Legal

Privacy Policy

Last updated: June 18, 2026

HeyVasya (“we”, “our”, or “us”), operated by Malex Software BV, describes in this Privacy Policy how we collect, use, and protect your information when you use the HeyVasya service at heyvasya.com (“Service”). The Service is hosted in the European Union and operates in compliance with the General Data Protection Regulation (GDPR) and applicable Dutch data-protection law.

Data controller: Malex Software BV

Registered address: John Napierstraat 20, 1086 ZS Amsterdam, Netherlands

KvK (Chamber of Commerce): 86688103

Email: [email protected]

1. What data we collect

Account and identity data

Your email address, used to create and authenticate your account via one-time passcode.
Your Telegram user ID and/or WhatsApp phone number when you connect a messaging channel.
Your name, if you provide it during setup.

Conversation and interaction data

The messages you send to the assistant and the responses it generates, retained as a conversation log to give the assistant context across sessions.
Structured memory facts (preferences, household context, recurring patterns) that a background memory agent extracts from your conversations and maintains on your behalf.

Special-category data (health and fitness)

If you connect Garmin Connect, the assistant may access health and fitness data such as activity records, heart rate, sleep, and similar metrics. Under GDPR Article 9, health data is special-category data requiring a higher level of protection. We process this data only on the basis of your explicit consent, given at the point of connecting the Garmin integration (Art. 9(2)(a)). You may withdraw that consent at any time by disconnecting the integration in account settings, which immediately stops all processing and causes us to delete stored credentials.

Credentials for third-party integrations

When you connect an external service (such as Gmail, Google Calendar, Garmin Connect, Tesla, Instagram, GitHub, Linear, banking connections via Enable Banking, or others), we store the authentication tokens or credentials required to act on your behalf. All credentials are encrypted at rest using AES-256-GCM. They are decrypted only for the duration of a single agent run and are never transmitted unencrypted outside your isolated execution environment.

Data about third parties in your conversations

When you use the Service, the assistant may process personal data about other individuals — for example, names and contact details mentioned in messages, or information from household members who are themselves users of the Service. We process this data solely to carry out your instructions. You are responsible for ensuring you have an appropriate basis (e.g. consent or legitimate interest) to share information about other people with the Service.

Usage and technical data

Agent run logs (inputs, outputs, errors, model used, token counts) for debugging and quality improvement.
IP address and basic request metadata when you access the web interface, retained for security and abuse prevention.

Cookies and session data

We use essential session cookies necessary to keep you authenticated while you use the web interface. These are strictly necessary for the Service to function and are always active.

With your consent, we also use Plausible, a privacy-friendly, cookieless analytics tool, to measure anonymous, aggregated usage. It sets no cookies, does not track you across sites, and collects no personally identifiable information. We load it only after you accept via our cookie banner; if you reject or make no choice, no analytics script is loaded. We use no advertising or third-party tracking cookies of any kind.

You can change or withdraw your analytics consent at any time: . You can also delete session cookies in your browser settings; doing so will sign you out.

2. How we use your data

We use your data only to provide and improve the Service:

To authenticate you and manage your account.
To execute agent tasks on your behalf — including reading, composing, and sending messages; reading and writing calendar events; querying connected accounts; and any other action you explicitly authorise by connecting an integration.
To maintain your memory and provide contextualised, personalised responses.
To operate scheduled tasks and reminders you configure.
To debug failures and improve reliability.
To comply with legal obligations and protect against misuse, fraud, and security threats.

We do not sell your data. We do not use your data to train third-party AI models. We do not share your data with advertisers.

3. Legal basis for processing (GDPR)

We rely on the following legal bases under Article 6 GDPR:

Processing activity	Legal basis
Account creation and authentication	Contract (Art. 6(1)(b))
Executing agent tasks on your behalf	Contract (Art. 6(1)(b))
Storing third-party credentials	Contract (Art. 6(1)(b))
Memory and personalisation	Legitimate interest (Art. 6(1)(f))
Security logs and abuse prevention	Legitimate interest (Art. 6(1)(f))
Legal compliance	Legal obligation (Art. 6(1)(c))

For special-category health data (e.g. from Garmin Connect), we rely additionally on explicit consent under Article 9(2)(a) GDPR, obtained when you connect a health integration. You may withdraw this consent at any time by disconnecting the relevant integration; withdrawal does not affect the lawfulness of processing before withdrawal.

4. Third-party services and international data transfers

Connected integrations

When you connect a third-party integration, data necessarily flows to and from that provider under their own terms and privacy policy. Malex Software BV is the data controller for the personal data it processes in connection with those integrations. Each third-party provider is a separate, independent controller for data it processes under its own terms. You are responsible for ensuring you are authorised to connect those accounts and that doing so complies with the third party's terms.

AI inference providers and transfers to third countries

AI inference is performed using models provided by Google LLC (Gemini) and Anthropic PBC (Claude), both of which are incorporated in the United States. Sending your conversation content to these providers constitutes a transfer of personal data to a third country under Chapter V GDPR.

We rely on the following transfer mechanisms:

EU–US Data Privacy Framework (DPF): where the provider is certified under the adequacy decision adopted by the European Commission in July 2023.
Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR for any transfers not covered by the DPF adequacy decision.

You can request a copy of the applicable transfer safeguards by emailing [email protected]. Our API agreements with both providers include zero-retention and no-training provisions: your data is not used to train or improve their models.

5. Automated decision-making

The Service takes autonomous actions on your behalf (e.g., sending a message, adding a calendar entry) in response to your instructions or a configured schedule. These actions are executions of your explicit instructions and do not constitute solely automated decisions with legal or similarly significant effect within the meaning of Article 22 GDPR. You remain in control: you configure which integrations are connected, which scheduled tasks run, and what scope the assistant operates within. You can revoke any integration or disable any scheduled task at any time from account settings.

6. Data retention

Conversation logs: retained while your account is active, or until you request deletion.
Agent run logs (inputs, outputs, errors, model metadata): retained for up to 30 days for debugging, then deleted.
Memory facts: retained until you delete them via the memory interface or delete your account.
Third-party credentials: deleted immediately when you disconnect an integration or delete your account.
Security and access logs: retained for up to 90 days.

7. Your rights under GDPR

You have the right to: access the personal data we hold about you; correct inaccurate data; request erasure (“right to be forgotten”); restrict processing; receive a machine-readable export (portability); object to processing based on legitimate interest; and, where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. Where requests are complex or numerous, we may extend this by a further two months and will inform you of the extension within the first month, in accordance with GDPR Art. 12.

You also have the right to lodge a complaint with a supervisory authority. The competent authority in the Netherlands is the Autoriteit Persoonsgegevens (AP) (autoriteitpersoonsgegevens.nl). If you are resident in another EU/EEA member state you may instead lodge a complaint with your local supervisory authority.

8. Data security and breach notification

We use AES-256-GCM encryption for credentials at rest, ephemeral sandboxed containers for each agent run (destroyed after execution), TLS in transit, and strict per-user data isolation. No agent run can access another user's data. Despite these measures, no system is perfectly secure; you accept residual risk by using the Service.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours in accordance with Art. 33 GDPR, and will notify affected individuals without undue delay where required by Art. 34 GDPR.

9. Children

The Service is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

10. Changes to this policy

We will notify you of material changes by email or via an in-app notice at least 14 days before they take effect. The “last updated” date at the top of this page reflects the current version.

11. Contact

For privacy questions, to exercise your rights, or to request a copy of applicable transfer safeguards: [email protected]