Privacy Policy

Last updated: February 10, 2026

1. Introduction

Aura Stream Digital Labs ("we," "our," or "us") operates the QYLLO application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

QYLLO is built on a zero-knowledge encryption architecture. This means your documents are encrypted on your device before being uploaded, and we cannot access, read, or decrypt your stored documents.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Authentication credentials (password hash — we never store your plain-text password)
  • Account creation date

2.2 Social Authentication

If you sign in with Google or Apple, we receive your name, email address, and profile identifier from the authentication provider. We do not receive or store your social media passwords.

2.3 Device & Camera Permissions

Our app requests access to your device camera (android.permission.CAMERA) solely for scanning documents. Camera data is processed locally on your device, encrypted, and then uploaded. We do not stream, share, or retain raw camera data.

2.4 Document Data

Documents you upload are end-to-end encrypted using AES-256-GCM with keys derived from your vault password via PBKDF2. We store only the encrypted ciphertext. We cannot decrypt, view, or access the contents of your documents.

2.5 Usage & Analytics

We may collect anonymized usage data including:

  • App version and platform (iOS/Android/Web)
  • Crash reports and error logs (without document content)
  • Feature usage statistics (aggregated)
  • Device type and operating system version

2.6 Feedback Data

If you submit feedback through our in-app feedback system, we collect your feedback text, feedback type, and basic device context (platform, app version).

3. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Send expiry notifications and service communications
  • Process and respond to your feedback
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

4. Third-Party Services

4.1 Firebase (Google)

We use Firebase for authentication, cloud storage (encrypted data only), and database services. Firebase processes data according toGoogle's Privacy Policy.

4.2 Google Cloud Vision API

For document scanning and OCR, images may be processed through Google Cloud Vision API. Images are transmitted securely and are not retained by Google after processing.

4.3 Google AdMob

Free-tier users may see advertisements served by Google AdMob. AdMob may collect device identifiers and usage data to serve relevant ads. You can opt out of personalized ads in your device settings. Premium users do not see ads.

4.4 Google Sign-In / Apple Sign-In

If you choose to sign in with Google or Apple, your authentication is handled by the respective provider's OAuth service. We only receive the information described in Section 2.2.

5. Data Storage & Security

Your encrypted documents are stored in Firebase Cloud Storage. Encryption keys are derived from your vault password using PBKDF2 (600,000 iterations) and are never transmitted to our servers in plain form.

If you enable biometric unlock, a wrapped version of your encryption key is stored in your device's secure enclave (Keychain/Keystore). This key cannot be extracted from the device.

6. Data Retention

We retain your account data and encrypted documents for as long as your account is active. If you delete your account, we will delete your associated data within 30 days, subject to legal retention requirements.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent at any time

To exercise these rights, contact us at privacy@getqyllo.com.

8. Children's Privacy

Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will promptly delete it.

9. International Data Transfers

Your encrypted data may be processed and stored in data centers located outside your country of residence. We ensure appropriate safeguards are in place for any international transfers of personal data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us: