Privacy Policy
Last updated: March 2, 2026
- Lia collects what's needed to run: your profile info, OAuth tokens (encrypted), and memory files
- Lia reads your email and calendar when you ask — and doesn't store the content
- Voice messages are transcribed and the audio is deleted
- No AI training on your data (not Lia, not the AI providers)
- Your data lives in your own isolated workspace — no one else can see it
/disconnectremoves Google access instantly./deletewipes everything.
Who Lia Is
Lia is your AI personal assistant. You interact with Lia via Telegram (@lia_cos_bot). Lia connects to your email, calendar, and the web to handle tasks on your behalf.
This privacy policy explains what data Lia collects, how it's used, who it's shared with, and how you control it.
Contact: hello@belowthesurface.studio
What Data Lia Collects
Information You Give Us
When you start using Lia, she asks for:
- Your name
- Your city (to figure out your timezone)
- Your Telegram user ID (automatically provided by Telegram)
If you connect Google via /connect:
- OAuth tokens that let Lia access your Gmail, Google Calendar, Google Drive, and Google Contacts
- These tokens are encrypted (AES-256-GCM) and stored in Lia's database
If you upgrade to a paid plan:
- Payment information (handled entirely by Stripe — Lia never sees your card details)
- Stripe provides a customer ID and subscription ID to manage your account
Information Lia Accesses (But Doesn't Store)
When you connect Google and ask Lia to do something, she reads:
- Gmail: Your emails (subject, sender, body) — read on-demand, never cached or stored
- Google Calendar: Your events (title, time, attendees, location) — read when needed, not saved
- Google Drive: Files you share or ask about — accessed temporarily, not stored
- Google Contacts: Your contacts list — read to help with emails and meetings, not saved
Critical: Lia reads your email and calendar when you ask her to. She does not store the content. She processes it in-memory during the conversation and then it's gone.
Information Lia Stores
| What | Where | How Long | Can You Delete It? |
|---|---|---|---|
| Your profile (name, city, timezone) | Lia's database (Supabase) | Until you run /delete |
Yes — /delete |
| OAuth tokens (encrypted) | Lia's database | Until you /disconnect or /delete |
Yes — /disconnect or /delete |
| Payment info (Stripe IDs) | Lia's database | Until you /delete |
Yes — /delete |
| Memory files (daily notes, MEMORY.md) | Lia's server (your workspace) | Persistent until /delete |
Yes — /delete |
| Conversation history | Lia's database (Supabase) | Persistent until /delete |
Yes — /delete |
| Pending email drafts | Lia's database (Supabase) | Until sent, rejected, or /delete |
Yes — /delete |
| Contact scores and VIP data | Lia's database (Supabase) | Until /delete |
Yes — /delete |
| Daily message count | Lia's database | Rolling 24 hours | Auto-resets daily |
Information Lia Does NOT Store
- Raw email content (Lia reads it when you ask, then forgets it)
- Calendar event bodies or details
- Voice audio files (Lia transcribes them with OpenAI Whisper, then deletes the audio immediately)
- Anything on third-party servers beyond what the AI providers need to process your requests
How Lia Uses Your Data
Lia uses your data for one reason: to provide the service you signed up for.
Specifically:
- Your name and timezone help Lia greet you and schedule things correctly
- OAuth tokens let Lia access your Gmail, Calendar, Drive, and Contacts when you ask
- Memory files help Lia remember your preferences, contacts, and patterns so she gets better over time
- Payment info (via Stripe) manages your subscription
- Message counts help monitor usage and maintain service quality
Lia does not:
- Sell your data
- Share it with advertisers
- Use it to train AI models
- Show it to other Lia users (your workspace is isolated)
Data Isolation
Each user gets their own isolated workspace. Your data is completely isolated:
- No other user can see your memory files, OAuth tokens, or conversation history
- Database queries are scoped by your user ID — no cross-user access
- Your workspace directory is separate from everyone else's
Think of it like separate apartments in a building. You have your own space. No one else has the key.
Third-Party Services
To provide the service, Lia uses:
| Service | What It Does | What They Access |
|---|---|---|
| Anthropic (Claude) | AI language model for understanding your requests and responding | Your messages to Lia, context from your memory files |
| Google (Gemini) | AI language model (alternative/fallback) | Your messages to Lia, context from your memory files |
| OpenAI (GPT-4, Whisper) | AI model for specific tasks + voice transcription | Your messages, voice messages (audio deleted after transcription) |
| ElevenLabs | Text-to-speech for voice responses | Text of Lia's responses (when you use voice mode) |
| Google APIs | Gmail, Calendar, Drive, Contacts access | Your email, calendar, files, contacts (read on-demand; draft content and contact metadata may be stored temporarily) |
| Stripe | Payment processing | Your payment info (Lia never sees card details) |
| Supabase | Database hosting | Your profile, OAuth tokens (encrypted), payment IDs, message counts |
| Perplexity (Sonar) | Public profile enrichment | Your name and public information (used to build your profile context) |
| Railway | Server hosting | Your workspace files (memory, logs) |
AI Training
Lia does not train AI models on your data.
The AI providers (Anthropic, Google, OpenAI) process your requests to generate responses, but:
- Anthropic: Does not train on API data
- Google: Does not train on API data
- OpenAI: Does not train on API data (Lia uses their business tier)
Your conversations with Lia stay between you and Lia. They don't become training data for future AI models.
Your Controls
You have full control over your data:
/settings— View your account info, subscription, and usage/disconnect— Remove Google access instantly (OAuth tokens deleted, Lia can no longer read your email/calendar)/delete— Delete your entire account (profile, OAuth tokens, memory files, payment records, everything)/export— Download a copy of your memory files
Note: /delete is instant and irreversible. Once you delete, your data cannot be recovered.
Data Retention
- Memory files persist until you run
/delete - OAuth tokens: Stored until you
/disconnector/delete - Payment info: Stripe IDs stored until you
/delete(Stripe keeps their own records per their policies)
Security
Lia takes security seriously:
- OAuth tokens are encrypted with AES-256-GCM before storage
- Database access is restricted and logged
- API keys are stored in environment variables, not code
- Your workspace is isolated from other users
- All connections use HTTPS
If you notice suspicious activity, reach out immediately at hello@belowthesurface.studio.
Children's Privacy
Lia is not intended for children under 13. Lia does not knowingly collect data from users under 13. If discovered, it will be deleted immediately.
Changes to This Policy
If significant changes are made to this privacy policy, you'll be notified via Telegram before the changes take effect. Minor updates (clarifications, typo fixes) won't trigger a notification.
Contact
Questions about privacy? Email: hello@belowthesurface.studio