Avatiq Privacy Policy
Last updated: 27/03/2026
This Privacy Policy describes how Avatiq (“we,” “us,” or “our”) collects, uses, stores, and shares information when you use our productivity and wellness mobile application and related services (collectively, the “Services”), including our backend API. By using the Services, you agree to this policy. If you do not agree, please do not use the Services.
Note: Analytics providers, retention details, and the exact scope of self‑serve account deletion or data export can vary by app version and region. Our production API is available at https://api.avatiq.ai.
1. Introduction
Avatiq helps you manage tasks and habits, keep a journal, chat with an AI coach, and optionally connect third‑party tools such as Google Calendar. We process personal data to provide these features, keep your account secure, and improve the Services where permitted by law.
We do not use this policy to claim specific compliance certifications (for example, SOC 2 or HIPAA) unless we publish those separately.
2. Data we collect
We collect data you provide, data generated when you use the Services, and limited data from optional integrations.
2.1 Account and profile
- Credentials: Email address and password. Passwords are stored on our servers only as a cryptographic hash, not as plaintext.
- Profile: Name and optional profile picture and coach avatar images. Image files are stored on our servers (for example under an uploads path and served under /uploads as applicable).
- Onboarding: Answers you provide during onboarding may be stored as structured data (e.g., JSON) on your user record.
2.2 Your content and activity
Depending on how you use the app, this may include:
- Tasks and subtasks, including optional Google Calendar event identifiers when you sync or link calendar-related features.
- Habits: Streaks, completion status, and related metadata.
- Journal entries: Text you enter, mood information, and optional AI-generated “insight” text produced from your entries.
- AI coach chat: Session data, messages with roles such as user and assistant/model.
2.3 Optional Google connection
If you choose to connect Google, we may receive and use data according to the OAuth scopes you approve, which may include read-only calendar access (calendar.readonly) and basic profile and email (userinfo.profile, userinfo.email). Integration tokens may be stored in our systems (for example in records such as user_integration) and used only for features you enable. Your use of Google is also governed by Google’s own terms and privacy policies for your Google account and data.
2.4 Audio and speech
If you use features that capture or upload audio for transcription or coaching, that audio is sent to our API for processing. Transcription and related AI processing are performed on the server using Google Gemini (or successor services we configure). We do not place Gemini API keys or other server secrets inside the client app.
2.5 Device and technical data
We may collect IP address, device or app identifiers, and diagnostic information needed to operate the API, prevent abuse, and troubleshoot issues. The analytics or crash-reporting tools in use may change between app versions. Contact us if you need the current list for your platform or build.
2.6 Permissions you may grant on your device
The app may request access to features such as notifications, camera, microphone (for speech input), calendar, local authentication / biometrics, or Apple Health (HealthKit) on iOS, only where relevant and if you grant permission. We use such access to provide the features you enable—not for unrelated purposes.
3. How we use data
We use personal data to:
- Create and manage your account; authenticate you and provide access and refresh tokens to the app (tokens on device are stored using Expo SecureStore, not ordinary unencrypted app storage).
- Store and display your tasks, habits, journal, and coach conversations.
- Run AI features (coaching replies, journal analysis, transcription) via server-side calls to Google Gemini (or configured AI providers).
- Send transactional email (such as verification, password reset, or welcome messages) using SMTP, with outbound mail queued using Bull and Redis on our infrastructure.
- Operate optional Google Calendar features when you connect Google.
- Maintain security, integrity, and availability of the Services; comply with law; and enforce our terms.
Some in-app controls may be labeled “Encrypted journal” or “Local-only mode,” or offer “Export Data” or “Delete Account.” Behavior can vary by platform and app version. Do not assume end-to-end encryption or fully offline-only storage unless we state that explicitly for your version of the app.
4. Legal bases (EEA, UK, and similar regions)
Where GDPR or similar laws apply, we rely on one or more of the following:
| Purpose | Typical legal basis |
|---|---|
| Providing the Services and your account | Performance of a contract |
| Security, abuse prevention, and legal obligations | Legal obligation and/or legitimate interests |
| Optional integrations (e.g., Google) | Consent (where required) and/or contract |
| Transactional email necessary for your account | Contract and/or legitimate interests |
| Product improvement and optional analytics (if used) | Legitimate interests and/or consent, as applicable |
You may have additional rights depending on your region (see Your rights below).
5. Third-party services
We use service providers and integrations that process data on our behalf or as joint controllers in some cases:
| Category | Examples / notes |
|---|---|
| AI and transcription | Google Gemini (server-side) for coaching, journal insights, and audio transcription. |
| Google account | Google OAuth and APIs for calendar/profile features; governed also by Google’s policies. |
| Email delivery | SMTP provider used for transactional messages; queued via Bull / Redis. |
| Infrastructure | PostgreSQL (primary database), Redis (queues), and hosting for our API and stored files. |
We require subprocessors to protect personal data appropriately. Their privacy policies also apply to how they handle data on their systems.
6. Security measures
We implement safeguards appropriate to the nature of the Services, including:
- Password hashing on the server (no storage of plaintext passwords for authentication).
- TLS encryption in transit between your app and our API where HTTPS is used.
- Access and refresh tokens on the mobile app stored in Expo SecureStore rather than insecure storage.
- Server-side storage of secrets (including Gemini and other API keys); the secrets described here are not embedded in client builds.
No method of transmission or storage is 100% secure. We encourage you to use a strong, unique password and to enable device security features.
7. Retention
We retain personal data only as long as needed for the purposes in this policy, unless a longer period is required by law. Retention periods can differ by data category. If you need details for compliance or legal holds, contact us.
8. Your rights
Depending on where you live, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account or certain data.
- Restrict or object to certain processing.
- Data portability (receive a copy in a structured, machine-readable form where applicable).
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority.
Self-serve export and account deletion may be available from in-app settings where supported for your platform and region. You can also submit requests by contacting us at the email below.
9. Children
The Services are not directed at children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take steps to delete it.
10. International transfers
We may process and store data in countries other than your own, including where our servers or subprocessors are located. Where required, we use appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) for transfers from the EEA, UK, or Switzerland. Contact us for more information on transfers relevant to you.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy with a new “Last updated” date and, where required by law, provide additional notice. Continued use of the Services after changes means you accept the updated policy, to the extent permitted by law.
12. Contact
For privacy questions, requests, or complaints:
Email: privacy@avatiq.ai
We may update this policy from time to time; the date above reflects the latest version.