Afterlife AI™ Global Data Privacy & Governance Policy

Version 4.0 | Applicable to Afterlife AI™ and Timeless AI™

1. Purpose & Scope

This policy describes how Idy Pty Ltd (operating as Afterlife AI™ and Timeless AI™) handles personal data. It complies with the GDPR, the UK Data Protection Act 2018, the CCPA, and equivalent global frameworks. It applies to all users, beta participants, partners, and contractors worldwide.

2. Core Principles

Ownership: Users own their memories, media, and persona data.
Consent: Processing requires informed, explicit, revocable consent.
Minimisation: Only necessary data is collected and retained.
Transparency: Clear explanations of data processing methods and purposes.
Security: Encryption, access controls, and continuous monitoring.
Erasure & Portability: Users can delete or export data anytime.
Accountability: All actions are logged and auditable under governance oversight.

3. Information We Collect

Persona Inputs: text, audio, video, images provided by users.
Behavioural & Emotional Data: tone, style, emotional metadata (consent-dependent).
Executor & Trusted Contact Data: permissions, access, legacy control records.
Technical Data: pseudonymised device identifiers and diagnostics.
Subscription Data: account tier, billing, transaction confirmations.
Metadata: timestamps, file types, access logs for auditability.

4. Lawful Basis for Processing

Processing occurs under GDPR-compliant bases:
Consent: explicit opt-in for personal and special-category data.
Contractual Necessity: to deliver requested services.
Legitimate Interest: to maintain integrity, prevent misuse, enhance safety.
Legal Obligation: compliance with data-protection laws.

Sensitive data (voice, image, emotion metrics) requires explicit consent and additional encryption safeguards.

5. How We Use Data

Data processing enables: building and maintaining digital personas; enabling secure Executor and Trusted-Contact features; operating grief-sensitive and ethical-AI safeguards; conducting privacy-preserving research to improve performance. The organization does not sell, lease, or monetize personal data for advertising or profiling.

6. Security & Encryption

Technical safeguards include: AES-256 encryption at rest, TLS 1.3 encryption in transit, tokenisation and role-based access control, logged data interactions with timestamps and identifiers, short-lived pre-signed URLs for media uploads.

7. Retention & Deletion

Data retention follows necessity principles. Users may request deletion via in-app controls or by contacting privacy@idy.ai. All backups and derivative data are destroyed within 30 days of confirmed deletion.

8. International Data Transfers

Cross-border transfers comply with Standard Contractual Clauses (SCCs) or equivalent mechanisms ensuring GDPR-level safeguards. All subprocessors and partners maintain equal or stronger privacy standards.

9. User Rights

Users have rights to:
Access: receive a copy of personal data.
Rectification: correct inaccuracies.
Erasure: request deletion (Right to be Forgotten).
Restriction: limit processing.
Portability: export data in machine-readable form.
Objection: oppose certain processing or profiling.
Withdraw Consent: revoke permission anytime without prejudice.

Requests should be directed to privacy@idy.ai.

10. Cookies & Analytics

Privacy-preserving analytics measure reliability and usage only. No behavioural tracking, cross-site cookies, or third-party advertising tools are employed.

11. Data Breach Notification

In the event of a breach affecting user rights or freedoms, the organization notifies affected users and regulators within 72 hours and publishes remediation steps transparently.

12. Children & Vulnerable Users

Users under 18 require verified guardian consent. Grief- or trauma-related contexts are subject to enhanced manual review and ethical oversight.

13. Governance & Accountability

A Data Protection & Ethics Office oversees compliance, privacy impact assessments, and ethical AI governance. An independent Ethics Council periodically reviews consent frameworks, executor processes, and trauma-aware design principles.

14. Contact

Data Protection & Ethics Office. Email: privacy@idy.ai. Response timeframe: 30 days for verified data-rights requests.

15. Policy Updates

This policy is reviewed annually and updated whenever regulations change.

16. Acceptance

Using Afterlife AI™ or Timeless AI™ constitutes acknowledgment of having read and understood this policy and consent to the data processing described.

Appendix A – Global Regulatory Alignment

GDPR (EU Regulation 2016/679) – Articles 5–49.
UK Data Protection Act 2018 – Part 2 General Processing.
California Consumer Privacy Act (CCPA) – §1798.100–1798.199.
ISO/IEC 27701:2019 – Privacy Information Management Systems.
NIST SP 800-53 Rev 5 – Security and Privacy Controls.