Back to app
Last updated: 2026-03-09

Afai Privacy Policy

This policy explains in plain language what data we process in Afai, for what purpose, and on what legal basis. The data controller for your account, conversations, memory, and feedback is Aquaforest sp. z o.o. sp. k. (details below). Stated upfront: Afai is an AI assistant, and conversation content may be processed by external AI model providers.

1. Data Controller and Contact

Controller:
Aquaforest sp. z o.o. sp. k.
Address:
ul. Starowiejska 18, 32-800 Brzesko, Poland
KRS:
0000660869
NIP:
945-212-07-24

We have not appointed a Data Protection Officer (DPO). You can direct data-protection matters to [email protected].

The controller is established in Poland, within the European Union.

2. Data We Process

Account
email, Google profile name, first name, last name, avatar, login timestamps.
Conversations and messages
the content of questions and answers, session titles, language, recognized intents, recommended products and articles.
Attachments
images, PDF files, audio.
Memory
optional facts, if you enable memory.
Feedback
the rating and a record of the related question and answer.
Aquarium profiles
name, type, volume, notes.
Security logs
IP address, browser identifier (User-Agent), sign-in events, rate limits.
Operational and cost data
the model used, token counts, response time.

Identity is established through Google sign-in, which is a source of part of your account data (Art. 14 GDPR).

3. Purposes and Legal Bases

Account and sign-in
Art. 6(1)(b) GDPR — performance of the service contract.
Chat core: answers, context, history, limits
Art. 6(1)(b) GDPR — performance of the service.
Personalization memory
Art. 6(1)(a) GDPR — consent; disabled by default.
Feedback and service quality
Art. 6(1)(f) GDPR — legitimate interest in maintaining service quality and security.
Security, limits, abuse prevention
Art. 6(1)(f) GDPR — legitimate interest.

For the Art. 6(1)(f) basis we balance our legitimate interest against your rights and freedoms and take your objection into account. Do not enter special categories of data within the meaning of Art. 9 GDPR (e.g. about health, opinions, or beliefs) into the chat.

4. Is Providing Data Required

Account data is necessary to authenticate you and to use Afai — without it we cannot provide the service.

Aquarium data, memory, attachments, and feedback are optional. You can use the service without providing them.

5. Data recipients (AI and identity providers)

We share your data with AI providers and with our sign-in (identity) provider. Conversation content, audio, and attachments may be passed by OpenRouter (a processor that routes requests) to AI models. We currently use Gemini (Google) and Perplexity models, which act as processors (sub-processors). For authentication we use Google Sign-In.

OpenRouter
role: processor — routing requests to the selected AI model.
Google / Gemini
AI model; processing may take place outside the European Economic Area (EEA), e.g. in the USA; transfer based on an adequacy decision / the EU-US Data Privacy Framework.
Perplexity
AI model; processing may take place outside the EEA, e.g. in the USA; transfer based on Standard Contractual Clauses (SCC); the provider declares zero data retention.
Google (Sign-In / Identity Services)
Google's sign-in/identity provider; processes authentication data (email address, Google account identifier) to log you into the app; transfer to the USA under the EU-US Data Privacy Framework adequacy decision.

We require providers to enter into data processing agreements (DPAs) and — where possible — to not use data for model training and to apply zero retention. The actual scope of any transfer may depend on the model and endpoint used.

We also use infrastructure providers (hosting, database, security services) who act as processors on our behalf.

6. Attachments and Files

The full content of uploaded files (images, PDFs, audio) is passed to external AI providers for analysis and to generate an answer.

Files are not stored in chat history by default, although their descriptions or metadata may be retained. Do not upload sensitive data or other people’s data without a legal basis.

7. Memory and Optional Consents

Memory is disabled by default and relies on your consent. You can enable and disable it and manage the stored facts (delete individual facts or all of them) in settings.

Disabling memory stops the saving of new facts. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

8. Profiling and Personalization

Automatic intent recognition and the selection of products and articles may constitute profiling within the meaning of Art. 4(4) GDPR.

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you — Art. 22 GDPR does not apply. The service is advisory in nature.

9. Retention

Account
for as long as you hold the account.
Chat history and sessions
until you delete them or delete your account.
Memory
until disabled or the facts are deleted.
Feedback
for a limited time for quality purposes.
Security logs and limits
for a short period.
Operational and cost data
in operational or aggregated form.

After account deletion, some data may remain briefly in backups and logs before being overwritten. Legal obligations may extend the retention period.

10. Your Rights

  1. the right of access to your data,
  2. the right to rectification,
  3. the right to erasure,
  4. the right to restriction of processing,
  5. the right to data portability,
  6. the right to object to processing,
  7. the right to withdraw consent,
  8. the right not to be subject to a decision based solely on automated processing.

To exercise these rights, write to [email protected]. You can delete your account yourself in settings.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl — without prejudice to any other legal remedy.

12. Administrative Access

Only authorized people have access to the data, to the extent necessary to operate, secure, and run the service, with access control and event logging.

13. Children

Afai is intended for people who are at least 16 years old (the consent threshold in Poland for consent-based features). We do not knowingly collect data from people under 16.

14. Cookies

We use only strictly necessary and functional cookies and local storage (localStorage), with no tracking and no advertising.

You can find the details in our Cookie Policy (/cookies).

15. Artificial Intelligence

You are talking to an AI system, not a human. Answers may be inaccurate, incomplete, or out of date and are informational in nature — they do not replace professional advice.

Before critical decisions (dosing, water parameters, livestock health) verify the information yourself. The models we use are described in the section on AI providers.

16. Security

We use encryption in transit (TLS), a session stored in an HttpOnly (not accessible to page scripts) + Secure (sent only over HTTPS) cookie with a SameSite restriction (protection against being sent in cross-site requests), rate limiting, access control, and event logging.

We design the service with privacy in mind — memory is disabled by default, and you can delete your data.

17. Changes to this Policy

We version this policy. For material changes we will inform you and may ask you to accept it again.