Privacy Policy

1. Interpretation and Definitions

For purposes of this Privacy Policy:

• Account means a unique account created for you to access all or part of the Service.
• Application means the Gwal mobile application.
• Company means Goloak Vrindavan Inc., located in Mumbai, Sector 13, India.
• Device means any device that can access the Service, such as a phone, tablet, or computer.
• Personal Data means information that identifies, relates to, describes, or can reasonably be linked to an individual.
• Processing means any operation performed on Personal Data, including collection, use, storage, disclosure, transfer, and deletion.
• Service Provider means a third party that processes data on behalf of the Company to provide or support the Service.
• Usage Data means technical and operational information collected automatically from Service operation and access.
• Website means gwal.ai and product/legal pages hosted under that domain.
• You means the person or entity using the Service.

2. Categories of Data We Collect

Depending on your use of the Service, we may collect and process:

• Account and identity data: email address, user ID, and profile metadata from auth providers.
• Subscription and billing metadata: plan identifiers, entitlement state, purchase state, restore status, transaction references.
• Service content data: prompts, messages, AI conversations, instructions, optional attachments, and workflow payloads.
• Cloud deployment and connection data: agent IDs, cloud domain, gateway token, model/provider selections, deployment status metadata.
• BYOK data: provider key configuration and related routing preferences when you choose BYOK features.
• Notification data: push token and environment metadata when push permissions are enabled.
• Usage and diagnostics data: app version, OS/platform metadata, error events, and limited operational logs.
• Website preference data: functional client-side preferences (for example, dark/light theme mode).

We do not request contacts or location permissions as part of normal operation.

3. Data Collected Through Permissions

• Microphone and speech recognition: requested only for optional voice input features.
• Photo library access: requested only when you choose to attach images/files.
• Push notifications: requested only if you choose to enable notifications.

You can disable or revoke permissions at any time in device settings.

4. How We Use Data

• To provide, maintain, and secure the Service.
• To authenticate users and manage account sessions.
• To deploy and operate cloud agents.
• To route AI requests according to your selected providers and settings.
• To process subscriptions, restores, and entitlement checks.
• To deliver notifications for enabled features.
• To detect abuse, debug errors, and improve reliability and security.
• To comply with legal obligations and enforce our agreements.

5. Legal Bases for Processing

Where required by law, we rely on one or more of the following legal bases:

• Performance of a contract (providing requested Service features).
• Legitimate interests (security, fraud prevention, reliability, product operations).
• Consent (where required, including optional permissions and specific communications).
• Legal obligations (compliance, lawful requests, records obligations).

6. Third-Party Services and Data Sharing

We may share information with service providers or integration partners required to deliver features, such as:

• Authentication infrastructure providers (including Supabase).
• Subscription and purchase infrastructure (including RevenueCat and app-store billing systems).
• AI providers selected by users (including OpenAI, Anthropic, Google, OpenRouter, and others users configure).
• Cloud and networking infrastructure supporting deployment and runtime operations.
• Push-notification infrastructure (including APNs) when push is enabled.

We do not sell personal data. Users choose AI providers themselves and may use their own API keys. Data may be processed by those providers according to provider terms and policies.

7. BYOK (Bring Your Own Key) Notice

If you provide your own AI-provider API keys, data processing and billing relationships may be directly governed by your arrangement with those providers. You are responsible for your provider account, usage costs, key management, and compliance with third-party terms.

8. Cookies, Tracking, and Similar Technologies

The website currently does not use advertising or behavioral tracking cookies for profiling users. Current website storage usage is primarily functional preference storage (for example, theme preference).

If we materially change website tracking practices in the future, we will update this Policy accordingly.

9. Data Retention

We retain Personal Data only as long as reasonably necessary for the purposes described in this Policy, including service delivery, security, compliance, dispute resolution, and contractual enforcement.

Retention periods vary by category and context. Certain records may be retained longer where legally required or where necessary for fraud prevention or service integrity.

10. International Transfers

Your data may be processed in countries outside your jurisdiction by us or our providers. Data-protection laws may differ across regions. Where applicable, we implement reasonable safeguards to support secure transfer and processing.

11. Security

We use technical, administrative, and organizational safeguards intended to protect personal information. However, no transmission or storage method is fully secure, and absolute security cannot be guaranteed.

12. Your Rights and Choices

Subject to applicable law, you may have rights to:

• Access certain data we hold about you.
• Request correction of inaccurate data.
• Request deletion of eligible data.
• Request export/portability of eligible data.
• Object to or restrict certain processing, where applicable.
• Withdraw consent where processing is based on consent.

To exercise rights, contact us at ai@gwal.ai. We may request verification before processing requests.

13. GDPR/EEA Notice

If you are located in the EEA/UK or a similar jurisdiction, you may have rights under GDPR-equivalent law, including access, rectification, erasure, objection, restriction, portability, and complaint rights with a supervisory authority.

14. California Privacy Notice (CCPA/CPRA)

California residents may have rights to know, access, delete, correct, and receive information about categories of personal information collected, used, and disclosed, subject to legal exceptions.

We do not sell personal information as that phrase is commonly used. To request rights information, contact ai@gwal.ai.

15. Do Not Track

Browser "Do Not Track" settings are not currently responded to with a uniform mechanism, as no consistent industry standard exists for all environments.

16. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child provided personal data without authorization, contact us for review and removal.

17. External Links

The Service may link to third-party services. We are not responsible for third-party privacy practices, and you should review the privacy policy of any external service you access.

18. Business Transfers

In the event of merger, acquisition, reorganization, financing, sale of assets, or similar transaction, personal information may be transferred as part of that process, subject to applicable law.

19. Changes to This Policy

We may modify this Privacy Policy from time to time. Updates will be posted on this page with a revised "Last updated" date. Continued use of the Service after changes become effective indicates acceptance.