VAIA
Features Pricing FAQ Download

Privacy Policy

Last updated: July 20, 2026

This Privacy Policy explains how Novidea Group SRL, Intrarea Neatarnarii, Nr. 15, Ap. 7, Sector 1, Bucharest, Romania ("Novidea", "we", "us") processes personal data when you use VAIA, our desktop application for Windows, our website usevaia.com, and related services (together, the "Service").

We are the data controller for the processing described in this Policy, except where this Policy says otherwise. You can contact us about privacy at privacy@usevaia.com.

The short version: your conversations are processed in real time to generate suggestions and are not stored on our servers. Your documents stay on your device and are used only to generate answers for you. We store what is needed to run your account and billing, and as little else as possible.

1. What VAIA does with conversation audio

When VAIA is active, it captures the audio playing on your computer (for example the voices in an online meeting), detects speech, and sends short audio segments for transcription. The resulting text is then sent, together with your settings and (if enabled) your documents, to an AI model that generates the suggestions shown in your overlay.

Here is the exact data path:

  1. Audio is captured and segmented on your device.
  2. Each speech segment is sent over an encrypted connection to our relay server (hosted on Railway, in the EU region we configure), which forwards it to OpenAI for transcription. Our relay server passes conversation content through in transit only. It does not store audio, transcripts, prompts or responses. It records only usage metrics per request (such as token counts, cost, model and timestamps) for billing purposes.
  3. OpenAI processes the audio and text to provide transcription and AI responses. Under OpenAI's API terms, API data is not used to train their models and is retained by OpenAI for a limited period (currently up to 30 days) for abuse monitoring, after which it is deleted.
  4. The suggestion is streamed back to your device and displayed in your overlay.

Audio segments on your device are written to a temporary file only for the duration of a single transcription request and are deleted immediately afterwards. VAIA does not keep recordings of your conversations, on your device or on our servers, and we have no ability to listen to, read, or reconstruct your conversations.

2. Your responsibility toward other people in the conversation

Conversations usually involve other people, and their voices are personal data too. VAIA is a tool under your control: you decide when it runs and in which conversations. For the audio of other participants, you act as the person responsible for that choice. Depending on your country and the situation, you may be legally required to inform the other participants or obtain their consent before processing a conversation with any tool, including VAIA. Please check the rules that apply to you; this responsibility cannot be ours, because we neither see nor store the conversation.

3. Data stored on your device (and only there)

The following data stays on your device, under your control, and is never uploaded to our servers:

  • Your documents. If you add documents (such as a CV) in Settings, VAIA stores the file paths and reads the files locally. Document content leaves your device only as part of an AI request: when VAIA generates an answer, the text of your selected documents is included in the request sent through our relay to OpenAI, under the same transit-only handling described above. Documents are never uploaded to or stored on our servers.
  • Screen captures. If you use the screen-explain feature, the screenshot of the area you select is saved locally in the app's data folder and its content is sent as part of that one AI request. Locally saved captures are not deleted automatically; you can delete them at any time.
  • Technical logs. The app writes local diagnostic logs (events and performance metrics). These logs do not contain conversation transcripts or AI reply text.
  • Account file. A local file stores your account email and identifiers, with session credentials encrypted using Windows' built-in encryption (DPAPI) where available.

Important: uninstalling VAIA does not currently delete the app's data folder. After uninstalling, you can remove all remaining local data by deleting the folder %APPDATA%\VAIA on your computer.

4. Data we store on our servers

We keep on our servers only what is needed to operate your account and billing:

  • Account data: your email address, a cryptographically hashed password (argon2id; we never store your actual password), session identifiers, email verification and password reset tokens (stored hashed), and your account status.
  • Billing and usage data: your subscription status, a Stripe customer reference, your usage allowance and consumption expressed as metered usage and cost figures, and related timestamps. Payment card data is handled entirely by Stripe; we never receive it.
  • Usage metrics on the relay: per-request records with token counts, cost, model and timestamps, used for allowance accounting. These records do not include conversation content.
  • Support correspondence: if you email us, we keep the correspondence.

5. Crash reporting (optional) and website analytics

  • Crash reporting (Sentry) is optional and off by default. If you enable it in Settings, technical crash data is sent to Sentry to help us fix problems. We apply filtering designed to strip conversation content, document content and personal identifiers from reports before they are sent.
  • Our website uses Cloudflare Web Analytics, a privacy-friendly, cookieless measurement tool. Our website does not use advertising trackers and does not set cookies for tracking purposes.

6. Purposes and legal bases (GDPR)

ProcessingPurposeLegal basis
Real-time processing of conversation audio, documents and screen captures to generate suggestionsProviding the core Service you requestPerformance of a contract (Art. 6(1)(b) GDPR)
Account creation, authentication, email verification, password resetOperating your account securelyPerformance of a contract (Art. 6(1)(b))
Billing, usage allowance accounting, subscription managementCharging for and metering the ServicePerformance of a contract (Art. 6(1)(b)); legal obligations (Art. 6(1)(c)) for accounting records
Transactional emails (verification, password reset)Necessary service communicationsPerformance of a contract (Art. 6(1)(b))
Crash reporting via SentryImproving stabilityConsent (Art. 6(1)(a)), off by default, withdrawable in Settings
Website analytics (cookieless, aggregated)Understanding website usageLegitimate interest (Art. 6(1)(f)) in operating and improving our website
Fraud prevention, security, abuse preventionProtecting the Service and usersLegitimate interest (Art. 6(1)(f))

7. Recipients and processors

We share personal data only with the providers needed to run the Service, under data processing agreements:

ProviderRoleData involved
OpenAI (USA)AI transcription and generationConversation audio segments, transcripts, document text and screen captures included in requests; limited retention for abuse monitoring, no model training on API data
Railway (hosting)Hosts our relay and billing backendContent in transit (relay); account and billing data (backend)
Stripe (payments; merchant of record via Link)Payment processing, taxes, refunds, disputesPayment and transaction data; for purchases, Stripe acts as merchant of record and processes your payment data as an independent controller under its own privacy policy
ResendSends transactional emailsYour email address and the verification/reset link
CloudflareWebsite hosting, update delivery, cookieless analyticsStandard connection data (such as IP address) processed to deliver content; aggregated analytics
Sentry (only if you opt in)Crash reportingFiltered technical crash data

We do not sell personal data and we do not use it for advertising.

8. International transfers

Some providers (notably OpenAI and, depending on configuration, parts of Stripe, Sentry and Cloudflare) process data in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the provider is certified, and otherwise on Standard Contractual Clauses, together with the providers' technical safeguards.

9. Retention

  • Conversation content: not stored by us. Transient processing only; OpenAI's abuse-monitoring retention is currently up to 30 days on their side.
  • Account data: kept while your account exists, deleted within 30 days of a verified deletion request (see Section 10).
  • Billing and usage records: kept while your account exists and thereafter as required by accounting and tax law (in Romania, generally up to 10 years for accounting records), then deleted.
  • Email verification/reset tokens: single-use; removed when your account is deleted.
  • Crash reports (if enabled): retained per Sentry's retention settings (typically 90 days).
  • Local data on your device: under your control; see Section 3.

10. Your rights

Under the GDPR you have the right to access, rectify, and erase your personal data, restrict or object to processing, data portability, and to withdraw consent at any time where processing is based on consent (for example the crash-reporting toggle), without affecting prior processing.

To exercise any right, email privacy@usevaia.com from the address associated with your account (or provide equivalent proof of identity). We respond within one month. Deleting your account removes your account and billing records from our systems (subject to legal retention duties for accounting data) and disables your access; remember to also delete the local data folder described in Section 3, which only you can do.

You also have the right to lodge a complaint with a supervisory authority, in Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, București, dataprotection.ro.

11. Security

We use encryption in transit (TLS) for all communication between the app, our servers and our providers; passwords are stored only as argon2id hashes; session credentials on your device are encrypted with the operating system's key store where available; access to production systems is restricted. No system is perfectly secure, but we design the Service so that the most sensitive data, your conversations, is not retained anywhere we control.

12. Children

The Service is not directed to persons under 18, and we do not knowingly process their data. If you believe a minor has created an account, contact us and we will delete it.

13. Changes to this Policy

We may update this Policy from time to time. For material changes we will notify you (for example by email or in the app) before they take effect. The current version is always available at usevaia.com/privacy.

14. Contact

Novidea Group SRL
Intrarea Neatarnarii, Nr. 15, Ap. 7, Sector 1, Bucharest, Romania
Email: privacy@usevaia.com

VAIA © 2026 Novidea Group SRL
Terms Privacy GDPR Talk to the founder →