Legal

Privacy Policy

Effective April 23, 2026

We at heyRosie.ai (“HeyRosie,” “we,” “us,” or “our”) want you to understand what information we collect, and how we use and share it. HeyRosie is a personal memory and family connection platform that helps you capture, organize, and share your most meaningful moments using AI. To do so, we collect and process user information to build memories, recognize faces, generate journals, and help you connect with people that matter to you (the “HeyRosie Product”).

This Privacy Policy explains how we collect, use, and protect personal information when you use our services — including the HeyRosie Product accessible via web or mobile application, visit our website, or access any other applications or services that link to this Privacy Policy (collectively, the “Services”).

Personal Information We Collect

Personal information you provide to us directly:

Account information, such as your name and email address used to log into your account. We use Firebase Authentication to verify your identity. You may also provide a profile picture and other biographical information. This information helps others connect with you and allows us to personalize your experience with the Services.

Photos, videos, and media. We collect photos, videos, and other media files you choose to upload to create memories, build your photo vault, or enrich your journal. These assets may include embedded metadata such as timestamps, location data (GPS coordinates), and device information (EXIF data). You control which media you upload, and you may delete uploaded media at any time.

Voice notes and audio recordings. When you record voice notes for memories or interact with the Voice Biographer feature, we collect and process your audio. Audio is transcribed using AI-powered speech recognition to generate text descriptions, titles, and memory narratives. Both the original audio and the transcription are stored.

Text notes, descriptions, and journals. We collect the text content you provide, including notes, memory descriptions, edited summaries, and journal entries. Sensitive text content — including notes, voice transcriptions, and journal digests — is encrypted using AWS Key Management Service (KMS) with AES-256 encryption before storage.

User-provided content (Inputs). We collect the data, text, questions, and feedback you submit to the HeyRosie Product (“Inputs”). These Inputs are determined solely by you and may, at your discretion, include personal or sensitive information. We do not require or encourage the inclusion of sensitive data in Inputs, and you are responsible for ensuring that any Inputs comply with applicable laws and do not violate the rights, including privacy rights, of others.

Generated content (Outputs). When you interact with the HeyRosie Product, we may process your Inputs to generate AI-based responses (“Outputs”) such as memory summaries, journal entries, photo descriptions, and chat responses. These Outputs may reflect, reproduce, or infer personal information from your Inputs — about you or others — even if that information was not directly written or stated.

Facial recognition data. When you upload photos, we may use facial detection and recognition technology (powered by AWS Rekognition) to identify and group faces across your photos. This biometric data includes face embeddings, bounding box coordinates, and associated metadata such as estimated age range and detected expressions. Face data is stored in a collection unique to your account and is never shared across users. You can delete individual faces, persons, or your entire face collection at any time.

Contact information of your connections. We may, with your permission, help you connect with other HeyRosie users. Where you provide us with personal information of third parties, such as your connections, it is your responsibility to inform them about the processing of their personal information in accordance with this Privacy Policy, and to confirm that they have given their permission.

Connected app data. With your explicit authorization, we may access data from third-party services you connect to HeyRosie, including Google Calendar, Gmail, Google Photos, Google Tasks, and Outlook. This data is used to enrich your daily journal and provide contextual insights. Connected app data is synced on a rolling 30-day window and is not permanently archived.

Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us online.

Information we obtain from third parties:

Third-party log-in. If you create an account or log into the Services using third-party services, such as Google, we will receive your name and email address as permitted by your profile settings on the third-party service in order to authenticate you via Firebase Authentication. The information we receive depends on the settings, permissions, and privacy policies of the third-party service. You should always check the privacy settings and notices in the relevant third-party services to understand what data may be disclosed to us.

Automatic data collection:

When you visit, use, or interact with the Services, we automatically log certain information, including:

  • Usage data, such as feature usage patterns, navigation paths, and interaction history with AI tools. We use a privacy-focused analytics system that processes content summaries rather than raw user data.
  • Device data, such as operating system type, device type (phone, tablet, web), and language settings.
  • General location information, such as city, state, or geographic area determined from your device's IP address, for security purposes such as detecting unusual login activity.
  • Photo metadata. When you upload photos, we may extract and process embedded metadata including GPS coordinates, timestamps, altitude, and device information. This data is used to organize your memories chronologically and geographically.

How We Use Personal Information

We use personal information for the following purposes:

To operate our Services:

  • Create and organize memories. We process your photos, voice notes, and text to build rich memory records with AI-generated titles, descriptions, and summaries.
  • Recognize and group faces. We use facial recognition to identify people across your photos, helping you tag and organize memories by the people in them.
  • Generate journals. We analyze data from your connected apps and daily activity to create personalized daily journal entries.
  • Power AI conversations. We process your chat inputs to generate contextual responses about your memories, notes, and personal history.
  • Transcribe audio. We convert voice notes and audio recordings to text for memory descriptions and searchability.
  • Enable sharing. We generate secure share links so you can share memories with connections or anyone you choose.
  • Deliver notifications about activity relevant to you, such as connection requests, memory collaborations, and shared content.
  • Communicate with you about our Services, including announcements, updates, security alerts, and support messages.
  • Respond to your requests, questions, and feedback.

To develop and improve our Services:

  • Personalization. We analyze your usage patterns and content to improve recommendations, search relevance, and product behavior.
  • Troubleshooting and enhancement. We monitor how the Services are used, troubleshoot issues, and improve functionality.
  • Product development. We identify opportunities for new features and enhance the performance of the HeyRosie Product.

For compliance and protection:

  • Verify accounts and activity
  • Find and address violations of our terms or policies
  • Investigate suspicious activity
  • Detect, prevent, and combat harmful or unlawful behavior
  • Maintain the integrity of our Services

How We Protect Your Information

We implement multiple layers of security to protect your personal information:

  • Encryption at rest. Sensitive content — including notes, voice transcriptions, and journal digests — is encrypted using AWS Key Management Service (KMS) with AES-256-GCM encryption via Fernet cipher before storage. This content is compressed with gzip before encryption for additional protection.
  • Encryption in transit. All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
  • Authentication. We use Firebase Authentication with JWT token verification. Every authenticated request is verified server-side before processing.
  • Isolated face collections. Each user's facial recognition data is stored in a separate, user-specific collection. Face data is never shared or merged across users.
  • Secure memory sharing. Shared memory links use UUID v4 tokens with 122 bits of entropy, making them computationally infeasible to guess.
  • Access controls. Protected API endpoints require valid authentication tokens. Public endpoints are limited to health checks, shared content access (via secure tokens), and static resources.

Unfortunately, no method of data transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.

How We Disclose Personal Information

Service providers:

Your data — including Inputs, photos, and Outputs — may be processed by third-party service providers that help us operate the Services:

  • AI and language model providers (Groq). Text content, memory descriptions, and queries are sent to Groq's LLM API for summarization, journal generation, and chat responses. Groq operates as a stateless API processor and does not retain your data for model training.
  • Facial recognition (AWS Rekognition). Photos are sent to AWS Rekognition for face detection and recognition. AWS does not use customer images for training its models. Photos are processed temporarily and not retained by AWS beyond the API call.
  • Cloud infrastructure (Firebase/Google Cloud, MongoDB). User accounts, authentication, file storage, and database hosting are provided by Google Cloud (Firebase) and MongoDB.
  • Connected app integration (Composio). OAuth tokens for connected apps (Gmail, Calendar, etc.) are managed through Composio for secure third-party authorization.
  • Email delivery (SendGrid). Transactional emails such as connection requests and memory collaboration invitations are delivered via SendGrid.
  • Push notifications (OneSignal). Feature notifications and engagement messages are delivered via OneSignal.

No training on your data. We do not use your personal data to train any AI or machine learning models — neither our own nor those of our third-party providers. Your memories, photos, notes, and conversations are never used as training data.

Professional advisors:

We may disclose personal information to professional advisors, such as lawyers, bankers, auditors, and insurers, where necessary in the course of the professional services they render to us.

For compliance, fraud prevention, and safety:

We may disclose personal information for the compliance, fraud prevention, and safety purposes described above.

Business transfers:

We may sell, transfer, or otherwise share some or all of our business or assets, including personal information, in connection with a business transaction such as a merger, consolidation, acquisition, reorganization, or sale of assets, or in the event of bankruptcy or dissolution.

Other users:

Some of your information, including your name and profile picture, may be visible to your connections. When you share a memory, the recipient can view the memory content, photos, and descriptions via a secure link. You control what you share and with whom.

Your Choices

Control your content:

  • You choose what photos, notes, voice recordings, and memories to create and upload.
  • You choose who to share memories with — specific connections, or anyone via a secure link.
  • You choose which third-party apps to connect for journal enrichment, and can disconnect them at any time.

Access or update account information:

Users who have registered for an account may review and update their personal information through the Services or by contacting us.

Delete your information or account:

You can delete specific content at any time:

  • Memories: Delete individual memories, which moves them to a 30-day recovery period before permanent deletion.
  • Photos: Delete individual photos from your photo vault.
  • Notes: Delete notes (soft delete with 30-day recovery, then permanent removal).
  • Face data: Delete individual faces, specific persons, or your entire face recognition collection.
  • Chat history: Clear your conversation history with HeyRosie.
  • Connected apps: Disconnect third-party apps to stop data syncing.

Account deletion. You may request permanent deletion of your account and all associated data by contacting us. Upon account deletion:

  • Your memories, photos, notes, journals, face data, connections, and chat history will be permanently deleted.
  • It may take up to thirty (30) days to complete the deletion process.
  • After deletion, it may take an additional 30 days to remove data from backups and disaster recovery systems.

Data Retention

We retain your information for as long as your account is active or as needed to provide the Services. Specific retention periods:

Data Type | Retention
Memories, photos, notes | Until you delete them
Deleted items (soft delete) | 30 days, then permanently removed
Connected app data | Rolling 30-day sync window
Chat history | Session-based, until cleared
Journal entries | Until you delete them
Face recognition data | Until you delete faces/persons/collection
Account data | Until account deletion

We reserve the right to retain information as needed to comply with legal obligations, resolve disputes, enforce our agreements, or protect our or others' interests.

Opt-out of marketing communications:

You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions in the communications you receive from us, or by contacting us as provided in the “How to Contact Us” section below.

Biometric Data Notice

HeyRosie uses AWS Rekognition to detect and recognize faces in photos you upload. This constitutes the collection of biometric data. Important details:

  • Purpose: Face detection and recognition is used solely to help you identify and tag people in your memories and photos.
  • Storage: Face embeddings are stored in a user-specific collection isolated from all other users.
  • No cross-user sharing: Your face data is never shared with, matched against, or accessible to other users.
  • No third-party training: AWS Rekognition does not use customer images or face data to train or improve its models.
  • Deletion: You can delete individual faces, specific persons, or your entire face collection at any time via the app or API. Upon account deletion, all face data is permanently removed.
  • Consent: By uploading photos and using face recognition features, you consent to the collection and processing of biometric data as described in this policy. You may disable face recognition features by not uploading photos or by deleting your face collection.

Third-Party Services and Links

The Services may contain links to or integrations with third-party websites, services, or applications. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through HeyRosie.

Connected third-party services (Google Calendar, Gmail, Google Photos, etc.) are accessed using OAuth authorization tokens managed securely through our integration provider. We only access the data you explicitly authorize, and you can revoke access at any time.

Security

We use organizational, technical, and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration, and destruction of personal information we maintain. These measures include:

  • AES-256 encryption (via AWS KMS) for sensitive content at rest
  • TLS/HTTPS encryption for all data in transit
  • Firebase Authentication with JWT token verification
  • Isolated, per-user face recognition collections
  • Secure UUID-based sharing tokens (122-bit entropy)
  • Privacy-focused analytics that process summaries, not raw user data

Children

The Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child without the consent of the child's parent or guardian as required by law, we will delete it. If you believe we have collected information from a child under 13, please contact us immediately.

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete your personal information, subject to certain exceptions.
  • Right to opt-out of the sale of personal information. We do not sell your personal information.
  • Right to non-discrimination for exercising your CCPA rights.

To exercise these rights, contact us using the information in the “How to Contact Us” section.

International Users

If you are accessing the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using the Services, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.

Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the effective date at the top of this Privacy Policy and posting it on the Services. If you are a registered user, we may notify you via email of material changes.

How to Contact Us

Please direct any questions or comments about this Privacy Policy to:

heyRosie.ai
Email: [email protected]