Privacy
Policy.

We use your data to provide, improve, and protect our services. Specific uses include:

• Account creation, management, and service delivery
• Delivering personalised wellness programmes and AI companion interactions
• Operating our safety monitoring systems
• Processing payments and managing subscriptions
• Responding to support and clinical enquiries
• Improving our platform through anonymised, aggregated analysis (Tier 2 and Tier 3 data only)
• Complying with legal obligations and responding to lawful requests
• Operating our safeguarding reporting pathway where required

We do not sell your personal data. We do not use Tier 1 sensitive data for AI model training or commercial development.

Where applicable law requires a legal basis for data processing, we rely on the following:

• Contract performance - to provide the services you have subscribed to
• Legitimate interests - platform security, fraud prevention, and service improvement using Tier 2 and Tier 3 data
• Legal obligation - where we are required to process data by law or regulatory authority
• Consent - for optional features and any processing of Tier 1 sensitive data beyond service delivery
• Vital interests - in safeguarding situations where processing is necessary to protect life

NOYO's consumer-facing AI systems provide emotional support and companionship. They are not clinical tools. AI systems process your inputs to generate responses in real time. You acknowledge that AI outputs are probabilistic, may be incomplete, and do not constitute professional advice of any kind.

AI conversation data is classified as Tier 1 - Sensitive. It is stored to enable session continuity, encrypted in transit and at rest, and is never used for AI model training or shared with third parties outside of legal and safeguarding obligations.

You may delete your conversation history at any time in your account settings. Crisis-related interactions may be retained in accordance with our safeguarding obligations.

Note on professional AI tools: NOYO operates separate AI systems (ERAS and HAM) exclusively for licensed clinical professionals and authorised institutions under separate agreements. These systems operate under a distinct data governance framework and are not subject to this section.

We do not sell your personal data. We share data only in the following limited circumstances:

• Service providers - cloud hosting (AWS/Supabase), payment processing, and email delivery, all bound by data processing agreements
• Safeguarding and crisis - where a user-reported concern meets the threshold for disclosure to relevant authorities under our Safeguarding Policy
• Legal requirements - where required by law, regulation, or valid legal process
• Business transfers - in the event of a merger or acquisition, with appropriate data protection protections in place

Tier 1 sensitive data is never shared for commercial purposes under any circumstances.

NOYO operates globally. Your data may be transferred to and processed in countries outside your country of residence. Where such transfers occur, we ensure appropriate safeguards are in place including Standard Contractual Clauses or equivalent approved mechanisms. By using the Platform, you consent to such transfers subject to these protections.

We retain your data for as long as your account is active or as long as necessary to provide our services. Following account deletion, certain records may be retained for legal compliance purposes for a period of up to 7 years, after which all personal data is permanently deleted or anonymised.

AI conversation data is retained as described in Section 07. Tier 3 platform and analytics data may be retained in anonymised form indefinitely for platform improvement purposes.

We implement appropriate administrative, technical, and organisational safeguards to protect your personal data against unauthorised access, loss, or misuse. All data is encrypted in transit and at rest. Tier 1 sensitive data is subject to additional access controls and audit logging.

No system is completely secure. We cannot guarantee absolute protection, but we are committed to maintaining the highest reasonable standard of data security for a platform operating in the mental wellness space.

Depending on your country of residence, you may have the following rights regarding your personal data:

• Right to access the data we hold about you
• Right to correct inaccurate or incomplete data
• Right to delete your data, subject to legal retention requirements
• Right to restrict or object to processing
• Right to data portability
• Right to withdraw consent at any time without affecting prior lawful processing

To exercise any of these rights, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

The Platform is exclusively for adults aged 18 and over. We do not knowingly collect, process, or retain personal data from any individual under the age of 18, globally and without exception.

If we become aware that an account has been created by or data has been submitted by a person under 18, we will immediately suspend the account, delete all associated data, and take appropriate steps. If you believe a minor has accessed the Platform, contact us immediately at [email protected].

We use cookies and similar technologies for platform functionality, analytics, and performance optimisation. Full details of the cookies we use, their purposes, and how to manage your preferences are set out in our Cookie Policy.

NOYO's AI systems process your inputs automatically to generate responses. However, NOYO does not engage in fully automated decision-making that produces legal or similarly significant effects on users without human oversight. Our safety monitoring systems may flag interactions for human review where risk signals are detected.

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or a prominent notice within the Platform. Your continued use of the Platform after changes are made constitutes acceptance of the updated Policy.

For all data protection and privacy enquiries:

[email protected]

NOYO Global - Never On Your Own

User inputs may be processed by AI systems to generate responses, improve system performance, enhance safety monitoring, and refine service delivery. Where this involves Tier 1 Sensitive data, processing is subject to the heightened protections described in our Data Classification framework.

Data may be anonymised and aggregated for research, analytics, and system optimisation purposes. Anonymised data no longer identifies you and is not subject to the same restrictions as personal data.

NOYO retains personal data only as long as necessary for the purposes for which it was collected. NOYO reserves the right to retain certain data for extended periods where required for legal compliance, security, fraud prevention, or dispute resolution.

Data may be processed by approved third-party service providers acting on NOYO's behalf, under strict confidentiality and data protection obligations. NOYO does not sell personal data to third parties.

NOYO reserves the right, at its sole and absolute discretion, to suspend, restrict, modify, or terminate access to any part of the Platform, services, or accounts at any time, with or without notice, for any reason, including but not limited to suspected violations of these policies.

All provisions which by their nature should survive termination shall survive, including but not limited to liability limitations, indemnification, arbitration, intellectual property protections, and non-circumvention obligations.

If any provision of this policy is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.

Failure by NOYO to enforce any provision of this policy on any occasion shall not constitute a waiver of its right to enforce that provision or any other provision on any other occasion.

NOYO shall not be liable for any failure or delay in performance arising from causes beyond its reasonable control, including but not limited to natural disasters, infrastructure outages, cyberattacks, pandemics, or governmental actions.

NOYO may assign, transfer, or delegate its rights and obligations under this policy without restriction and without prior notice. You may not assign your rights or obligations without NOYO's prior written consent.

This policy is governed by and construed in accordance with the laws of Mauritius (including the Data Protection Act 2017), without regard to its conflict of law provisions.

Any dispute arising out of or in connection with this policy shall be resolved by binding arbitration under internationally recognised arbitration rules. You agree to resolve all disputes individually and waive any right to participate in, or bring claims as part of, any class action, collective proceeding, or representative action.

Where mandatory consumer protection laws in your country of residence provide rights that cannot be contractually excluded, those rights are preserved.