Effective date: 1 January 2026 · Last updated: 1 March 2026
1. What we collect
Account data
When you create an Ayla account, we collect your name, work email address, and organisation name. This is used for authentication and billing communication only.
API usage data
Each API call logs the request timestamp, endpoint called, response code, and latency. We do not log the full message body of messages you route through the platform. Where message content is evaluated (e.g. for Sender ID compliance), only a hashed representation is retained.
Signals data
Our fraud and delivery intelligence systems process the following signals per message: sender ID, MSISDN (pseudonymised), corridor identifier, timestamp, message type category, and delivery receipt code. Full MSISDNs are pseudonymised using a one-way hash before storage.
Agent session data
When you deploy the Ayla Agent, session transcripts are retained for up to 30 days for quality, compliance, and debugging purposes. Transcripts are stored encrypted and are accessible only to your account and Ayla's compliance team under your data processing agreement.
2. How we use it
We use the data we collect exclusively to:
- Operate and improve the Ayla intelligence platform
- Detect fraud and anomalous messaging patterns
- Score delivery routes and predict carrier degradation
- Provide customer support and resolve technical issues
- Generate anonymised, aggregated industry benchmarks (no individual customer data)
- Comply with applicable law and regulatory obligations
We do not use your data to train AI models without explicit written consent. We do not sell, rent, or share your data with third parties for marketing purposes under any circumstances.
3. Data retention
API logs: 90 days · Signals data: 12 months (aggregated) · Agent transcripts: 30 days · Account data: Duration of contract + 12 months · Audit logs: 7 years (regulatory requirement)
You may request early deletion of any data category except audit logs required for regulatory compliance. See Section 5 for how to exercise this right.
4. Third-party processors
We use a limited set of sub-processors to operate the platform. Each is subject to a data processing agreement with equivalent or stronger protections than this policy:
- Anthropic (Claude AI) — Sender ID compliance reasoning. Only sender metadata is transmitted, not message content.
- Termii — Carrier routing and A2P delivery. Operates under its own data processing terms with carriers.
- Hetzner / DigitalOcean — Cloud infrastructure hosting. Data residency options available on enterprise plans.
- Stripe — Billing and payment processing. Ayla does not store payment card data.
5. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port the personal data we hold about you. You may also have the right to object to or restrict certain processing. To exercise any of these rights, contact privacy@termii.com. We respond within 30 days.
For enterprise customers subject to NDPR (Nigeria) or GDPR (EU/UK), a Data Processing Agreement is available on request and is required before processing personal data of your end users.
6. Security
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Access to production systems is restricted to authorised personnel via hardware security keys and reviewed quarterly. We maintain an incident response plan and will notify affected customers within 72 hours of discovering a breach affecting their data.
7. Contact
For privacy questions, data requests, or DPA inquiries: privacy@termii.com
Postal address: Ayla Technologies Ltd, Victoria Island, Lagos, Nigeria.