Privacy Policy
Last updated: 15 March 2026
Ally is operated by John Seery, trading as AllOnOurOwn ("we", "us", "our").
For the purposes of the EU General Data Protection Regulation (GDPR), John Seery trading as AllOnOurOwn is the data controller for personal data collected through the Ally service, except where we process data solely on behalf of users in providing the Service.
Controller: John Seery, trading as AllOnOurOwn
Location: Ireland
Contact: privacy@allonourown.com
1. Data We Collect
1.1 Account Data
- Username, email address, encrypted password hash
- Executive role/title (e.g. CTO, CEO)
- Registered inbound email addresses
1.2 Work Data (user-generated)
- Actions, notes, decisions, commitments, events
- People and organisation records
- Meeting transcripts and conversation logs
- Audio recordings (dictation, voice notes)
- Chat session history
- Documents and scanned content
1.3 Usage Data
- Login/logout timestamps
- Feature usage (which AI features used, token counts)
- Audio transcription usage (file sizes)
- Data access audit trail (which entities you create, update, or delete)
1.4 Technical Data
We do not use cookies or tracking technologies for advertising, behavioural profiling, or cross-site tracking.
Standard server logs may temporarily record technical information such as IP address and browser type for security and operational purposes. We do not sell or share your data with advertisers.
1.5 Cookies
Ally uses essential session cookies required for authentication and security. These cookies do not track users across websites and are not used for advertising or analytics.
2. How We Use Your Data
| Purpose | Legal Basis (GDPR Art 6) |
|---|---|
| Provide the Ally service | Contractual necessity (Art 6(1)(b)) |
| AI features (Chat, Check-in, Extraction, Dictation) | Explicit consent (Art 6(1)(a)) |
| Email processing (inbound email to actions/notes) | Contractual necessity and user consent (Art 6(1)(a)/(b)) |
| Account security (password hashing, login tracking) | Legitimate interest (Art 6(1)(f)) |
| Usage analytics (feature usage, token tracking) | Legitimate interest (Art 6(1)(f)) |
3. AI Processing and Third Parties
3.1 How AI Features Work
When you use AI-powered features, your data is sent to our AI provider for processing. You must explicitly consent to AI processing before using these features. You can enable or revoke consent at any time in Settings.
Data sent to OpenAI is processed solely to generate responses for Ally features. We configure OpenAI services so that your data is not used to train public models.
3.2 Subprocessors
We use a limited number of third-party service providers ("subprocessors") to operate parts of the Ally platform.
| Subprocessor | Purpose | Location |
|---|---|---|
| OpenAI, Inc. | AI text analysis (GPT-4o), speech-to-text (Whisper) | United States |
| Cloudflare, Inc. | Email routing, CDN, HTTPS tunnel | United States |
| Amazon Web Services | Outbound email (SES), DNS hosting (Route 53) | United States |
3.3 International Data Transfers
Your data may be transferred to the United States for processing by our subprocessors. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission.
3.4 What We Send to OpenAI
- Text content from notes, actions, commitments, and conversations (for AI analysis)
- Person names, organisation names, and role information (for context)
- Email body content including forwarded threads (for extraction)
- Audio files (for speech-to-text transcription)
We do not send your password, billing information, or account credentials to any third party.
4. Data Retention
We retain personal data only for as long as necessary to provide the Service and comply with legal obligations.
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Work data (notes, actions, etc.) | Until you delete individual items or your account |
| Audio files | Until you delete individual files or your account |
| Chat sessions | Until you delete sessions or your account |
| LLM usage logs | 90 days (auto-purged) |
| Activity logs | 90 days (auto-purged) |
| Grazer analysis outputs | 30 days (auto-purged) |
| Database backups | 30 days (auto-purged) |
5. Your Rights
Under GDPR (and equivalent regulations), you have the right to:
- Access (Art 15) — Export all your data at any time via Settings > Data Management > Export
- Rectification (Art 16) — Edit any of your data directly in the application
- Erasure (Art 17) — Delete your entire account and all data via Settings > Delete Account
- Data Portability (Art 20) — Export your data in JSON format
- Object to Processing (Art 21) — Revoke AI processing consent via Settings
- Withdraw Consent (Art 7) — Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Restrict Processing — Contact privacy@allonourown.com
Data processed by OpenAI may be temporarily retained according to OpenAI's API data retention policies. We do not control retention within OpenAI systems after processing.
6. Data Security
- All data transmitted over encrypted HTTPS connections
- Passwords stored using industry-standard password hashing (never in plaintext)
- Audio files encrypted at rest using strong encryption
- Session cookies: HttpOnly, Secure, SameSite=Strict
- CSRF protection on all state-changing requests
- Rate limiting on authentication and API endpoints
- Brute-force protection (account lockout after repeated failed attempts)
- Multi-user data isolation enforced at the database query level
- Automated architectural tests prevent data isolation bypasses
Data Breach Notification
In the event of a data breach, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay.
7. Children's Privacy
Ally is designed for business professionals. We do not knowingly collect data from anyone under 16 years of age.
8. Changes to This Policy
We will notify registered users by email of any material changes at least 30 days before they take effect.
9. Contact
- Data Protection Officer: privacy@allonourown.com
- Controller: John Seery, trading as AllOnOurOwn
- Location: Ireland
You also have the right to lodge a complaint with the Data Protection Commission (Ireland) at dataprotection.ie, or with the supervisory authority in your country of residence.