Privacy Policy
This policy explains what personal information Truyou Ltd ("Truyou", "we", "us") collects when you use the Truyou application and websites (the "Service"), how we use it, who we share it with, how long we keep it, and the rights you have over it. We try to write it in plain English. Where the law uses specific terms (UK GDPR, EU GDPR, CCPA), we explain what they mean for you.
If anything is unclear, email [email protected].
1. Who we are
Truyou is a service for writing memoirs, journals, recipes, travel logs, family histories, and other personal records. The data controller for personal information processed through the Service is Truyou Ltd, registered in England & Wales. You can contact us at [email protected].
2. Personal information we collect
We only collect what we need to run the Service.
2.1 You provide directly
- Account details: email address, password (hashed by Firebase Authentication, never visible to us in plain text), display name, year of birth, city and country of birth, preferred spelling dialect.
- Content you create: memoir chapters, journal entries, recipes, travel logs, photos, audio recordings, family tree entries, places, and any other text or media you upload.
- Imported data: if you use the Social Media Importer, files you choose to upload from other services.
- Subscription and household details: plan tier, household members, and (in future) billing information held by our payment processor.
2.2 Collected automatically
- Technical data: IP address, browser, device type, and operating system, used for security, abuse prevention, and rate limiting.
- Usage data: which pages and features you use, error reports, and performance metrics. We use privacy-respecting product analytics (see Cookie Policy).
- Cookies and similar technologies: see the Cookie Policy.
2.3 We do not knowingly collect
- Special category data (race, religion, sexuality, health, biometrics) unless you choose to write about it in your own content. If you do, you control it; we treat it with the same protections as other content.
- Information from children under 16 (EU/UK) or under 13 (US). See section 9.
3. How we use your information
| Purpose | Lawful basis (UK/EU GDPR) |
|---|---|
| Provide the Service: store your content, sync between devices, generate AI suggestions you ask for. | Performance of contract |
| Account creation, authentication, and session management. | Performance of contract |
| Process subscription payments (when enabled). | Performance of contract |
| Send service emails (security alerts, billing receipts, important changes). | Legitimate interests / legal obligation |
| Detect fraud, abuse, and security incidents; enforce rate limits and our Terms. | Legitimate interests |
| Improve the Service through aggregated, de-identified analytics. | Legitimate interests / consent for non-essential cookies |
| Comply with legal obligations (tax, accounting, regulator requests). | Legal obligation |
| Marketing emails (only if you opt in). | Consent |
4. AI processing of your content
Some Truyou features use third-party AI providers (currently OpenAI and Anthropic) to generate text, narratives, recipes, transcriptions, or images at your request. When you trigger an AI feature:
- We send only the content needed for that request to the provider.
- We do not use your content to train AI models, and we contractually require providers not to use it to train their general models.
- Providers may retain prompts briefly for abuse monitoring, then delete them, in line with their own published policies (typically 30 days or fewer).
- We never send your content to AI providers without you initiating an action that requires it.
If you don't want any AI processing, simply don't use the AI features.
5. Who we share your information with
We do not sell your personal information. We share it only with these categories of recipient, under contracts that bind them to handle it lawfully:
- Hosting and infrastructure: Google (Firebase Authentication, Firestore, Cloud Storage, Cloud Functions). Data is processed in their facilities.
- AI providers: OpenAI (United States) and Anthropic (United States) — only when you trigger AI features (see section 4).
- Payment processor: Stripe (when payment processing is enabled). Truyou never sees full card numbers.
- Analytics and error reporting: PostHog (or equivalent) for product analytics and Sentry (or equivalent) for error tracking. Configured to minimise personal data.
- Email: a transactional email provider for security and billing emails.
- Professional advisers: lawyers, accountants, and auditors when legally necessary.
- Authorities: if compelled by valid legal process, or to protect our rights, your safety, or others' safety.
- Successors: in the event of a merger, acquisition, or sale of assets, your information may transfer to the acquirer, who must honour this policy.
6. International data transfers
Some recipients (Google, OpenAI, Anthropic, Stripe) are based in the United States or process data globally. When we transfer personal information outside the UK or EEA, we rely on appropriate safeguards: the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, or an equivalent mechanism. Copies are available on request.
7. How long we keep your information
- Account data and content: kept while your account is active. When you delete your account (see section 8), your profile, content, and uploaded media are erased from our production systems immediately. Residual copies in our hosting provider's encrypted backups age out within 30 days and are not restored or accessed except where strictly necessary to recover from a system failure.
- Billing records: retained for 7 years to meet UK tax and accounting law.
- Security and abuse logs: typically up to 12 months.
- Anonymised analytics: indefinitely (no longer personal data).
8. Your rights
You have the following rights, free of charge, in most circumstances:
- Access a copy of the personal information we hold about you.
- Rectify inaccurate or incomplete information.
- Erasure ("right to be forgotten") — delete your account and content. You can do this directly from Account Settings → Danger Zone → Delete Account, or by emailing us.
- Portability — download your content in a machine-readable format. You can do this from Account Settings → Export My Stories, or by emailing us.
- Restrict or object to certain processing, including direct marketing.
- Withdraw consent at any time for processing based on consent (e.g. analytics cookies, marketing email).
- Not be subject to a solely automated decision with legal or similarly significant effects.
California residents have equivalent rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sharing" or "sale" of personal information. We do not sell or share your personal information for cross-context behavioural advertising.
To exercise any right, use the in-app controls or email [email protected]. We will respond within 30 days (UK/EU) or 45 days (California). If you're unhappy with how we handle a request, you can complain to:
- UK: Information Commissioner's Office (ICO).
- EU: your local supervisory authority.
- California: the California Attorney General's Office.
9. Children
The Service is not intended for children under 16 in the UK or EU, or under 13 in the United States. We do not knowingly collect personal information from children below those ages. If you believe a child has provided us information, contact [email protected] and we will delete the account.
10. Security
We use Firebase Authentication for credentials, encrypt data in transit (TLS) and at rest, scope database access by user via Firestore Security Rules, rate-limit our APIs, validate all inputs server-side, and follow secure development practices. No system is perfectly secure; if we become aware of a breach affecting your information, we will notify you and the relevant supervisory authority within the timescales required by law.
11. Changes to this policy
If we make material changes, we will notify you by email or in-app notice and update the "Last updated" date above. Continued use of the Service after changes take effect means you accept the updated policy.
12. Contact
Truyou Ltd, United Kingdom
Email: [email protected]