode: they do not store your audio after the request completes. We also never store your raw audio. Only the resulting text transcript is saved, and it is treated identically to a typed message — same memory extraction, same incognito controls if you have incognito turned on, same delete behaviour. If you delete your account, voice transcripts are removed alongside everything else.
You can leave voice mode at any time by tapping the close button; your conversation is preserved as text. Voice mode is rate-limited per account (a per-window cap on mic-open minutes) to protect against runaway costs from a misbehaving client.
10. No ads, no selling data
We do not use your personal data, conversations, or memories for advertising. We do not sell or share your data with third parties for their marketing purposes. Our revenue comes from your subscription (Assay Core and Max plans).
11. Changes and contact
We may update this Privacy Policy from time to time. We will post the updated version on this page and, for material changes, we will notify you (e.g. by email or a notice in the app). The "Last updated" date at the top indicates when the policy was last revised.
For any privacy-related request or question, contact us at [email protected].