Privacy Policy

thAIng is operated by ThAIng Inc. ("thAIng", "we", "us"). We provide a private AI infrastructure layer for residences, buildings, and operations — including a voice companion (Aura), a content engine, resident workflows, and a multi-tenant admin console. This policy describes what we collect, why we collect it, who we share it with, and your rights.

We collect the following categories of personal information, all of which are linked to your user identity. None of it is used for advertising or sold to third parties.

• Contact info — your display name and email address, used for authentication, communication, and customer support.
• Identifiers — your thAIng user ID (Supabase) and the Expo push token of your installed mobile devices, used for session continuity and push notifications.
• Payment info — when you purchase a subscription or pay rent, Stripe processes the payment. thAIng never touches your full card number; we receive tokenized references plus billing email, plan, and status.
• User content — content you create or submit through the app, including:
  • Voice conversations with Aura (audio + transcribed text)
  • Photos you attach to maintenance requests
  • Photos you show Aura via the "show Aura" camera feature
  • Scenes, automations, agent preferences, and saved memories you create
  • Text messages and notes
• Usage data — interaction events for the governance audit log (which voice command fired, which scene was activated, who approved or rejected a request), plus security telemetry (rate-limit consumption, failed auth attempts).
• Diagnostics — if Sentry is configured for your workspace, crash reports and performance traces.
• Purchase history — your subscription plan, renewal status, and historical entitlements.

We do not collect: your precise or coarse GPS location, your phone contacts, your browsing history outside our app, your search history outside our app, advertising identifiers, health data, or financial information beyond what Stripe needs for payment.

We use the information we collect to:

• Authenticate you and keep you signed in
• Power Aura's voice conversations and personalize them based on your stated preferences and recent conversations
• Execute the actions you ask Aura to perform (scenes, device commands, music, calendar lookups)
• Process payments and manage subscriptions
• Send maintenance, guest, and household notifications
• Operate the multi-tenant audit log so workspace owners can review every action taken in their home
• Enforce rate limits and spending caps that protect you from runaway costs and abuse
• Debug crashes and improve reliability

We do not use your data to train third-party AI models on your conversations. Aura's underlying LLM providers (Anthropic, OpenAI) operate under enterprise agreements that exclude your inputs from model training.

We rely on the following third-party subprocessors to deliver the service. They process your data only on our behalf, under a data processing agreement, and never for their own purposes.

• Supabase (US) — database, authentication, and file storage of record
• Vercel (US) — application hosting and edge delivery
• Anthropic (US) — large-language-model responses for Aura (text conversations + photo understanding)
• OpenAI (US) — large-language-model responses for non-Aura agents
• ElevenLabs (US) — text-to-speech synthesis for Aura's voice
• Deepgram (US) — speech-to-text for Aura's Live (full-duplex) mode
• Apple SFSpeechRecognizer (on-device, default for half-duplex mode) — no cloud round-trip
• fal.ai (US) — video generation for Aura's content engine
• Tavily (US) — web search for Aura's live-information answers
• Stripe (US) — payment processing
• Composio (US) — OAuth-protected tool execution proxy for Gmail, Calendar, Drive, Slack, Notion, and similar integrations you connect
• LiveKit (US) — real-time audio transport in Live mode
• Expo / EAS (US) — mobile app distribution and push notification delivery
• Sentry (US, optional) — crash and performance telemetry

We do not sell your personal data to anyone. We do not share it with advertisers or data brokers. We do not engage in cross-app or cross-website tracking.

All data is transmitted over TLS. Our database provider (Supabase) encrypts disk storage at rest at the infrastructure layer. We use Row Level Security in PostgreSQL to enforce per-tenant isolation, run a per-user spend cap to limit the financial blast radius of a compromised account, and audit every governance-significant action. We do not currently encrypt individual fields at the application layer, and we do not claim end-to-end encryption for Aura voice conversations — your audio is necessarily decrypted in our processing pipeline so the model can respond.

Voice: when you speak to Aura, your audio is captured by your device. In the default half-duplex mode it is transcribed on-device by Apple's SFSpeechRecognizer (no cloud round-trip). In Live mode it streams to Deepgram for transcription. The resulting transcript is sent to Anthropic for an LLM response, then to ElevenLabs for text-to-speech. Aura conversation transcripts are stored in your workspace so she can recall context across sessions; you can delete any conversation from the in-app history.

Camera: photos you capture for maintenance requests are uploaded to your workspace's private storage bucket and shown to the assigned vendor only. Photos you show Aura via the "show Aura" button on the voice screen are sent inline to Anthropic for the response and are not stored long-term unless you save them to a conversation.

We retain your data for as long as your account is active. You can permanently delete your account at any time from the mobile app: Settings → Delete account. The deletion is immediate and irreversible. It removes:

• Your user record
• Every workspace you own (cascades to memberships, scenes, automations, posts, memories, push tokens, conversations, audit logs)
• Your Stripe customer record reference (Stripe's own retention rules apply to historical invoices for tax and regulatory purposes)

If you only want to leave a workspace owned by someone else, ask the workspace owner to remove your membership.

You have the right to access, correct, port, or delete your personal data. To exercise any of these rights, email support@thaing.ai from the address on your account. We will respond within 30 days. California residents have additional rights under the CCPA, including the right to know what categories of personal information we collect and the right to direct us not to sell your personal information (we do not sell it). EU/UK residents have additional rights under GDPR/UK GDPR.

thAIng is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children in those age brackets. If you believe a child has provided information to thAIng, please contact us at support@thaing.ai and we will delete it promptly.

Our subprocessors are based in the United States. If you access thAIng from outside the United States, your data will be transferred to and processed in the United States. For EU/UK residents, we rely on the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses to legitimize the transfer.

We will update this policy when our practices change. The "last updated" date at the top of this page reflects the most recent revision. For material changes that affect how we handle your data, we will notify you by email or in-app message.

Questions about this Privacy Policy or our data practices? Email support@thaing.ai.