Privacy & Security

Hey Ova
Privacy Policy

Effective Date: 15 October, 2025

1. Introduction

Welcome to Hey Ova, an AI-powered voice assistant designed to redefine personal computing through intelligent automation and voice interaction.

At Hey Ova, your privacy and data security are our highest priorities. This Privacy Policy explains how we collect, use, store, and protect your data, including data obtained from Google APIs, and how you can control it.

By using our app or related services, you consent to the data practices described in this policy.

2. Compliance with Google API Services User Data Policy

Hey Ova strictly adheres to the Google API Services User Data Policy, including its Limited Use requirements.

We only access, use, store, and share Google user data to provide the specific functionality that users explicitly request and authorize through Google OAuth.

3. Data Accessed from Google APIs

When you sign in or connect your Google account, Hey Ova may access certain Google data, depending on the permissions you grant.

Specifically, Hey Ova may access:

Important:

• Hey Ova will only access the data that you explicitly consent to share during Google OAuth sign-in.

• Your Google data is never used for advertising purposes.

• You can revoke access at any time through your Google Account Permissions.

• We do not access or store any other Google data beyond the permissions you approve.

Basic Google Profile Information

Your name, email address, and profile picture.

Google Calendar Events

To view, create, update, or delete calendar events only when you explicitly request or authorize these actions.

Gmail (Read and Write)

To read, send, or manage your emails only if you grant explicit permission. This may be used to perform voice-based email actions such as reading new messages aloud, composing emails, or managing your inbox via voice commands.

4. Data Usage

Hey Ova uses the data accessed from your Google account solely to provide the services you explicitly request.

We never use Google user data for advertising, marketing, profiling, or training any external machine learning models.

Specifically:

Hey Ova does not:

• Use Gmail data for advertising or marketing.

• Transfer Gmail data to any external application without user consent.

• Store Gmail message content beyond what's necessary for the requested action.

All access is session-based and revocable at any time through your Google Account settings.

Basic Google Profile Information

Used to personalize your app experience (e.g., greet you by name, associate your account, and sync preferences).

Google Calendar Events

Used to display, create, modify, or delete your calendar events when you use corresponding voice commands.

Example: "Hey Ova, create a meeting at 3 PM tomorrow."

Gmail (Read/Write Access)

Used only when you grant explicit permission to:

• Read emails aloud when you ask (e.g., "Read my latest email").

• Compose or send new emails via voice commands.

• Organize or delete messages at your request.

• Summarize or manage inbox messages locally to help with productivity tasks.

5. Data Sharing and Disclosure

We do not share, sell, or transfer any Google user data — including Gmail or Calendar content — to third parties except in these limited cases:

Third-Party Service Providers

We use a few secure providers to power core app features:

• Deepgram API – processes your voice commands into text (transcription only).

• Microsoft Azure – securely hosts Hey Ova's backend systems, encrypted databases, and API services.

These providers do not have access to your Gmail or Calendar data.

They only process anonymized or minimal necessary data to execute requested commands.

Legal Requirements

We may disclose data if required by law, regulation, or valid legal request — and only to the extent required by applicable law.

6. Data Storage and Protection

We prioritize the protection of all user and Google data through multiple security layers:

Encryption

All Google data (including Gmail or Calendar content) is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Access Control

Access to user data is strictly limited to authenticated sessions and restricted internal systems.

Infrastructure

Data is hosted on Microsoft Azure Cloud using its enterprise-grade security stack. Azure complies with ISO 27001, SOC 2, and GDPR standards, ensuring global best practices for cloud data protection.

No Local Retention of Gmail Content

Hey Ova does not permanently store or log your Gmail message bodies, subject lines, or attachments after an action is completed. Any temporary cache used for processing is deleted immediately after use.

7. Data Retention and Deletion

We retain user data only for as long as required to provide Hey Ova's core services.

Gmail and Calendar Tokens

Retained until you revoke access through your Google Account or delete your Hey Ova account. Upon revocation, tokens and all associated data are immediately deleted.

Voice Recordings

Stored only if you have opted in. You can delete any or all of your recordings at any time directly from the app.

User Account Data

(name, email, preferences) is deleted immediately when you request account deletion.

Upon confirmation, all personal data is removed from our systems and backups within 30 days.

8. User Rights and Controls

You retain complete control over your data:

Revoke Access

Revoke Google data permissions anytime from your Google Account Permissions.

Delete Account and Data

Request full data deletion via in-app settings or by contacting support@heyova.com.

Your data (including tokens, preferences, and voice recordings) is deleted immediately upon request.

Voice Recording Control

You can view, manage, or delete your recordings at any time within the app.

Transparency

Hey Ova always displays when your Google data (email or calendar) is being accessed or used. No hidden data operations occur.

9. Restricted Scope Compliance (Gmail Data)

Hey Ova fully complies with Google's restricted scope requirements for Gmail API data. Specifically:

Data Transfer Restrictions

Gmail data is not transferred, shared, or used outside of user-initiated app features.

Human Access

Gmail content is not read by humans, except when explicitly authorized by the user for troubleshooting.

Usage Restrictions

Gmail data is not used for ads, data mining, or profile building.

Ephemeral Processing

Any Gmail data processed for voice interaction is handled ephemerally and deleted immediately after execution.

Token Security

OAuth tokens are securely stored in Azure Key Vault and deleted as soon as you revoke access.

10. Children's Privacy

Hey Ova is not designed for children under 13. We do not knowingly collect personal data from minors. If such data is discovered, it will be immediately deleted.

11. Modifications to This Policy

We may periodically update this Privacy Policy to reflect operational or legal changes. Any updates will be published at https://heyova.com/privacyPolicy with the revised effective date. Continued use of our services after updates constitutes acceptance of the new policy.

Your Privacy Rights

We believe in transparency and giving you control over your data

Data Protection

Your voice recordings are encrypted and protected with enterprise-grade security measures.

Full Control

You can review, manage, and delete your voice recordings at any time through the app.

No Sharing

We never share your personal voice recordings with external parties without your consent.

Questions About Privacy?

We're committed to transparency. If you have any questions about our privacy practices, we're here to help.