How We Protect Your Data

🧠 AI Interaction & Zero-Knowledge Principles

• Zero-Knowledge AI Design: Our AI coach operates without ever accessing your raw, unencrypted data. All sensitive information is processed through a privacy-preserving architecture.
• Client-Side Processing: When you interact with our AI coach, your encrypted data is first decrypted locally on your device. Only then is contextual information derived for AI processing.
• Secure Context Handling: The AI receives only the necessary context to provide meaningful responses, without accessing or storing your complete unencrypted journal entries or conversations.
• No Training on Your Data: Your personal data is never used to train or improve our AI models. Your private conversations and journal entries remain yours alone.
• Transparent AI Boundaries: Our AI is designed to provide emotional support while maintaining strict privacy boundaries, never accessing data it doesn't need to function.

🔐 End-to-End Encryption

• Client-Side Encryption: Your mood logs, journal entries, chat conversations, and onboarding preferences are encrypted on your device before they ever leave it.
• Zero Access: Eviya's servers store only encrypted data blobs — we cannot read or access your private conversations, even if we wanted to.
• AES-256-GCM Standard: We use AES-256-GCM, a globally trusted encryption standard that protects your data with confidentiality and integrity.

🗝️ Advanced Key Management

• Generated Securely on Your Device: Your encryption keys are created securely on your device using strong cryptographic techniques. We never store or transmit your private keys.
• Unique Keys for Every User: Each user's data is encrypted with a unique key to ensure maximum privacy.
• Key Rotation Support: We periodically refresh encryption keys, maintaining high security standards over time.
• Versioned Records: Every encrypted record tracks its encryption version, allowing seamless upgrades without losing access.

🛡️ Database and Server Security

• Supabase Row-Level Security (RLS): All sensitive database tables implement strict RLS policies, ensuring users can only access their own encrypted data.
• Supabase Edge Functions: Sensitive operations, such as encryption key rotation, are performed securely in isolated server environments.
• Encrypted Data Storage: All data at rest is encrypted with strong standards, ensuring confidentiality even in the event of server compromise.
• Background Re-Encryption: When keys are updated, data is safely re-encrypted in the background without disrupting the user experience.

🔒 Client and Application Security

• No Hardcoded Secrets: Encryption keys are never embedded in client code, reducing the risk of compromise.
• Input Validation and Sanitization: We validate and sanitize user inputs to prevent vulnerabilities such as cross-site scripting (XSS) and injection attacks.
• Rate Limiting: API endpoints are rate-limited to mitigate denial-of-service (DoS) attacks.

🛡️ Service Worker and Web Security

• HTTPS-Only Operations: Service workers and app communications are restricted to secure HTTPS connections.
• Scoped Permissions: Service workers are limited strictly to Eviya's domain, preventing unauthorized access.
• Regular Update Checks: Service workers are configured to regularly check for updates to ensure users are protected with the latest security patches.

🌐 Infrastructure and Hosting

• Encrypted Data at Rest: All user data stored on our servers is encrypted to ensure confidentiality.
• HTTPS Encryption in Transit: Communications between your device and our servers are secured using HTTPS with modern TLS standards (TLS 1.2 and TLS 1.3 where supported).
• Cloud Hosting: Currently hosted on secure cloud infrastructure with strict access controls.
• Data Localization: Our primary data storage is in Mumbai, India, with appropriate safeguards for international data transfers.

🚨 In the Event of a Breach

In the unlikely event of a database breach:

• Only encrypted, unreadable blobs would be exposed.
• No decrypted mood logs, journal entries, chat conversations, or onboarding preferences would be compromised.
• We would promptly notify users and regulators in accordance with applicable laws.

Thanks to our zero-knowledge architecture, your private data remains safe even in worst-case scenarios.

🧠 AI Model Safety

• AI Transparency: You are always interacting with an AI system — never a human.
• No Medical Advice: Eviya's AI is explicitly trained not to diagnose, treat, or provide medical advice. It offers general emotional support and reflection prompts only.
• Privacy Respect: AI-generated interactions are not used for behavioral targeting, profiling, or advertising.
• Encrypted Data Processing: The AI works with data that has been decrypted locally on your device, never on our servers. This ensures your sensitive information remains private even during AI interactions.
• Contextual Understanding: When the AI references your journal entries or previous conversations, it's working with contextual information that was processed securely on your device after local decryption.
• No Persistent Memory: The AI does not maintain a persistent memory of your unencrypted data between sessions. Each interaction is processed securely and independently.

📜 Compliance

Eviya is built in alignment with major global privacy standards:

• GDPR (European Union)
• CCPA/CPRA (California, USA)
• UAE Personal Data Protection Law (PDPL)
• India Digital Personal Data Protection Act (DPDP)

We follow privacy-by-design and security-by-design principles across every layer of our technology.

We are committed to keeping your personal journey with Eviya safe, private, and empowering.