1. Data Controller
When you use Maya, the data controller is:
Eduard Giurgea, Founder & CEO
Email: privacy@mytechupgrade.com
Website: mytechupgrade.com
When Maya is deployed on a business’s website, that business becomes a separate data controller for their own visitors’ data. MyTech Upgrade acts as a data processor on their behalf. Full details are in our Data Processing Agreement (DPA — available on request).
2. Data We Collect
We collect only what is necessary to operate the service:
| Data category | Purpose | Retention |
|---|---|---|
| Voice audio (transient) | Real-time AI responses to website visitors | Not stored — processed in memory only, discarded when the session ends |
| Voice transcripts (transient) | Converted from audio so the AI can process your question | Not stored by default — discarded when the session closes |
| Lead contact info (name, email, phone) | Captured on behalf of the business when a visitor chooses to leave their details | Until the business deletes the lead or closes their Maya account |
| Visitor session data (session ID, browser language, referrer) | Language detection, session continuity, analytics | 90 days |
| Usage analytics (events, click paths, conversation count) | Service improvement, billing, anomaly detection | 90 days |
| Account data (business name, email, billing info) | Account management, billing, support | Duration of subscription + 7 years (EU legal/tax obligation) |
We do not use voice recordings to train AI models. Audio is processed in real time and never stored for training purposes.
3. How We Use It
Our lawful basis for each processing activity under GDPR Art. 6:
- Contract performance (Art. 6(1)(b)): Running your account, delivering the service, handling billing.
- Legitimate interests (Art. 6(1)(f)): Usage analytics, security monitoring, fraud prevention, and improving service reliability. We have assessed that these legitimate interests do not override your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Keeping billing records for tax and accounting compliance.
- Consent (Art. 6(1)(a)): Where a business has obtained consent from their visitors for lead capture. The business is responsible for getting and recording that consent.
4. Third Parties & Sub-Processors
We share data only with the processors required to operate Maya. Each is bound by a data processing agreement or equivalent standard contractual clauses:
| Data category | Purpose | Retention |
|---|---|---|
| Supabase (supabase.com) | Database and authentication | EU region (Frankfurt). GDPR-covered. DPA available. |
| Vercel (vercel.com) | Application hosting and edge delivery | EU region available. DPA in place. |
| Google Cloud (cloud.google.com) | Real-time voice AI processing (audio is transient only) | EU and US. Subject to Google's standard Data Processing Terms and EU Standard Contractual Clauses (Commission Decision 2021/914). |
| Paddle (paddle.com) | Payment processing (Merchant of Record) | Paddle.com Market Ltd, acting as Merchant of Record / reseller. PCI-DSS certified. |
| Axiom / Sentry (where enabled) | Error tracking and observability (anonymised where possible) | EU region. Used only where the relevant service is active in our infrastructure. |
We do not sell personal data. We do not share data with advertisers. Full stop.
5. Data Retention
- Voice sessions: Audio and transcripts are not kept after the session ends. They exist only in transient memory during the active conversation.
- Leads: Kept until the business deletes them from their Maya dashboard, or until their account closes (then deleted within 30 days).
- Session and usage analytics: 90 days, then automatically deleted.
- Billing and account records: 7 years from the last transaction (EU tax and accounting law).
6. Your Rights (GDPR Art. 15–22)
If you’re a website visitor whose data was captured by Maya on a business’s site, your rights are with that business — they’re the data controller for your data. MyTech Upgrade will assist within 72 hours of receiving a forwarded request.
If you’re a Maya subscriber (a business customer), here are your rights regarding your own account data:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16):Correct anything that’s inaccurate.
- Erasure (Art. 17):Ask us to delete your data where there’s no legal obligation to keep it.
- Portability (Art. 20): Get your data in a structured, machine-readable format (JSON export available on request).
- Objection (Art. 21): Object to processing based on legitimate interests.
- Restriction (Art. 18): Ask us to limit processing while a dispute is being resolved.
To exercise any right, email privacy@mytechupgrade.com. We’ll respond within 30 days. You can also complain to your national supervisory authority — for example the Irish DPC at dataprotection.ie, or whichever authority covers your EU member state.
8. International Data Transfers
Where your data travels outside the EEA — for example to Google Cloud servers in the US for voice AI processing — we rely on EU Standard Contractual Clauses (SCCs) (Commission Decision 2021/914) as the transfer mechanism. Google LLC is also certified under the EU-US Data Privacy Framework.
9. Security
Technical and organisational measures in place:
- Encryption in transit: TLS 1.3 for all connections.
- Encryption at rest: AES-256 via Supabase/Postgres.
- Access controls: Role-based access; the production database is only reachable via server-side service keys — never exposed to browsers.
- Audit logs: All admin and system actions on lead data are logged.
- Breach notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, as required by GDPR Art. 33. We will notify affected business customers without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be notified to business customers by email at least 14 days before the new version takes effect. The “Last updated” date at the top reflects the current version. Continued use of Maya after the effective date constitutes acceptance.
11. Contact
Privacy questions: privacy@mytechupgrade.com
General: hello@mytechupgrade.com
Legal: legal@mytechupgrade.com