Privacy Policy

How we collect, use, and protect your personal information

Version 1.1.0 · Last updated: February 2026 · Governing Law: England and Wales

Quick Summary

Before the legal language, here is what matters in plain English:

Your business plans stay on your device. We do not store your business plans, financial models, or session transcripts on our servers.
AI processing is ephemeral. When you use AI features, your content is sent to the AI provider, processed, and returned. It is not stored after the request completes.
We collect the minimum we need. Account details, subscription status, an anonymous device identifier, and aggregated usage metrics. That is all we hold on our servers.
We never sell your data. Not to advertisers, data brokers, or anyone else.
You are in control. You can export, correct, or delete your data at any time.
One contact for everything: legal@innovatorly.ai

1. Who We Are

Innovatorly Ltd (trading as TorlyAI) is the data controller for personal data processed through the torly.ai website ("Website") and the TorlyAI Desktop application ("Desktop App"), collectively referred to as the "Service".

We are registered with the Information Commissioner's Office (ICO) as a data controller. For all privacy-related enquiries, contact legal@innovatorly.ai.

2. What This Policy Covers

This Privacy Policy applies to:

The Website — torly.ai, including all subdomains
The Desktop App — TorlyAI Desktop (macOS, Windows, Linux)
Account services — registration, authentication, subscription management
AI-powered features — business plan generation, idea assessment, financial modelling, interview preparation

This policy does not apply to third-party websites or services that we link to. We encourage you to read their privacy policies separately.

3. What Data We Collect

Data You Provide to Us

Account Data — name, email address
Profile Data — nationality, professional background, skills
Business Data — business ideas, plans, financial projections
Payment Data — billing address, payment method (via Stripe)
Communications — support emails, feedback
Authentication Data — OAuth tokens (Google, Apple), API keys (BYOK)

Data We Collect Automatically

Device Identifier — anonymous, non-reversible hash generated locally
Device Metadata — operating system, app version
Usage Metrics — features used, session count (aggregated)
Error Data — anonymised crash reports
Website Analytics — pages visited, referral source, country (via cookies)
Project Registration — project ID, activation date, status

Data We Do Not Collect

Precise GPS location
Biometric data (fingerprints, facial recognition)
Full payment card numbers (handled entirely by Stripe)
Browsing history outside the Website
Contents of files on your device (other than what you provide to the Service)
Reversible hardware identifiers (serial numbers, MAC addresses)

4. How We Use Your Data

Purpose	Legal Basis
Providing the Service	Performance of contract
AI content generation	Performance of contract
Subscription management and billing	Performance of contract
Licence validation	Performance of contract
Account security	Legitimate interest
Product improvement (anonymised metrics)	Legitimate interest
Website analytics	Consent (cookie banner)
Marketing communications	Consent
Legal compliance	Legal obligation

You have the right to object to any processing based on legitimate interest. Contact legal@innovatorly.ai to exercise this right.

5. Where Your Data Is Stored

Local Storage (Desktop App)

Your business plans, financial models, session transcripts, discovery sessions, and all Project content are stored locally on your device in encrypted form (AES-256-GCM).

We do not have access to your locally stored data. If you lose your device, we cannot recover your local data.

Our Servers

The only data we store on our servers is:

Account profile (name, email) — for authentication
Subscription status — for billing and licence validation
Project registration metadata — for per-project licensing
Device registration metadata — for licence validation
Aggregated usage metrics — for product improvement
Billing records — for legal and tax compliance

All server-side data is hosted in the United Kingdom (AWS eu-west-2, London).

What We Explicitly Do Not Store on Our Servers

Your business plans or drafts
Your financial models or projections
Your chat session transcripts
Your discovery sessions or idea evaluations
Your interview preparation records
Your exported documents

6. AI Processing and BYOK

Free Tier (Website — Server-Side AI)

When you use the free AI-powered assessment on the Website, your input is transmitted from your browser to our servers, forwarded to the AI provider (currently Anthropic Claude Haiku), processed, and returned. Neither we nor the AI provider retain your content after the request completes.

Paid Tiers (Desktop App — BYOK, Client-Side AI)

When you use AI-powered features on the Desktop App (business plan generation, financial modelling, interview preparation, agent conversations, autopilot):

The Desktop App validates your licence with our servers (licence check only — no content is transmitted)
Your input is sent directly from your device to the AI provider's API over TLS 1.2+, using your own API key stored locally on your device
The AI provider processes your request and returns a response directly to your device
TorlyAI's servers are not in the AI request path
Neither we nor the AI provider retain your content after the request completes

How BYOK Protects Your Privacy

Your API key is stored locally on your device in encrypted form (AES-256-GCM via your OS keychain)
Your API key is never transmitted to TorlyAI servers — it remains on your device at all times
AI requests are sent directly from your device to the AI provider's API
Usage and billing for the AI model are between you and the AI provider directly
You may switch between supported providers at any time from the Desktop App settings

Supported AI Providers

Anthropic (Claude Sonnet, Claude Opus) — recommended default
OpenAI (GPT-4o, o3)
Google AI Studio (Gemini 2.5 Pro)
AWS Bedrock (Claude via AWS)
Google Cloud Vertex AI (Gemini, Claude via GCP)

When using BYOK, your data is sent directly from your device to your chosen provider. We do not intermediate, log, or store any AI request or response content. You are responsible for reviewing your chosen provider's privacy policy.

7. Data Sharing

Data Shared by TorlyAI Servers

Anthropic — free-tier assessment input only (server-side Claude Haiku)
Stripe — billing information for payment processing
Google / Apple — OAuth authentication data (if you use social sign-in)
AWS — server-side account and metadata (UK data centre)

Data Shared by Your Device (BYOK)

When using BYOK on a paid plan, your device sends AI requests directly to your chosen provider. TorlyAI does not intermediate, log, or have access to these requests.

What We Never Do

Sell your personal data to any third party, for any reason
Share your data with advertisers or data brokers
Allow third parties to access your business plans — they are stored only on your device
Share data with UKVI, endorsement bodies, or government agencies without your explicit consent or a valid legal requirement
Use your data to train AI models — neither ours nor any third party's

8. Device Identification and Licence Enforcement

The Desktop App generates an anonymous device identifier when you first sign in. This identifier is created using non-reversible hashing on your device. It does not contain your device serial number, MAC address, or any personally identifiable hardware details.

We use it for:

Licence validation — confirming your subscription is active and the Project is authorised
Abuse prevention — detecting patterns consistent with account sharing
Device management — allowing you to view and deactivate devices from your account

You can view devices associated with your account on torly.ai, deactivate a device at any time, or request deletion of all device data by contacting us.

9. Cookies and Analytics

The Website uses cookies. When you first visit, you will see a cookie banner allowing you to accept or decline non-essential cookies.

Strictly Necessary — authentication, security, session management (no consent needed)
Analytics — understanding how visitors use the Website (consent required)
Preferences — remembering your settings like language and theme (consent required)
Marketing — measuring communication effectiveness (consent required)

We do not use third-party advertising cookies or retargeting pixels. The Desktop App does not use browser cookies. Desktop analytics (if enabled) are aggregated, anonymised, and controllable via Settings > Privacy.

10. Data Retention

Data	Retention
Account data	Account lifetime + 30 days
Business plans & Project content	Until you delete (stored locally)
Session transcripts	Until you delete (stored locally)
Billing records	6 years (UK tax law)
Consent records	6 years from withdrawal
Aggregated analytics	24 months
Error logs	30 days

When You Delete Your Account

Within 24 hours: account access disabled, all processing stopped
Within 30 days: all personal data deleted from our servers, confirmation email sent
Retained only as required by law: anonymised transaction records (6 years)
Local data on your devices is not affected — you retain full access to your files

11. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — request correction of inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Restriction — request that we limit how we use your data
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interest
Withdraw Consent — withdraw consent for any consent-based processing
Automated Decisions — not be subject to solely automated decision-making with legal effects

How to Make a Request

Email: legal@innovatorly.ai
Desktop App: Settings > Privacy > Data Rights
Website: Account Settings > Privacy

Response Times

Simple requests: within 72 hours
Complex requests: within 30 calendar days
Extensions (if needed): maximum 90 days total

12. Data Security

Encryption at Rest

AES-256-GCM for all locally stored data including credentials and business plans

Encryption in Transit

TLS 1.2+ for all network communications between your device and servers

Key Management

PBKDF2 key derivation, API keys stored in your OS keychain

GDPR Compliant

Full compliance with UK GDPR and Data Protection Act 2018, registered with the ICO

Data Breach Notification

In the event of a personal data breach, we will notify the ICO within 72 hours where required and notify affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.

13. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact legal@innovatorly.ai immediately and we will delete it.

Complaints

If you are unhappy with how we handle your personal data, we encourage you to contact us first at legal@innovatorly.ai so we can try to resolve the issue.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, new features, or legal requirements. For material changes, we will notify you by email at least 14 days before they take effect. Your continued use after changes constitutes acceptance.

Contact Us

Email: legal@innovatorly.ai

Company: Innovatorly Ltd (trading as TorlyAI)

Registered in: England and Wales

The full, legally binding version of this Privacy Policy is available at docs/legal/PRIVACY_POLICY.md.

Back to Home