GDPR Compliance
Additional information for users covered by GDPR
Last updated: April 18, 2026
1. Who This Notice Applies To
This GDPR Notice provides additional information for users in the European Economic Area, United Kingdom, and Switzerland, or any user whose personal data is processed under the General Data Protection Regulation or similar regional data protection laws.
This notice supplements, and should be read together with, our Privacy Policy.
2. Controller Information
For purposes of the Services described in this notice, Lofy AI acts as the controller of personal data processed through the website, account system, AI assistant, reminders, memories, scheduling features, subscriptions, and related integrations.
3. Categories of Personal Data
- Identity and account data, such as phone number, email address, profile details, and account identifiers.
- Authentication and security data, including session-related information, verification records, and access-control logs.
- User-submitted content, including prompts, messages, memories, reminders, calendar details, feedback, uploaded audio, and uploaded images.
- Integration and connected-account data, including Google Calendar-related authorization and event references where you approve such access.
- Billing and subscription data, including subscription status, plan information, and payment-related metadata handled with billing providers.
- Operational, analytics, and diagnostic data used to maintain, secure, and improve the Services.
4. Legal Bases for Processing
- Performance of a contract, where processing is necessary to provide the Services you request, maintain your account, process reminders or events, and operate approved integrations.
- Legitimate interests, where processing is reasonably necessary to secure the Services, prevent abuse, maintain logs, troubleshoot failures, understand usage, and improve service quality.
- Compliance with legal obligations, where we must retain records, respond to lawful requests, or satisfy regulatory, tax, accounting, or enforcement requirements.
- Consent, where required by applicable law for specific types of optional processing or integration permissions.
5. International Transfers
Your personal data may be transferred to and processed in countries outside the EEA, UK, or Switzerland because the Services rely on international infrastructure, cloud vendors, analytics providers, communications providers, payment processors, integration providers, and AI providers.
Where required by applicable law, we will rely on appropriate transfer mechanisms or safeguards for such transfers.
6. Retention
We retain personal data for as long as reasonably necessary to provide the Services, maintain operational and security records, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the category of data and the legal or operational purpose involved.
We may also maintain limited backup, archival, or logging records for a period of time after active records are changed or deleted.
7. Your Rights
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete personal data.
- Request deletion of personal data in circumstances permitted by law.
- Request restriction of certain processing activities.
- Object to processing based on legitimate interests where applicable.
- Request portability of personal data where the right applies.
- Withdraw consent where processing depends on consent.
- Lodge a complaint with your local supervisory authority.
8. Exercising Your Rights
You may contact us to exercise your privacy rights or ask questions about how your personal data is processed. We may request information necessary to verify your identity before fulfilling certain requests.
You may also manage some profile, account, and integration settings directly through the Services where those controls are available.