Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Ally ("Data Processor") and you, the user ("Data Controller"), and governs the processing of personal data in connection with the Ally service.

This DPA applies to the extent that Ally processes personal data on your behalf, including data you input into the service and data generated during your use of the platform. It supplements our Privacy Policy and Terms of Service.

2. Roles and Responsibilities

  • Data Controller (you): You determine the purposes and means of processing personal data that you input into Ally, including any personal data about third parties that you share with your AI assistant.
  • Data Processor (Ally): Ally processes personal data solely on your behalf and only for the purposes necessary to provide the service as described in this DPA and the Privacy Policy.

Ally will process personal data only on documented instructions from you (including the instructions set out in these terms) and will not process your data for any purposes other than providing and improving the Ally service.

3. Types of Data Processed

The following categories of personal data are processed in connection with the service:

Identity and Contact Data

  • Name and email address
  • Telegram user ID (if Telegram integration is enabled)
  • Google account ID (if Google sign-in is used)

Conversation Data

  • Chat messages and conversation history with your AI assistant
  • Any personal data about third parties you choose to share in conversation
  • Assistant memory files (notes your AI agent saves about you over time)
  • Session logs (JSONL format, containing full conversation transcripts)

Usage and Operational Data

  • Token usage counts per session and per billing period
  • Feedback events (thumbs up/down ratings on AI responses)
  • Scheduled task (cron) configurations and execution logs
  • IP address (retained for rate limiting and fraud prevention)
  • Timezone and UI preference settings

Billing Data

  • Subscription status and plan type
  • Payment records (processed by Stripe — card details are never stored by Ally)

4. Sub-processors

Ally engages the following sub-processors to provide the service. We ensure each sub-processor is bound by data protection obligations no less protective than this DPA.

| Sub-processor | Role | Data Shared | Location |
|---|---|---|---|
| OpenClaw | AI agent runtime engine | Conversation sessions, memory files | On-premises (our servers) |
| Anthropic | Primary LLM provider (Claude) | Chat messages, context window | USA |
| Google (Gemini) | Fallback LLM provider | Chat messages (fallback only) | USA |
| OpenAI | Fallback LLM provider | Chat messages (fallback only) | USA |
| Resend | Transactional email delivery | Email address, email content | USA |
| Stripe | Payment processing | Email, subscription data | USA |
| Hetzner | Server infrastructure and hosting | All data stored on our servers | Germany / EU |

We will notify you of any intended changes to the above list of sub-processors, giving you the opportunity to object before the change takes effect.

5. Data Retention

  • Active accounts: Data is retained for the duration your account is active and your subscription is valid.
  • After account deletion: All personal data is retained for 30 days to allow account recovery, then permanently and irreversibly deleted.
  • Aggregated usage logs: Anonymised, aggregated statistics (e.g. daily token totals) may be retained for up to 12 months for service improvement purposes.
  • Billing records: Financial transaction records may be retained for up to 7 years as required by applicable law.

6. Security Measures

Ally implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

  • Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher (HTTPS enforced).
  • Encryption at rest: Database volumes are encrypted at rest on Hetzner infrastructure.
  • Access controls: Access to production systems is restricted to authorised personnel only, with credentials managed via SSH keys and enforced least-privilege principles.
  • Authentication security: Passwords are hashed using bcrypt. Session tokens are signed JWTs with short expiry windows.
  • Rate limiting: All API endpoints are protected by rate limiting to prevent brute-force and abuse attacks.
  • Regular backups: Automated daily PostgreSQL backups with 7-day retention and off-site storage.

7. Data Subject Rights

As Data Controller, you are responsible for responding to requests from data subjects regarding their rights. Ally will assist you in fulfilling these obligations. Data subjects may exercise the following rights:

  • Right of Access: View all personal data held by Ally via the Settings page.
  • Right to Rectification: Update name, email, and preferences directly in Settings.
  • Right to Erasure: Delete the account and all associated data via Settings → Privacy → Delete Account.
  • Right to Data Portability: Download a complete export of all personal data in JSON format via Settings → Privacy → Export Data.
  • Right to Restriction: Contact us at dpo@myally.app to request restriction of processing.

We will respond to data subject access requests submitted via the above channels within 30 days.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Ally will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of individuals and data records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

9. International Transfers

Some sub-processors listed in Section 4 are based in the United States. Where personal data is transferred outside the country of origin, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or reliance on sub-processors' certifications under applicable data transfer frameworks.

10. Governing Law

This DPA is governed by the laws of Singapore. Any disputes arising under this agreement shall be subject to the exclusive jurisdiction of the courts of Singapore.

11. Contact

For questions about this DPA or data processing matters, contact our Data Protection Officer: