Wren
Privacy Policy
Effective 13 June 2026
The Aviary Labs (“we”, “us”, or “our”) operates the Wren mobile application (“the App”), a personal CRM that helps you stay in touch with the people who matter to you. This Privacy Policy explains what data we collect, how it is stored, who we share it with, and your rights under the New Zealand Privacy Act 2020 and similar laws.
1. Data we collect
To provide its features, the App stores the following information that you choose to enter:
- Contact records — names, relationships, interests, notes, key dates, life events, key people, and any other details you add about your contacts.
- Account information — your email address and the sign-in method you choose: Sign in with Apple, Sign in with Google, or email. We store the credentials and tokens needed to keep you signed in and to sync across devices. Where Apple issues us a token, it is encrypted at rest (see section 2) and is revoked when you delete your account.
- App usage data — a minimal amount of operational data (e.g. error reports, feature timestamps) used to keep the App working and improve reliability.
We do not knowingly collect data about children, and we never collect data about your contacts beyond what you personally choose to record.
Because some of these fields are free-form, they may incidentally contain sensitive information — such as health, religious or philosophical beliefs, or sexual orientation — if you choose to record it. We do not ask for or intentionally collect such information. Where you do enter it, it is protected by the same encryption described below, and you are responsible for having a proper basis to record information about another person.
2. How your data is stored and protected
Your contact records are stored in our cloud database, hosted by Supabase, Inc., in the Asia Pacific (Sydney, Australia) region. We protect this data with the following layers:
- In transit: all communication between the App and our servers is protected by TLS (HTTPS).
- At rest: sensitive contact fields (and the Apple sign-in token, where applicable) are encrypted with AES-256-GCM before being written to the database, using a unique initialisation vector per field. Encryption and decryption are performed inside our Supabase Edge Functions (serverless code that runs on our behalf), so ciphertext — not plaintext — is what is stored at rest.
- Key custody: the master encryption key is generated inside AWS Key Management Service (KMS), is non-exportable, and is only ever stored in its KMS-wrapped form. Our Edge Functions unwrap it in memory at runtime; it is never written to disk in plaintext and is not accessible to our staff in the course of normal operations.
- Backups: database backups are stored in AWS S3 in the same Australian region, encrypted with AWS KMS, and automatically deleted after 30 days.
- Access controls: access to production systems is limited to personnel who require it for support, security, or maintenance, and is logged.
This is strong encryption, but not end-to-end encryption: because decryption happens on our infrastructure, authorised personnel could in principle access your contact data — for example to investigate a security incident, comply with a lawful request, or provide support you have asked for.
Account metadata required to operate the service (such as your email address and sign-in events) is stored in Supabase under industry-standard security controls and is not encrypted at the application layer.
3. AI-powered conversation suggestions
When you ask the App to suggest a conversation starter or to expand on one, we do not send your contact’s identifying details. By design, the request is assembled on our server from a deliberately limited set of non-identifying signals: the relationship type (e.g. “Friend”), the interests you have recorded, and how long it has been since you were last in touch. Your contact’s name, notes, key dates, key people, life events, occupation, and location are never included in these requests and are never sent to any AI provider. (They are still stored — encrypted — on our servers so they can sync across your devices, as described in section 2.)
- Google’s Gemini API generates the suggestion from those non-identifying signals. The suggestion is returned to your device and is not retained by us beyond what is necessary to deliver the response. Google processes this request as a sub-processor under its own terms; on the paid API tier we use, prompts and responses sent through the Gemini API are not used to train Google’s general-purpose models.
- Qdrant Cloud (hosted in Australia) is used to find recent, publicly published news and articles relevant to the interests you recorded, so suggestions can reference current events. Only the interest text is used for this lookup; no contact identity is involved.
The AI feature is opt-in per use: these signals are only sent when you explicitly tap to generate a suggestion. If you never invoke the feature, nothing is sent to Google or Qdrant.
4. Sub-processors
We rely on the following third parties to operate the App:
- Supabase, Inc. — authentication, database hosting (Australia), and the Edge Functions that perform server-side encryption and decryption on our behalf.
- Amazon Web Services (AWS) — Key Management Service (custody of the master encryption key) and S3 (encrypted database backups), both in the Australian region.
- GitHub, Inc. — runs the automated job that produces the encrypted backups.
- Google LLC (Gemini API) — generating conversation suggestions and assistant replies from non-identifying signals when the feature is used.
- Qdrant Solutions GmbH (Qdrant Cloud) — retrieving relevant public articles based on the interests you record, when the feature is used. Hosted in Australia (Google Cloud, australia-southeast1).
- Apple Inc. and Google LLC — authentication, when you choose Sign in with Apple or Sign in with Google.
We do not sell your data, and we do not share it with advertisers or analytics brokers.
5. Your rights
You can, at any time:
- Access and export your data from within the App.
- Edit or delete any contact record at any time.
- Delete your account — permanently and irreversibly — either from within the App (Settings → Delete my account & data) or from our web page at theaviarylabs.com/legal/wren/delete-account. The web page verifies control of your account email before deleting. See section 6 for exactly what this removes and what minimal record we retain.
- Decline AI suggestions at any time — the feature is opt-in per use, so simply not invoking it means nothing is sent to Google or Qdrant.
To exercise these rights, use the in-app controls, the web deletion page, or contact us at support@theaviarylabs.com.
6. Data retention
Contact data is retained for as long as your account is active. When you delete your account, your profile, all contact records, contact history, reminders, and sign-in credentials are erased from our active systems immediately. They are then purged from our encrypted backups as those backups age out, which takes up to 30 days.
To guarantee that a deleted account is not silently restored if we ever have to recover from a backup, we keep one minimal record of the deletion: a random account identifier and the date of deletion. This record contains no personal data — no name, email, or contact information — and exists solely to re-apply your deletion to any restored backup. It is retained as a permanent suppression record.
7. International transfers
Your contact data and backups are stored in Australia (AWS Asia Pacific, Sydney), and the article-retrieval service (Qdrant) is also hosted in Australia. The one exception is Google’s Gemini API, which may process the limited non-identifying signals described in section 3 in other countries.
For users in New Zealand and Australia, that disclosure to Google is a cross-border disclosure under the NZ Privacy Act 2020 / Australian Privacy Principle 8. For users in the EU/EEA and the UK, any processing outside that area (including storage in Australia and the disclosure to Google) is made under Standard Contractual Clauses, or an equivalent approved mechanism, together with the encryption and access controls described above. We rely on the contractual and security commitments of each provider in every case.
8. Children’s privacy
Wren is intended for adults. We do not knowingly create accounts for people under the age required by their local law (16 in New Zealand and the EU, 13 in the United States).
9. Changes to this policy
We may update this Privacy Policy from time to time. The effective date above will be revised when changes are made. We will notify you in-app of material changes before they take effect.
10. Contact
For privacy questions or to exercise any of the rights above, contact:
The Aviary Labs · Christchurch, New Zealand · support@theaviarylabs.com