Privacy Policy Draft
Rendered from the repo policy source as a real command-center page. Draft for review, not legal advice.
NyrA Swarm Little Buddy Privacy Policy Draft
Status: Draft for attorney review
Last updated: 2026-05-31
Scope: NyrA Swarm Little Buddy desktop app only
This draft is not legal advice. It is a working publication draft that should be reviewed after the business name, legal entity, domain, support inbox, pricing, hosted AI cap, and final provider stack are confirmed.
Plain-English Summary
NyrA is a Windows desktop companion that can use your microphone, camera, screen, local memory, third-party AI providers, and visible computer-control actions only after you grant the relevant permissions in the app.
NyrA should not be marketed as local-only, always-listening to everything, unrestricted computer control, voice identity recognition, or biometric learning. The app is designed around explicit consent, visible controls, local export/delete controls, paid-license checks, and high-impact action approval gates.
Data We Collect Or Process
NyrA may collect or process these categories, depending on your settings and use:
- Account and billing data: checkout email, Stripe customer ID, subscription status, invoices, cancellation state, and device activation status.
- Device and license data: app version, device activation ID, entitlement status, offline grace status, and license refresh timestamps.
- Voice data: microphone audio for transcription or live voice features when microphone consent is enabled.
- Screen and camera data: screenshots or camera frames when you ask NyrA to look and the relevant consent is enabled.
- Chat and command content: prompts, responses, task context, and instruction history.
- Local memory and passive context logs: saved preferences, context notes, and recent work context when memory or passive log consent is enabled.
- Computer-control action data: requested action, action type, target app/path/URL/coordinate, result, timestamp, approval status, and error output.
- Support data: emails, diagnostics, screenshots, logs, and files you choose to send to support.
- Website/dashboard data: form entries and uploads added through the launch command center or future cloud dashboard.
How We Use Data
NyrA uses data to:
- Provide voice, chat, screen-look, camera-look, automation, memory, and support features.
- Verify paid subscription status and activate the desktop app.
- Route prompts and media to configured AI providers when third-party AI consent is enabled.
- Keep local memory and logs only when those options are enabled.
- Diagnose bugs, billing errors, entitlement failures, installation issues, and safety incidents.
- Enforce license, consent, and high-impact action gates.
- Improve product reliability, support workflows, and release readiness.
Local Storage
NyrA stores app settings, license cache, consent settings, local memory, and logs on the user's device. Local memory and passive context logs should be optional, reversible, exportable, and deletable from the app.
The current implementation includes:
- First-run consent controls.
- Settings Privacy & Consent toggles.
- Local privacy export.
- Memory/log deletion.
- Main-process NYRA_CONSENT_REQUIRED enforcement for microphone, camera, screen, third-party AI, local memory, passive context log, and computer-control features.
Third-Party Providers
NyrA may send user prompts, voice transcriptions, screen/camera frames, and task context to third-party AI providers only when the relevant feature and third-party AI consent are enabled.
Current or planned providers include:
- OpenAI for chat, transcription, text-to-speech, realtime voice, and vision routes.
- Anthropic, Google Gemini, and xAI/Grok for selected swarm routes if configured.
- Stripe for checkout, subscription billing, invoices, customer portal, refunds, and entitlement-related customer IDs.
- Cloudflare for the planned command-center API, D1 database, R2 uploads, and scheduled intake triggers.
- Email provider for support inbox operations.
Provider data use and retention are governed by the provider's terms and data policies. NyrA should disclose provider links on the public website before paid beta.
The working provider-data map is maintained in AI_PROVIDER_DATA_FLOW_DRAFT.md. That file should be refreshed before publication because provider policies change, and the public policy must match the actual provider stack shipped in the app.
OpenAI Data Controls
The app should default OpenAI Responses API calls to store:false unless the user or business explicitly enables storage for a documented reason. OpenAI's current API data controls state that API endpoint data is not used for training by default, and that abuse monitoring and endpoint retention vary by endpoint.
Billing And Payments
Payments are processed through Stripe. NyrA should not store full credit card numbers, bank account numbers, card security codes, or raw Stripe secret keys in the desktop app or command-center files.
Customers should be able to manage billing, invoices, payment methods, and cancellation through Stripe Customer Portal once the live Stripe integration is deployed.
Choices And Controls
Users should be able to:
- Turn microphone/live listening on or off.
- Turn camera look on or off.
- Turn screen look on or off.
- Turn third-party AI processing on or off.
- Turn local memory on or off.
- Turn passive context log mode on or off.
- Turn computer-control permission on or off.
- Export local privacy data.
- Delete local memory and logs.
- Cancel future subscription renewals through the billing portal.
- Contact support for billing, license, privacy, or deletion questions.
Retention Draft
This retention schedule must be reviewed before publication:
| Data type | Draft retention |
|---|---|
| Local settings and consent | Until changed, reset, or uninstalled |
| Local memory and passive logs | Until deleted by the user or reset by the app |
| Local license cache | Until logout, uninstall, reset, expiration, or replacement |
| Billing/customer records | As required for subscription, tax, accounting, dispute, and legal obligations |
| Support emails/files | As long as needed to resolve support and maintain business records |
| Cloud command-center uploads | Until deleted by the owner or no longer needed for launch operations |
| AI provider content | According to the relevant provider terms and retention controls |
Children
NyrA is not intended for children under 13. The product should not knowingly collect personal information from children. If the app is later marketed to minors, the children's privacy policy and consent process must be redesigned before launch.
Biometric And Voice Identity Position
NyrA should not claim biometric voice recognition, voice identity authentication, or voiceprint learning unless a separate explicit enrollment, consent, accuracy, retention, and deletion process is implemented and legally reviewed. Current voice features should be described as voice input, transcription, realtime conversation, and context handling, not identity recognition.
Security
NyrA uses consent gates, paid-feature gates, typed IPC, high-impact action approval, and local export/delete controls. The security policy should also document vulnerability reporting, support triage, dependency updates, signing, and incident response.
Breach And Incident Response
If personal information is compromised, NyrA should investigate, contain the incident, document the scope, notify affected users when legally required, and follow applicable state and federal requirements. South Carolina breach notification rules may apply if personal identifying information of South Carolina residents is involved.
Contact
Support email: nyrasupport@gmail.com pending user creation/confirmation.
Do not publish this policy until:
- The support inbox exists and is monitored.
- The legal business name and address/contact approach are chosen.
- The domain and public policy URLs exist.
- The attorney review is complete.
Source References
- FTC Privacy and Security: https://www.ftc.gov/business-guidance/privacy-security
- FTC Protecting Personal Information: https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business
- OpenAI Data Controls: https://platform.openai.com/docs/guides/your-data
- Stripe Checkout: https://docs.stripe.com/payments/checkout
- Stripe Customer Portal: https://docs.stripe.com/customer-management
- South Carolina Code Section 39-1-90: https://law.justia.com/codes/south-carolina/title-39/chapter-1/section-39-1-90/
- FTC Biometric Policy Statement: https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-biometric-information-section-5-federal-trade-commission