Privacy Policy

Last updated: March 2026

1. Overview

Ally ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights. By using Ally, you agree to this policy.

We do not sell your personal data. We collect only what is necessary to provide the Service and improve it for you.

2. Data We Collect

Account Data

  • Name and email address (provided at signup)
  • Password (bcrypt-hashed, never stored in plain text)
  • Google account ID and profile picture (if you sign in with Google)
  • Billing information processed by Stripe (we do not store card details)

Usage Data

  • Chat messages and conversation history with your AI assistant
  • Token usage counts per session and per day
  • Feedback events (thumbs up/down ratings on AI responses)
  • Scheduled task configurations
  • Assistant memory files (notes your agent saves about you)

Technical Data

  • IP address (for rate limiting and fraud prevention)
  • Server-side logs (request paths, error messages — no message content in logs)
  • Timezone and assistant preferences you configure

3. How We Use Your Data

  • To provide and maintain the AI assistant service
  • To process payments via Stripe
  • To send transactional emails (account verification, password reset)
  • To enforce usage limits per your subscription plan
  • To detect and prevent fraud and abuse
  • To improve the service through aggregated, anonymised usage analytics
  • To analyse your agent sessions nightly (using AI) to improve response quality over time

We do not use your data for advertising, and we do not train third-party AI models on your conversation data.

4. Third-Party Services

Service | Purpose | Data Shared
Anthropic (Claude) | AI model provider | Chat messages, context
Stripe | Payment processing | Email, subscription data
Resend | Transactional email | Email address, message content
Telegram | Optional chat integration | Messages you send via Telegram
Hetzner | Server hosting | All data stored on our servers

We may also use OpenAI or Google AI models as fallback providers when Claude is unavailable. Fallback usage is limited and subject to their respective privacy policies.

5. Data Retention

  • Active accounts: data is retained while your account is active
  • Deleted accounts: data is retained for 30 days to allow recovery, then permanently deleted
  • Usage logs: aggregated daily, kept for 12 months
  • Feedback events: kept for 12 months to improve quality

6. Your Rights

You have the following rights regarding your data:

  • Access: View all data we hold about you via Settings
  • Export: Download your complete data (Settings > Privacy > Export)
  • Deletion: Delete your account and all associated data (Settings > Privacy > Delete Account)
  • Correction: Update your name, email, and preferences in Settings
  • Portability: Your conversation data is exported in standard JSON format

To exercise any right or for privacy inquiries, contact us at privacy@myally.app.

7. Security

We implement industry-standard security measures:

  • All data in transit is encrypted via TLS/HTTPS
  • Passwords are hashed using bcrypt (never stored in plaintext)
  • Authentication tokens use signed JWTs (HS256) with 7-day expiry
  • Stripe webhook calls are verified by cryptographic signature
  • API servers enforce rate limiting on all authentication endpoints
  • Infrastructure runs on dedicated servers (not shared hosting)

8. Cookies

Ally does not use third-party tracking cookies. We use browser localStorage to store your authentication token and UI preferences (theme, last-seen changelog). This data stays in your browser and is not sent to third parties.

9. Children

Ally is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe a child has registered, please contact us and we will delete the account.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email and via the in-app changelog before material changes take effect.

11. Contact

For privacy questions or to exercise your rights, contact us at privacy@myally.app.