Afterlife AI™ Global Data Privacy & Governance Policy

(Version 4.0 | Applicable to Afterlife AI™ and Timeless AI™)

1. Purpose & Scope

This Policy describes how Idy Pty Ltd (“Afterlife AI™”, “Timeless AI™”, “we”, “us”, “our”) collects, processes, stores, and protects personal data in compliance with the EU General Data Protection Regulation (GDPR), UK Data Protection Act 2018, California Consumer Privacy Act (CCPA), and equivalent global privacy frameworks. It applies to all users, beta participants, partners, and contractors worldwide.

2. Core Principles

Afterlife AI™ operates on Privacy-by-Design and Ethics-by-Default. We commit to:

  • Ownership — You own your memories, media, and persona data.

  • Consent — Processing occurs only with informed, explicit, revocable consent.

  • Minimisation — We collect and retain only what’s necessary.

  • Transparency — We explain clearly how and why data is processed.

  • Security — Encryption, access controls, and continuous monitoring protect data.

  • Erasure & Portability — You can delete or export your data at any time.

  • Accountability — Every action is logged and auditable under governance oversight.

3. Information We Collect

We collect only the data you choose to share:

  • Persona Inputs — text, audio, video, and images you provide.

  • Behavioural & Emotional Data — tone, style, and emotional metadata (only with consent).

  • Executor & Trusted Contact Data — permissions, access, and legacy control records.

  • Technical Data — pseudonymised device identifiers and diagnostics.

  • Subscription Data — account tier, billing, and transaction confirmations.

  • Metadata — timestamps, file types, and access logs for auditability.

4. Lawful Basis for Processing

We process personal data under lawful bases consistent with GDPR Articles 6 and 9:

  • Consent — explicit opt-in for all personal and special-category data.

  • Contractual Necessity — to deliver your requested service.

  • Legitimate Interest — to maintain integrity, prevent misuse, and enhance safety.

  • Legal Obligation — to comply with applicable data-protection laws.

Sensitive data (such as voice, image, or emotion metrics) is handled only with explicit consent and additional encryption safeguards.

5. How We Use Data

We process your information to:

  • build and maintain your digital persona;

  • enable secure Executor and Trusted-Contact features;

  • operate grief-sensitive and ethical-AI safeguards;

  • conduct privacy-preserving research to improve performance.

We never sell, lease, or monetise personal data for advertising or profiling.

6. Security & Encryption

We use AES-256 encryption at rest, TLS 1.3 in transit, tokenisation, and role-based access control. All data interactions are logged with timestamps and identifiers. Media uploads occur through short-lived, pre-signed URLs to prevent unauthorised access.

7. Retention & Deletion

Data is kept only as long as necessary for service delivery or legal compliance. You may request deletion at any time via in-app controls or by contacting privacy@idy.ai. All backups and derivative data are destroyed within 30 days of confirmed deletion.

8. International Data Transfers

Cross-border transfers follow Standard Contractual Clauses (SCCs) or equivalent mechanisms ensuring GDPR-level safeguards. All subprocessors and partners must maintain equal or stronger privacy standards.

9. User Rights

You have the right to:

  • Access — receive a copy of your personal data.

  • Rectification — correct inaccuracies.

  • Erasure — request deletion (“Right to be Forgotten”).

  • Restriction — limit processing of your data.

  • Portability — export data in machine-readable form.

  • Objection — oppose certain processing or profiling.

  • Withdraw Consent — revoke permission at any time without prejudice.

Requests may be sent to privacy@idy.ai.

10. Cookies & Analytics

We use privacy-preserving analytics solely to measure reliability and usage. We do not use behavioural tracking, cross-site cookies, or third-party advertising tools.

11. Data Breach Notification

If a breach is likely to affect your rights or freedoms, we will notify affected users and regulators within 72 hours and publish remediation steps transparently.

12. Children & Vulnerable Users

Users under 18 require verified guardian consent. Grief- or trauma-related contexts are subject to enhanced manual review and ethical oversight.

13. Governance & Accountability

The Data Protection & Ethics Office oversees compliance, privacy impact assessments, and ethical AI governance. An independent Ethics Council periodically reviews consent frameworks, executor processes, and trauma-aware design principles.

14. Contact

Data Protection & Ethics Office

Email: privacy@idy.ai

We respond to verified data-rights requests within 30 days.

15. Policy Updates

This Policy is reviewed annually and whenever regulations change.

16. Acceptance

By using Afterlife AI™ or Timeless AI™, you acknowledge that you have read and understood this Policy and consent to data processing as described.

Appendix A – Global Regulatory Alignment

This Policy aligns with major international frameworks:

  • GDPR (EU Regulation 2016/679) – Articles 5–49

  • UK Data Protection Act 2018 – Part 2 General Processing

  • California Consumer Privacy Act (CCPA) – §1798.100 – 1798.199

  • ISO/IEC 27701:2019 – Privacy Information Management Systems

  • NIST SP 800-53 Rev 5 – Security and Privacy Controls

These frameworks inform the technical, ethical, and legal standards applied to Afterlife AI™ and Timeless AI™.