Legal
Last updated: April 2026
We collect information you provide directly to us when you create an account, connect social media platforms, configure your AI voice settings, or contact our support team. This includes:
When you connect social media platforms (YouTube, Instagram), we access your public profile information and comment data through official platform APIs. We collect:
This data is collected solely to provide our AI moderation and reply generation services.
We automatically collect usage data including interaction logs with our AI engine, feature usage patterns, performance metrics, and device/browser information. This data helps us improve our agentic AI system and optimize the 3-tier intelligence engine for better response quality.
When you connect your YouTube channel, NAWA syncs publicly available comments on your videos. This includes commenter display names, profile images, comment text, and timestamps. This data is:
When you connect your Instagram Business or Creator account, NAWA receives comments on your Instagram posts via Meta's webhook system. This includes commenter usernames, comment text, and timestamps. This data is:
By connecting your Instagram account, you authorise NAWA to process comments on your posts for AI classification and community management. This processing is necessary for the performance of our contract with you (GDPR Article 6(1)(b)) and is conducted under your authorisation as the account owner.
By connecting your YouTube channel, you authorise NAWA to process publicly available comments on your videos for AI classification and audience intelligence. This processing is necessary for the performance of our contract with you (GDPR Article 6(1)(b)) and is conducted under the creator's authorisation as the channel owner.
We acknowledge that it is not practically possible to individually notify every YouTube commenter that their publicly available comment is being processed by NAWA. We rely on the "disproportionate effort" exemption under GDPR Article 14(5)(b), as commenter data is obtained from a publicly accessible source (YouTube) and individual notification would involve disproportionate effort given the volume of comments processed.
Your data is used exclusively to provide and improve the NAWA service. This includes:
Our semantic caching system stores anonymized response patterns to improve reply quality and reduce AI processing costs. Cached data is used only for your account and is never shared across users or used to train external AI models.
We may use aggregated, anonymized usage statistics to improve our platform, publish benchmarks, or develop new features. This data cannot be used to identify any individual user or their content.
NAWA uses artificial intelligence to process comments on your connected social media channels. This includes:
These processes are automated but do not produce decisions with legal effects or similarly significant consequences for commenters. Reply suggestions require your explicit approval before being posted to any platform.
You have the right to request human review of any AI classification. Contact privacy@trynawa.com to exercise this right.
We do not sell your personal data. We do not share your content, comments, or AI-generated replies with any third party for advertising or marketing purposes.
We share data with the following categories of service providers strictly as needed to operate NAWA:
| Provider | Purpose | Data Shared | Location | Transfer Basis |
|---|---|---|---|---|
| Supabase (AWS) | Database, authentication, edge functions | Account data, comments, platform tokens | Singapore / United States | SCCs + DPA |
| Anthropic (Claude) | AI reply generation (English) | Comment text, voice profile context | United States | SCCs + DPA |
| IBM / HUMAIN (ALLaM) | Arabic language AI classification | Arabic comment text (anonymized) | Saudi Arabia | Adequacy (GCC) |
| Stripe | Payment processing | Billing information, payment methods | United States | SCCs + PCI DSS |
| Resend | Transactional and lifecycle email | Email address, name | United States | SCCs + DPA |
| Google (YouTube API, OAuth, GA4) | Platform integration, authentication, analytics | OAuth tokens, channel data, page views | United States | SCCs + DPA |
| Meta (Instagram Graph API) | Platform integration, webhooks, OAuth | OAuth tokens, account metadata, comments | United States / Ireland | SCCs + DPA |
| PostHog | Product analytics | Anonymized usage events, page views | European Union | EU hosting (no transfer) |
| Meta (Pixel) | Marketing attribution | Page views, conversion events | United States | Consent-gated + SCCs |
| ByteDance (TikTok Pixel) | Marketing attribution | Page views, conversion events | Singapore / United States | Consent-gated + SCCs |
| LinkedIn / Microsoft (Insight Tag) | Marketing attribution | Page views, conversion events | United States | Consent-gated + SCCs |
| Vercel | Web hosting, CDN, edge middleware | HTTP requests, static assets | Global (edge network) | SCCs + DPA |
| Cloudflare (Turnstile) | Bot protection, CDN | IP address, browser fingerprint | Global (edge network) | SCCs + DPA |
All service providers are bound by data processing agreements (DPAs) that require them to protect your data and use it only for the purposes we specify. Cross-border transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission and recognized by the UAE Data Office under Federal Decree-Law No. 45 of 2021 (PDPL). Marketing pixels (Meta, TikTok, LinkedIn) only fire after explicit user consent via our cookie consent banner. We may disclose information if required by law, regulation, or valid legal process.
Under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the UAE Personal Data Protection Law (PDPL, Federal Decree-Law No. 45 of 2021 as amended), you have comprehensive rights over your personal data.
To exercise any of these rights, contact us at privacy@trynawa.com. We will respond to your request within 30 days. For GDPR-related requests, our Data Protection Officer can be reached at the same address. For UAE PDPL inquiries, we maintain a dedicated compliance team familiar with UAE-specific requirements.
We process personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account data (email, name) | Performance of contract (GDPR Art. 6(1)(b), PDPL Art. 4) |
| YouTube comment sync | Performance of contract with creator + creator authorisation |
| Instagram comment sync | Performance of contract with account owner + account owner authorisation |
| AI classification of comments | Performance of contract (GDPR Art. 6(1)(b)) |
| Payment processing | Performance of contract + legal obligation (GDPR Art. 6(1)(b) and (c)) |
| Email communications (transactional) | Performance of contract (GDPR Art. 6(1)(b)) |
| Email communications (marketing) | Consent (GDPR Art. 6(1)(a), PDPL Art. 5) |
| Analytics (GA4, PostHog) | Consent (GDPR Art. 6(1)(a), ePrivacy Art. 5(3)) |
| Marketing pixels (Meta, TikTok, LinkedIn) | Consent (GDPR Art. 6(1)(a), ePrivacy Art. 5(3)) |
| Support tickets | Performance of contract (GDPR Art. 6(1)(b)) |
| Security logging | Legitimate interest (GDPR Art. 6(1)(f)) |
We retain your data for as long as necessary to provide the Service and comply with legal obligations. Specific retention periods are outlined below:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of active account |
| Comment data & AI replies | Duration of subscription |
| AI chat conversations | 90 days, then auto-purged |
| Support tickets | 1 year after resolution |
| Semantic cache entries | 7 days after account deletion |
| Personal data (post-deletion) | Erased within 30 days |
| Payment records | 7 years (UAE financial regulations) |
| Analytics & usage logs | 90 days (aggregated indefinitely) |
| Anonymized statistics | Indefinite (non-identifiable) |
We implement industry-standard security measures to protect your data:
Access to user data is restricted to authorized personnel on a need-to-know basis. We conduct regular security audits, penetration testing, and vulnerability assessments.
In the event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by GDPR and PDPL regulations, providing details about the nature of the breach and steps being taken to mitigate its impact.
NAWA uses YouTube API Services. By connecting your YouTube account, you also agree to be bound by the Google Privacy Policy.
NAWA's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
NAWA accesses YouTube data (channel comments, video metadata, and reply posting) exclusively to provide AI-powered community management features. We limit our use of YouTube data as follows:
You can revoke NAWA's access to your YouTube data at any time via your Google Account permissions page or through your NAWA account settings.
NAWA uses the Instagram Platform APIs. By connecting your Instagram account, you also agree to be bound by Meta's Privacy Policy and Platform Terms.
NAWA's use and transfer of information received from Instagram APIs adheres to Meta's Platform Terms, including the restrictions on prohibited use and sharing of platform data.
NAWA accesses Instagram data (comments on your Instagram media, basic account metadata, and reply posting) exclusively to provide AI-powered community management features. We limit our use of Instagram data as follows:
You can revoke NAWA's access to your Instagram data at any time via your Instagram Account permissions page or through your NAWA account settings. Upon revocation, NAWA will cease accessing your Instagram data and will delete it within 30 days in accordance with Section 5 of this policy.
NAWA is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. Our Terms of Service require that users be at least 18 years old or the age of majority in their jurisdiction.
If we discover that we have collected personal data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact us at privacy@trynawa.com.
The data controller for the purposes of GDPR and UAE PDPL is:
Nawa Labs FZ-LLC
RAKEZ Business Zone
Ras Al Khaimah, United Arab Emirates
License No. 47026996
General inquiries: hello@trynawa.com
Privacy & data subject requests: privacy@trynawa.com
Support: support@trynawa.com
We aim to respond to all inquiries within 48 hours and to all formal data subject requests within 30 days.