StayConnected
Privacy Policy
Effective May 2026
The Aviary Labs (“we”, “us”, or “our”) operates the StayConnected mobile application (“the App”), a personal CRM that helps you stay in touch with the people who matter to you. This Privacy Policy explains what data we collect, how it is stored, who we share it with, and your rights under the New Zealand Privacy Act 2020 and similar laws.
1. Data we collect
To provide its features, the App stores the following information that you choose to enter:
- Contact records — names, relationships, notes, key dates, conversation history, and any other details you add about your contacts.
- Account information — an email address (and authentication credentials) used to sign in and sync your data across devices.
- App usage data — a minimal amount of operational data (e.g. error reports, feature timestamps) used to keep the App working and improve reliability.
We do not knowingly collect data about children, and we never collect data about your contacts beyond what you personally choose to record.
2. How your data is stored and protected
Your contact records are stored in our cloud database, hosted by Supabase, Inc. We protect this data with the following layers:
- In transit: all communication between the App and our servers is protected by TLS (HTTPS).
- At rest: sensitive contact fields are encrypted before being written to the database. Encryption and decryption are performed inside our Supabase Edge Functions (serverless code that runs on our behalf), so encrypted ciphertext — not plaintext — is what is stored at rest.
- Access controls: the encryption keys used by our Edge Functions are managed as server-side secrets and are not accessible to our staff in the course of normal operations. Access to production systems is limited to personnel who require it for support, security, or maintenance, and is logged.
This means that while we use strong encryption, this is not end-to-end encryption. Because decryption happens on our infrastructure (not solely on your device), authorised systems and personnel could in principle access your contact data — for example to investigate a security incident, to comply with a lawful request, or to provide support you have asked for. We will never sell your data or use it for advertising.
Account metadata required to operate the service (such as your email address and sign-in events) is stored in Supabase under industry-standard security controls and is not encrypted at the application layer.
3. AI-powered conversation suggestions
When you ask the App to suggest a conversation starter — either for a contact you have selected or for one chosen at random from your contacts — the relevant context (the notes and details you have stored about that contact) is decrypted inside our Supabase Edge Functions and sent to Google’s Gemini API to generate a suggestion. The suggestion is returned to your device and is not retained by us beyond what is necessary to deliver the response.
Google processes this request as a sub-processor under their own terms. Per Google’s published API policies at the time of writing, prompts and responses sent through the Gemini API are not used to train Google’s general-purpose models.
The AI feature is opt-in per use: contact data is only sent to Google when you explicitly tap to generate a suggestion (whether for a chosen contact or a random one from your contacts). If you never invoke the feature, no contact data is sent to Google.
4. Sub-processors
We rely on the following third parties to operate the App:
- Supabase, Inc. — authentication, database hosting, and the Edge Functions that perform server-side encryption and decryption on our behalf.
- Google LLC (Gemini API) — generating conversation-starter suggestions when the feature is used.
We do not sell your data, and we do not share it with advertisers or analytics brokers.
5. Your rights
You can, at any time:
- Access and export your data from within the App.
- Edit or delete any contact record.
- Delete your account, which permanently removes your contact records and account metadata from our servers within 30 days.
- Decline AI suggestions at any time — the feature is opt-in per use, so simply not invoking it means no contact data is sent to Google.
To exercise these rights, use the in-app controls or contact us at support@theaviarylabs.com.
6. Data retention
Contact data is retained for as long as your account is active. After account deletion, data is removed from active systems within 30 days and from backups within 90 days.
7. International transfers
Supabase and Google may process data outside New Zealand. Where data is transferred internationally, we rely on the contractual and security commitments of those providers, together with the encryption and access controls described above.
8. Children’s privacy
StayConnected is intended for adults. We do not knowingly create accounts for people under the age required by their local law (16 in New Zealand and the EU, 13 in the United States).
9. Changes to this policy
We may update this Privacy Policy from time to time. The effective date above will be revised when changes are made. We will notify you in-app of material changes before they take effect.
10. Contact
For privacy questions or to exercise any of the rights above, contact:
The Aviary Labs · Burwood, Christchurch, New Zealand · support@theaviarylabs.com