Privacy Policy

Last updated June 17, 2026 · Pally Technologies, Inc.

Pally is a personal assistant you reach over text. To help you, it processes the messages you send it and the data from the accounts you choose to connect — encrypted in transit and at rest, with zero data retention for AI processing. You decide what Pally can see and do, and you can disconnect or ask it to forget at any time.

This Privacy Policy explains what we collect, how we use it, and the rights you have under the EU General Data Protection Regulation (“GDPR”), UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”). It applies to Pally Technologies, Inc. and the Pally service.

If you have any questions, contact us at privacy@pally.com.

1. What Pally Is

Pally is a personal assistant you reach over iMessage. You text it like a person, and it helps you get things done: answering questions, remembering what matters, following up, researching, reaching people, and taking action across the apps you connect.

Pally runs as a secure cloud service. To understand your messages and carry out what you ask, it processes your message content and the data from your connected accounts on our infrastructure, including with AI.

We design Pally to process only what it needs, keep that data encrypted in transit and at rest, retain nothing at the AI processing layer, and leave you in control of every connection.

2. Data We Process

Here is what we process and why.

Messages and requests you send Pally

  • The messages you send Pally over iMessage, including text and any media or attachments you share
  • The requests you make and the context needed to carry them out

We process these to understand you and respond.

Memory

  • Things you ask Pally to remember
  • Profile details you share, such as your name, location, work, interests, and preferences
  • Follow-ups, reminders, and open tasks

We store these so Pally can bring them back at the right time. You can ask Pally to forget anything at any time, and we delete it.

Connected accounts

  • When you connect an app — WhatsApp, Gmail, Outlook, Google Calendar, Google Drive, Granola, Notion, Linear, or Slack — you authorize Pally to access the data needed to do what you ask, such as reading recent messages, checking your calendar, or drafting an email

Pally only uses the connections you turn on, and only for the tasks you request. You can disconnect any app at any time, which revokes Pally's access. With WhatsApp, Pally watches connected chats only to flag messages that need you and to prepare your catch-ups; it never joins or replies in your conversations, and never sends anything without your approval.

For most integrations, we store none of your data. Pally reaches in only for what you ask for, on demand, and your information stays in those platforms — your email stays in Gmail, your notes stay in Notion, and so on.

WhatsApp is the exception. So Pally can catch you up and flag what matters in the background, your WhatsApp data is processed and stored on a dedicated server that we encrypt in transit and at rest. As with every connection, you stay in control and can disconnect or delete it at any time.

Secure account sign-in

When you connect a website account, you sign in yourself through a secure browser session run by our browsing providers. Pally never sees, requests, types, or stores your passwords or one-time codes.

To keep you signed in for the tasks you authorize, these providers may store your session credentials, fully encrypted in transit and at rest. Their handling is governed by their own privacy policies: Browser Use, Browserbase, Bright Data.

Account and authentication data

  • Your phone number and email, account identifiers, and authentication tokens used to recognize you and keep your account secure

AI processing

Pally uses the AI model providers listed below to understand your messages and decide how to help. They process your prompts and outputs under zero-retention terms: nothing is stored after processing, subject to narrow legal and abuse-monitoring exceptions.

Usage and diagnostics

  • Pseudonymous usage events, app and operating-system version, device type, and general performance metrics

We use first-party, internal analytics to keep Pally reliable. We do not use third-party analytics or advertising trackers, and we do not send marketing emails.

Billing

Pally is free during early testing, so we do not currently collect payment information. If paid plans launch, payments will be handled by a third-party payment processor and this policy will be updated first.

Customer support

  • Your email address and anything you choose to include in your message
  • Diagnostic logs only if you explicitly choose to send them

3. How We Use Your Data (Purposes & Legal Bases)

Under GDPR, we rely on the following legal bases.

Contract (Article 6(1)(b))

To provide the Pally service and its features, including understanding and responding to your messages, remembering what you ask, connecting the apps you choose, and managing your account.

Legitimate interests (Article 6(1)(f))

  • Keeping the service reliable and secure
  • Preventing fraud, abuse, and misuse
  • Understanding general usage patterns to improve Pally

We carry out legitimate-interest balancing tests where required.

Consent (Article 6(1)(a))

  • Optional analytics and diagnostics
  • Optional product communications
  • Each app connection you choose to authorize

Legal obligations (Article 6(1)(c))

To comply with tax, accounting, regulatory, and consumer-protection laws.

4. Your Rights

GDPR (EU/UK)

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure, the right to be forgotten (Art. 17)
  • Right to restriction (Art. 18)
  • Right to portability (Art. 20)
  • Right to object to processing (Art. 21)
  • Right to withdraw consent at any time
  • Right not to be subject to automated decision-making (Art. 22)

CCPA/CPRA (California)

  • Right to know what categories of personal information we collect
  • Right to access specific pieces of information
  • Right to deletion
  • Right to correct inaccurate information
  • Right to opt out of sale or sharing (we do not sell or share data for advertising)
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination

You can exercise any of these rights at any time by contacting privacy@pally.com, and we may take reasonable steps to verify your identity. Many controls are also available right in the chat: you can ask Pally what it remembers, tell it to forget something, or disconnect any connected app.

5. Data Retention

  • Messages and memory: retained while your account is active and until you remove them. You can ask Pally in chat to forget anything, or to delete your data — for a single integration or all of it — and we carry it out.
  • Connected apps (other than WhatsApp): we store none of your data. Pally accesses what you ask for on demand, and your information stays in those platforms.
  • WhatsApp: processed and stored on a dedicated server, encrypted in transit and at rest, and removed when you disconnect or request deletion.
  • AI processing: zero retention — both AI model providers process prompts and outputs under zero-retention terms and do not keep them after processing, subject to narrow legal and abuse-monitoring exceptions.
  • Secure browser sign-in: session credentials are stored, fully encrypted, by our browsing providers to keep you signed in, and removed when you disconnect or delete.
  • Account and authentication data: kept while you maintain an account.
  • Internal analytics: retained for a limited period, then deleted or aggregated.
  • Support communications: kept only as long as needed to resolve your issue.

6. Cookies and Tracking

Pally is a texting service, so it does not depend on browser cookies to work. Where we use cookies or similar technologies, they are strictly necessary to operate the service — for example, to keep a secure browser sign-in session active while you connect an account. We do not use advertising, marketing, or cross-site tracking cookies.

7. International Data Transfers

Pally Technologies, Inc. is based in the United States, and your data may be processed there. If you are located in the EU or UK, we rely on legally recognized safeguards for these transfers:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs) with our service providers
  • Appropriate technical and organizational safeguards

8. Legal Requests and Disclosures

We may access, preserve, or disclose your information if we believe in good faith that it is reasonably necessary to comply with a law, regulation, legal process, or enforceable governmental request; to enforce our Terms and policies; to detect, prevent, or address security, fraud, or technical issues; or to protect the rights, property, or safety of our users, the public, or Pally. Where we are legally permitted, we will make reasonable efforts to notify you of legal requests for your data.

9. Security

We implement industry best practices to protect your data, including:

  • Encryption of data in transit and at rest
  • Strict tenant isolation, so your data is never exposed to other users
  • Least-privilege access controls and logging
  • Minimization of personal data across our systems
  • Regular security reviews

No system is perfectly secure, but we design Pally to minimize what is collected, retain nothing at the AI layer, and keep what remains encrypted and tightly controlled.

10. Service Providers

We work with a small set of service providers, each bound by data-processing agreements. They process only what their function requires, and none of them receive your data for advertising.

| Provider | Purpose | Key data processed | Region |
| --- | --- | --- | --- |
| Amazon Web Services | Cloud hosting and infrastructure | Account metadata, encrypted data in transit and at rest, system logs | US |
| Anthropic, OpenAI | AI model processing | Message and request content, processed with zero retention | US |
| Photon | iMessage message delivery | Messages in transit between you and Pally | US |
| Composio | Connecting the apps you authorize (MCP access) | Authorization to connected accounts; on-demand access only, no content stored by us | US |
| Granola | Meeting-notes integration, when you connect it | Your meeting notes, accessed on demand as authorized | US |
| Browser Use, Browserbase, Bright Data | Secure browsing and account sign-in you direct | Encrypted session credentials, plus page content and actions for the tasks you request | US |

We do not sell or share your data with advertisers. A current list of subprocessors is available on request.

11. Children's Privacy

Pally is intended for adults. You must be at least 18 to use Pally, and we do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has used Pally, contact us and we will delete the data.

12. Changes to This Policy

We may update this policy from time to time. If changes are significant, we will notify you by text, email, or in-app before they take effect.

13. Contact Us

Pally Technologies, Inc.

Email: privacy@pally.com

Address: 643 Teresita Blvd, San Francisco, California, US 94127