Alfred
Privacy Policy
Effective 10 April 2026
1. Who We Are
Alfred is operated by Beema Solutions Limited, a company registered in England and Wales. Beema Solutions Limited is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact: ojgwoodman@gmail.com
2. What Data We Collect
Account information — Your phone number (WhatsApp identifier), display name, honorific, city/location, latitude and longitude, and timezone.
Messages — Text messages you send to and receive from Alfred, voice message transcripts, and image descriptions. Voice audio files are processed for transcription and then deleted.
Connected accounts — If you choose to connect Google or Microsoft, Alfred can access your calendar events, emails, and contacts through those integrations. OAuth tokens are stored to maintain the connection.
Google user data — When you connect a Google account, Alfred may access your Gmail messages (read, send, organise, and filter), Google Calendar events (view, create, update, and delete), and Google Contacts (read-only). Email and calendar content is processed in real time and cached in memory for up to 10 minutes to serve your requests — it is never written to a database or stored permanently. Only OAuth tokens and your sync preferences are persisted.
Microsoft user data — When you connect a Microsoft account, Alfred may access your Outlook Mail (read, send, organise, and filter), Outlook Calendar events (view, create, update, and delete), and Outlook Contacts (read-only). The same data handling applies: email and calendar content is cached in memory for up to 10 minutes only, never stored permanently.
Tasks and notes — Tasks you create (including subtasks, recurrence rules, labels, priorities, and reminders), task activity logs (creation, updates, completions, reschedules), and wellbeing check-in data.
Memory — Facts and preferences Alfred remembers about you to personalise responses. This includes a "living profile" — a narrative summary regenerated nightly from your recent conversations and stored facts.
Daily journal — Each evening, Alfred generates a short second-person journal entry summarising your day based on conversations, completed tasks, and wellbeing data. These are stored in the database and used for briefings and profile updates.
Briefing topics — If you configure custom briefing topics (e.g. stock prices, news), those topic names and the web search queries they generate are stored.
Feedback — Bug reports, feature requests, and support messages you submit through Alfred.
Billing data — If you subscribe, your Stripe customer ID, subscription ID, subscription status, trial dates, and payment history are stored. Payment card details are held by Stripe and never stored by Alfred.
Usage data — Message counts, AI token usage, and estimated cost per service, used for service management.
Quality and security data — Per-message metadata (response time, AI model used, tools called) for service quality monitoring. Messages flagged as potential prompt injection attempts are logged with a short excerpt for security review.
3. How We Use Your Data
- To provide the Alfred service — processing your messages, managing your calendar, email, tasks, and contacts.
- To personalise Alfred's responses using your stored preferences and memory.
- To send daily briefings and task reminders at your configured times. Custom briefing topics trigger web searches on your behalf (e.g. fetching stock prices or news headlines you have requested).
- To generate nightly journal entries and update your living profile, which improve Alfred's context and personalisation over time.
- To monitor usage, enforce service limits, and track subscription billing.
- To monitor service quality (response times, model performance) and detect prompt injection attempts.
- To improve the service over time.
As the sole operator, Beema Solutions Limited (Oli Woodman) has access to your data for the purposes of providing support, debugging issues, and maintaining the service. Your data is not shared with, sold to, or visible to any other person.
4. Google API Services — Limited Use Disclosure
Alfred's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Alfred only uses Google data to provide and improve the user-facing features you see in the app.
- Alfred does not use Google data for advertising, market research, or to build user profiles for any purpose other than providing the Alfred service.
- Alfred does not sell Google data to third parties.
- Alfred does not use Google data for purposes unrelated to the core functionality described in this policy.
- No human reads your Google data except where (a) you have given explicit consent (e.g. to debug an issue you report), (b) it is necessary to comply with applicable law, or (c) the data is aggregated and anonymised so that it no longer identifies you.
5. Legal Basis (UK GDPR)
We process your data on the following legal bases:
- Contract performance — Processing necessary to provide the Alfred service you signed up for.
- Legitimate interest — Service monitoring, security, and improvement.
- Consent — Optional integrations (Google, Microsoft) are only activated when you explicitly connect them, and can be disconnected at any time.
6. Third-Party Processors
Alfred relies on the following third-party services to function. Your data is shared with them only as necessary to provide the service.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Microsoft Azure OpenAI | AI responses, image recognition, message routing and verification | Messages, images | UK / USA |
| Groq | Voice transcription, text-to-speech | Audio files, text | USA |
| Twilio | WhatsApp message delivery | Phone number, messages | USA |
| Supabase | Database hosting | All stored data | AWS |
| Railway | Application hosting | All processed data | USA |
| Stripe | Subscription billing and payments | Customer ID, subscription status, payment events | USA |
| Gmail, Calendar, Contacts | Account data (if connected) | USA | |
| Microsoft | Outlook Mail, Calendar, Contacts | Account data (if connected) | USA/EU |
| Brave Search | Web search queries (on-demand and custom briefing topics) | Search terms | USA |
| Open-Meteo / OpenWeatherMap | Weather forecasts | Location coordinates | EU / USA |
| Photon (Komoot) | Geocoding for meeting point calculations | Location queries | EU |
| TfL | Journey planning, line status, meeting point routing | Location queries | UK |
| PostHog | Product analytics on the dashboard and landing page | Page views, anonymised usage events | USA |
7. International Transfers
AI processing is primarily handled by Microsoft Azure OpenAI in the UK. Other third-party processors are based in the United States or the EU. International transfers are supported by each processor's own data protection commitments, including standard contractual clauses and equivalent safeguards where applicable.
8. Data Retention
Your data is retained for as long as your account is active. Conversation messages are stored in the database for continuity; the AI only loads the most recent 20 messages as active context, but the full history is retained until you delete your account. OAuth tokens are stored for as long as an integration remains connected. Email and calendar content from connected accounts is cached in memory for up to 10 minutes and never written to the database.
You can delete your account and all associated data at any time by: visiting your dashboard (Settings → Delete Account), asking Alfred directly ("please delete my account"), or emailing ojgwoodman@gmail.com. Deletion removes everything: messages, tasks, contacts, memory, daily journals, usage data, and OAuth tokens.
9. Your Rights
Under UK GDPR, you have the right to:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Ask us to correct inaccurate data.
- Erasure — Request deletion of your data.
- Restriction — Ask us to limit how we use your data.
- Portability — Receive your data in a portable format.
- Objection — Object to processing based on legitimate interest.
To exercise any of these rights, contact ojgwoodman@gmail.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Security
We take reasonable measures to protect your data, including:
- All data is encrypted in transit (HTTPS) and at rest (Supabase).
- Row-level security on all database tables.
- OAuth tokens encrypted at rest with AES-256-GCM and stored server-side only — never exposed to the client.
- Dashboard sessions use httpOnly, secure, sameSite cookies with HMAC-SHA256 JWT.
11. Cookies and Analytics
The Alfred dashboard uses a single httpOnly session cookie for authentication. We do not use advertising cookies.
The dashboard and landing page use PostHog for product analytics. PostHog collects anonymised usage data (page views, feature interactions) to help us understand how the service is used and where to improve it. PostHog may set its own cookies or use local storage for session tracking. No advertising or cross-site tracking is performed. You can opt out by using a browser ad-blocker or disabling JavaScript on the dashboard.
12. Children
Alfred is not intended for anyone under 16 years of age. We do not knowingly collect data from children under 16.
13. Changes to This Policy
This policy may be updated from time to time. Material changes will be communicated via WhatsApp. Continued use of Alfred after changes constitutes acceptance.
14. Contact
For any questions about this privacy policy or your data, contact Beema Solutions Limited at ojgwoodman@gmail.com.