2.1Data You Provide Directly

• Account data: name, email address, and OAuth tokens from Google, Apple, or Microsoft. WYLE never stores passwords.
• Personal Value System (PVS): your preferences across health, cost, speed, and reliability that Buddy uses to personalise every action.
• Life obligations: visa expiry dates, Emirates ID numbers, government document deadlines, financial commitments, insurance policies, rent cheque schedules, school fees, and household contracts.
• Family and household data: names, document expiry dates, and relationships for family members and household staff you choose to add.
• Vendor and service data: vendor names, WhatsApp contacts, service history, and reliability ratings you build over time.
• Goals and tasks: objectives, habits, milestones, and task lists you create.
• Voice input: audio processed in real time when you speak to Buddy or use the Hey Buddy wake word.
• Uploaded documents: PDFs, ID scans, insurance documents, receipts, and other files you share with Buddy.

2.2Data Collected Automatically (with Your Consent)

• Email data: with explicit OAuth consent, WYLE reads your Gmail or Outlook inbox using read-only access. Raw emails are never stored. Only structured entities (amounts, dates, vendor names, deadlines) extracted by our AI pipeline are retained.
• Calendar data: with explicit OAuth consent, WYLE syncs with Google Calendar or Microsoft Calendar to read and write events.
• App notifications (Android only): with explicit consent via Notification Listener Service, WYLE reads notifications to detect actionable financial and scheduling information.
• Usage telemetry: anonymised data covering feature usage, session length, and error rates. No personally identifiable information is included.
• Device data: device type, operating system, app version, push notification tokens, and device fingerprint for session security.

2.3Cookies and Tracking Technologies

When you access WYLE via wyle.ai or our web-based interfaces, we may use the following technologies:

• Essential cookies: strictly necessary for authentication, session management, and security. These cannot be disabled without breaking core functionality.
• Analytics cookies: anonymised, aggregated usage data collected via privacy-respecting analytics platforms. No cross-site tracking occurs. You may opt out via your browser settings or the cookie preference centre on wyle.ai.
• Local storage: used on-device to cache encrypted application state for performance. This data remains on your device and is subject to the same AES-256 encryption as all other personal data.

Our mobile applications do not use advertising SDKs, do not request IDFA (iOS) or GAID (Android), and do not participate in cross-app tracking networks.

2.4Data We Do Not Collect

• We do not collect or store bank account credentials, card numbers, or banking login data.
• We do not track you across other apps or websites (NSUserTrackingUsageDescription is not requested).
• We do not store raw audio recordings. Voice is processed in real time and not retained on our servers.
• We do not store raw email content. Only extracted structured entities are retained, encrypted.
• We do not sell your data to third parties, ever.

5.1How Buddy Processes Your Data

• Buddy uses your encrypted PVS, life obligations, and task history to generate personalised plans and recommendations. All AI inference that involves your personal data occurs within WYLE's secure processing environment.
• Where cloud-based large language model (LLM) APIs are used (for example, to parse complex documents or generate natural language responses), only anonymised and encrypted context is transmitted. Your raw personal identifiers are never sent to third-party AI model providers.
• On-device processing is used wherever technically feasible to minimise data leaving your device.

5.2Scoring and Automated Outputs

WYLE calculates several scores that influence how Buddy prioritises actions for you:

• Life Optimisation Score (LOS), Agentic Reliability Score (ARS), Agent Trust Score (ATS), and Certainty Score (CS) are computed from your own data and are used solely to personalise your WYLE experience.
• These scores do not constitute automated decisions with legal or similarly significant effects on you. They are operational tools within your personal WYLE environment.
• You can review the inputs to any score within the WYLE app and correct underlying data at any time.

5.3WhatsApp and Messaging Automation

When Buddy communicates with vendors or third parties on your behalf via WhatsApp or other messaging channels:

• Messages are sent using your explicit instruction and authorisation. WYLE acts as your agent, not as an independent communicator.
• The content of outbound messages is generated from your task instructions and PVS. WYLE does not retain copies of outbound WhatsApp message content beyond the active task session.
• You can review, pause, or revoke Buddy's messaging permissions at any time in Settings > Buddy Permissions.

Zero-knowledge means zero-knowledge. Even under a valid legal request, WYLE cannot produce your personal life data in readable form because we do not hold the decryption key. You do.

7.1Technical and Organisational Measures

In addition to our zero-knowledge encryption architecture, WYLE implements the following security measures:

• Transport layer security: all data in transit between your device and WYLE infrastructure is protected by TLS 1.2 or higher.
• Access controls: WYLE infrastructure access is restricted by role-based access control (RBAC). No WYLE employee can access decrypted user data.
• Infrastructure security: cloud infrastructure (AWS and/or Supabase) is configured with private networking, encrypted storage volumes, and regular security patching.
• Penetration testing: WYLE conducts periodic third-party security assessments. Material findings are remediated on a risk-prioritised basis.
• Employee training: all personnel with access to systems handling user data are trained on data protection obligations and security practices.

7.2Security Incident and Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the UAE Data Office within 72 hours of becoming aware of the breach, in accordance with UAE PDPL obligations.
• Where a breach is likely to result in a high risk to you personally, we will notify you directly without undue delay, describing the nature of the breach, the data affected, likely consequences, and the measures we have taken or propose to take.
• Given our zero-knowledge architecture, any breach of our cloud storage would expose only encrypted blobs that are unreadable without your device-held key. We will nonetheless notify you of any such event.
• Breach notifications will be sent to the email address associated with your WYLE account.

8.1Service Providers

We engage trusted third-party processors to operate the WYLE platform. All processors are bound by contractual data processing agreements:

• Cloud infrastructure: AWS and/or Supabase for encrypted blob storage and compute.
• Authentication: Google OAuth, Apple Sign-In, and Microsoft OAuth for identity verification.
• Push notifications: Firebase Cloud Messaging (Android) and Apple Push Notification Service (iOS).
• Payment processing: our payment provider processes subscription fees. WYLE does not store payment card data.
• AI model APIs: where cloud LLM processing is used, only encrypted and anonymised context is transmitted.

8.2What We Never Do

• We never sell, rent, or trade your personal data.
• We never share identifiable personal data with advertisers.
• We never share your data with third parties for their independent marketing purposes.

8.3Cross-Border Data Transfers

As a UAE-based entity, where your data is processed on servers located outside the UAE, we ensure equivalent protection standards apply in line with UAE PDPL Article 26 requirements governing cross-border data transfers. Transfers to jurisdictions without an adequacy determination are governed by appropriate contractual safeguards.

8.4Disclosure to Authorities

We may disclose data to competent UAE authorities, courts, or regulators where required by applicable UAE law. Given our zero-knowledge architecture, any such disclosure would be limited to account metadata (account ID, subscription tier, anonymised telemetry) as we cannot produce decrypted personal life data.

10.1How to Delete Your Account

You may delete your account and all associated data at any time:

• In-app: navigate to Settings > Account > Delete Account. This initiates immediate deletion of all server-side encrypted blobs and queues your account for permanent removal within 30 days.
• By email: send a deletion request to privacy@wyle.ai from the email address associated with your account. We will confirm and process your request within 5 business days.
• Upon deletion, your encryption key is the only way to recover data held locally on your device. WYLE has no ability to recover server-side data once deletion is confirmed.

10.2Opt-Out of Specific Processing

• AI model improvement opt-in/opt-out: manage via Settings > Privacy > AI Improvement Programme.
• Email integration: revoke OAuth access at any time via Settings > Connections > Email. Revocation immediately stops email reading.
• Calendar sync: revoke via Settings > Connections > Calendar.
• Notification access (Android): revoke via Settings > Connections > Notifications, or via Android system settings.
• Analytics opt-out: opt out of anonymised analytics via Settings > Privacy > Usage Analytics.
• Cookie preferences (web): manage via the cookie preference centre at wyle.ai.