

Effective date: 10 September 2025

Contact: contact@heyally.ai


Ally for macOS (“Ally,” “we,” “our”) is a privacy‑first audio recording and transcription app.  This Privacy Policy describes how we process information when you use Ally, your rights, and how you can exercise control.  Ally processes your recordings and transcripts locally on your device; network calls are limited to licensing and downloading models.  We never sell your data or use it for advertising.

Key principles and summary

Data minimization and on‑device processing:  In line with Apple’s privacy pillars—data minimization, on‑device processing, transparency and control, and security—Ally processes all audio and transcript content locally.  We do not transmit your recordings or transcripts to our servers.  Under App Store guidance, “collect” means transmitting data off a device for longer than necessary to serve a request; because Ally does not send your content off‑device, it is not collected.

Personal data definition:  Audio and transcripts are treated as personal information.  Regulatory authorities (e.g., the California Attorney General) consider audio recordings personal information that must be produced in a data request.  Ally keeps this data on your device; we do not access or store it.

Consent is your responsibility:  The U.S. federal wiretap law permits one‑party consent, but many states require all participants to agree.  If you call across state lines, you must follow the strictest applicable law.  In the European Union, recording conversations is considered data processing, so you need permission from all participants.  You are responsible for ensuring that you have the legal right to record conversations.

Limited data we collect:  Ally transmits only limited licensing data—such as a random device identifier, bundle ID, app version, and an App Store receipt—to obtain a local transcription license.  We do not collect analytics, crash reports, or advertising identifiers.  We never sell your data or share it with marketers.

User rights:  Privacy laws require that you disclose categories of personal information collected, how it’s used and stored, third‑party access, user rights, and security measures.  Ally users can access, export or delete their recordings and transcripts at any time directly from their device.  For the minimal licensing data we collect, you can contact us at privacy@heyally.ai to request access or deletion.

No Data Protection Officer (DPO) required:  Under EU rules, a DPO is required only when an organisation’s core activities involve large‑scale processing of sensitive data or large‑scale, regular and systematic monitoring.  Small operations such as a local doctor or law firm are exempt.  Ally does not process personal data on a large scale and therefore does not appoint a formal DPO; the founder handles privacy enquiries.

Privacy manifest compliance:  Apple now requires apps and third‑party SDKs to include a privacy manifest describing data usage.  From May 1, 2024, new or updated apps that don’t describe their use of required reason APIs are not accepted.  We maintain PrivacyInfo.xcprivacy for Ally and any integrated SDKs and declare required APIs and data types.

Information we process

1. Audio and transcripts (personal data, local only)

Audio you record:  The microphone audio you choose to record.  Recording starts only when you initiate it and stops when you end the session.  We never record in the background without your action.

Transcripts and speaker labels:  Transcripts generated from your audio and optional speaker diarization are stored on your device.  Because audio and transcripts are personal information, we treat them as sensitive and keep them local.

Optional metadata:  Meeting titles or participant names you add to a session are stored with the transcript.  This data remains on your device.

2. Session metadata (local)

Session ID, start and end times, duration, file size, word count, speaker count, and model name.  Used to manage files and restore sessions.  Stored locally in the Vault.

3. Device diagnostics (local only)

Disk free space, memory usage, and battery state.  We use this information to pause or stop recording when resources are low to prevent data loss.  Diagnostics are not transmitted.

4. Licensing and configuration data (networked)

Random device ID:  A UUID stored in your Keychain.

Bundle ID and app version:  Sent to our licensing service to verify entitlements.

App Store receipt or StoreKit transaction token:  Used only to obtain a transcription model license.  We store the active license key and expiry locally.

5. Preferences and bookmarks

Export folder bookmarks and options saved in UserDefaults.  These do not contain transcript content.

We do not collect advertising identifiers, analytics, or crash data.  We do not use third‑party analytics or advertising SDKs.

How we use information

Core features:  Record audio, transcribe on‑device, optionally diarize speakers, and export results.  These functions happen locally and rely on models downloaded to your device.

Reliability and safety:  Monitor disk space, memory and battery to avoid data loss.  These checks stay local.

Notifications:  Send local notifications when transcription completes.  The notification payload may include transcript text and file paths to enable quick actions.  We do not send remote push notifications for transcripts.

Licensing:  Request a time‑limited API key from our Cloudflare Worker to initialize local models.  Licensing requests transmit only the limited data listed above.

Storage locations

  1. Protected Vault (app container): ~/Library/Application Support/Ally/Vault/<session-id>/ stores audio files, transcripts (JSON), session metadata, and vault metadata.  Files persist until you delete them.

  2. User‑selected export folders: Default suggestion is ~/Documents/Ally/Meetings/…, but you can choose any folder.  Ally saves a security‑scoped bookmark to enable writing there.  The folder may contain a Markdown transcript and, optionally, a copy of the audio file.

  3. Recovery data (temporary): ~/Library/Application Support/ai.heyally.mac/Checkpoints/ stores metadata and, in future versions, short audio checkpoints for crash recovery.  We intend to clear this after successful completion; you can delete it manually.

  4. Model files: Downloaded transcription and diarization models are stored under Application Support or a configured location.  These are machine learning assets, not your content.

  5. Preferences: Stored via UserDefaults and Keychain for export settings and license keys.

Data retention and deletion

Audio and transcripts persist in the Vault and export folders until you delete them.  There is no automatic expiration.

Licensing keys are stored locally and expire after a set period.  We refresh keys as needed.  We retain licensing records only as long as necessary to validate entitlements and comply with legal obligations.  You may request deletion of licensing data via privacy@heyally.ai.

Recovery data is intended to be temporary and may be cleared after a successful session.  You can manually delete the Checkpoints folder.

Your choices and rights

Recording control:  You decide when to start and stop recording.  Ally never records without your action.  You are responsible for obtaining consent from participants; U.S. states and other jurisdictions have different consent requirements for call recording.

Access and deletion:  All audio and transcripts are stored locally.  You can access them using Finder and delete them at any time.  For licensing data, email privacy@heyally.ai with your request.  In jurisdictions like the EU and California, users have rights to access, correct, or delete personal data; because we hold only minimal licensing data, we will accommodate such requests.

Exports:  Choose where to save transcripts and whether to include audio in exports.  You can re‑export or delete files at any time.

Notifications:  Enable or disable notifications in System Settings.  Disabling notifications prevents transcript text from appearing in the notification centre.

Legal basis and compliance

Consent for recordings

United States:  Federal law allows recording if one party consents, but many states require consent from all participants.  If participants are in different states, you must follow the strictest law applicable.  Ignoring consent requirements can lead to criminal and civil penalties.

European Union:  Under the GDPR, recording conversations constitutes data processing, and you must have a lawful basis.  In most cases this means obtaining freely given, specific, informed and unambiguous consent from all participants.

Other jurisdictions:  Canada’s PIPEDA and Australia’s state laws also generally require explicit consent for recordings.  When in doubt, obtain consent from every participant.

Data protection officer (DPO)

The GDPR requires appointing a DPO if your core activities involve processing sensitive data on a large scale or regular and systematic monitoring of individuals.  It is not mandatory for small businesses like local doctors or small law firms.  Ally does not process personal data on a large scale; therefore, a formal DPO is not required.  The founder acts as the privacy contact and can be contacted at: privacy@heyally.ai

International data transfers

Our licensing endpoint and model hosts may be located outside your country.  These services receive only the limited licensing payload (device UUID, bundle ID, app version, App Store receipt).  No audio or transcript content is sent.  For EU/UK users, we implement standard contractual clauses and similar safeguards to protect transferred data.

Security measures

  • App sandbox:  Ally runs inside the macOS sandbox, limiting file system access.

  • Keychain:  License keys and the device identifier are stored securely in Keychain.

  • Encryption:  Audio and transcripts are stored as normal files.  If you require disk encryption, enable FileVault or store exported files in an encrypted folder.  We plan to add optional vault encryption in future versions.

  • Logging:  We use the system logger (os.Logger).  Release builds avoid logging transcript content.  Developer/debug builds may log limited content for troubleshooting.

  • On‑device processing:  By processing data on device and not transmitting it, we minimize data collection and comply with Apple’s privacy pillars.

Third parties and service providers

  • Argmax SDK (WhisperKit Pro/SpeakerKit Pro):  Provides local transcription and speaker diarization.  Requires a license key which we obtain as described above.  The SDK downloads model files but does not receive your audio or transcripts.

  • Cloudflare Worker (licensing service):  Validates app entitlements and issues the Argmax API key.  Receives only the licensing payload; no audio or transcript data.

  • Apple/macOS services:  Use notifications, Keychain, and the app sandbox.  No user content is transmitted.

  • We do not use ad networks, analytics SDKs, or social media SDKs.  We never sell or share personal data with marketers.

Permissions requested

  • Microphone:  Required to record audio.  You choose when to grant and revoke permission.

  • Notifications:  Used to inform you when transcription completes.  You can disable notifications in System Settings.

  • File access:  Ally requests access only to folders you choose for exports.  We use security‑scoped bookmarks to access those folders.  We do not have unrestricted access to your file system.

  • Network:  Used only to obtain/refresh licensing keys and to download model files.  No audio or transcript content is transmitted.

  • Not used:  We do not request camera, screen recording, location, accessibility, or contact permissions.

Children’s privacy

Ally is not directed at children under the age required for parental consent (such as 13 or 16, depending on jurisdiction).  Do not use Ally to record children without proper consent.  If you are a parent or guardian and believe that a minor has used Ally without consent, please contact us.

Changes to this policy

We may update this Privacy Policy to reflect changes in our app or legal requirements.  When we do, we’ll update the “Effective date” above and, if appropriate, notify you in the app or on our website.  We also commit to updating our privacy manifest (PrivacyInfo.xcprivacy) and disclosing reasons for any newly added required‑reason APIs.

Contact

For questions, privacy requests, or concerns, email privacy@heyally.ai.  We will respond promptly and work to resolve any issue.  Because Ally does not collect your audio or transcripts, most privacy requests can be satisfied by you deleting files on your device.


© 2025 Synthos Labs LLC. All rights reserved