Privacy Policy — Aski

Version 1.6 · Last updated: June 19, 2026

Aski is a conversational assistance mobile app that connects to the user's own ERP systems: Odoo, SAP S/4HANA and SAP Business One. For clarity, wherever this policy mentions "Odoo" or "your instance," it applies equally to your SAP connection (S/4HANA or Business One). This policy describes what data we collect, how we use it, with whom we share it and your rights over it.

1. Data we collect

1.1 Data you provide to us

• Aski account credentials: email address and password (stored as a bcrypt hash, never in plain text).
• Your ERP credentials (Odoo or SAP): server URL, database or service user, and the key or API Key (encrypted at rest with AES-256-GCM).
• Chat messages you type or dictate with the microphone.

1.2 Data generated by your use

• History of queries with the language model (questions, answers, token consumption and latency).
• Microphone audio: it is processed locally on your device using the operating system's speech recognition. Only the transcribed text is sent to our servers. We do not store audio files.
• Billing and subscription history (Google Play Billing purchases).
• FCM token (Firebase Cloud Messaging) to send push notifications.

1.3 Technical diagnostic data (Sentry)

When an error or app crash occurs, we automatically collect:

• Error stack trace
• Device model and Android version
• App version
• Recent events (app lifecycle, anonymized taps, network requests without content)

We do NOT collect your IP address automatically (the isSendDefaultPii option is disabled). We do NOT include the content of your messages or credentials in these reports.

1.4 Data we do NOT collect

• Precise or approximate location
• Device contacts
• Photos, videos or other files
• Advertising identifiers
• Usage metrics of third-party applications
• Behavioral data for advertising profiling

2. System permissions we request

• INTERNET — Connection with our backend and your Odoo instance.
• ACCESS_NETWORK_STATE — Detect whether you have an active connection before sending queries.
• RECORD_AUDIO — Only when you press the microphone button to dictate a query by voice. The audio is processed locally; it is never transmitted.
• VIBRATE — Tactile confirmation when receiving answers or notifications.
• POST_NOTIFICATIONS — Display push notifications sent by the administrator (service notices, operational alerts).

3. How we use your data

• Authenticate you and keep your session active.
• Connect to your Odoo using the credentials you provided.
• Process your queries through Anthropic's Claude language model.
• Manage your account, credits and subscription.
• Detect and fix errors in the app.

We do not perform automated profiling with legal effects on you. We do not sell your data. We do not use your queries or your Odoo information to train artificial intelligence models.

3.1 Email communications

We may send you service-related emails to the email registered in your Aski account:

• Transactional (always active): registration confirmation, password recovery, payment receipts, security notices, material changes to these terms. You cannot disable them without closing the account, since they are part of providing the service.
• Onboarding and support: welcome messages, guides to set up your first Odoo connection, brief improvement surveys during the first 30 days.
• Product news: new features, announcements and occasional promotions about plans and credits.

Each non-transactional email includes a visible link to unsubscribe from that category without affecting transactional notices. You can also request the complete opt-out of non-transactional communications by writing to contacto@aski.dev with the subject "Cancel communications".

4. With whom we share your data

4.1 Anthropic, PBC (United States)

We send the content of your messages and your Odoo schema (model and field names, not business data) to generate answers. Anthropic retains this content for up to 30 days for abuse detection, according to its terms. It does not use it for training.

Policy: https://www.anthropic.com/legal/privacy

4.2 Railway Corp. (United States)

Hosts our backend and database. It has operational access to the infrastructure but does not query the data directly.

Policy: https://railway.com/legal/privacy

4.3 Google LLC — Firebase Cloud Messaging (United States)

Receives your device's FCM token to deliver push notifications. We do NOT share the content of your messages with Google. Each notification contains only a title and a short body.

Policy: https://firebase.google.com/support/privacy

4.4 Google Play Billing (United States)

Processes payments for subscriptions and credit packages. It receives the payment data directly; we only receive confirmation of the transaction.

Policy: https://policies.google.com/privacy

4.5 Sentry — Functional Software, Inc. (United States)

Receives technical reports of errors and performance (described in section 1.3). They do not include the content of your messages or credentials.

Policy: https://sentry.io/privacy/

4.6 Your Odoo instance

When you make a query, the backend connects to your Odoo with the credentials you provided and reads the data needed to answer. This data returns to your device through our backend but is not stored in it beyond the message history.

4.7 LinkedIn — Insight Tag (marketing website only)

Our public website (aski.dev) uses LinkedIn's Insight Tag to measure the effectiveness of our ads —how many visits convert into registrations— and to obtain aggregated audience statistics. When you visit the site, LinkedIn may receive standard browsing data (IP address, browser type, pages visited and, if you are signed in to LinkedIn, your member identifier). The Insight Tag is present only on the public marketing pages; it is NOT used within the app, nor in the sign-in flow, nor on any page with sensitive data. You can disable this tracking from your LinkedIn account's ad settings.

Policy: https://www.linkedin.com/legal/privacy-policy

4.8 Paddle.com Market Limited (United Kingdom) — web payments

For purchases made on our website (app.aski.dev), payments are processed by Paddle, acting as Merchant of Record. Paddle receives the payment data directly; we only receive confirmation of the transaction and the billing data needed to issue the receipt. This does NOT apply to purchases within the Android app, which are processed exclusively via Google Play Billing (section 4.4).

Policy: https://www.paddle.com/legal/privacy

5. Security

• All client ↔ backend and backend ↔ Odoo communication travels over HTTPS/TLS 1.2 or higher.
• Your Aski password is stored as a bcrypt hash.
• Your Odoo API Key is encrypted with AES-256-GCM before being stored.
• Session tokens use JWT signed with a server secret key.
• On your device, credentials are stored in EncryptedSharedPreferences (AES-256-GCM with a key managed by the Android Keystore).
• Operational access to the database is restricted to a minimal number of administrators and is audited.

Sensitive business data: your Odoo credentials and queries to your ERP may contain commercially sensitive information (customers, invoices, inventories). We apply encryption at rest and in transit; only the backend decrypts to fulfill your specific query.

6. Data retention and deletion

6.1 Active account

While your account is active, we keep your profile, encrypted credentials, message history and billing history.

6.2 Account deletion FROM the app (recommended)

• Open Aski → Settings → "Delete my account".
• Confirm by typing "DELETE" (or "ELIMINAR" if your app is in Spanish) and enter your current password.
• The deletion is immediate and permanent.

6.3 Account deletion by email (alternative)

If you cannot access the app, send an email to contacto@aski.dev with the subject "Delete account" and include the email registered in Aski. We process the request within a maximum of 30 calendar days.

6.4 What is permanently deleted

• Your chat history with all connections
• Your Odoo credentials (URL, database, user, encrypted API Key)
• The vocabulary the app learned from your queries
• Your FCM token (push notifications) and all active sessions on your devices
• The notifications the administrator has directed to you

6.5 What is retained by legal requirement

• Billing history (subscriptions, credit purchases, transactions) for 5 years, in accordance with Peru's tax regulations (SUNAT).
• Your internal identifier remains associated with an anonymized email of the type "deleted_<id>@aski.local" without your real email or your password — only to preserve the integrity of the billing records.

6.6 Delete individual connections without deleting the account

From Settings → Odoo Connections → delete specific connections without touching your account or the rest of your data.

7. Your rights

Under Peru's Personal Data Protection Law 29733 and the European Union's General Data Protection Regulation (GDPR), you have the right to:

• Access the personal data we hold about you.
• Rectify incorrect data.
• Delete your account and associated data (see section 6).
• Export your chat history in a portable format (request it by email).
• Revoke access to your Odoo by deleting the credential from the app.
• Object to the processing of your data.

To exercise any of these rights, write to contacto@aski.dev. We respond within a maximum of 7 business days.

8. Minors

Aski is designed for business and professional use. It is not directed to children under 13. If we discover that we have collected data from a child under 13 without verifiable parental consent, we delete that data immediately.

9. Changes to this policy

This policy may be updated to reflect changes in the app, in third-party services or in applicable legislation. When we make material changes, we will notify you through a notice within the app before they take effect.

Version history

• 1.0 — Initial version.
• 1.1 — May 15, 2026: Anthropic retention details, GDPR/Peru rights.
• 1.2 — May 30, 2026: Sentry, FCM, POST_NOTIFICATIONS, account deletion flow by email.
• 1.3 — May 30, 2026: Deletion flow FROM the app (Settings → "Delete my account"), SUNAT anonymization.
• 1.4 — May 30, 2026: Third-party independence, data flow to your Odoo instance, trademark acknowledgment.
• 1.5 — June 5, 2026: Section 3.1 on email communications (transactional, onboarding, news) with the right to unsubscribe per category.
• 1.6 — June 19, 2026: Support for SAP connections (S/4HANA via OData and Business One via Service Layer); policy scope extended to SAP, data flow to your SAP instance and acknowledgment of SAP SE trademarks.

10. Third-party independence and trademarks

10.1 Third-party independence

Aski is independently developed by Jhon Jairo Rojas Ortiz (Peru). We are not affiliated with, associated with, authorized by or endorsed by Odoo S.A., SAP SE, OCA, Anthropic PBC, Railway Corp., Google LLC, Functional Software Inc., or any other mentioned entity. The mentions identify products and services that Aski interacts with.

10.2 Data flow to your instance (Odoo or SAP)

The configured Odoo connections send the AI-generated queries from our server directly to the URL of YOUR Odoo instance (the one you specify) via XML-RPC over HTTPS. Odoo S.A. does not participate: your Odoo data never reaches Odoo S.A. servers, except if your instance is hosted on Odoo.sh (your decision as a customer).

In the same way, the SAP connections (S/4HANA via OData or Business One via Service Layer) send the queries directly to the URL of YOUR SAP system, with the service user your IT team configures. SAP SE does not participate: your SAP data never reaches SAP SE servers. Aski operates in read-only mode and only accesses what that service user can see.

10.3 Trademarks

• Odoo® is a registered trademark of Odoo S.A. (Belgium).
• SAP®, SAP S/4HANA® and SAP Business One® are registered trademarks of SAP SE (Germany).
• Anthropic® and Claude® are registered trademarks of Anthropic PBC (United States).
• Google®, Android®, Google Play®, Firebase® are registered trademarks of Google LLC (United States).
• Railway® is a registered trademark of Railway Corp. (United States).
• Sentry® is a registered trademark of Functional Software, Inc. (United States).
• The other trademarks mentioned belong to their respective owners and are used solely in a descriptive manner.

11. Contact

Data controller:

Jhon Jairo Rojas Ortiz
Email: contacto@aski.dev
Country: Peru