Privacy Policy
Last updated: April 8, 2026
1. Introduction
Oya ("we", "us", or "our") operates the oya.ai platform — an AI agent building service that lets you create, deploy, and manage AI-powered automations connected to third-party services. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and what rights you have over it.
By using Oya, you agree to the practices described in this policy. If you don't agree, please don't use the service.
2. Information We Collect
2.1 Account Information
When you sign up, we collect:
- Email address and display name
- Authentication data (managed by Supabase Auth — we never store raw passwords)
- GitHub profile information if you connect your GitHub account
2.2 Agent Data
Content you create on the platform:
- Agent configurations, personas, behavior rules, and routines
- Scripts and skill code your agents execute
- Chat messages and thread history between you and your agents
- Knowledge base documents you upload
- Build session logs from agent creation
2.3 Third-Party Credentials
When you connect external services (Google, Slack, Discord, Telegram, Gmail, Google Calendar, Google Drive, Google Sheets, Google Ads, Google Analytics, Google Business Profile, LinkedIn, X, Jira, ClickUp, Apollo, Hunter, Instantly, WhatsApp, Instagram, Facebook Messenger, and others) through OAuth or API keys, we store the tokens and credentials needed to act on your behalf. These are:
- Encrypted at rest in our database
- Never shared with any third party beyond the service you connected
- Used only to perform actions your agents are configured for
- Revocable at any time — disconnect a gateway and the credentials are deleted immediately
2.4 Usage and Billing Data
- API call counts, model usage, and sandbox execution records for billing
- Product analytics events (pages visited, features used) via PostHog
- Error reports via Sentry for debugging
- Payment information processed by Stripe — we never see or store your full card number
3. How We Use Your Information
- Platform operation: Run your agents, execute scripts, process chat messages, and manage your account.
- Third-party integrations: Use your authorized credentials to perform actions on connected services (send emails, post to Slack, read spreadsheets, etc.) strictly as configured by your agents.
- Billing: Track usage, process payments, and manage credits.
- Service improvement: Understand how the platform is used to fix bugs and improve features. We use aggregated, anonymized analytics — never your private agent content.
- Security: Detect and prevent abuse, unauthorized access, and fraud.
- Communications: Send service-related emails (billing alerts, critical updates). No marketing emails unless you opt in.
What We Never Do
- We never sell your data to anyone.
- We never use your data for advertising or ad targeting.
- We never train AI models on your private agent content, chat messages, or credentials.
- We never share your third-party credentials with anyone other than the service you connected.
- We never access your connected services for any purpose other than executing your agent's configured actions.
4. Third-Party Services We Use
We rely on the following infrastructure providers to operate the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication and database hosting | Account data, agent configurations, encrypted credentials |
| Stripe | Payment processing | Email, payment method (handled entirely by Stripe) |
| Daytona | Sandboxed agent script execution | Agent scripts and runtime environment variables (isolated per execution) |
| PostHog | Product analytics | Anonymized usage events (pages, features). No agent content. |
| Sentry | Error monitoring | Error stack traces and request metadata. No user content. |
| LiteLLM | LLM provider routing | Chat messages routed to your selected AI model provider |
Each provider operates under its own privacy policy. We select providers with strong security practices and data protection standards.
5. Google API Services Disclosure
Oya's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What We Access
When you connect Google services, we request only the permissions your agent needs:
- Gmail: Read, send, and search emails on your behalf.
- Google Calendar: List, create, and manage calendar events.
- Google Drive: List, read, create, and manage files.
- Google Sheets: Read, write, and create spreadsheets.
- Google Ads: Read campaign and reporting data.
- Google Analytics: Read GA4 property data and reports.
- Google Business Profile: Manage business listings and reviews.
How We Use Google Data
- Google data is accessed only to perform actions your AI agents are configured for.
- We do not use Google user data for advertising, market research, or any purpose unrelated to your agent's functionality.
- We do not sell, rent, or share Google user data with third parties except as necessary to execute your agent's actions.
- Google OAuth tokens are encrypted at rest and used only for authenticated API calls on your behalf.
- You can revoke access at any time by disconnecting the gateway in your agent settings or via your Google Account permissions.
6. Data Security
We take the security of your data seriously. Our measures include:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS (HTTPS).
- Encryption at rest: Database contents, including OAuth tokens and API keys, are encrypted at rest.
- Hashed API keys: Agent API keys are stored using one-way hashing — we cannot read your raw keys.
- Sandboxed execution: Every agent script runs in an isolated Daytona sandbox with its own filesystem and network. Scripts cannot access other users' data or the host system.
- Credential isolation: Third-party credentials are injected as environment variables only during the specific skill execution that needs them, then discarded from the runtime.
- Access controls: Users can only access their own agents, threads, gateways, and data. Admin access is audited.
- Infrastructure: Hosted on Kubernetes with network policies, horizontal pod autoscaling, and automated deployments via CI/CD.
No system is 100% secure. If you discover a security vulnerability, please report it to [email protected] and we will address it promptly.
7. Data Retention and Deletion
- Active accounts: We retain your data for as long as your account is active and needed to provide the service.
- Deleted gateways: When you disconnect a gateway, the stored credentials (tokens, keys) are deleted immediately from our database.
- Deleted agents: When you delete an agent, all associated data (threads, messages, skills, gateways, triggers, knowledge base entries) is permanently deleted via cascading database deletion.
- Account deletion: You can request full account deletion by contacting us at [email protected]. We will delete all your data within 30 days.
- Billing records: Transaction records may be retained for up to 7 years as required by tax and financial regulations.
8. Your Rights
Depending on your jurisdiction (including GDPR, CCPA, and similar regulations), you have the right to:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data and account.
- Data portability: Request your data in a machine-readable format.
- Withdraw consent: Revoke consent for data processing at any time (e.g., disconnect OAuth gateways, delete your account).
- Object: Object to certain types of processing.
- Restrict: Request restriction of processing in certain circumstances.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Cookies and Tracking
We use minimal cookies and tracking:
- Authentication cookies: Session tokens to keep you logged in. Essential for the service to function.
- Analytics: PostHog for anonymized product usage analytics. You can opt out via your browser's Do Not Track setting.
We do not use advertising cookies, tracking pixels, or fingerprinting.
10. Children's Privacy
Oya is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. International Data Transfers
Your data may be processed in countries other than your own. Our infrastructure providers operate data centers globally. We ensure that any international transfers comply with applicable data protection laws and that appropriate safeguards are in place.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you via email or an in-app notification.
13. Contact Us
If you have any questions about this Privacy Policy, your data, or your rights, contact us at:
- Email: [email protected]
- Website: oya.ai