Legal document
Privacy Policy
How ShyAI collects, uses, shares, protects, retains, exports, and deletes personal data.
1. Scope and contact
This Privacy Policy applies to the ShyAI Android app, service, support, and this website. ShyAI is the service named in this policy and in its Google Play listing. For privacy questions or rights requests, contact support@dublikmax.helioho.st.
ShyAI is for adults aged 18 or older. The service records your age self-attestation but does not collect your birthdate for the v1 launch.
2. Data we handle
| Category | Examples | Source |
|---|---|---|
| Account and identity | Email address, display name, account ID, password hash, age attestation, verification and recovery records | You and the service |
| Content | Character definitions, avatars, prompts, chat messages, reports, appeal context, blocks, and moderation state | You, generated replies, and reviewers |
| Usage and device | Quota usage, request and response timing, app version, device/network metadata, IP-derived security signals, consent state, and advertising identifiers when allowed | App, device, and providers |
| Security and operations | Session records, rate-limit events, request IDs, audit events, moderation evidence, deletion tombstones, error and service logs | Service and authorized operators |
| Support and rights | Messages, request details, identity-verification steps, export records, and deletion status | You and support |
Please do not put unnecessary real-world sensitive information in prompts, characters, reports, or support messages. Roleplay can reveal sensitive interests or circumstances; ShyAI treats private conversation content as sensitive even where a legal classification differs.
3. Why we use data
- Provide the service: create and secure accounts, deliver conversations, store history, manage characters, apply quota, and respond to requests.
- Protect users and the platform: moderate content, investigate reports, enforce rules, prevent fraud and abuse, and maintain service integrity.
- Communicate: deliver verification, password recovery, support, policy, and operational messages.
- Improve reliability: diagnose failures, measure performance, reconcile quota and ad events, and test changes without using message text as advertising context.
- Meet obligations: keep required consent and audit evidence, honor privacy rights, respond to lawful process, and protect legal claims.
- Show ads: serve permitted AdMob inventory. Personalized requests occur only after required affirmative consent.
Depending on your location and the activity, processing may rely on performing the service contract, legitimate interests in security and reliable operation, your consent, or a legal obligation. Where consent is the basis, you may withdraw it without affecting earlier lawful processing.
4. AI, moderation, and private chat
ShyAI sends the content and context needed for a request to its moderation and AI generation providers. OpenRouter routes AI generation to the model configured for the service. Safety systems check chat input and output; blocked unsafe output is not delivered as a user-visible reply.
Private conversation text is not routinely shown to human reviewers. A reviewer can receive the minimum necessary evidence after your report or appeal, during a narrowly authorized safety investigation, or when law requires access.
Prompts, chat text, character definitions, and report text are not supplied to advertisers as targeting context. ShyAI does not use solely automated decisions to produce legal or similarly significant effects. Durable public-content and account enforcement receives human review.
5. Service providers and disclosures
ShyAI uses providers for defined operational purposes:
| Provider or category | Purpose | Data involved |
|---|---|---|
| Railway | Application hosting and managed Redis | Account and content traffic, operational records, cached quota and rate-limit state |
| Neon | Managed PostgreSQL database | Account, content, consent, moderation, and deletion records |
| Cloudflare | DNS, public website, and R2 avatar storage/delivery | Website/network requests, avatar objects, object keys |
| OpenRouter and model provider | AI text generation | Prompt, required conversation context, model and request metadata |
| Moderation provider | Automated text and image safety checks | Character, chat, report, and avatar content as needed |
| Email delivery provider | Verification, password recovery, and service messages | Email address and one-time message content |
| Google Play | App distribution and platform services | Store account and device information handled under Google’s terms |
| Google AdMob and UMP | Advertising and consent management | Consent state, device and advertising data permitted by your choices and applicable law |
Providers process data under their terms and ShyAI’s service arrangements. We may also disclose the minimum necessary data to comply with valid legal process, protect users or the public from credible harm, investigate abuse, or complete a business transaction subject to appropriate safeguards and notice.
Providers can process data in countries different from yours, including the United States. ShyAI uses provider settings and contractual or legal safeguards appropriate to the transfer where required. Contact us for information about the mechanism relevant to your data and location.
6. Advertising, sale, and sharing
ShyAI does not sell personal information for money. Personalized AdMob activity may be considered “sharing” for cross-context behavioral advertising under some laws. Where applicable, ShyAI asks for consent or provides a choice before making a personalized ad request. You can reopen privacy options in the app and refuse or withdraw personalization.
Refusal results in a permitted non-personalized or limited ad, or no ad. The public website does not use advertising, analytics cookies, or cross-site tracking. Because it does not sell or share website visitor data for cross-context behavioral advertising, a Global Privacy Control signal does not trigger a separate website transaction.
7. Retention and deletion
Active account and content data remains while the account or content is in use. When you delete the account, ShyAI anonymizes account identity, revokes sessions, clears consent and export records, blanks conversation, character, and report details, and schedules avatar objects for deletion. Deleted personal content leaves active systems within 7 days.
A limited deletion tombstone prevents restored backups from resurrecting erased data. Some minimal audit, security, fraud-prevention, legal-hold, or transaction records may be kept longer when reasonably necessary and lawful. Those records are access-controlled, purpose-limited, and do not restore deleted content to the active service.
See Account Deletion for the in-app path and external request instructions.
8. Your choices and privacy rights
Depending on your location, you may have rights to:
- know whether and how personal data is processed and receive access to it;
- correct inaccurate or incomplete personal data;
- delete data, subject to limited legal exceptions;
- restrict or object to certain processing;
- receive portable data in a machine-readable format;
- withdraw consent and object to or opt out of sale or qualifying sharing;
- limit certain uses of sensitive personal information where applicable;
- receive equal service and not be discriminated against for exercising a right; and
- complain to your local data-protection or privacy authority.
The app provides a JSON data export, limited to three requests per 24 hours, and an account deletion action. You may also email support@dublikmax.helioho.st. We may ask for information needed to verify the request and protect the account. An authorized agent can make a request where local law permits, subject to authority and identity verification.
9. Security
ShyAI uses encrypted transport, salted password hashing, rotating sessions, access controls, separated production environments, rate limits, audit trails, and restricted operator access. Providers receive only the data needed for their function. No system is perfectly secure; contact us promptly if you believe your account or data is at risk.
10. Changes and questions
We update this policy when data practices, providers, product behavior, or legal requirements materially change. The version and effective date above identify the current policy. ShyAI requests renewed acceptance when required.
Send privacy requests or questions to support@dublikmax.helioho.st. We aim to respond without undue delay and within the deadline required by applicable law.