Legal
Privacy Policy
Last updated: 7 July 2026
Applies to Ashti (https://ashti.ai)
Who we are
Ashti is an AI-guided mediation service for couples and teams. We are based in Lisbon, Portugal, in the European Union. We are the data controller for the personal information described in this policy.
- Company: Relay Spatial, Unipessoal Lda (Ashti). NIPC: 519203054.
- Privacy contact: privacy@ashti.ai.
We know the conversations you bring to Ashti are among the most personal things you have. We built the product to protect them, and we try to explain here, in plain language, exactly what we do with your data and the choices you have.
The short version
- We collect what we need to run your mediation, take payment, and keep your account secure. Nothing more.
- Your conflict content is treated as highly sensitive. We ask for your explicit consent to process it.
- We never sell your data, and we do not use your private content for advertising.
- Some of the companies that help us run Ashti are based in the United States. Where that is the case, we rely on approved safeguards for the transfer.
- You can access, correct, export, or delete your data at any time.
What we collect
- Account and identity information. Your name, email address, and sign-in details. If you sign in with Google, we receive a Google identifier and your basic profile details.
- Your mediation content. This is the heart of the service and the most sensitive data we hold. It includes your intake answers, the messages you exchange in mediation, the account you give of a conflict, and any images you choose to upload. In a joint space, it also includes the shared resolution we help create.
- Payment information. When you pay, our payment processor handles your card details directly. We receive a confirmation and limited billing information such as your name, email, and the last four digits of your card. We do not store your full card number.
- Technical and security information. To keep the service safe and working, we process limited technical data such as your IP address, device and browser type, and counters we use for rate limiting and abuse prevention. Some of this is used to detect misuse, including unusual pasting patterns.
- Communications. If you email us or receive transactional emails from us, we process those messages.
Why we use your data, and our legal basis
We only use your data for clear purposes, each with a lawful basis under the GDPR.
- To provide the mediation service you signed up for, including intake, the guided conversation, and generating your blueprint or joint resolution. Legal basis: performance of our contract with you.
- To process your sensitive mediation content. Because this content is so personal, we treat it as special-category data and ask for your explicit consent to process it. You can withdraw that consent, and we explain below what happens when you do. Legal basis: your explicit consent.
- To take payment and meet our accounting and tax obligations. Legal basis: performance of our contract, and compliance with legal obligations.
- To keep Ashti secure and prevent abuse, including rate limiting and fraud prevention. Legal basis: our legitimate interests in protecting the service and our users.
- To send you service emails such as sign-in, receipts, and important notices. Legal basis: performance of our contract.
We do not use your private mediation content to train advertising profiles, and we do not sell your data to anyone.
How the AI works with your content
Ashti uses AI models to guide conversations and to help create a resolution. To do this, the relevant parts of your content are sent securely to specialist providers that run these models on our behalf. We choose providers on terms that are intended to prevent your content from being used to train their models and to limit how long they keep it.
If you are in a joint space, the shared resolution is written to be readable by both people. Our system is designed so that material that is private to one person is not quoted, attributed, or revealed to the other. This protection is built into how the resolution is created and is checked automatically.
Who we share data with
We use a small set of trusted service providers to run Ashti. They act on our instructions under data processing agreements. Our current providers include:
- Vercel, for hosting and running the application.
- Neon, for our database.
- Vercel AI Gateway and its model providers (including OpenAI, Cohere, and a Llama provider), for the AI that powers mediation.
- Pinecone, for the search index that helps ground our AI responses. It receives a numeric representation of your query, not the raw text of your conversation.
- Google, for sign-in when you choose it.
- Stripe, for processing payments.
- Resend, for sending service emails.
- ElevenLabs, our voice partner, when you use voice features: converting your speech to text (voice input) and reading the facilitator's words aloud (voice output). We have disabled any use of this content for training their models, and they retain it only on a limited basis under their privacy policy. See “Voice features” below.
- Upstash, for rate limiting and abuse prevention. This does not include your conversation content.
- Google Analytics, for anonymous, opt-in usage measurement on our public pages, only if you accept the cookie banner.
We keep an up-to-date list of these providers and will update it if it changes.
Bring Ashti to Work: if you ask us to introduce Ashti to your HR contact, we process their name and work email once, on the basis of legitimate interest, to send that single introduction after you confirm the request from your own inbox. We do not email them again unless they reply, and we delete unengaged HR contact details within 90 days.
We do not sell your personal data. We may disclose data if the law requires it, or to protect the safety of our users.
If your employer covers Ashti
Some organizations pay for Ashti as a workplace benefit through a per-seat subscription. If yours does, here is exactly what they can and cannot see.
- Your organization learns only two kinds of numbers: how many seats are in use, and how many reports were generated across the whole team in a billing period.
- Your organization never learns whether you personally used Ashti, what you wrote, who you used it with, or what any report says. This boundary is enforced in our code and covered by automated tests, and even our own internal administration tools cannot read your content.
- If your organization's coverage is paused or ends, you will see a notice in the app. Your conversations and any reports you already unlocked remain yours and stay readable.
Voice features
Ashti offers optional voice, both are off until you choose to use them, and each is designed to keep your voice private.
- Speaking instead of typing (voice input). When you use the microphone button, short segments of your speech are sent, over an encrypted connection, to our voice partner ElevenLabs solely to convert them to text. We have turned off any use of this content for training their models, and they retain it only on a limited, temporary basis under their privacy policy. Silence is never transmitted. The resulting text appears in your message box, where you can review, edit, or delete it before anything is sent, and only that text is kept by Ashti. We are working toward a zero-retention agreement and EU-based voice processing as we grow.
- The facilitator speaking aloud (voice output). When you turn this on, we send only the facilitator's own neutral words to the same provider so they can be read back to you. Your private messages are never sent for this.
We ask for microphone access only when you choose voice input, and you can decline or revoke it in your browser at any time without losing any other feature.
International transfers
Some of our providers are based in the United States. When your data is transferred outside the European Economic Area, we rely on legally approved safeguards, such as the EU-US Data Privacy Framework where a provider is certified, or Standard Contractual Clauses, together with additional protections where needed. Where an EU hosting option is available and suitable, we work to use it, and we are actively working to keep more processing within the EU.
You can ask us for more detail about the safeguards that apply to a specific transfer using the contact details below.
How long we keep your data
- We keep your account and mediation content for as long as your account is active. When you close your account, your mediation spaces and their content are deleted within 30 days.
- We keep payment and billing records for 10 years, as required by Portuguese accounting and tax law.
- Security and technical logs are kept only for as long as needed to protect the service.
When a retention period ends, or when you ask us to delete your data and we are able to, we remove it from our systems.
Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct data that is wrong or incomplete.
- Delete your data (the right to be forgotten), subject to any legal reason we must keep some of it.
- Export your data in a portable format.
- Object (Art. 21) to certain processing.
- Restrict (Art. 18) certain processing.
- Withdraw consent at any time for the sensitive-content processing you consented to. Withdrawing consent does not affect processing we already carried out lawfully, and it may mean we can no longer provide parts of the service.
- Complain to a supervisory authority. In Portugal this is the CNPD (Comissão Nacional de Proteção de Dados, www.cnpd.pt). You can also contact the authority in your own country.
To exercise any of these rights, contact us at privacy@ashti.ai. We will respond within the time the law allows, normally within one month.
A note on conversations that involve another person: when you describe someone else in your mediation, that content may also be their personal data. We handle it carefully and minimise it, and we ask you to share only what is needed for your mediation.
How we protect your data
- Data is encrypted in transit.
- Access to your content is limited, and administrative access is tightly controlled.
- We apply rate limits and abuse protections to defend the service.
- Our resolution feature is specifically designed so private material is not exposed to the other person in a joint space.
- We choose service providers with security and privacy commitments, under data processing agreements.
No service can promise perfect security, but we take these responsibilities seriously and keep improving our protections.
Age requirement
Ashti is intended for adults. You must be 18 or older to use the service. It is not directed at children, and we do not knowingly collect data from anyone under 18.
Changes to this policy
If we make meaningful changes to how we use your data, we will update this policy and, where appropriate, let you know directly.
Contact us
If you have any questions about your privacy or this policy, please contact us at privacy@ashti.ai. We are based in Lisbon, Portugal.