Privacy Policy
Effective date: 2026-05-15 · Last updated: 2026-05-17
1. Who we are
Aria is a product of Lab 28 Technologies - FZCO (“Lab 28 Technologies”, “we”, “us”, “our”), a free-zone company registered in Dubai, United Arab Emirates. Aria is an AI cofounder that operates on data you connect to it — your email, calendar, business documents, and the decisions and facts you log over time. This policy explains exactly what we access, how we use it, how long we keep it, and the rights you have over it.
Questions: roger@28labs.ai.
2. What data we collect
We collect three categories of data, and only what is necessary to run the product:
a) Account data
When you sign up, we store your email address and an authentication token (via Supabase Auth). We do not store your password — sign-in is via magic link or Google OAuth.
b) Google account data (when you connect Gmail / Calendar)
If you choose to connect your Google account, Aria requests the following scopes via Google OAuth:
https://www.googleapis.com/auth/gmail.readonly— read access to email headers, subjects, bodies, attachments, and labels. Aria uses this to (i) summarize your recent inbox into a daily digest you can review, (ii) detect invoices, supplier documents, and other patterns you ask Aria to handle, and (iii) answer questions you ask Aria in chat that reference your email (e.g., “what did [sender] email about last week?”). Aria never modifies, deletes, or sends email through this scope.https://www.googleapis.com/auth/calendar.events— view and edit events on your primary calendar. Aria uses this to (i) display upcoming events in your daily snapshot, (ii) check freebusy availability when scheduling meetings, and (iii) create, update, or delete calendar events when you explicitly ask Aria to (e.g., “schedule a follow-up with [contact] next Tuesday at 3pm”). Aria does not modify your calendar settings, share calendars, or delete entire calendars — only individual events on your primary calendar, and only when you explicitly ask.
Aria does not request the gmail.send scope as of 2026-05-14. We may request it in a future verification cycle; if and when we do, we will update this policy and require fresh consent.
c) User-provided data
Anything you type into Aria, upload to Aria (documents, PDFs), or that Aria captures from your usage (decisions you log, facts you mention, priorities you set, motions you configure). This is the data you choose to share to make Aria useful for your business.
3. How we use your data
We use your data only to provide and improve the Aria service for you. Specifically:
- Display your email, calendar, and account data inside the Aria app interface.
- Generate summaries, drafts, and recommendations using AI language models (see Section 4).
- Detect patterns in your email (invoices, recurring vendors, action items) for the features you enable.
- Run motions and automations you explicitly configure (e.g., a review-response drafter, an invoice auto-filer).
- Maintain a memory of decisions, facts, and context you share so Aria can reference them in future conversations.
- Operate and secure the service (authentication, error tracking, abuse prevention).
We do not train AI models on your data. We do not sell your data, share it with advertisers, or use it for marketing purposes. We do not use your data to train, fine-tune, or evaluate any AI model operated by us or by any third party. Our AI providers' commitments to the same are described in Section 4.
Data minimization. Aria requests only the OAuth scopes necessary to deliver the user-facing features you have enabled. We send only the excerpts of your data that are relevant to a given task to our AI providers (for example, the specific email thread Aria is summarizing in a given turn, not your entire mailbox). See Section 5 for our Limited Use disclosure regarding Google data specifically.
4. AI processing (Anthropic Claude)
Aria uses Anthropic's Claude language models to generate summaries, drafts, and responses. When you interact with Aria, relevant excerpts of your data (e.g., the email thread Aria is summarizing, the document you uploaded) are sent to Anthropic's API for processing.
Under Anthropic's commercial API terms, data sent through the API is not used to train Anthropic's models. Anthropic retains API inputs and outputs for a limited operational period for abuse prevention. We are working with Anthropic to confirm a zero-data-retention configuration on our account; we will update this section once that configuration is in place. Refer to Anthropic's privacy policy for current details.
Anthropic is the only AI provider Aria currently transmits your data to. If we add an additional AI provider in future, we will update this section and our subprocessor list (Section 10) before that provider begins processing customer data.
5. Google API Services User Data Policy — Limited Use disclosure
Aria's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide or improve user-facing features that are prominent in the Aria interface.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have obtained the user's affirmative agreement, for specific messages; doing so is necessary for security purposes (such as investigating abuse); to comply with applicable law; or for Aria's internal operations and only when the data has been aggregated and anonymized.
6. Shopify data and access
When you connect a Shopify store to Aria, we use the Shopify Admin API to read the data needed to power your dashboard and chat context. Aria requests the minimum scopes required and treats Shopify data as live: we fetch on demand and do not cache business records in our database.
Scopes we request. By default Aria requests read_orders, read_products,read_customers, and read_inventory. The first three power the revenue, customer-context, and product-lookup features described above; read_inventory lets Aria surface low-stock and stockout information in the dashboard. All four are read-only - Aria cannot modify, create, or delete data in your store. You can review and revoke these from your Shopify admin at any time (Settings - Apps and sales channels - Aria - Uninstall).
What we persist vs. what we read live. The only Shopify-related record Aria stores in its database is the OAuth connection itself: the shop domain (e.g. your-store.myshopify.com) and the access token, kept per-account in the cogman.shopify_auth table with row-level security. Orders, products, customer records, and any other Shopify resource are fetched from Shopify in real time when you load the dashboard or ask Aria a question, and are not written to Aria's database.
How customer data is handled. Aria does not store Shopify customer records (name, email, phone, address, order history) in its own database. References to a customer in Aria's chat memory are limited to what you have typed or what Aria has surfaced in conversation; we do not bulk-import a customer list.
Compliance with Shopify Partner requirements. Aria implements the four mandatory Shopify compliance webhooks:
customers/data_request- acknowledged within seconds; since we hold no Shopify customer records, the response is that no exportable data is stored.customers/redact- acknowledged within seconds; the handler is structured to clear any PII (email, phone) we may hold for the affected customer if a future Aria feature begins caching customer references.shop/redact- fires 48 hours after a merchant uninstalls Aria; we delete thecogman.shopify_authrow for that shop. Live-fetched data was never persisted, so no further purge is needed.app/uninstalled- fires immediately on uninstall; we delete the access token row right away so the connection cannot be re-used.
All four webhook handlers verify Shopify's HMAC signature against our app's client secret before processing, and respond within the 5-second SLA Shopify requires.
Where Shopify data flows. Excerpts of your Shopify data may be included in inference calls to Anthropic for chat responses (e.g. when you ask Aria “how were sales today?”), subject to the same Limited Use principles as Section 4. We do not send Shopify data to advertising networks or any party other than the subprocessors listed in Section 10.
To request deletion of Shopify-derived data outside the standard uninstall flow, email roger@28labs.ai.
7. Where your data is stored and how it is isolated
Aria stores your data in Supabase (PostgreSQL), hosted on AWS in the Asia Pacific (Mumbai) region (`ap-south-1`). All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Per-account isolation. Every record Aria stores is tagged to the account that owns it. Database row-level security policies enforce that an authenticated session can only read and write rows belonging to that session's account. Authentication tokens, including Google OAuth refresh tokens, are stored under the same isolation - no user's tokens are reachable from another user's session.
8. Internal access to data
Production data access by Lab 28 Technologies personnel is limited to a small number of named operators, and is permitted only for the following purposes:
- Investigating and resolving issues you report to us (support and debugging).
- Investigating suspected abuse, fraud, or security incidents.
- Operational tasks that cannot be performed without access (e.g., applying a database migration).
- Compliance with applicable law.
Named operators do not browse customer data casually. We do not export customer data in bulk except for documented operational reasons. We do not share access credentials with anyone outside the named-operator set. We are in the process of enabling per-operator audit logging across our production database; once active, we will reference the logging mechanism here.
If you would like to know who currently has named-operator access, email roger@28labs.ai.
9. How long we retain your data
- Account and profile data: while your account is active, and for up to 90 days after deletion (for backup recovery).
- Email metadata and content fetched from Gmail: cached for up to 365 days from the date of access, then purged unless you have explicitly captured an item (priority, fact, decision, expense). Captured items persist for the life of your account.
- Calendar data: cached for the duration of your session and re-fetched live; not persisted long-term.
- Decisions, facts, priorities, motions, and other captured items: persist for the life of your account; deletable individually or on account deletion.
- Logs (authentication, errors, abuse signals): 30-90 days.
You can request deletion of any specific item or your entire account at any time. See Section 11.
10. Subprocessors
We do not sell your data. We do not share your data with third parties for marketing or advertising. We share data only with the limited set of service providers (“subprocessors”) we use to operate Aria. Each subprocessor is contractually obligated to protect your data and use it only to provide their service to us.
| Provider | Purpose | What they may see |
|---|---|---|
| Anthropic | Claude API — primary AI inference | Excerpts of your data sent in each inference call (e.g., the email thread being summarized, the document being processed, conversation history relevant to the current turn). |
| Supabase | Database (PostgreSQL), authentication, file storage | All data Aria stores. Hosted on AWS in the Asia Pacific (Mumbai) region. |
| Render | Application hosting (Singapore region) | Application traffic passing through Aria's servers in transit; no persistent customer data stored on Render. |
| OAuth provider for Gmail and Calendar access | Only invoked when you choose to connect Google. Google sees the API calls Aria makes against your authorized scopes. | |
| Shopify | OAuth provider and Admin API for connected stores | Only invoked when you choose to connect a Shopify store. Shopify sees the Admin API calls Aria makes against your authorized scopes. Aria does not cache Shopify data in its own database; only the OAuth access token is persisted. |
| ElevenLabs | Voice synthesis for the optional Telegram integration | Only invoked when you connect Telegram and Aria responds via voice. Receives only the text Aria converts to speech for that specific message. |
| Telegram | Optional messaging integration | Only invoked when you connect Telegram. Receives messages you send to and from the Aria bot. |
We may also disclose data if compelled by law (subpoena, court order) or to prevent fraud or abuse. We will notify you of any such disclosure unless legally prohibited from doing so. If we add or remove a subprocessor, we will update this section and, for material additions, notify active customers in advance.
11. Your rights
You have the right to:
- Access all data we hold about you.
- Export your data in a portable format.
- Delete specific items or your entire account.
- Revoke Google OAuth at any time via myaccount.google.com/permissions. Revocation immediately stops Aria's ability to read your Gmail and Calendar; cached data is purged within 30 days.
- Object to specific uses or restrict processing.
To exercise any of these rights, email roger@28labs.ai. We respond within 30 days.
12. International users
Aria is operated from the United Arab Emirates with data stored on AWS infrastructure in the Asia Pacific (Mumbai) region. If you are in a jurisdiction with specific data protection rights (e.g., GDPR in the EU/EEA, UK GDPR, CCPA in California), those rights apply to your data. For users in the European Economic Area or the United Kingdom, please note that your data is processed and stored outside the EEA/UK; we will support GDPR-compliant data-transfer mechanisms (including Standard Contractual Clauses where required) for customers who request a Data Processing Agreement. Contact us at roger@28labs.ai to exercise jurisdiction-specific rights or request a DPA.
13. Children
Aria is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you become aware that a child has shared data with Aria, contact us and we will delete it.
14. Security incidents
We take security seriously. If we become aware of a security incident that has resulted in unauthorized access to, disclosure of, or loss of your data, we will notify you without undue delay - and within 72 hours of confirming the incident where feasible, consistent with the notification timeline in GDPR Article 33. The notice will describe what we know about the incident, what data was affected, the steps we are taking to contain and remediate it, and what (if anything) you should do.
If you believe you have discovered a security issue in Aria, please email roger@28labs.ai with the subject line “Security” and we will respond promptly.
15. Changes to this policy
We may update this policy from time to time. Material changes will be notified to you by email (to the address on your account) and announced in-app before they take effect. The “Last updated” date at the top of this page indicates the latest revision.
16. Contact
Lab 28 Technologies - FZCO
Roger Graham, Founder
Dubai, United Arab Emirates
Email: roger@28labs.ai