Privacy Policy
This Privacy Policy describes how Ayuuto ("we", "us", "our") collects, uses, and shares information when you use the Kayd mobile application and the website at ayuuto.ca (together, the "Service"). Kayd is operated by Ayuuto, based in Canada.
Plain-language summary. Kayd is a coordination tool for rotating savings circles. We collect the minimum information needed to run your circle: your account info, the circles you're a member of, your contributions, and any proof images you choose to attach. We don't sell your data, we don't run ads, and we don't handle money — your group pays each other directly.
1. What we collect
1.1 Information you provide
- Account information: email address, display name, and (optionally) profile avatar.
- Authentication identifier: when you sign in with Apple or Google, we receive a stable identifier from those providers. With Sign in with Apple, you may use Apple's Hide-My-Email relay; we only ever see the relay address.
- Circle activity: the circles you create or join, contribution amounts and dates, payout order, round status, dispute notes, and any proof image you choose to attach to a contribution.
- Support correspondence: if you email us at support@ayuuto.ca we keep a copy of the message and our reply.
1.2 Information collected automatically
- Push tokens: if you grant notification permission, we store an Expo Push token tied to your account so we can deliver round-related notifications to your device.
- Crash and error data: when the app crashes or hits an unexpected error, we collect anonymized stack traces, device model, and OS version via Sentry. We strip personally identifiable information from these reports before they leave your device.
- Backend request logs: server-side requests to our API are logged with a request identifier, the function name, and timing. These logs do not include the contents of your messages, contributions, or proofs.
- Trust score: derived from your on-time contribution history. We compute this server-side; it is not shared outside circles you are a member of.
1.3 What we do NOT collect
- We do not collect payment instruments, bank account numbers, or card numbers — Kayd does not handle money.
- We do not run third-party advertising trackers, behavioural analytics, or fingerprinting SDKs.
- We do not collect contacts from your phone, your camera roll, or your location.
- We do not sell your personal information.
2. How we use information
- To run the Service: create your account, show your circles, record contributions, deliver notifications, resolve disputes.
- To communicate: transactional emails (invites, password resets) and in-app push notifications. We do not send marketing email.
- To keep Kayd safe and reliable: investigate bugs, prevent abuse, enforce rate limits, fix security issues.
- To meet legal obligations: respond to lawful requests, comply with applicable laws.
3. How we share information
We share information only as needed to run the Service or as required by law.
3.1 Visibility within the app
- Your display name and avatar are visible to other members of any circle you join.
- Your contribution status, dates, and proof images are visible to other members of the same circle.
- Your trust score is visible to members of any circle you are in.
- Other members cannot see your email address unless you display it yourself.
3.2 Service providers
We use the following third-party processors:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All account and circle data; hosted in Canada (Central) region |
| Expo (push delivery via APNs & FCM) | Deliver push notifications | Push token, notification title and body |
| Apple — Sign in with Apple | Authentication | Stable user identifier; relay email if used |
| Google — Sign in with Google | Authentication | Stable user identifier and email address |
| Mailtrap | Send transactional email (invites, password resets) | Recipient email and message body |
| Sentry | Error reporting | Anonymized crash traces, device model, OS version (PII scrubbed before transmission) |
| Cloudflare | DNS and content delivery for ayuuto.ca | Standard request logs (IP, user agent) for the website only |
3.3 Legal disclosures
We may disclose information if we are required to do so by law, regulation, court order, or other legal process; to enforce our Terms of Service; or to protect the rights, safety, or property of users, the public, or Ayuuto.
3.4 No sale of personal information
We do not sell, rent, or share your personal information for advertising or commercial purposes outside what is described above.
4. International transfers
Kayd's primary database and storage are hosted in Canada (Central) on Supabase. Some of our service providers (Apple, Google, Sentry, Mailtrap, Cloudflare) are headquartered in or operate from the United States and may process data there. By using Kayd, you understand that your information may be transferred to and processed in jurisdictions other than your own, subject to safeguards required by applicable law.
5. Data retention
- Account data is retained while your account is active.
- Circle and contribution data is retained as long as the circle exists. Archived circles are retained so members can access historical records.
- Notifications older than 90 days are automatically deleted from our servers.
- Crash reports are retained by Sentry for up to 90 days under our default plan.
- Backend request logs are retained for up to 30 days and used only for debugging and abuse prevention.
- If you delete your account, we delete your profile, push tokens, and personal information within 30 days. We may retain anonymized records of closed circles for the integrity of the audit ledger seen by other members; those records will not include identifying information about you.
6. Your rights
Depending on where you live (e.g., under PIPEDA in Canada, GDPR in the EEA/UK, or CCPA in California), you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated personal data.
- Export a copy of your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent (e.g., push notifications).
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@ayuuto.ca. We will respond within 30 days. We may need to verify your identity before acting on your request.
7. Account deletion
You can delete your account at any time from inside the Kayd app (Profile → Delete account) or by emailing support@ayuuto.ca from the address associated with your account. Account deletion is described in detail under Section 5 (Data retention).
8. Security
We protect your data with industry-standard practices, including:
- HTTPS/TLS encryption for all data in transit.
- Encrypted database storage at rest, managed by Supabase.
- Row-level security policies that restrict each user's view to circles they belong to.
- Rate limiting and abuse prevention on sensitive endpoints.
- Service role keys stored in encrypted vaults, rotated periodically.
No system is perfectly secure. If you believe your account has been compromised, contact support@ayuuto.ca immediately.
9. Children's privacy
Kayd is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact support@ayuuto.ca and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, notify you in-app or by email before the change takes effect. Continued use of Kayd after a change means you accept the revised Policy.
11. Contact us
For questions about this Policy or your data:
- Email: support@ayuuto.ca
- Privacy-specific concerns: privacy@ayuuto.ca
- Mail: Ayuuto, Privacy Officer, Canada (full address available on request)