Alfred

Privacy Policy

Effective 4 March 2026

1. Who We Are

Alfred is operated by Oli Woodman, based in England. Oli is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact: ojgwoodman@gmail.com

2. What Data We Collect

Account information — Your phone number (WhatsApp identifier), display name, honorific, city/location, latitude and longitude, and timezone.

Messages — Text messages you send to and receive from Alfred, voice message transcripts, and image descriptions. Voice audio files are processed for transcription and then deleted.

Connected accounts — If you choose to connect Google or Microsoft, Alfred can access your calendar events, emails, and contacts through those integrations. OAuth tokens are stored to maintain the connection.

Tasks and notes — Tasks you create, daily notes, and wellbeing check-in data.

Memory — Facts and preferences Alfred remembers about you to personalise responses.

Usage data — Message counts, AI token usage, and estimated cost, used for service management.

3. How We Use Your Data

  • To provide the Alfred service — processing your messages, managing your calendar, email, tasks, and contacts.
  • To personalise Alfred's responses using your stored preferences and memory.
  • To send daily briefings and task reminders at your configured times.
  • To monitor usage and enforce service limits.
  • To improve the service over time.

As the sole operator, Oli Woodman has access to your data for the purposes of providing support, debugging issues, and maintaining the service. Your data is not shared with, sold to, or visible to any other person.

4. Legal Basis (UK GDPR)

We process your data on the following legal bases:

  • Contract performance — Processing necessary to provide the Alfred service you signed up for.
  • Legitimate interest — Service monitoring, security, and improvement.
  • Consent — Optional integrations (Google, Microsoft) are only activated when you explicitly connect them, and can be disconnected at any time.

5. Third-Party Processors

Alfred relies on the following third-party services to function. Your data is shared with them only as necessary to provide the service.

| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI responses, image recognition | Messages, images | USA |
| Groq | Voice transcription, text-to-speech | Audio files, text | USA |
| Twilio | WhatsApp message delivery | Phone number, messages | USA |
| Supabase | Database hosting | All stored data | AWS |
| Railway | Application hosting | All processed data | USA |
| Google | Gmail, Calendar, Contacts | Account data (if connected) | USA |
| Microsoft | Outlook Mail, Calendar, Contacts | Account data (if connected) | USA/EU |
| Brave Search | Web search queries | Search terms | USA |
| Open-Meteo | Weather data | Location coordinates | EU |
| TfL | Meeting point calculations | Location queries | UK |

6. International Transfers

Most of Alfred's third-party processors are based in the United States. These transfers are supported by each processor's own data protection commitments, including standard contractual clauses and equivalent safeguards where applicable.

7. Data Retention

Your data is retained for as long as your account is active. You can request deletion of your data at any time by contacting Oli at ojgwoodman@gmail.com. Conversation history used for active context is windowed to the most recent 20 messages. OAuth tokens are stored for as long as an integration remains connected.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Ask us to correct inaccurate data.
  • Erasure — Request deletion of your data.
  • Restriction — Ask us to limit how we use your data.
  • Portability — Receive your data in a portable format.
  • Objection — Object to processing based on legitimate interest.

To exercise any of these rights, contact ojgwoodman@gmail.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We take reasonable measures to protect your data, including:

  • All data is encrypted in transit (HTTPS) and at rest (Supabase).
  • Row-level security on all database tables.
  • OAuth tokens stored server-side only — never exposed to the client.
  • Dashboard sessions use httpOnly, secure, sameSite cookies with HMAC-SHA256 JWT.

10. Cookies

The Alfred dashboard uses a single httpOnly session cookie for authentication. We do not use analytics cookies, advertising cookies, or any third-party tracking.

11. Children

Alfred is not intended for anyone under 16 years of age. We do not knowingly collect data from children under 16.

12. Changes to This Policy

This policy may be updated from time to time. Material changes will be communicated via WhatsApp. Continued use of Alfred after changes constitutes acceptance.

13. Contact

For any questions about this privacy policy or your data, contact Oli Woodman at ojgwoodman@gmail.com.
