Privacy Policy

Last updated: March 18, 2026

1. Overview

Ally ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights. By using Ally, you agree to this policy.

The key principle: each user gets their own physically isolated server. Your data is not shared with other users, not commingled in shared databases, and not used to train AI models. We do not sell your personal data.

2. Your Dedicated Infrastructure

Unlike most AI services, Ally provisions a dedicated server for every user. This means:

  • Your conversation history, memory files, and preferences are stored on infrastructure isolated to your account
  • No other user can access your data — it is physically separated, not just logically separated
  • When you cancel, your server is decommissioned and all data is removed per our retention schedule

Data location: Your dedicated server is hosted by Hetzner in Nuremberg, Germany (EU). Our central platform is also hosted by Hetzner in Singapore. All data processing complies with applicable EU data protection regulations.

3. Data We Collect

Account Data

  • Name and email address (provided at signup)
  • Password (bcrypt-hashed, never stored in plain text)
  • Google account ID and profile picture (if you sign in with Google)
  • Billing information processed by Stripe (we do not store card details)

Usage Data

  • Chat messages and conversation history with your AI assistant
  • Usage percentage per billing period (displayed as a percentage — no raw counts are exposed)
  • Feedback events (ratings on AI responses)
  • Scheduled task configurations
  • Assistant memory files (notes your assistant saves about your preferences)

Integration Data

  • OAuth tokens for connected services (Telegram, Gmail, Google Calendar, Microsoft Outlook) — encrypted at rest
  • Data your assistant accesses through connected integrations (emails, calendar events) — stored only on your dedicated server

Technical Data

  • IP address (for rate limiting and fraud prevention)
  • Server-side logs (request paths, error messages — no message content in logs)
  • Timezone and assistant preferences you configure

4. How We Use Your Data

  • To provide and maintain the AI assistant service on your dedicated server
  • To process payments via Stripe
  • To send transactional emails (account verification, password reset)
  • To enforce usage limits per your subscription plan
  • To detect and prevent fraud and abuse
  • To improve your assistant's responses through nightly analysis of your sessions (running on your own server, not shared)

We do not use your data for advertising. We do not sell your data. We do not use your conversations to train third-party AI models.

5. Third-Party Services

Service | Purpose | Data Shared
Anthropic | AI provider | Chat messages, context
Stripe | Payment processing | Email, subscription data
Resend | Transactional email | Email address, message content
Telegram | Optional chat channel | Messages you send via Telegram
Google (Gmail, Calendar) | Optional integrations | OAuth tokens (encrypted), emails and events your assistant accesses
Microsoft (Outlook) | Optional integration | OAuth tokens (encrypted), emails your assistant accesses
Hetzner | Server hosting (EU) | All data stored on your dedicated server

We may also route through OpenAI or Google AI as fallback providers when Anthropic is unavailable. Fallback usage is temporary and subject to their respective privacy policies.

6. Data Retention

  • Active accounts: data is retained on your dedicated server while your subscription is active
  • On cancellation: your server is stopped at the end of your billing period and scheduled for deletion after a 7-day grace period
  • Data deletion: all data on your server is permanently deleted after the grace period
  • Usage logs: aggregated daily, kept for 12 months

You can export your conversation history and account data at any time from Settings.

7. Data Export

You can export your complete data at any time from Settings > Your Data > Export My Data. This includes your conversation history, assistant memory, scheduled tasks, and account information. Data is exported in standard JSON format for portability.

8. Your Rights (including GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). Regardless of your location, we extend these rights to all users:

  • Access: View all data we hold about you via Settings
  • Export / Portability: Download your complete data at any time in standard JSON format
  • Deletion: Request deletion of your data — cancel your account and all data is removed per our retention schedule
  • Correction: Update your name, email, and preferences in Settings
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing of your data for specific purposes
  • Complaint: You have the right to lodge a complaint with a data protection authority in your jurisdiction

Our legal basis for processing your data is the performance of our contract with you (providing the Service) and our legitimate interests (security, fraud prevention, service improvement).

To exercise any right or for privacy inquiries, contact us at [email protected]. We will respond within 30 days.

9. Security

We implement industry-standard security measures:

  • All data in transit is encrypted via TLS/HTTPS
  • Each user's data is physically isolated on a dedicated server
  • Passwords are hashed using bcrypt (never stored in plaintext)
  • Stripe webhook calls are verified by cryptographic signature
  • API endpoints enforce rate limiting on all authentication routes

10. Cookies

Ally uses minimal, functional cookies only. We do not use third-party tracking cookies or advertising pixels. Your authentication session is stored in a secure, httpOnly cookie that cannot be accessed by JavaScript. We use browser localStorage only for UI preferences (theme, sidebar state). This data stays in your browser and is not sent to third parties.

For a full breakdown of every cookie and local storage entry we set, see our Cookie Policy.

11. Children

Ally is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe a child has registered, please contact us and we will delete the account.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email and via the in-app changelog before material changes take effect.

13. Contact

For privacy questions or to exercise your rights, contact us at [email protected].

See also: Terms of Service · Cookie Policy · Data Processing Agreement