Privacy Policy

Ally AI Assistant · Last updated: June 1, 2026

 

Effective: April 2026

Before you read this legal document: Ally also publishes a plain-language version of its privacy commitments at allyapp.one/privacy-principles. That page explains, in human language, what Ally does with your data. This legal Privacy Policy and the plain-language principles page are complementary — the principles page is what we believe, this document is the legal framework for those beliefs.

1. Who We Are

Ally, Inc. ("Ally", "we", "us", "our"), a Delaware C Corporation (EIN: 37-2215465), operates the Ally AI Assistant application available at allyapp.one and via our Progressive Web App (PWA). We are the data controller for personal data processed through the Ally service. Ally, Inc. is incorporated in Delaware, USA and has no establishment in the European Union or European Economic Area. Ally, Inc. is subject to GDPR where it offers services to individuals in the EEA or monitors their behaviour. In accordance with Article 27 of the GDPR, Ally, Inc. will appoint an EU Representative before processing personal data of EEA residents at scale.

Ally operates five service tiers: a 5-day full-feature trial (begins on first assistant conversation, extendable to 10 days for active users), a free tier (up to 30 user-initiated conversations per day plus unlimited assistant-initiated conversations, up to 3 proactive messages per week, blurred network map for top connections), a Premium tier ($2.99/month or $29.99/year for Georgia and the English-language service for all other countries; for Argentina, $2.99/month or $29.99/year for the first 200 paid subscribers as a lifetime grandfather and $4.99/month or $49.99/year thereafter — see Terms of Use for full details), a Pro tier at $19.99/month or $179.99/year (for power users), and an Enterprise tier at $79/month or $599.99/year (for high-volume individual users). Subscription data is processed by Paddle.com Market Ltd ("Paddle"), which acts as the Merchant of Record — the legal seller of record — for Ally subscriptions, handling payment processing, billing, and sales-tax collection on our behalf. We collect subscription status and payment history to manage your account.

App preferences: we store your theme preference (dark, light, or system), and which in-app tutorial tips you have seen or dismissed. These are stored to provide a consistent experience across sessions. Lawful basis: contract performance.

Phonebook synchronisation: if you grant permission, Ally checks your device phonebook nightly at 3:00 AM to detect new contacts added since your last sync. Only new contact names and phone numbers are read — existing contacts are not re-read. New contacts found are added to your Ally contact list and you are notified by the assistant. This permission is optional and can be revoked at any time in your device settings. We do not share phonebook data with third parties. Lawful basis: your explicit consent.

Contact us about privacy:

Email: info@allyapp.one

Registered agent: Corporation Service Company (CSC), 251 Little Falls Drive, Wilmington, New Castle County, Delaware 19808, USA | Correspondence: Ally, Inc. c/o Tornike Abuladze, 1328 Botetourt Gardens, Norfolk, VA 23517, USA

2. What Data We Collect and Why

2.1 Data You Provide When Registering

The registration form collects five required fields plus one optional field.

2.1A Data You Publish in Your Profile

After registration, you can add and edit two profile fields from the "Edit Profile" screen on the You tab. These fields are SELF-DESCRIBED — you write them, you control them, you can delete them at any time. They are visible to other Ally users who view your profile card. When other users see your self-described content, it appears with a clear visual badge ("✏️ Self-described") that distinguishes it from network-verified information about you.

You can delete either field at any time by clearing it in the Profile Editor and saving — the deleted content is removed from public view immediately and from our backups within 30 days. Self-described content does NOT replace or override information that the network has verified about you (tags); the two layers coexist on your profile card with clear visual distinction.

2.1B Phone Numbers Attached to Your Account

Your account may have up to 3 phone numbers attached. The first is added at registration and is your "primary" number — used for SMS notifications, default OTP login, and as the default phone shown if you publish it via a Service Provider Profile. Additional numbers can be added from Settings → Phone, each verified by OTP before becoming active. We retain phone numbers under contract performance (Art. 6(1)(b)) for as long as they are attached to your account. When you change your number, we run a migration so that data other Ally users have written about you follows the change automatically. The released number remains associated with your account for 7 days as a grace window, after which it is fully unbound. When you remove a number, that number is similarly unbound after 7 days. We do NOT retain released numbers beyond what is necessary to operate the grace mechanism. For your protection: any change to your primary phone number requires you to verify both the old and the new number via OTP, and triggers a 72-hour hold on financial withdrawals. This is a fraud-prevention measure and cannot be bypassed.

2.2 Contact Data You Import

Relationship categories: you may assign one of five relationship warmth categories to your contacts (Ally, Loyal, Connections, Just Contact, or an AI-suggested category). These categories are stored and used to colour-code connection paths and to rank introductions by relationship strength. AI-suggested categories are estimates, not facts, and can be overridden at any time. Relationship category data is never shared with third parties or shown to the contacts being categorised. Lawful basis: legitimate interests.

Special category data (GDPR Article 9): Ally's tag and description pipeline automatically blocks certain categories of sensitive vocabulary from being stored. Specifically, any word or phrase revealing sexual orientation or gender identity is blocked at the point of extraction and never written to our database. This applies to tags derived from contact names, user descriptions, and imported data. If you describe a contact in a way that includes such vocabulary, it is silently discarded. Romantic relationship history and dating app context are handled with the same protection. Lawful basis for the blocking: compliance with Article 9 obligations.

When you import your phonebook, Ally processes the names and phone numbers of your contacts. This is the core data that enables the assistant to understand and navigate your network. Important: your contacts have not registered with Ally. We process their data on the basis of legitimate interests. We take this responsibility seriously and have implemented multiple safeguards:

 

  • We receive and store the full contact record you import. When you sync your phonebook, Ally takes what is saved in each contact — names, phone numbers, email addresses, the photo you saved, postal address, organisation/job title, and any free-text notes or labels you wrote. The one exception is special-category content, which is filtered out before storage.

  • What we filter out and never store: words or notes revealing sexual orientation, gender identity, dating-app context, romantic-relationship history, or health conditions are blocked at the point of import and never written to our database (GDPR Article 9 protection).

  • What other Ally users can and cannot see: the names, notes, and categories you save about a contact stay private to you. Information about a contact becomes a shared signal only when at least two unrelated users independently record the same factual term (employer, profession, city) — and even then, the people who contributed it are never revealed (Symmetric Blindness).

    • We do not contact your contacts directly

    • We do not sell or share contact data with advertisers or data brokers

    • Any person whose number appears in our system may request access or deletion via allyapp.one/privacy/my-data

 

Where multiple Ally users independently describe the same contact in similar ways, Ally may store derived inferences such as likely profession or employer. Non-registered contacts may view and formally dispute any inaccurate inference via the rights portal. A disputed inference is immediately flagged and reviewed within 30 days.

Photos imported from phonebooks: When you import your phonebook, the photos you have saved of your contacts are processed by an automated content filter (rejecting nudity, photos containing only children, and explicit content). Photos that pass the filter are stored. For contacts who are themselves registered Ally users, those photos can become visible to those users on their own profile — a deliberate transparency mechanism giving every Ally user the right to see what photos of them are circulating and the right to remove any photo they don't want. We do NOT show subjects which user saved a particular photo. You will be reminded of this once during the phonebook sync consent flow. Lawful basis: legitimate interests (Art. 6(1)(f)), supported by an explicit transparency moment in the consent flow.

 

Tag system: Ally operates a three-tier filtering system for words extracted from contact labels: (a) Blocked words ("red tier") — disrespect, profanity, or relationship-disclosure words — stored privately but never made visible to other users; (b) Convergence-gated words ("yellow tier") — ambiguous words that become visible to other users only when at least two distinct, unrelated users have associated the same word with the same phone number; (c) Immediately visible words ("green tier") — categorically safe descriptors such as first names, surnames, profession names, company names, and cities. Sensitive-category vocabulary is filtered at the input level before any storage, regardless of tier. Tags can be viewed and removed by the tagged contact via the rights portal — each contact has the right to remove up to 3 tags they disagree with.

 

Mutual contact paths: if your phone number appears in two different Ally users' phonebooks, Ally may surface you as a mutual contact between them. Each user sees only their own name for you; Ally never reveals one user's name for you to another. You can prevent this by registering a permanent opt-out at allyapp.one/privacy/my-data.

 

Reverse phonebook visibility (between Ally users only): When you and another user are both registered Ally users, and the other user has your phone number saved in their phonebook, Ally may show you that the other user "has you saved" — even when you do not have that user's number. This visibility applies only between two registered Ally users. The visibility is symmetric: each side knows the other has them in their phonebook; neither side can see the name the other saved them under, the description, or the category. Either side may switch this off at Settings → Privacy (default ON for new accounts). Lawful basis: legitimate interests (LIA available on request).

 

Continuity of contact relationships at registration: A person whose phone number has already been imported by other Ally users may, upon registering, find that the network already contains contextual information about them. Ally may use this pre-existing data to give new users immediate visibility into the connections that already include them. The same per-account controls apply. Lawful basis: legitimate interests.

2.3 Conversation Data

Your conversations with your Ally assistant are stored to provide the service. We store conversation summaries (not full transcripts) for context between sessions. Full conversation logs are retained for 12 months then deleted. Summaries are retained for 3 years to maintain assistant continuity.

2.4 LinkedIn Import (Optional)

If you choose to upload your LinkedIn data export, Ally processes: (a) your own professional history — work positions, education, and skills; (b) your LinkedIn connections — name, email address (if available), current employer, and current job title. Your own professional history enriches the assistant's understanding of your background. Your connections' data is stored to match against your phonebook contacts and to enrich your network map. Connection data is never shared with third parties and can be deleted via our data rights portal. Lawful basis: legitimate interests — you deliberately exported and uploaded this data.

2.5 Learning Data

With your consent (which you can withdraw at any time), Ally builds a personal learning profile based on your communication style, response patterns, and preferences. This enables the assistant to adapt to how you like to communicate. You can view a summary of what we have learned at Settings → My Data, and delete it at any time.

 

2.5B Avoidance-Word Detection in Your Descriptions

When you describe a contact in your own words (for example, "Maya — ex-girlfriend"), Ally scans your description for words that suggest you wish to avoid that person. If your description contains such a word, the contact may be included in a periodic mixed-list network review ("Proactive Blocking Suggestions") where you can choose to hide that contact from path-finding. The list is always mixed with several other contacts who have no such signals, so the contact cannot be identified as the trigger. We use this feature only to suggest blocks to you. We never share the avoidance signal with the contact. You can disable Proactive Blocking Suggestions entirely at Settings → Privacy. Lawful basis: legitimate interests (LIA available on request).

2.5C Goals You Tell Ally About (Strategic Network Plan)

Ally remembers the goals you tell it about — your professional ambitions, things you want to learn, people you want to meet, communities you want to join. We store: the life area, what you said the goal is, the timeframe, the deadline if any, the mode (Steady or Campaign), the current status, and which other goal it links to, plus an audit trail of lifecycle events.

 

The Network-Translation Rule: Ally accepts goals in any life area, but only generates relationship-and-network coaching tasks for them. Ally does not coach you on non-network actions like "study for two hours today" or "go to the gym".

 

Special-category goals (privacy-by-design): When you tell Ally about a goal that touches GDPR Article 9 special categories — health, religion, ethnicity, sexual orientation, political views — Ally stores only the relationship action that would help, never the underlying detail. If even the relationship angle would reveal special-category information, Ally refuses to store the goal entirely and offers single-session help instead.

 

Retention rules for goals: Active goals are kept indefinitely while you keep them active. Parked goals are kept for three years dormant — at the three-year mark we ask once whether to keep remembering the goal. Completed goals are kept for three years from completion and then deleted, with anonymous aggregate counters retained. Abandoned goals are deleted one year after abandonment.

 

Your control: You can read, edit, or delete any goal at any time, in chat or in the Goals card UI. You can disable the Goals feature entirely in Settings. Article 15 (access) export includes your goal data; Article 17 (erasure) is hard, immediate, and irreversible per goal. Lawful basis: legitimate interests (Art. 6(1)(f)). All goal data is your own data about yourself — never shared with other users.

2.5D Your Assistant's Growth Card (Network Streak)

 

Ally tracks a daily streak of your network-building activity and shows it as the Assistant Growth Card at the top of the You tab. Activity that keeps your streak alive includes describing a contact, accepting or completing a coaching task, touching a goal, confirming a positive path search outcome, or sending a warm-up arc message. Simply opening the app, reading proactive messages without acting, free-form chat, and settings edits do NOT count. You earn one auto-freeze every seven days, up to three banked. In V1 we deliberately do not send push notifications about your streak. Two Settings toggles let you hide the card or disable the feature entirely. Article 15 export includes streak data; Article 17 erasure is hard, immediate, and irreversible. Lawful basis: legitimate interests (Art. 6(1)(f)).

2.6 Technical and Usage Data

We collect standard technical data: device type, operating system, app version, IP address (for fraud prevention only), session duration, and feature usage. We use PostHog for analytics and Sentry for error monitoring. Neither receives personally identifiable data.

 

2.7 Service Provider Profile Data (optional)

 

If you choose to create a Service Provider Profile (for example, to make yourself findable when other Ally users in your city ask for a plumber, electrician, photographer, designer, lawyer, tutor, or hairdresser), we process: the service types you select, the city you serve, and optionally neighbourhoods served, a free-text description (max 280 characters), an hourly rate, your weekly availability, and years of experience. You also choose how other Ally users may contact you, recorded as a consent record with a timestamp:

  • Mode A — Direct contact.  Searchers may see your name, city, and phone number, and may call you directly. Lawful basis: your explicit consent.

  • Mode B — Ally chat only. Your phone number is hidden; searchers reach you via in-app message. Lawful basis: your explicit consent.

  • Mode C — Assistant booking agent (Premium). Your assistant screens incoming requests on your behalf. Your phone number is shared only after you approve a request. Lawful basis: your explicit consent + contract performance for the Premium feature.

You can change the mode, edit any field, or delete the Service Provider Profile entirely at any time. Deleting the profile removes you from search results within 24 hours and deletes the associated consent record. We do not display ratings, reviews, or negative feedback about you publicly.

Network science features:

 

QR Contact Exchange: when you exchange contacts through Ally's QR feature, we store that you met this person intentionally, the optional context you provide, and the date. Processed under legitimate interests. The QR exchange checks our opt-out registry before storing any contact.

 

Giving Score: we calculate a personal contribution score based on your network actions. This score is private by default. You can choose to make your score tier visible on your profile. Lawful basis: consent for public display; legitimate interests for the internal score calculation.

 

Contribution percentile and impact log: Ally calculates your percentile ranking within your city and globally based on your Giving Score, shown only to you and never visible to other users. Your impact log records the type and approximate category of each contribution — it never records who was searching or who was found. Lawful basis: legitimate interests.

 

Decision Coaching (Premium, Pro, and Enterprise feature): At high-stakes decision moments (hiring, choosing service providers, business deals), Ally may coach your decision process using collective intelligence signals held internally. Available to Premium (one session/day), Pro (twenty sessions/day), and Enterprise (fifty sessions/day) subscribers. When triggered, Ally reads verifiable-only patterns about the subject (employer, job title, tenure, role, service-provider pricing), checks the opt-out registry, and generates questions to ask, verifiable signals flagged with mandatory "please verify" framing, and warm-introduction offers. Ally never asserts qualities of the person being evaluated and explicitly refuses subjective judgments about third persons. Every coaching invocation is logged with a hashed subject phone and retained for two years. Lawful basis: legitimate interests, balanced against the subject's reasonable expectation of privacy. You can disable Decision Coaching in Settings.

 

Cross-Assistant Learning Protocol: When you and another Ally user exchange a request, both assistants participate and both learn from your decisions. Your assistant learns how you prefer to handle incoming requests based on your own past decisions. After five or more consistent decisions on the same combination, your assistant may handle similar requests autonomously — always with a daily report to you. High-stakes intents (investment, recruitment, job search, legal, medical) always ask you regardless of learning state. Your learned preferences never leave your side of the system. Lawful basis: legitimate interests. You can disable cross-assistant learning in Settings at any time.

 

Outcome feedback — unified tracking: Ally asks short follow-up questions after certain interactions to learn whether Ally's help was useful, across four types: path search, Decision Coaching warm-introductions, coordinated invitations, and warm-up campaigns. Each question is short (maximum two questions, three-option answer), entirely voluntary, and may be skipped. Your response is used to adjust the Giving Score of the intermediary — positive outcomes increase their score; no response or neutral/negative outcomes produce no penalty. The target person is never contacted or informed. No free-text response is stored — only the outcome category. Lawful basis: legitimate interests.

 

Public verification page: when you reach Key Connector or Network Pillar tier in the Giving Score system and choose to share your credential, a public verification page is created at allyapp.one/verify/[unique_hash]. This page shows only your tier name, generic contribution counts, the date you earned the tier, and your first name. No surname, no contact names, no Giving Score number. You can disable it at any time. Lawful basis: consent.

 

Search activity monitoring: Ally monitors for unusual patterns of search activity as a protective measure, tracking when multiple distinct users search for the same phone number within a short time window (phone number + timestamp + searcher count — no searcher identities), retained for 30 days then deleted. Lawful basis: legitimate interests (protecting users from harassment and coordinated stalking).

 

Public figures and Celebrity Paths: Ally maintains a curated list of public figures in each market. When you search for a public figure, Ally logs the search as a positive engagement event (not a stalking flag). No personal data of public figures is stored beyond their publicly known name and category. Lawful basis: legitimate interests.

 

Service and marketing communications: Ally may contact you through in-app assistant messages, push notifications, SMS, email, and phone calls (the latter only for critical account or security matters). Mandatory service communications (legal notices, security alerts, subscription changes) cannot be disabled. Marketing SMS includes a STOP opt-out; marketing emails include an unsubscribe link. Lawful basis: contract performance for service communications; consent or legitimate interests for marketing.

 

Children and minor contacts: Ally is intended for users aged 14 and over (varies by country — see Section 10). We do not knowingly collect or process personal data about individuals under the age of 18 who are not registered users. If a contact is identified as being under 18, their phone number is flagged in our minor protection system and excluded from all network processing. Users aged 14-17 who register are subject to a Young User Protocol. Legal basis for age screening: legitimate interests (protecting minors).

 

Age threshold by country: The minimum age for processing contact data varies by country and is determined by the country code of the contact's phone number. We apply the legal minimum for the contact's country — for example, +49 (Germany) → 16, +33 (France) → 15, +995 (Georgia) → 14. Where no country-specific law is identified, we apply a conservative default of 16. We periodically re-screen flagged minor contacts as they age into adulthood.

 

 

Message feedback: Ally provides a per-message feedback mechanism allowing you to flag individual assistant messages as wrong, unhelpful, off-tone, or inappropriate. This data is used to improve the assistant and, for urgent reports, to alert the Ally management team. Retained for a maximum of 12 months. Lawful basis: legitimate interests and, for inappropriate content reports, legal obligation.

 

Product testing and feature rollouts: Some users may be included in test cohorts assigned randomly from active users. Test cohort membership does not result in any additional data collection. You may request exclusion from feature test cohorts by contacting us. Ally also maintains a voluntary beta tester group.

 

Delegation system and referral routing: Ally users may set up Standing Delegations — pre-approved instructions that allow their assistant to automatically route other users to specific contacts for specific types of requests. Referral data (who was referred, when, and to whom) is stored for audit purposes and to calculate the Giving Score. If you are a contact named as the recipient in another user's delegation, you will be notified and can accept or decline.

 

AI assistant memory and personalisation: Ally's AI assistant builds a memory profile of you through your conversations — communication preferences, topics, goals, and context about your network. This memory is used exclusively to personalise your assistant's responses and is never shared with other users or third parties. You can view your memory profile in Settings and delete any specific entries at any time. Lawful basis: legitimate interests and, for any sensitive data points, consent.

 

Collective contact intelligence: When other Ally users import their phonebooks, they may have saved your phone number with a label that includes your employer, profession, or other professional information. Ally aggregates these labels across users to build a shared professional knowledge layer. This processing relies only on green-tier tags or convergence-gated yellow-tier tags confirmed by at least two unrelated users. Blocked vocabulary and sensitive categories are never used. The signal is framed as "might be connected to", not a fact, and never reveals the identity of contributing users. Lawful basis: legitimate interests (Art. 6(1)(f)). You may opt out by registering on Ally and enabling the stronger opt-out in Settings, or by contacting info@allyapp.one.

Named helping: if you choose to reveal your identity when answering network queries, your first name and city are shared with the person you helped. Anonymous by default. Lawful basis: consent.

 

Bubble Visualizer: we analyse the structure of your contact network to identify clusters and structural positions. This analysis is performed on your own contact data and is only shown to you. Lawful basis: contract.

 

Relationship quality signals: Ally infers three relationship quality dimensions from your conversations — positivity, consistency, and vulnerability indicators — derived entirely from what you tell the assistant. They are used solely to improve the relevance of suggestions and are never shared or used for advertising. Lawful basis: contract performance.

 

Network map data: when you search for a connection, Ally processes your contact graph to find paths. Free tier users see a blurred version of the top results — path length and trust level are shown, but bridge contact names are hidden until you subscribe to Premium. Based on legitimate interests.

2.8 Public-Source Candidate Research

 

When you ask your assistant to find people who might fit a need you describe, Ally may research candidates on your behalf by fetching information from publicly available sources, limited to: company directories on company websites, professional profiles publicly visible on LinkedIn, public news and press articles, and authoritative public databases (such as Crunchbase). Ally does NOT query private social networks (Instagram, Facebook, X) for this purpose, and does NOT identify you to those third parties — research queries are anonymised at the proxy layer. Retrieved information is shown to you in chat and cached internally for up to 30 days. Names retrieved from public sources are NOT cross-referenced against contact data shared by other Ally users. The 30-day cache can be cleared from Settings → My Data. Public-source research is part of the Premium tier and above. Lawful basis: legitimate interests (Art. 6(1)(f)).

3. How We Use Your Data

  • To provide the Ally AI Assistant service you have contracted for

  • To personalise your assistant and improve its understanding of your network

  • To enable network intelligence features (warm introductions, service discovery, anonymous problem routing)

  • To process payments and manage your subscription via Paddle (our Merchant of Record)

  • To send you service notifications and your assistant's proactive messages

  • To detect and prevent fraud, particularly within the referral commission system

  • To improve the product through aggregated, anonymised analytics

  • To train and improve our AI models by learning anonymised patterns across our user base

  • To comply with legal obligations

 

Referral earnings and wallet data: if you participate in the Ally referral programme, we store your referral chain relationships, commission amounts, commission status, and transaction history. The referral programme is time-bounded — it operates for 12 months per market from each market's launch date, after which no new commission events register; vested balances and the data associated with them remain stored for withdrawal and legal-retention purposes. If you request a withdrawal, we store the USDT wallet address you provide, used solely to process your withdrawal and not shared with third parties. Lawful basis: contract performance.

We do not use your data for advertising. We do not show you ads. We do not profile you for third-party commercial purposes.

 

3.1 AI model training and cross-user pattern learning

 

As you use Ally, your interactions become part of an anonymised dataset we use to train and improve the assistant for everyone. This includes the types of requests you make, the paths you search, the outcomes you confirm, the use cases you exercise, and the message framings you respond to. The processing is aggregated — no individual user is identified, no individual user's behaviour is ever surfaced or attributed back to them, and any cross-user pattern requires data from at least ten distinct users before it can influence the system (k-anonymity). Aggregate metrics include differential-privacy noise to prevent reverse engineering of individual contributions. This is separate from the personal AI memory that personalises your own assistant under explicit consent. You retain the right to object under Article 21 GDPR; objection is processed by contacting info@allyapp.one or by deleting your account. Lawful basis: legitimate interests (Art. 6(1)(f)).

4. Lawful Basis for Processing

5. Who We Share Your Data With

We do not sell your data. We share data only with the following categories of recipients, all of which act as data processors under our instruction:

  • Anthropic (Claude API): conversation processing for AI responses. Anthropic does not retain conversation data beyond the API call.

  • Supabase (Frankfurt, Germany): database hosting.

  • Railway (Frankfurt, Germany): backend application hosting.

  • Paddle (Paddle.com Market Ltd) — Merchant of Record: payment processing, billing, and sales-tax collection on our behalf. Ally does not store your full payment card details.

  • Resend: transactional email delivery.

  • Sentry: error monitoring (anonymised error data only).

  • PostHog: product analytics (aggregated, no PII).

 

All processors are contractually bound to process data only on our instructions and are prohibited from using your data for their own purposes. We may disclose data to law enforcement or regulatory bodies when required by law. We will notify you of such requests where legally permitted.

6. International Transfers

All personal data is stored on servers located in Frankfurt, Germany (EU). Anthropic's API servers are located in the United States. Where data is transferred to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism.

7. How Long We Keep Your Data

[Image in original, not reproduced here]

Retention consent renewal: Before conversation messages are deleted at 12 months, and before summaries are deleted at 3 years, Ally asks you through the assistant whether you would like to extend retention. If you confirm, the timer resets. If you decline, or do not respond within 30 days, the data is automatically deleted.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

 

  • Right of access: request a copy of the data we hold about you

  • Right to rectification: correct inaccurate data

  • Right to erasure ('right to be forgotten'): request deletion of your data

  • Right to restriction of processing: ask us to limit how we use your data

  • Right to data portability: receive your data in a machine-readable format

  • Right to object: object to processing based on legitimate interests

  • Rights related to automated decision-making: we do not make solely automated decisions with legal effects on individuals

  • Right to withdraw consent: where processing is based on consent, you may withdraw at any time

 

To exercise any right, email info@allyapp.one or use the in-app Settings → My Data section. We will respond within 30 days.

8.1 Rights for Non-Registered Individuals (Contacts)

If you are not a registered Ally user but your phone number may have been imported by someone who is, you have the same data rights. Visit allyapp.one/privacy/my-data, enter your phone number, verify with an OTP, and you can:

  • View any inferences Ally has stored about your phone number (such as inferred profession or employer) and dispute any that are inaccurate — disputed inferences are flagged immediately and reviewed within 30 days

  • See how many Ally users have you as a contact (not who — their privacy is also protected)

  • Request deletion of all data associated with your number

  • Register a permanent opt-out — preventing any future Ally user from storing your number in the system

9. Cookies and Tracking

The Ally web application uses only essential cookies necessary for authentication and security. We do not use advertising cookies or tracking pixels. We do not use Google Analytics. Our analytics (PostHog) is configured without individual user tracking. Our Progressive Web App (PWA) uses local storage for authentication tokens only. It does not track your browsing activity.

10. Children's Privacy

The minimum age to use Ally depends on the country of the user's phone number — 14 in Georgia, 13 in Argentina (under-13 requires parental consent), and 16 in the EU/EEA (GDPR Article 8). We do not knowingly allow registration below the applicable minimum, and we do not knowingly process personal data about non-registered individuals under 18 (see Section 2 — minor-contact protections). Separately, the referral / earnings programme is restricted to users aged 18 and over. If you believe a child has registered, or that we hold a minor's data improperly, contact info@allyapp.one and we will address it promptly.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit. All data exchanged between your device and our servers is encrypted using TLS.

  • Encryption at rest. Personal data is stored encrypted at rest (AES-256).

  • Access controls and logging. Access to production systems is restricted to authorised personnel, protected by two-factor authentication, and recorded in audit logs.

  • Secure development and testing. We follow secure-development practices and commission independent security testing, including periodic penetration testing.

  • Backups and recovery. Personal data is backed up regularly with tested restore procedures, so that we can recover your data after an incident.

  • Breach notification. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR) and inform affected individuals where Article 34 requires.

No method of transmission or storage is completely secure; while we work to protect your personal data, we cannot guarantee absolute security. If you have a security concern, contact us at info@allyapp.one.
