
This policy explains in plain language what data we process in Afai, for what purpose, and on what legal basis. The data controller for your account, conversations, memory, and feedback is Aquaforest sp. z o.o. sp. k. (details below). Stated upfront: Afai is an AI assistant, and conversation content may be processed by external AI model providers.
We have not appointed a Data Protection Officer (DPO). You can direct data-protection matters to [email protected].
The controller is established in Poland, within the European Union.
Identity is established through Google sign-in, which is a source of part of your account data (Art. 14 GDPR).
For the Art. 6(1)(f) basis we balance our legitimate interest against your rights and freedoms and take your objection into account. Do not enter special categories of data within the meaning of Art. 9 GDPR (e.g. about health, opinions, or beliefs) into the chat.
Account data is necessary to authenticate you and to use Afai — without it we cannot provide the service.
Aquarium data, memory, attachments, and feedback are optional. You can use the service without providing them.
We share your data with AI providers and with our sign-in (identity) provider. Conversation content, audio, and attachments may be passed by OpenRouter (a processor that routes requests) to AI models. We currently use Gemini (Google) and Perplexity models, which act as processors (sub-processors). For authentication we use Google Sign-In.
We require providers to enter into data processing agreements (DPAs) and — where possible — to not use data for model training and to apply zero retention. The actual scope of any transfer may depend on the model and endpoint used.
We also use infrastructure providers (hosting, database, security services) who act as processors on our behalf.
The full content of uploaded files (images, PDFs, audio) is passed to external AI providers for analysis and to generate an answer.
Files are not stored in chat history by default, although their descriptions or metadata may be retained. Do not upload sensitive data or other people’s data without a legal basis.
Memory is disabled by default and relies on your consent. You can enable and disable it and manage the stored facts (delete individual facts or all of them) in settings.
Disabling memory stops the saving of new facts. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
Automatic intent recognition and the selection of products and articles may constitute profiling within the meaning of Art. 4(4) GDPR.
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you — Art. 22 GDPR does not apply. The service is advisory in nature.
After account deletion, some data may remain briefly in backups and logs before being overwritten. Legal obligations may extend the retention period.
To exercise these rights, write to [email protected]. You can delete your account yourself in settings.
You have the right to lodge a complaint with a supervisory authority, in particular the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl — without prejudice to any other legal remedy.
Only authorized people have access to the data, to the extent necessary to operate, secure, and run the service, with access control and event logging.
Afai is intended for people who are at least 16 years old (the consent threshold in Poland for consent-based features). We do not knowingly collect data from people under 16.
We use only strictly necessary and functional cookies and local storage (localStorage), with no tracking and no advertising.
You can find the details in our Cookie Policy (/cookies).
You are talking to an AI system, not a human. Answers may be inaccurate, incomplete, or out of date and are informational in nature — they do not replace professional advice.
Before critical decisions (dosing, water parameters, livestock health) verify the information yourself. The models we use are described in the section on AI providers.
We use encryption in transit (TLS), a session stored in an HttpOnly (not accessible to page scripts) + Secure (sent only over HTTPS) cookie with a SameSite restriction (protection against being sent in cross-site requests), rate limiting, access control, and event logging.
We design the service with privacy in mind — memory is disabled by default, and you can delete your data.
We version this policy. For material changes we will inform you and may ask you to accept it again.