GDPR · Art. 13 & 14 DISCLOSURE

Privacy Policy

This Privacy Policy describes how MyTech Upgrade collects, uses, and protects data related to your use of Maya.

Last updated: January 2026

1. Data Controller

When you use Maya, the data controller is:

MyTech Upgrade
Eduard Giurgea, Founder & CEO
Email: privacy@mytechupgrade.com
Website: mytechupgrade.com

When Maya is deployed on a business’s website, that business becomes a separate data controller for their own visitors’ data. MyTech Upgrade acts as a data processor on their behalf. Full details are in our Data Processing Agreement (DPA — available on request).

2. Data We Collect

We collect only what is necessary to operate the service:

Data categoryPurposeRetention
Voice audio (transient)Real-time AI responses to website visitorsNot stored — processed in memory only, discarded when the session ends
Voice transcripts (transient)Converted from audio so the AI can process your questionNot stored by default — discarded when the session closes
Lead contact info (name, email, phone)Captured on behalf of the business when a visitor chooses to leave their detailsUntil the business deletes the lead or closes their Maya account
Visitor session data (session ID, browser language, referrer)Language detection, session continuity, analytics90 days
Usage analytics (events, click paths, conversation count)Service improvement, billing, anomaly detection90 days
Account data (business name, email, billing info)Account management, billing, supportDuration of subscription + 7 years (EU legal/tax obligation)

We do not use voice recordings to train AI models. Audio is processed in real time and never stored for training purposes.

3. How We Use It

Our lawful basis for each processing activity under GDPR Art. 6:

  • Contract performance (Art. 6(1)(b)): Running your account, delivering the service, handling billing.
  • Legitimate interests (Art. 6(1)(f)): Usage analytics, security monitoring, fraud prevention, and improving service reliability. We have assessed that these legitimate interests do not override your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Keeping billing records for tax and accounting compliance.
  • Consent (Art. 6(1)(a)): Where a business has obtained consent from their visitors for lead capture. The business is responsible for getting and recording that consent.

4. Third Parties & Sub-Processors

We share data only with the processors required to operate Maya. Each is bound by a data processing agreement or equivalent standard contractual clauses:

Data categoryPurposeRetention
Supabase (supabase.com)Database and authenticationEU region (Frankfurt). GDPR-covered. DPA available.
Vercel (vercel.com)Application hosting and edge deliveryEU region available. DPA in place.
Google Cloud (cloud.google.com)Real-time voice AI processing (audio is transient only)EU and US. Subject to Google's standard Data Processing Terms and EU Standard Contractual Clauses (Commission Decision 2021/914).
Paddle (paddle.com)Payment processing (Merchant of Record)Paddle.com Market Ltd, acting as Merchant of Record / reseller. PCI-DSS certified.
Axiom / Sentry (where enabled)Error tracking and observability (anonymised where possible)EU region. Used only where the relevant service is active in our infrastructure.

We do not sell personal data. We do not share data with advertisers. Full stop.

5. Data Retention

  • Voice sessions: Audio and transcripts are not kept after the session ends. They exist only in transient memory during the active conversation.
  • Leads: Kept until the business deletes them from their Maya dashboard, or until their account closes (then deleted within 30 days).
  • Session and usage analytics: 90 days, then automatically deleted.
  • Billing and account records: 7 years from the last transaction (EU tax and accounting law).

6. Your Rights (GDPR Art. 15–22)

If you’re a website visitor whose data was captured by Maya on a business’s site, your rights are with that business — they’re the data controller for your data. MyTech Upgrade will assist within 72 hours of receiving a forwarded request.

If you’re a Maya subscriber (a business customer), here are your rights regarding your own account data:

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16):Correct anything that’s inaccurate.
  • Erasure (Art. 17):Ask us to delete your data where there’s no legal obligation to keep it.
  • Portability (Art. 20): Get your data in a structured, machine-readable format (JSON export available on request).
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Restriction (Art. 18): Ask us to limit processing while a dispute is being resolved.

To exercise any right, email privacy@mytechupgrade.com. We’ll respond within 30 days. You can also complain to your national supervisory authority — for example the Irish DPC at dataprotection.ie, or whichever authority covers your EU member state.

7. Cookies

Maya uses a minimal set of cookies — nothing for advertising, nothing for tracking you across other sites:

Data categoryPurposeRetention
maya_sessionKeeps you logged in (authentication)Session / always-on (necessary)
maya_consentRemembers your cookie choice1 year / necessary
maya_analyticsAnonymous usage analytics (Axiom)90 days / analytics (opt-in)

You can manage non-essential cookies via the banner on your first visit, or email privacy@mytechupgrade.com.

8. International Data Transfers

Where your data travels outside the EEA — for example to Google Cloud servers in the US for voice AI processing — we rely on EU Standard Contractual Clauses (SCCs) (Commission Decision 2021/914) as the transfer mechanism. Google LLC is also certified under the EU-US Data Privacy Framework.

9. Security

Technical and organisational measures in place:

  • Encryption in transit: TLS 1.3 for all connections.
  • Encryption at rest: AES-256 via Supabase/Postgres.
  • Access controls: Role-based access; the production database is only reachable via server-side service keys — never exposed to browsers.
  • Audit logs: All admin and system actions on lead data are logged.
  • Breach notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, as required by GDPR Art. 33. We will notify affected business customers without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

10. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified to business customers by email at least 14 days before the new version takes effect. The “Last updated” date at the top reflects the current version. Continued use of Maya after the effective date constitutes acceptance.

11. Contact