To be transparent about what data we collect, why we use it, and who we share it with (GDPR Art. 13 & 14).

1. Data We Use: Account Data: Your email address. We follow industry best practices to secure your account credentials. Message Content: The text content of the WhatsApp chats you select for analysis. This is sensitive personal data. Message Metadata: Timestamps, sender/receiver identifiers, and message counts. Usage Data: Anonymized data about how you interact with the Ellie Mini application itself (e.g., which features you use), collected via a self-hosted analytics tool. 2. How We Use Your Data (Purpose of Processing): To Provide the Service: We use your message content and metadata solely to generate the insights and visualizations that are the core feature of Ellie Mini. To Improve the Service: We use anonymized usage data to understand which features are popular and to improve the user experience. This includes some diagnostic system information of your phone. To Communicate With You: We use your email address to send essential account-related communications. If you consented to it, we also use your email address for marketing communications from us to you. 3. Our Sub‒processors (Who We Share Data With ‒ GDPR Art. 28): To provide our service, we use a limited number of third-party sub-processors. We have Data Processing Agreements (DPAs) in place with them where required. Google Cloud: For hosting our application servers and database. All data is stored in their EU-based data centers. For transferring Message Content and Metadata of selected WhatsApp Groups or Contacts from your device to AI analysis (see OpenRouter below). OpenRouter: To access large language models (like Google's Gemini) for analyzing your message content. We only use models that have a zero-data-retention policy, meaning your data is not stored by OpenRouter or the model provider, nor is it used for training. The specific AI model used is Gemini 3 Flash Preview. We configure this model with Zero Data Retention (ZDR) enabled. This ensures that Google does not store your prompts or use them to train their models. Clerk: For secure authentication and user management. PostHog and Sentry: For product analytics and crash reporting. 4. International Data Transfers: Our hosting provider Google Cloud, processes your data within the EU. However, our AI sub-processor, OpenRouter, is based in the US. When we send your message data for analysis, it may be processed outside of the European Economic Area (EEA). We have taken steps to ensure your data is protected. We exclusively use AI models with a zero-data-retention policy, and our agreement with OpenRouter includes Standard Contractual Clauses (SCCs) as a safeguard for international data transfers. 5. Data Security & Encryption: We are committed to a 'zero-knowledge' architecture. Your message content and message metadata are stored solely on your device. Only your account information excluding any contact or message data, gets permanently stored on our servers. All WhatsApp data is encrypted at rest on your device via your iPhone’s iOS hardware encryption. All data transferred between your device and our servers is encrypted in transit using industry-standard TLS encryption. Data that is stored on our servers and those of our sub-processors, is encrypted using industry-standard encryption. To store your message metadata and content on your device, an initial synchronization will transfer your WhatsApp Data to Ellie on your device directly. This will happen without any involvement of our servers in the data transfer. To provide you with AI-powered insights, message metadata and content of selected groups and contacts and their conversations with you are going through our servers and sub-processors. The data is not stored by us or the sub-processors and is only used to generate the insights you see. This process ensures that your original, unredacted message content is never stored permanently by us or our AI partners, and our access to it is strictly limited to the automated, in-memory processing required to operate the service. As soon as the analysis is delivered to your device, no record of any contacts and messages is kept. 6. Your Data Rights (GDPR): As a user, you have the right to: Access the data we hold about you. Rectify incorrect data. Erase your data (the "right to be forgotten"), which you can do by deleting your account. Object to processing. 7. Data Retention: We retain your data for as long as your account is active. If you delete your account, we will permanently delete your personal data from our systems within 30 days. These 30 days do not apply to your WhatsApp Message and Contact data, as it is stored on your device only and deleted from the app immediately after the deletion request. 8. Contact Us: If you have any questions about this policy, please contact us at app@getellie.ai