Privacy Policy
How TinieAI Ltd handles your personal data when you use Recallify.
Effective from May 2026 · Version 2.0 (replaces the Privacy Policy dated 29 April 2024). TinieAI Ltd, a company registered in England and Wales, is the controller of your personal data; contact us at info@recallify.ai.
Summary
We collect the personal data you give us when you sign up, the content you record or upload to Recallify, and basic usage information from the app. We use it to provide the Recallify service to you and to keep the product working well.
We do not sell your data. We do not use your content for advertising. Our AI sub-processors do not use your content to train their models.
You can access, correct, export, or delete your data at any time, either through the app or by emailing info@recallify.ai. If you are not happy with how we handle your data, you have a right to complain to the UK Information Commissioner's Office.
1. About this Privacy Policy
This Privacy Policy explains how TinieAI Ltd collects, uses, and protects your personal data when you use the Recallify app on iOS or Android, or visit recallify.ai. TinieAI Ltd is the controller of your personal data for the purposes of UK GDPR.
This policy is written to be readable. The technical detail behind it, including our full sub-processor list and internal data retention schedule, is recorded in our internal Records of Processing Activities.
If anything in this policy is unclear, please contact us at info@recallify.ai before continuing to use Recallify.
2. Information we collect
2.1 Information you give us
- Account details when you sign up: your name, email address, and where you choose email and password authentication, a password (which we never store in plaintext).
- Content you record, type, or upload to the app: voice recordings, notes, transcripts, summaries, tasks, reminders, quizzes, and any files you import.
- Subscription status, where you take out a paid subscription.
- Anything you send us through customer support, including questions, complaints, and any information you choose to include.
2.2 Information we collect automatically
- Device information: device type, operating system version, app version, and language.
- Usage data: events such as opening the app, recording, generating a summary, or completing a quiz. We use this to understand how the product is used and to make it better. We do not log the content of your recordings or notes as part of usage data.
- Technical information: IP address and similar identifiers, used for security and abuse prevention.
2.3 Information we do not collect
- We do not collect payment card details directly. Payments are handled by the Apple App Store and Google Play.
- We do not use your voice for speaker identification or voice-print processing.
- We do not collect special category data, such as health information, intentionally. See section 4.
3. How we use your information
We use your personal data for the purposes set out below. Each purpose has a lawful basis under UK GDPR.
| Purpose | Lawful basis |
|---|---|
| Providing Recallify to you, including transcription, summaries, task and reminder extraction, and quiz generation, and storing your content so you can access it across devices. | Article 6(1)(b): performance of our contract with you under our Terms of Use. |
| Maintaining and improving the product, including debugging, monitoring service quality, and developing new features. | Article 6(1)(f): our legitimate interests in running and improving the service. We balance this against your interests and rights, and we keep usage data separate from your content. |
| Customer support, when you contact us with a question, complaint, or feedback. | Article 6(1)(b) and (f) depending on the nature of your request. |
| Complying with legal obligations, including responding to lawful requests from authorities and meeting our regulatory duties. | Article 6(1)(c): legal obligation. |
| Responding to safeguarding concerns where there is a risk of serious harm to you or another person. | Article 6(1)(d): vital interests, in line with our internal Safeguarding and Adverse Event Policy. |
| Research, only where you separately give explicit consent through an ethics-approved study. | Article 6(1)(a): explicit consent, taken at the point of study enrolment. |
We do not make decisions about you that have legal or similarly significant effects using automated processing alone. The AI outputs in Recallify (transcripts, summaries, tasks, quizzes) are tools you review and edit; they are not decisions made about you.
4. Sensitive personal data
Recallify is used by many people with cognitive or health conditions, and the content you record or upload may include information that UK GDPR treats as special category data. This is most often health information about yourself, but could also include other kinds of sensitive information such as religious views, political opinions, or details about your sexual orientation if you choose to record content on those topics.
We do not actively solicit special category data. Where your content contains it, our lawful basis is your explicit consent (Article 9(2)(a)). You give that consent when you submit the content to the app, and you can withdraw it at any time by deleting the content, closing your account, or contacting us.
In the rare situation where there is a risk of serious harm to you or another person, we may rely on the vital interests condition (Article 9(2)(c)) and on our Safeguarding and Adverse Event Policy.
5. How our AI works
Recallify uses AI to perform four bounded functions on the content you give it: transcription, summarisation, extraction of tasks and reminders, and active-recall quizzes. We want to be clear about how this works and what it does not do.
What we send to AI sub-processors
To perform the functions above, we send your content to specialist AI service providers acting on our behalf as data processors. These include an automated speech recognition provider for transcription and a large language model provider for summarisation, task extraction, and quiz generation. We use enterprise-grade contractual terms with these providers.
What our AI sub-processors do not do with your content
- They do not use your content to train their AI models.
- They keep your content only for as long as needed to carry out the task, and for limited security and abuse-prevention purposes, after which it is deleted.
- They do not use your content for any purpose other than providing the service to us.
What Recallify itself does not do
- Recallify is not a chatbot or a conversational AI agent. It does not maintain a relationship with you, hold opinions, or generate clinical, emotional, or moral advice.
- Recallify is not a medical device. It does not diagnose, treat, or recommend treatment. If you have a health concern, please contact a healthcare professional.
- Recallify does not browse the internet or take actions in the world on your behalf based on your content.
AI output accuracy
AI-generated outputs (transcripts, summaries, tasks, quizzes) can contain inaccuracies. You can review and edit any AI output before relying on it. We keep your transcript alongside the summaries, tasks, and quizzes generated from it, so you can compare and correct them. We do not keep your original recording — it is processed and then deleted, and is never stored online long-term.
6. Who we share your information with
We share your personal data only with the categories of recipient set out below, each under contracts that meet UK GDPR requirements. If you would like more detail about how your own personal data is processed, please contact info@recallify.ai.
| Category of recipient | What they do |
|---|---|
| Cloud infrastructure provider | Hosts and stores your content and account data. |
| Automated speech recognition provider | Transcribes your voice recordings. |
| Large language model provider | Generates summaries, tasks, and quizzes from your content. |
| Analytics provider | Captures aggregated usage data so we can understand how Recallify is used. Does not see the content of your recordings or notes. |
| Email and customer support provider | Handles inbound and outbound support correspondence. |
| Payment and authentication | Apple App Store, Google Play, Apple Sign In, Google Sign In. These services operate under their own privacy policies. |
| Professional advisors | Lawyers, auditors, and similar professional advisors, where required for the running of the business. |
| Authorities | Law enforcement, regulators, and other authorities where required by law or for safeguarding purposes. |
We do not sell your personal data. We do not share your personal data with advertising networks. We do not allow our sub-processors to use your data for their own marketing or model training.
7. International transfers
Your information is stored in the United Kingdom and the European Union, which have mutual data-protection adequacy. Some processing tasks — in particular AI transcription and summarisation — are carried out by specialist providers that may process your content in the United States. Where personal data is transferred outside the UK and EU in this way, we protect it with the safeguards UK GDPR requires, which depending on the provider are one or more of:
- Adequacy regulations made by the UK government for the destination country.
- The UK Extension to the EU-US Data Privacy Framework, where the provider is certified.
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum.
Any content sent to these providers for processing is deleted once the task is complete. We carry out a transfer impact assessment for each transfer to a country without a UK adequacy decision.
8. How long we keep your information
| Type of information | Retention period |
|---|---|
| Account details and content | While your account is active. If you delete content or close your account, we delete it from our systems within 30 days. |
| Subscription and payment records | Up to seven years after the end of the financial year, in line with HMRC record-keeping requirements. |
| Customer support correspondence | Up to two years from the closure of the support case. |
| Adverse event records (safeguarding) | Six years from closure of the record, under our internal Safeguarding and Adverse Event Policy. |
| Anonymised analytics | Retained on an ongoing basis. This data is no longer personal data once anonymised. |
We do not keep your recordings: the original audio or video file is deleted as soon as it has been processed.
9. Your rights
Under UK GDPR you have the following rights. To exercise any of them, please contact info@recallify.ai. We respond within one calendar month (the statutory timeframe), and there is no charge for most requests.
- Access. You can ask for a copy of the personal data we hold about you.
- Rectification. You can ask us to correct any personal data that is inaccurate. Most content in Recallify is directly editable in the app.
- Erasure. You can ask us to delete your personal data. You can also delete content and close your account directly in the app.
- Restriction. You can ask us to stop using your personal data in certain circumstances.
- Portability. You can ask for a copy of your personal data in a structured, commonly used, machine-readable format.
- Objection. You can object to processing based on our legitimate interests, including for product analytics.
- Withdraw consent. Where we process your personal data on the basis of consent, you can withdraw that consent at any time.
- Not be subject to solely automated decision-making with legal or similarly significant effects. Recallify does not make decisions of that kind about you.
You also have the right to complain to the UK Information Commissioner's Office about how we handle your personal data. The ICO can be contacted at ico.org.uk or on 0303 123 1113. We would, of course, prefer the chance to put things right first. Please contact us at info@recallify.ai before contacting the ICO if you can.
10. How we protect your information
- Your personal data is encrypted in transit between your device and our servers, and at rest in our cloud storage.
- Access to production systems is restricted to authorised personnel who need it to operate the service.
- We are Cyber Essentials certified and we maintain an internal Information Security Incident Response procedure.
- We run automated security scanning on every change to our code, and regularly review our security arrangements.
No system is perfectly secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and contact you directly where appropriate, in line with our incident response procedure.
11. Children and age
Recallify is intended for users aged 18 or over (or the local digital age of consent, where higher). We do not knowingly collect personal data from anyone under that age.
If we become aware that an under-age account has been created, we close the account and delete the associated personal data within 30 days. If you believe a child has used Recallify, please contact us at info@recallify.ai so we can act on that.
From time to time we run separate research studies that may involve children, with appropriate parental consent, ethics approval, and a separate data protection framework. Those studies are not run through the consumer Recallify product and are governed by their own privacy information, which is provided to participants at enrolment.
12. Cookies and similar technologies
The Recallify app uses standard mobile identifiers (such as the iOS Identifier for Vendors and the Android Advertising ID, where you have not opted out) to keep you signed in, support analytics, and detect abuse. We do not use these identifiers for cross-site advertising.
Our website recallify.ai uses a small number of cookies for essential site functionality and basic analytics. The website includes a cookie notice with more detail and the option to manage your preferences.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make changes that materially affect your rights or how we process your personal data, we will let you know in advance through the app or by email. The current version is always available at recallify.ai/privacy_policy/, with the effective date at the top.
14. How to contact us
For any question or request about this Privacy Policy, or about how we handle your personal data, please contact us:
- Email: info@recallify.ai
- Post: TinieAI Ltd, 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE
Our Data Protection Lead is M. Berkan Sesen. To contact him directly about a data protection matter, please email info@recallify.ai and mark your message for his attention.
If you are not satisfied with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk or on 0303 123 1113.