Privacy Policy
Effective: March 19, 2026 | Controller: David Rewenda, [email protected]
Summary: ALLY stores your data exclusively on your account. We never sell your data to third parties. Data is processed solely to provide the service and in compliance with GDPR (EU Regulation 2016/679).
1. Data Controller
The controller of your personal data is:
David Rewenda
Email: [email protected]
Website: allyforlife.ai
Czech Republic
2. What Data We Process
2.1 Registration and Profile Data
- First name, last name, email address
- Date of birth, gender (optional)
- Profile photo (optional)
- Contact phone number (optional)
- Family information β names, relationships, dates of birth (entered by you)
2.2 Financial and Document Data
- Uploaded documents (PDFs, photos of documents, invoices, contracts)
- Invoice records, shopping receipts, expenses
- Bank and insurance details (account numbers, type β not passwords)
- Document numbers (ID card, passport) β stored in the encrypted Vault section
2.3 Communication and Email Data
- IMAP email credentials (password stored only during active connection, encrypted)
- Email metadata processed automatically (sender, subject, attachments)
- Attachment content processed by AI for document categorization
2.4 Calendar Data
- Events entered into the ALLY calendar (birthdays, anniversaries, document expiry dates)
- When Google Calendar is connected: OAuth 2.0 access tokens and synchronized events
2.5 Technical and Operational Data
- IP address, browser and device (for security and diagnostics)
- Application activity logs (logins, processed documents)
- Push notifications (subscriber token stored locally)
3. Purpose and Legal Basis for Processing
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the ALLY service (AI assistant, documents, calendar) | Performance of contract (Art. 6(1)(b)) |
| AI data processing (categorization, summaries, analysis) | Performance of contract + legitimate interests |
| Email monitoring and attachment processing | Performance of contract based on your settings |
| Sending notifications and briefings | Your consent (withdrawable at any time) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Billing and accounting | Legal obligation (Art. 6(1)(c)) |
4. Third Parties and Processors
We use the following processors to provide the service:
| Third Party | Purpose | Location |
|---|---|---|
| OpenAI | AI query processing (GPT-4) | USA (SCCs) |
| Railway | Cloud hosting and data storage | USA (SCCs) |
| Google Calendar API (optional) | USA (SCCs) | |
| Stripe | Subscription payment processing | USA/IE (SCCs) |
| SerpApi | Flight price search (optional) | USA (SCCs) |
SCCs = Standard Contractual Clauses for data transfer to third countries.
We never sell your data. Third parties process data solely within the scope of their specific service.
5. Google API Services
ALLY's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Google Calendar data solely to provide and improve the calendar synchronization feature within ALLY. We do not use Google user data for advertising or share it with third parties except as necessary to operate our service.
6. Data Retention
- Account data: for the duration of the subscription + 30 days after cancellation
- Documents and files: for the duration of the account, or until manual deletion
- Financial records: 5 years (statutory requirement for accounting documents)
- Activity logs: 90 days
- Email credentials: until IMAP connection is disconnected
7. Your Rights (GDPR)
As a data subject, you have the following rights:
- Right of access β obtain a copy of your data
- Right to rectification β correct inaccurate data
- Right to erasure β "right to be forgotten" (in the app: Settings β Delete Account)
- Right to data portability β export data in machine-readable format
- Right to object β to processing based on legitimate interests
- Right to withdraw consent β at any time for consent-based processing
- Right to lodge a complaint β with the Office for Personal Data Protection (ΓOOΓ), www.uoou.cz
To exercise your rights, contact: [email protected]
8. Security
- All communication is encrypted (HTTPS/TLS)
- Passwords are hashed; we never store passwords in readable form
- Sensitive sections (Vault) are protected by a PIN code
- JWT tokens have limited validity
- Data is stored on an isolated Railway Volume (inaccessible to other applications)
9. Cookies and Local Storage
ALLY does not use third-party tracking cookies. We use:
- localStorage β to store the JWT token (login session), display settings
- sessionStorage β for temporary UI states
We do not use Google Analytics, Facebook Pixel, or other tracking tools.
10. Changes to This Policy
We will notify you of material changes by email or in-app notification at least 14 days in advance. The current version is always available at app.allyforlife.ai/privacy-en.
11. Contact
David Rewenda
Email: [email protected]
Website: allyforlife.ai