Vayl processes your data on your device. Camera data for Adaptive Mode is analyzed locally and never transmitted. OS activity sensing captures behavioral timing patterns — never keystrokes, screen content, or window titles. All sensitive data is encrypted at rest using a key derived from your machine, and you can delete it at any time.
What We Collect
Account Information
Email address (for authentication via Firebase Auth)
Authentication tokens (managed by Firebase)
Account creation date
OAuth provider information (Google or Microsoft, if used for sign-in)
Calendar Data (Optional)
If you choose to connect your Google or Microsoft/Outlook calendar:
Calendar event names, times, and details/descriptions (read-only access)
This data is processed locally on your device and is never stored on our servers
We only access calendar events to personalize audiovisual stimulation for your meetings and tasks
Event details help us understand the context (e.g., "client meeting" vs "deep work") to optimize your cognitive support
You can disconnect calendar access at any time from your account settings
Biometric Data — Adaptive Mode (Optional)
If you choose to enable Adaptive Mode, Vayl uses your device's camera to track eye movements and facial landmarks in order to detect your attention state (e.g., focused, drifting, fatigued) and automatically adjust stimulation in real time. This feature requires your explicit consent before activation.
What is collected:
Derived attention metrics — engagement, overload, and fatigue scores (numerical values between 0 and 1), classified attention state, detection confidence, and raw eye metrics (blink rate, fixation stability, pupil diameter)
Stimulus-response logs — which setting adjustments were made in response to each attention state, along with before/after settings snapshots, so the system can learn which adjustments work best for you
Outcome measurements — your attention state 30, 60, and 90 seconds after each adjustment, used to evaluate whether the adjustment was effective
What is NOT collected:
Raw camera images or video frames are never stored or transmitted — they are processed in real time by an on-device model (MediaPipe) and immediately discarded
No photographs, facial images, or facial geometry are retained
No biometric templates or identifiers that could be used to identify you are created or stored
How it is stored:
All biometric event logs are encrypted at rest using AES encryption with a key derived from your specific machine, meaning the data can only be read on the device that created it
Logs are stored locally in monthly files and automatically deleted after 6 months
A local analytics summary stores only semantic labels (e.g., "deep focus" or "drifting") — not raw eye metrics — for your personal session dashboard. This summary contains no raw biometric values and is automatically deleted after 90 days
A separate "learned profile" (containing only tuning numbers — not biometric data) is stored unencrypted locally for personalization
You can delete all biometric data at any time from the Adaptive Mode settings in the app
No biometric data is ever transmitted to our servers or any third party
OS Activity Data — Context Sensing (Optional)
If you choose to enable OS Context Sensing, Vayl monitors certain system-level behavioral patterns to infer your cognitive state (e.g., deep focus vs. task-switching) and tailor stimulation accordingly. This feature requires your explicit consent before activation.
What is collected:
Keyboard timing metadata — typing velocity, inter-key intervals, pause frequency, and error rate. We capture only timing patterns, never the content of your keystrokes
Mouse dynamics — cursor velocity, movement efficiency, click rate, and idle time
Active application name — the name of the foreground application (e.g., "Visual Studio Code", "Slack"), polled periodically for task-type detection. Window titles, URLs, and file names are not collected unless you explicitly opt in to enhanced context
System context — time of day, session duration, and idle/lock events
What is NOT collected:
Keystroke content — we never record what you type
Screen content, screenshots, or pixel data
Window titles, URLs, or file names (unless you explicitly opt in)
Clipboard content
Network traffic or browsing history
How it is stored:
OS activity data is processed locally in real time and used to compute a cognitive state score
Raw activity data is retained only in short rolling windows (approximately 15 seconds) and then discarded
Only derived cognitive state scores and adaptation logs are persisted, following the same encrypted local storage and automatic deletion policies as biometric data
A local analytics summary also stores categorical labels derived from your activity (e.g., app category, stress level, context-switching frequency) for your personal session dashboard. This contains no raw behavioral data — no typing patterns, cursor positions, or application names — and is automatically deleted after 90 days
You can delete all OS activity data at any time and disable the feature independently of other settings
No OS activity data is ever transmitted to our servers or any third party
Usage Data
App preferences and settings
Session information (when you use the app)
Feature usage analytics (which effects you use)
Payment Information
Payment processing is handled entirely by Stripe. We don't store credit card numbers or payment details on our servers. We only receive:
Subscription status
Customer ID from Stripe
Transaction confirmations
How We Use Your Data
Authentication: To sign you in and maintain your session
Service Delivery: To provide and improve Vayl's audiovisual entrainment features
Personalization: To learn which stimulation adjustments work best for your individual cognitive patterns, using locally stored biometric and behavioral data
Personal Analytics: To provide you with a local session dashboard showing aggregate trends in your attention, energy, and stress patterns over time — using only semantic summaries (e.g., "deep focus", "high energy"), not raw biometric or behavioral data
AI-Assisted Configuration: To generate optimized stimulation parameters based on your selected goals, using third-party AI services (see below)
Customer Support: To respond to your inquiries and requests
Analytics: To understand how users interact with our app and improve it
Legal Compliance: To comply with applicable laws and regulations
Data Storage & Security
Your data is stored securely using industry-standard practices:
Local Encryption: Biometric event logs and OS activity adaptation logs are encrypted at rest on your device using AES encryption with a machine-derived key. This data cannot be read on any other device
Firebase Security: Account and cloud-synced data uses Firebase authentication and security rules
Encryption in Transit: All network communication uses HTTPS/TLS encryption
Automatic Data Retention: Biometric and OS activity adaptation logs are automatically deleted after 6 months. Local analytics dashboard summaries (containing only semantic labels, not raw data) are automatically deleted after 90 days
Access Control: Strict access controls and authentication requirements for all cloud services
Regular Updates: We keep our security measures up to date
Third-Party Services
We use the following third-party services:
Firebase (Google): Authentication, database, and analytics
Stripe: Payment processing (PCI-compliant)
OpenAI: AI-assisted stimulation parameter generation. We send your selected session goals and preferences (not biometric data, OS activity data, or personal information) to generate optimized configurations. Requests are not used to train OpenAI's models
Vercel: Website hosting and performance analytics
Google OAuth: Optional sign-in and calendar access (if you choose to connect)
Microsoft OAuth: Optional sign-in and Outlook calendar access (if you choose to connect)
MediaPipe (Google): On-device face landmark detection for Adaptive Mode. This library runs entirely on your device — no data is sent to Google
Each service has its own privacy policy and security standards. We only share the minimum necessary data with these services to provide Vayl's functionality. Biometric data, OS activity data, and camera images are never shared with any third party.
Your Rights
You have the right to:
Access: Request a copy of your personal data
Correction: Update or correct your information
Deletion: Request deletion of your account and data, including all locally stored biometric and OS activity data
Portability: Receive your data in a machine-readable format
Opt-out: Disable Adaptive Mode and/or OS Context Sensing at any time from the app's settings. Disabling these features immediately stops data collection, and you will be offered the option to delete all previously collected data
Consent Withdrawal: Withdraw your consent for biometric data collection or OS activity sensing at any time, without affecting the core functionality of Vayl
Geographic Restrictions on Biometric Features
Biometric features (Adaptive Mode) are not available to users in Illinois or other jurisdictions with biometric privacy laws that impose a private right of action. Vayl automatically detects your approximate location using IP geolocation before enabling these features, but you agree not to knowingly enable or use biometric features while located in a restricted jurisdiction. All other features of Vayl remain fully available regardless of your location.
State-Specific Rights
Depending on your jurisdiction, you may have additional rights:
Illinois (BIPA): Biometric features are not offered to users in Illinois. If you are located in Illinois, Vayl will prevent you from enabling Adaptive Mode. See our Terms of Service for details
California (CCPA/CPRA): You have the right to know what personal information is collected, to request its deletion, and to opt out of its sale. Vayl does not sell personal information to third parties
European Union (GDPR): You have the right to access, rectify, erase, restrict processing of, and port your personal data. Our legal basis for processing biometric and behavioral data is your explicit consent
Cookies
We use essential cookies for authentication and analytics cookies to improve our service. For detailed information, please see our Cookie Policy.
Children's Privacy
Vayl is not intended for use by children under the age of 16. We do not knowingly collect personal information, biometric data, or behavioral data from children under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will delete the data promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. If we make material changes to how we handle biometric or behavioral data, we will request your consent again before continuing to collect such data under the new terms.
Contact Us
If you have questions about this Privacy Policy, how we handle your data, or wish to exercise any of your rights described above, please contact us at:
Email: privacy@getvayl.com Address: 8 The Green, Suite D, Dover, Delaware 19901, USA