PRIVACY NOTICE

Victoria, Australia

This Privacy Notice for A is for App ("we", "us", or "our") describes how and why we might collect, store, use, and/or share ("process") your information when you use our product Suvadu.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice. You can find out more details about any of these topics by clicking the link following each key point, or by using our table of contents below.

• We collect almost no personal data. Suvadu is local-first. All your memories stay on your device at ~/.suvadu/. We never receive, process, or store your memory data. Read more

• We NEVER collect your memory content, search queries, conversation content, your name or email (except via Stripe for purchases), IP addresses, file paths, licence keys, behavioural sequences, or cross-device correlation data. This is a deliberate architectural choice, not a limitation. Read more

• The only analytics we collect is a single anonymous ping on startup sent to Google Analytics 4 (GA4) via the Measurement Protocol. It contains no personal identifiers and cannot be linked back to you. Read more

• We do not sell or share your personal data. The only third party that receives personal information is Stripe, and only when you choose to make a purchase. Read more

• We do not use cookies or browser-based tracking. Read more

• You have rights over your data. Depending on your location, you may have rights under GDPR, CCPA, or Australian Privacy Principles -- including access, deletion, correction, and portability. Read more

• How to contact us. Email hello@aisforapp.com with any questions or requests. Read more

TABLE OF CONTENTS

• What Information Do We Collect?
• How Do We Process Your Information?
• What Legal Bases Do We Rely On to Process Your Information?
• When and With Whom Do We Share Your Information?
• Do We Use Cookies and Other Tracking Technologies?
• Is Your Information Transferred Internationally?
• How Long Do We Keep Your Information?
• How Do We Keep Your Information Safe?
• Do We Collect Information from Minors?
• What Are Your Privacy Rights?
• Do We Make Automated Decisions?
• Do Australian Residents Have Specific Privacy Rights?
• Do California Residents Have Specific Privacy Rights?
• Do EU/UK Residents Have Specific Privacy Rights?
• What About the Cloud Tier?
• How Can You Report Bugs or Send Feedback?
• Do We Make Updates to This Notice?
• How Can You Contact Us?
• How Can You Review, Update, or Delete Your Data?

1. What Information Do We Collect?

Suvadu is built around a simple principle: your data belongs to you, and it stays with you. This is not a marketing choice -- it is an architectural decision baked into the product. We do not operate servers that store your memories, we do not have access to your data, and we have no mechanism to read it even if we wanted to.

Suvadu is a local-first memory service for AI assistants. It runs on your machine as a background process, giving AI tools like Claude, ChatGPT, Cursor, and Copilot a shared long-term memory. All your memories are stored locally at ~/.suvadu/ on your own device.

Data We Never Collect

To be absolutely clear, we never collect:

• Memory content -- what you store in Suvadu
• Search queries or recall strings -- what you ask Suvadu to find
• Conversation content -- between you and your AI tools
• Your name, email address, or any personal identity -- except as provided to Stripe for payment
• IP addresses -- the GA4 Measurement Protocol does not log IP addresses
• File paths -- beyond ~/.suvadu/
• License keys -- we only see your tier: free or pro
• Behavioural sequences or session replays -- we collect aggregate counts only, never ordered events
• Cross-device correlation data -- we use a random identifier with no link to your identity

This is not a limitation we work around. It is a deliberate architectural choice.

Local Installation -- Your Data Stays on Your Machine

When you install Suvadu locally:

• All memories are stored on your device at ~/.suvadu/ (or a directory you configure via SUVADU_DATA_DIR).
• Memory data is stored as Markdown files with YAML frontmatter, plus vector embeddings in a local LanceDB database.
• We have no access to this data. There is no upload, sync, or transmission of memory content.
• You are responsible for backing up your ~/.suvadu/ directory. If you lose the data, we cannot recover it.
• You are responsible for the content you store. We recommend you do not store passwords, API keys, or sensitive credentials in Suvadu.

Anonymous Product Analytics

Each time Suvadu starts, it sends a single anonymous ping to Google Analytics 4 (GA4) via the Measurement Protocol. This data is fully anonymised -- it contains no personal identifiers, no IP address, and cannot be linked back to you as an individual. This helps us understand how many people use Suvadu, on which platforms, and whether people stay.

• Memory content, query text, or any user data
• Your name, email, IP address, or any identifying information
• File paths, license keys, or conversation content
• Behavioural sequences or ordered events

• A random UUID is generated on first startup and stored in ~/.suvadu/client_id.
• It has no connection to your identity, email, or any account.
• If you delete the file, a new random UUID is generated.
• We cannot link this UUID to you as a person.

• A single HTTP POST to Google Analytics on startup, in a background thread.
• It never blocks Suvadu's operation.
• If the network request fails, it fails silently. Suvadu works fully offline.
• The ping is automatically skipped in CI environments.

Payments and Licensing

• Payments are processed by Stripe. When you purchase a Suvadu licence, you provide your payment details directly to Stripe.
• We do not store your credit card number, expiry date, or CVV. Stripe handles all payment data under their own Privacy Policy.
• We receive from Stripe: confirmation of payment, the email address you used to purchase, and the product tier. We use this solely to generate and deliver your licence key.
• Licence validation is offline. Your licence key is validated locally on your machine using Ed25519 public-key cryptography. No server call is made when you activate or use your licence.
• We offer a 30-day money-back guarantee. After purchase, licence keys cannot be revoked (because validation is offline and we have no mechanism to do so).
• Suvadu uses a one-time perpetual licence model. There are no recurring charges or subscriptions.

2. How Do We Process Your Information?

We process information for the following purposes:

3. What Legal Bases Do We Rely On to Process Your Information?

For the purposes of GDPR compliance (applicable to EU/UK users), we identify the following lawful bases:

A is for App is an Australian business subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Because Suvadu is available internationally, we also address the rights of users under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

4. When and With Whom Do We Share Your Information?

Suvadu interacts with the following third-party services:

All data transmitted to third-party services (GA4 startup ping, Stripe payments) is sent over encrypted HTTPS connections.

5. Do We Use Cookies and Other Tracking Technologies?

• Suvadu does not use cookies.
• Suvadu does not use browser-based tracking, fingerprinting, or pixels.
• The suvadu.aisforapp.com website may use standard analytics (see the website's own cookie notice if applicable). This Privacy Notice covers the Suvadu software product.

6. Is Your Information Transferred Internationally?

A is for App is based in Australia. When your personal information is transferred outside of Australia, we comply with APP 8 and take reasonable steps to ensure the overseas recipient handles it in accordance with the APPs.

• The anonymous GA4 startup ping is sent to Google's servers, which may be located outside Australia. Google operates under Standard Contractual Clauses and other transfer mechanisms as described in their privacy policy.
• Payment data is processed by Stripe, which may transfer data internationally under their own data protection framework. Stripe maintains compliance with GDPR, CCPA, and other applicable data protection regimes.
• Bug reports submitted via GitHub are subject to GitHub's data handling practices and may be stored outside Australia.
• Your local memories never leave your machine and are not subject to international transfer.

7. How Long Do We Keep Your Information?

When personal information is no longer needed for the purpose for which it was collected, we will destroy or de-identify it in accordance with APP 11.

8. How Do We Keep Your Information Safe?

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:

• Your local memories are secured by your own operating system's file permissions. We have no access to them.
• Payment data is handled entirely by Stripe under PCI-DSS compliance.
• The only personal information we hold (email addresses from purchases) is stored securely and access is restricted.
• We destroy or de-identify personal information when it is no longer needed for the purpose for which it was collected.

Data Breach Notification

A is for App complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

If we become aware of an eligible data breach (where personal information we hold is subject to unauthorised access, disclosure, or loss, and is likely to result in serious harm), we will:

• Take immediate steps to contain the breach and mitigate harm.
• Assess whether the breach is likely to result in serious harm to any affected individuals.
• If serious harm is likely, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
• Include in our notification: a description of the breach, the types of information involved, and recommended steps individuals should take.

Given that we hold almost no personal information (only email addresses from Stripe purchases), the scope of any potential breach is extremely limited. Your memory data is stored locally on your device and is never held by us.

For EU/UK users, we will also comply with the 72-hour notification requirement under the GDPR where applicable.

9. Do We Collect Information from Minors?

Suvadu is not directed at children under the age of 13 (or under 16 in the European Union). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hello@aisforapp.com and we will take steps to delete it.

10. What Are Your Privacy Rights?

Depending on your location, you may have certain rights regarding your personal information. These include:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to erasure/deletion: You may request deletion of any personal data we hold. For local data, you control it entirely -- delete ~/.suvadu/ at any time.
• Right to rectification/correction: You may request correction of any inaccurate personal data we hold.
• Right to restrict processing: You may request that we restrict how we use your personal data.
• Right to data portability: Your local memories are stored as standard Markdown files. They are already portable. For data we hold (email address), you may request it in a structured, machine-readable format.
• Right to object: You may object to our processing of your personal data.
• Right to withdraw consent: Where processing is based on consent (bug reports), you may withdraw consent at any time by simply not initiating bug reports.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, email hello@aisforapp.com. We will respond within 30 days (or 45 days for CCPA requests).

See sections 12, 13, and 14 for region-specific rights.

11. Do We Make Automated Decisions?

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you. Suvadu's semantic search uses AI embedding models to match queries to stored memories, but this is a local retrieval function on your own device -- not a decision-making process controlled by us.

12. Do Australian Residents Have Specific Privacy Rights?

A is for App is subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Below is how we comply with each principle relevant to our operations.

APP 1 -- Open and Transparent Management of Personal Information

This Privacy Notice is freely available at suvadu.aisforapp.com/privacy. It clearly describes what personal information we collect, how we collect it, why we collect it, and how you can access or correct it. We keep this notice up to date and make it available at no cost.

APP 2 -- Anonymity and Pseudonymity

You can use Suvadu without identifying yourself to us. The Free tier requires no account, no registration, and no identity disclosure. If you purchase a Pro licence, the only personal information involved is the email address you provide to Stripe for payment processing.

APP 3 -- Collection of Solicited Personal Information

We only collect personal information that is reasonably necessary for our functions:

• Email address (via Stripe): to deliver your licence key and handle refund requests.
• Payment confirmation (via Stripe): to fulfil your purchase.
• Anonymous analytics (via GA4): to understand aggregate product usage. This data is not personal information as it cannot be linked to an individual.

We do not collect sensitive information as defined under the Privacy Act.

APP 4 -- Dealing with Unsolicited Personal Information

If we receive personal information we did not request (for example, in a bug report or email), we will assess whether we could have collected it under APP 3. If not, we will destroy or de-identify it as soon as practicable.

APP 5 -- Notification of the Collection of Personal Information

This Privacy Notice serves as our notice of collection. We describe the types of personal information we collect, the purposes for collection, and any third parties to whom information may be disclosed, at or before the time of collection.

APP 6 -- Use or Disclosure of Personal Information

We use personal information only for the purpose for which it was collected:

• Email addresses are used to deliver licence keys and process refund requests.
• Payment confirmations are used to fulfil purchases.

We do not disclose personal information to third parties except as described in this notice (Stripe for payment processing).

APP 7 -- Direct Marketing

We do not use personal information for direct marketing. We will not send you marketing emails, promotional materials, or advertising. If we ever introduce optional communications (such as release announcements), you will be required to opt in, and unsubscribe will be available, in compliance with the Spam Act 2003 (Cth).

APP 8 -- Cross-Border Disclosure of Personal Information

See Section 6: Is Your Information Transferred Internationally?. Where personal information is disclosed to overseas recipients (Stripe and Google), we take reasonable steps to ensure those recipients handle the information in accordance with the APPs. Both Stripe and Google maintain data protection frameworks that meet or exceed Australian requirements.

APP 9 -- Adoption, Use, or Disclosure of Government-Related Identifiers

We do not collect, use, or disclose government-related identifiers.

APP 10 -- Quality of Personal Information

We take reasonable steps to ensure the personal information we hold is accurate, up-to-date, complete, and relevant. Given the minimal data we collect, this is straightforward. You can contact us at any time to correct information we hold about you.

APP 11 -- Security of Personal Information

See Section 8: How Do We Keep Your Information Safe? for full details on our security measures.

APP 12 -- Access to Personal Information

You have the right to access the personal information we hold about you. The only personal information we may hold is the email address you provided to Stripe when purchasing a licence. To request access, email hello@aisforapp.com. We will respond within 30 days.

APP 13 -- Correction of Personal Information

You have the right to request correction of any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. Contact us at hello@aisforapp.com and we will correct the information within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au

13. Do California Residents Have Specific Privacy Rights?

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to know: You have the right to know what personal information we collect, use, disclose, and sell. This Privacy Notice provides that information. You may also make a verifiable request for specific pieces of personal information we hold about you.
• Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions under the CCPA.
• Right to opt-out of sale: We do not sell your personal information. We have never sold personal information and have no plans to do so.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, service quality, or access levels.

To exercise your CCPA rights, email hello@aisforapp.com with the subject line "CCPA Request". We will verify your identity before processing your request and respond within 45 days.

14. Do EU/UK Residents Have Specific Privacy Rights?

If you are located in the European Union or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR respectively:

• Right of access: You may request a copy of the personal data we hold about you. The only personal data we may hold is the email address provided to Stripe when purchasing a licence.
• Right to erasure: You may request deletion of any personal data we hold. For local data, you control it entirely -- delete ~/.suvadu/ at any time.
• Right to rectification: You may request correction of any inaccurate personal data we hold.
• Right to restrict processing: You may request that we restrict how we use your personal data.
• Right to data portability: Your local memories are stored as standard Markdown files. They are already portable. For data we hold (email address), you may request it in a structured, machine-readable format.
• Right to object: You may object to our processing of your personal data. Given we process almost no personal data, this is straightforward to honour.
• Right to withdraw consent: Where processing is based on consent (bug reports), you may withdraw consent at any time by simply not initiating bug reports.

To exercise any of these rights, email hello@aisforapp.com. We will respond within 30 days.

15. What About the Cloud Tier?

We plan to offer a Cloud tier in the future. Under this model:

• We deploy Suvadu into your own Google Cloud account via OAuth.
• After deployment, we exit. We do not retain access to your cloud resources or data.
• Your memories are stored in your own cloud infrastructure, under your control.
• Google Cloud's own terms of service and privacy policy apply to your use of Google Cloud.
• We do not operate any hosted service or maintain ongoing access to your data.

This Privacy Notice will be updated when the Cloud tier becomes available.

16. How Can You Report Bugs or Send Feedback?

Suvadu includes optional MCP tools (report_bug and send_feedback) that let you submit bug reports or feature requests through your AI assistant.

• These are user-initiated only. Nothing is sent without you explicitly asking your AI tool to report a bug or send feedback.
• Bug reports may include diagnostics: version, platform, tier, memory count, LanceDB health status, and recent error log lines from ~/.suvadu/mcp.log.
• Bug reports never include memory content, query text, or full log files.
• If the GitHub CLI (gh) is available on your machine, the report is submitted as a GitHub Issue. Otherwise, you receive a formatted report to submit manually.

17. Do We Make Updates to This Notice?

We may update this Privacy Notice from time to time. When we do, we will update the "Last updated" date at the top. For significant changes, we will note them in our release notes on GitHub.

We encourage you to review this notice periodically. Continued use of Suvadu after changes are posted constitutes acceptance of the updated notice.

18. How Can You Contact Us?

If you have questions about this Privacy Notice or your personal information:

ABN: [To be added]

Victoria, Australia

Email: hello@aisforapp.com

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au

You may lodge a complaint with your local data protection supervisory authority or the UK Information Commissioner's Office: ico.org.uk.

Email hello@aisforapp.com with the subject line "CCPA Request".

19. How Can You Review, Update, or Delete Your Data?

Based on your location, you may exercise your rights under:

• GDPR (EU/UK): See Section 14
• CCPA (California): See Section 13
• Australian Privacy Principles: See Section 12