Skip to main content
Back to home

Privacy Policy

Last updated: February 7, 2026

1. Information We Collect

Account Information

When you create an account, we collect your email address, display name, and optional profile photo. We use Supabase Auth for authentication and do not store your password directly.

User Content

We store conversations, messages, tasks, topics, and associated metadata you create through the Service. When end-to-end encryption is enabled, message content is encrypted client-side and cannot be read by Sylva servers.

Voice Data

Audio recordings are temporarily processed via AssemblyAI for transcription and optionally stored in Supabase Storage. You can configure automatic deletion after 7, 30, or 90 days.

Usage Data

We collect anonymous usage metrics including message counts, feature usage, and session data to improve the Service. We use Vercel Analytics for web analytics.

2. How We Use Your Information

  • Provide the Service: Process messages through AI models, generate search embeddings, run background agents, and deliver features you use.
  • Improve the Service: Analyze aggregate, anonymized usage patterns to improve features and performance.
  • Security: Detect and prevent unauthorized access, fraud, and abuse.
  • Communication: Send essential account notifications (password resets, security alerts).

3. Third-Party Services

We use the following third-party services to operate Sylva:

  • Supabase — Database, authentication, file storage, and edge functions hosting.
  • Anthropic (Claude) — AI conversation processing. Your non-encrypted messages are sent to Anthropic for generating responses.
  • OpenAI — Text embeddings for semantic search. Message content is sent to OpenAI to generate search vectors.
  • AssemblyAI — Voice transcription. Audio data is temporarily processed and not retained by AssemblyAI after transcription.
  • Vercel — Application hosting, analytics, and performance monitoring.

4. End-to-End Encryption

When you enable end-to-end encryption, your messages are encrypted using RSA-OAEP-4096 and AES-GCM-256 on your device before being sent to our servers. We store only the encrypted ciphertext and cannot decrypt your content. Note that:

  • AI features require sending plaintext to generate responses
  • Search embeddings are generated client-side in E2E mode
  • Recovery requires your BIP39 recovery phrase — if lost, encrypted data cannot be recovered

5. Data Storage and Security

Your data is stored in Supabase (powered by PostgreSQL) with row-level security policies ensuring that you can only access your own data. All data is encrypted at rest and in transit using TLS. Files are stored in Supabase Storage with signed, time-limited access URLs.

6. Your Rights

You have the right to:

  • Access your data via the Settings > Security > Export feature
  • Delete your account and all associated data via Settings > Account
  • Correct your profile information at any time
  • Port your data by exporting in JSON or Markdown format

7. Cookies and Local Storage

We use essential cookies for authentication and session management. We use IndexedDB (via Dexie.js) for offline caching. We do not use third-party tracking cookies.

8. Children's Privacy

Sylva is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use of the Service after changes constitutes acceptance.

10. Contact

For privacy-related inquiries, please contact us at privacy@sylva.app.