Privacy Policy
Last Updated: March 28, 2026
1. Introduction
Welcome to PersonaLLM. We are committed to protecting your privacy and ensuring you have a safe experience using our application. This Privacy Policy explains what data we collect, how it is processed, who it is shared with, and your rights under applicable data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
PersonaLLM is operated from the United Kingdom. By using the App, you agree to the practices described in this policy.
2. Data Controller
For the purposes of UK data protection law, the data controller is Koya Ventures Ltd, a company registered in England and Wales, trading as PersonaLLM ("we", "us", "our").
Contact: support@personallm.app
PersonaLLM is registered with the UK Information Commissioner's Office (ICO). Registration number: [pending].
3. Data Stored on Your Device
PersonaLLM is designed with a local-first architecture. The following data is stored entirely on your device using Apple's SwiftData framework and is never transmitted to us or any third party:
- Chat conversations and message history
- Character definitions, lore entries, and uploaded documents
- Character memory (RAG embeddings and vector stores)
- Generated images and videos saved to your gallery
- Text-to-speech audio (processed on-device)
- Speech-to-text voice input (processed entirely on-device; voice recordings are not stored or transmitted)
- Downloaded on-device AI models (stored locally for offline text generation)
- App settings, preferences, and custom API keys (stored locally on your device)
Biometric authentication. If you enable Face ID or Touch ID app lock, biometric data is processed entirely by Apple's Secure Enclave on your device. We never receive, store, or have access to your biometric data.
We do not have access to read your private conversations or locally stored media unless you explicitly choose to share content on the Community Platform.
4. Data Shared with Third-Party AI Services
When you use cloud-based features, your data is transmitted through our secure proxy server to the following third-party AI providers. We will ask for your explicit consent before transmitting any data to these services.
OpenRouter
What is sent: Your conversation messages (the text you type and the AI's responses), character system prompts, and conversation context used for image/video prompt processing.
Why: To generate AI character responses via multiple AI model providers and to process prompts for image and video generation.
Atlas Cloud
What is sent: Processed text prompts derived from your conversation (not your raw messages).
Why: To generate AI images and videos.
Alibaba Cloud
What is sent: Processed text prompts derived from your conversation (not your raw messages).
Why: To generate AI images and videos.
RunPod
What is sent: Processed text prompts derived from your conversation (not your raw messages).
Why: To generate AI images and videos.
Cloudflare
What is sent: All cloud requests pass through Cloudflare infrastructure. Community platform data (uploaded characters, account information) is stored on Cloudflare. Generated images are temporarily stored on Cloudflare for up to 24 hours to allow your device to retrieve them, after which they are automatically and permanently deleted.
Why: To host our proxy server and community platform.
We may update the specific AI providers we use from time to time to improve quality or availability. The categories of data shared and the purposes for sharing remain the same. Material changes to providers will be reflected in this Privacy Policy.
On-device features — including character memory (RAG), text-to-speech, speech-to-text, and local AI models — do not transmit any data to third parties.
Custom API Providers
The App allows you to configure your own API keys to connect directly to third-party AI services of your choosing. When you use custom API providers, your data is transmitted directly to those services — it does not pass through our proxy server. We have no visibility into, control over, or responsibility for data transmitted via your own API keys. Your custom API keys are stored securely in Apple's Keychain on your device and are never transmitted to our servers.
5. Community Platform
If you choose to use the Community Platform, the following data is collected:
- Account information: Provided via Sign in with Apple (we receive only the identifiers Apple provides; your real email may be hidden by Apple's Private Relay)
- Uploaded characters: Character name, description, personality, scenarios, and avatar image — these become publicly visible
- Usage data: Download counts and ratings for shared characters
- Content reports: If you report a character or media item, we collect the report reason, optional details you provide, and your account identifier. Reports are used for content moderation and are not publicly visible.
Community participation is entirely optional. The core App functions without it.
6. Proxy Server & Logging
Our proxy server routes requests between the App and third-party AI providers. We do not store the content of your conversations, AI responses, chat prompts, or image generation prompts on our servers.
We log the following metadata only for operational purposes (analytics, error tracking, and abuse prevention):
- Timestamps and response times
- Token counts (input/output) and estimated cost
- AI model and provider used
- HTTP status codes and error messages
- Device identifier (see Section 6a below)
- Session identifiers
Generated images are temporarily stored on our servers for up to 24 hours to allow your device to download them. After 24 hours, they are automatically and permanently deleted.
We also collect feedback and bug reports you voluntarily submit through the App. These include your feedback text, device identifier, app version, and device model. Feedback is used solely to improve the App and is not shared with third parties.
6a. Device Identifiers & Credits
To manage your credit balance and subscription entitlements, and to prevent abuse, we collect your device's vendor identifier — an anonymous ID assigned by Apple that is unique to our app on your device. This identifier:
- Cannot be used to identify you personally or track you across other apps
- Changes if you uninstall and reinstall the App (your credit balance on our server will no longer be accessible unless linked to Sign in with Apple)
- Is used to associate your credit balance, subscription status, purchase history, and usage sessions
If you use Sign in with Apple to restore purchases, we also store the anonymous Apple user identifier provided by Apple (not your name or email) to link your credits across devices. When linked, your credit balance persists even if you reinstall the App or switch devices.
6b. Crash & Performance Diagnostics
The App may automatically send crash reports and performance diagnostics to our server using Apple's MetricKit framework. These reports contain technical information about app crashes, hangs, and resource usage — they do not contain any of your conversations, characters, or generated content. Diagnostic data is associated with your device identifier and app version.
6c. Subscription Data
If you subscribe to PersonaLLM Premium, Apple processes your payment and manages your subscription entirely through the App Store. We do not receive, store, or have access to your payment method, billing address, or financial information.
We receive the following from Apple's StoreKit framework on your device:
- Your subscription status (active, expired, in billing grace period, or revoked)
- Product identifier and subscription group
- Original purchase date, expiration date, and renewal date
- Transaction identifiers (anonymous, Apple-assigned)
This information is checked locally on your device to determine your access level. We do not transmit subscription status to our servers except as an anonymous request-type header ("X-Request-Type: subscriber") included with cloud AI requests so that our proxy can apply the correct service tier. No Apple ID, payment details, or personally identifiable subscription information is sent to our servers.
Subscription billing, renewal, cancellation, and refunds are managed entirely by Apple. See Section 9 of our Terms of Service for full details on auto-renewal terms and cancellation.
7. Legal Basis for Processing
Under UK GDPR, we process your data on the following bases:
- Consent (Article 6(1)(a)): For transmitting your data to third-party AI services. You can withdraw consent at any time by disabling cloud features in the App's settings. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
- Contract (Article 6(1)(b)): For processing necessary to provide the service you requested, including community platform account management, fulfilling credit purchases, and managing your subscription entitlements (verifying subscription status to provide the correct service tier).
- Legitimate interest (Article 6(1)(f)): For temporary logging of request metadata (timestamps, token counts, error codes) to diagnose technical errors, prevent abuse, and maintain service availability. We have assessed that this processing is necessary for our operational needs and does not override your rights, given that no conversation content is logged and metadata logs are automatically deleted after 90 days.
8. International Data Transfers
Our third-party AI providers (OpenRouter, Atlas Cloud, Alibaba Cloud, RunPod) and infrastructure provider (Cloudflare) may process data outside the United Kingdom, including in the United States and China.
Where data is transferred outside the United Kingdom, it is protected by one or more of the following safeguards:
- The UK-US Data Bridge (where the recipient is certified under the EU-US Data Privacy Framework with UK Extension)
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses
Note: Only processed text prompts (not your raw conversation messages) are sent to Alibaba Cloud for image and video generation. No personal identifiers are included in these prompts.
You may request a copy of the relevant safeguards by contacting us.
9. Data Retention
- On-device data: Retained until you delete it or uninstall the App
- Proxy server request logs (metadata only — no message content): Automatically deleted after 90 days
- Generated images on our servers: Automatically deleted after 24 hours
- Credit balance and transaction history: Retained for the lifetime of your device identifier (resets if you reinstall the App)
- Subscription transaction records: Retained on your device by Apple's StoreKit framework. We do not store subscription records on our servers. Apple retains purchase records in accordance with their privacy policy
- Crash and performance diagnostics: Retained for up to 180 days
- Community uploads: Retained until you remove them or request account deletion
- Purchase records: Retained as required by applicable tax and accounting law
You may request deletion of all server-side data associated with your device at any time by contacting us at support@personallm.app.
10. Automated Decision-Making & Content Moderation
PersonaLLM uses AI models to generate text, images, and videos in response to your inputs. This processing is automated but does not constitute automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 of the UK GDPR. No decisions about your access, rights, or account status are made solely by automated means without human involvement.
To comply with applicable law and App Store requirements, we apply automated content moderation at multiple stages:
- Input filtering: Your text prompts are checked against a keyword blocklist on our proxy server before being forwarded to AI providers. Prompts that match prohibited categories (child safety, real-person exploitation, self-harm, terrorism) are blocked and not forwarded. The blocked prompt is not stored.
- AI safety instructions: AI models are instructed via system prompts to refuse generating prohibited content.
- Image prompt sanitization: Prompts for image generation are processed by an AI model to remove inappropriate content before being sent to the image generation service.
- Character creation filtering: On-device keyword filtering checks character names, descriptions, and other fields during creation and editing. Characters that match prohibited categories (minors, illegal activity) are blocked before any data leaves your device.
- Image generation filtering: Additional keyword filtering is applied within the image generation pipeline to replace unsafe terms with safer alternatives.
If your content is blocked and you believe this was in error, you may contact us at support@personallm.app for human review.
11. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you (Article 15)
- Rectify inaccurate personal data (Article 16)
- Erase your personal data — "right to be forgotten" (Article 17)
- Restrict processing of your data (Article 18)
- Data portability — receive your data in a structured, machine-readable format (Article 20)
- Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing (Article 7(3))
Right to Object
You have the right to object to processing of your personal data at any time where we rely on legitimate interest as the legal basis (Article 21). If you object, we will stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
To object, contact us at support@personallm.app with the subject line "Right to Object".
To exercise any of these rights, contact us at support@personallm.app. We will respond within one month as required by law. If your request is complex, we may extend this by a further two months, but we will inform you within the first month.
These rights are provided free of charge, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse to act.
12. Complaints
If you are unhappy with how we have handled your personal data, we encourage you to contact us first at support@personallm.app so we can try to resolve your concern. We will acknowledge your complaint within 5 working days and aim to provide a full response within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
13. Children's Privacy
PersonaLLM is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a user under 18, we will delete that data and terminate their access promptly.
14. Cookies & Website
The PersonaLLM website (personallm.app) does not use tracking cookies, analytics scripts, or third-party advertising. Our administrative dashboard uses session cookies for authentication purposes only; these are not accessible to App users.
The iOS App does not use cookies or web-based tracking technologies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date above and posting the revised policy on our website. Your continued use of the App after changes take effect constitutes acceptance of the revised policy.
16. Contact Us
If you have any questions or concerns about this Privacy Policy or your data, please contact us at support@personallm.app.