← back to transparency

privacy policy

last updated 01 June 2026 · effective 01 June 2026

aysra is a research instrument. We don't sell what we collect, we don't use what you submit to train AI models, and we try to keep the data we hold proportionate to running the service.

We collect your email address so you can sign in, the EIN you tell us you're affiliated with, the organizations you save and the notes you put on them, the questions and proposal drafts you submit to our AI features, and standard service logs.

We don't sell your information.

We don't use your queries, prompts, notes, drafts, or saved content to train AI models: ours or anyone else's.

The IRS Form 990 data the platform sits on is public, federal record. It is not "your" data, and we don't treat it as such.

Section 1

who we are

aysra is operated by aysra LLC, an Illinois limited liability company ("aysra," "we," "us"). The service includes the website at aysra.com, the application at app.aysra.com, our APIs, and related interfaces.

You can reach us at ask@aysra.com for any privacy question or to exercise a right described below.

Section 2

what aysra is, and what it isn't

aysra is an analysis layer over public IRS data. Most of what you see on the platform (financial figures, grants paid, officer compensation, organizational addresses) comes from Forms 990, 990-PF, 990-EZ, and 990-N that the IRS publishes as a federal public record under 26 U.S.C. § 6104. That data is about nonprofit organizations and the people they themselves list on their public filings; it is not personal data we collect from you, and we do not treat its publication as a privacy matter on our side.

This policy covers the personal information we collect from you when you visit the marketing site, create an account, sign in, save organizations, use AI features, subscribe to a paid tier, or contact us.

Section 3

information we collect

We collect three categories of information.

you give it to us

When you sign in we collect your email address (Firebase magic-link authorization because we don't store passwords). When you set an EIN affiliation we record the EIN you choose, when you changed it, and prior values. When you save an organization or add a note (up to 750 characters), we store that content. When you submit a question to the Ask drawer, AskGrant™, or Global Ask, the text of your question is processed; when you paste a draft proposal into AskGrant™, that draft is processed as described in Section 5. When you contact support we keep your message and our reply. when you subscribe to a paid tier you provide billing details to our payments processor, see Section 6.

created as you use aysra

When you ask the platform a question through the Ask drawer, AskGrant™, Global Search, or Global Ask, we log the question text, the model used, your tier at the time, response token counts, and latency. We also keep standard server logs: IP address, user agent, request paths, timestamps, and error traces. we use Firebase Analytics to understand which features people use.

inferred from your use

We derive things like usage counts against your tier quota, abuse signals (e.g., unusual request volume), and aggregate product metrics. These are operational signals, not profiles we sell or share.

We don't collect Social Security numbers, financial account details, government IDs, health information, biometrics, location beyond IP-derived approximations, or anything we would consider sensitive personal information.

Section 4

how we use it

We use the information above to:

  • Run your account and let you sign in
  • Deliver the features you use (saved orgs, AI surfaces, search)
  • Enforce tier quotas and process subscriptions
  • Monitor, secure, and debug the service
  • Detect and prevent abuse (e.g., automated scraping, credential stuffing)
  • Respond to you when you contact us
  • Improve aysra: measure which features are useful, find bugs, refine prompts and templates
  • Comply with applicable law, court orders, and tax obligations

Where required by law (for users in the EU/UK/EEA), our legal bases are: performance of a contract for account and subscription functions; legitimate interests for security, abuse prevention, analytics, and product improvement; legal obligation for tax and law-enforcement requests; and consent for non-essential cookies and marketing emails.

Section 5

AI features and how prompts are handled

aysra's AI features (Ask drawer, AskGrant™, Global Ask, Global Search ranking) send your question, along with structured data already retrieved from our database, to Google's Gemini API for response generation. We log each request in our internal ai.request_log table: that table captures the model used, your tier, token counts, latency, and cost, but not the text of your prompt or the model's response.

We want to be specific about training:

  • We do not train AI models on your proposal drafts, your saved org notes, your affiliation, or any other content you provide
  • We use Google's Gemini API under terms that, as of the date above, do not permit Google to use API content to train its generally available models. If those terms change in a way we cannot match through configuration, we will update this policy and tell users before the change takes effect
  • We do not provide your content to any AI vendor for model improvement, fine-tuning, or evaluation outside the request needed to answer your question

5.1 AskGrant™ and pasted proposal drafts

AskGrant™ accepts pasted text, typically a draft proposal or a section of one, and returns Socratic questions derived from the funder's behavioral pattern in their IRS filings. When you paste a draft into AskGrant™:

  • The text is transmitted to Google's Gemini API, on the same no-training basis described above, so the model can generate a response
  • We may log inputs, outputs, and associated metadata in a separate AskGrant™ interaction log so we can monitor quality, debug failures, detect abuse, and (in the future) support product features such as revision history or session continuity. Retention is limited to what is necessary for those purposes and is described in Section 8
  • We do not use your drafts to train models or to enrich any public data product
  • We do not sell your drafts and we do not share them with third parties other than the infrastructure and AI vendors listed in Section 6

If we introduce a feature that materially extends retention of pasted content (for example, a saved-draft history visible across sessions), we will give you a setting to control it and we will update this policy before the feature is enabled.

5.2 responsible use of AskGrant™ and other free-text inputs

When you paste text into AskGrant™ or type a free-form question into Ask drawer or Global Ask, you are responsible for the content you submit. Please do not paste:

  • Social Security numbers, government-issued IDs, financial-account numbers, medical-record information, or other sensitive personal identifiers
  • Identifying information about program beneficiaries, donors, or third parties whom you do not have permission or a lawful basis to share with us and our AI infrastructure vendor
  • Material subject to a separate confidentiality, non-disclosure, or attorney-client obligation that would prohibit you from submitting it to a third-party AI service

Removing the names of individuals before pasting is a reasonable default for most users; aysra does not need identifying information about beneficiaries to do its work.

5.3 AI outputs

AI outputs are probabilistic. We mark every AI-generated claim with a kento glyph in the interface so you can tell at a glance which content is AI-synthesized and which is a direct IRS field value (marked with a hanko glyph). aysra does not make decisions on your behalf that have legal or similarly significant effects, and the platform should not be used as a sole basis for hiring, lending, eligibility, or other consequential individual decisions.

Section 6

service providers and third parties

We share personal information only with the vendors we need to run aysra, and only for the purposes described in this policy. Our current subprocessors are:

Vendor Purpose Location
Google Cloud Platform (Cloud SQL, Cloud Run, Cloud Storage) Application hosting, database, file storage United States (us-central1)
Google Firebase (Auth, Hosting, Analytics) Sign-in, frontend hosting, product analytics United States
Google Workspace Email for ask@aysra.com and similar addresses United States
Google Gemini API AI response generation United States
Stripe, Inc. Subscription billing and payment processing United States
Squarespace, Inc. Marketing site aysra.com United States

Stripe handles card numbers directly under its own privacy policy and PCI-DSS controls. We don't store full payment card numbers on our servers: we receive only billing metadata (last four digits, expiry, billing country, subscription state).

We do not sell or "share" personal information for cross-context behavioral advertising as those terms are defined under California law. We do not use third-party advertising trackers.

We will disclose information when legally required (subpoena, court order, valid law-enforcement request), when needed to protect rights or safety, or in connection with a future business transaction (financing, merger, acquisition, or sale of assets), in which case the recipient will be bound by privacy commitments at least as protective as these.

We update this list when subprocessors change. material additions take effect after the notice period described in Section 15.

Section 7

international data transfers

aysra is operated from the United States and stores data on US infrastructure. If you access the service from outside the US, your information will be transferred to and processed in the US. Where required for users in the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (and, for UK transfers, the ICO's International Data Transfer Addendum) with our subprocessors that act outside their home jurisdictions, and we conduct transfer risk assessments before adopting new subprocessors.

Section 8

how long we keep your data

Data Retention
Account profile (email, affiliation) For the life of the account, plus 30 days after closure
Saved orgs and notes For the life of the account, deleted on account closure or on demand
AI request logs (ai.request_log): metadata only, no prompt/response text 24 months, then either deleted or de-identified
AskGrant™ interaction log: pasted drafts and responses, if retained for operations or future product features Up to 24 months; deleted earlier on account closure or on request, subject to abuse-investigation exceptions
Other AI interaction logs (Ask drawer, Global Ask) 24 months, then deleted or de-identified
Server logs and request traces 90 days
Billing records 7 years (US tax and accounting requirements)
Support correspondence 24 months after the ticket closes
Marketing suppression list Indefinite, minimum fields needed to honor your opt-out
Backups 35 days rolling

Deletion from active systems happens within 30 days of an account-closure or deletion request. Backups expire on the rolling schedule above; we do not selectively edit backups, and we do not restore deleted data to production except where required for a security or disaster-recovery event.

Section 9

your rights

Depending on where you live you may have one or more of the following rights. We honor all of them for everyone in the United States; some are guaranteed by California, Illinois, EU, UK, and similar laws and we'll handle them on that basis where required:

  • know / access. get a copy of what we hold about you
  • correct. fix something that's wrong
  • delete. have us delete your account and the data tied to it, subject to legal exceptions (e.g., we keep billing records for tax purposes)
  • export. receive a copy of your data in a portable format
  • opt out of marketing. use the unsubscribe link in any marketing email or email us. transactional emails (sign-in links, billing receipts, security notices) continue regardless
  • withdraw consent for processing that depends on consent (e.g., non-essential cookies)
  • object or restrict certain processing where the law gives you that right
  • complain to a supervisory authority if you're in a jurisdiction that has one. EU/UK users can complain to their national data protection authority. California users can complain to the California Privacy Protection Agency or the California Attorney General

To exercise a right, email ask@aysra.com from the address on your account or use any in-product control we provide. We may need to verify your identity by sending a confirmation link to the account email. We aim to respond within 30 days (45 calendar days for California requests, with one further 45-day extension where allowed).

If you're an authorized agent acting for someone else, we'll ask for written authorization and proof of identity.

Section 10

cookies and similar technologies

We use cookies and similar technologies for three things:

  • essential. sign-in sessions, security, basic site function. these cannot be turned off because the service won't work without them
  • analytics. Firebase Analytics, which uses cookies and a Google measurement ID to help us understand which features people use
  • preferences. remembering your interface choices

We don't use advertising or cross-site tracking cookies. Where the law requires consent for non-essential cookies (e.g., for users in the EEA or UK), we ask for it through a consent banner; you can change your choice at any time.

Section 11

security

We use technical and operational safeguards including encryption in transit (TLS) and at rest, role-based access controls, separate database roles for read and write, audit logging, secret management, magic-link authentication (no stored passwords), and vendor due diligence for our subprocessors. No system is perfectly secure; you're responsible for protecting your email account and not sharing magic-link URLs.

If we experience a security incident that affects your personal information, we will notify you and any required authority as required by applicable law.

Section 12

children

aysra is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. The service is built for adult researchers, fundraisers, journalists, and grantmakers. If we learn we have collected information from a child under 13, we will delete it. Users between 13 and 18 should use the service only with the involvement of a parent or guardian.

Section 13

California disclosures (CCPA / CPRA)

The following table summarizes the categories of personal information we have collected in the prior 12 months, the sources, purposes, and disclosures, using the categories defined in Cal. Civ. Code § 1798.140.

Category Examples Source Purpose Disclosed to
Identifiers Email, IP address, account ID You; automatic Account, security, communication Hosting, email, analytics vendors
Customer records Affiliation, saved orgs, notes, AskGrant™ pasted drafts You Service delivery Hosting vendor, AI vendor (for processing)
Commercial information Subscription tier, billing metadata You; Stripe Billing, tier enforcement Stripe
Internet / network activity Queries, request logs, analytics events Automatic Service operation, abuse prevention, product improvement Hosting, analytics vendors, AI vendor
Inferences Usage patterns, abuse signals Derived Operations, security None outside vendors above

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not knowingly collect or sell personal information of minors under 16.

California residents may exercise the rights described in Section 9 by emailing ask@aysra.com. You may designate an authorized agent to make a request for you. We will not discriminate against you for exercising these rights.

Section 14

EEA / UK disclosures

If you are in the EEA, UK, or Switzerland, the controller is aysra LLC, contactable at the email above. We do not currently have an establishment in the EEA. we do not maintain an Article 27 representative because we do not target users in the EEA, but if you are in the EEA and use aysra you may still exercise the rights described in Section 9 and lodge a complaint with your national data protection authority.

Legal bases are listed in Section 4. international transfer mechanisms are described in Section 7.

Section 15

changes

We may update this policy to reflect changes in our practices, our subprocessor list, applicable law, or the operation of the service. The "last updated" date at the top reflects the most recent revision.

Material changes, including the addition of a new subprocessor with access to personal data, expansion of how we use personal data, or any change that reduces the protections described in this policy, take effect at least 30 days after notice. We will notify users by email to the address on the account and through an in-app notice. During the notice period, you may close your account if you do not wish to continue under the revised terms; account closure triggers the deletion described in Section 8.

Non-material changes, such as typo corrections, clarifying language, and formatting, take effect immediately on posting and do not require advance notice.

Continued use of the service after the effective date of a material change constitutes acceptance of the updated policy.

Section 16

contact

Privacy questions, requests, general contact: ask@aysra.com

postal: aysra LLC, [STREET ADDRESS], [CITY, IL ZIP]

ask@aysra.com →