At Alera (together with our affiliated companies hereinafter referred to as “Alera,” “we,” “our,” or “us”), we respect your privacy and are strongly committed to protecting any data we receive from or about you. This Privacy Policy describes our practices regarding personal data we collect from you or about you when you use our website, applications, and services (collectively referred to as “Services”).

1. Controller

Alera GmbH

Ursula-Greve-Weg 9

30900 Wedemark

Germany

2. Personal Data We Collect

We collect personal data about you (“personal data”) as described below:

Personal data you provide to us: We collect personal data when you set up an account to use our Services or communicate with us, namely:

• Account Data: When you create an account with us, we collect data associated with your account, including your name, contact information, account login details, date of birth, payment information, and transaction history (collectively the “Account Data”).
• User Content: We collect personal data that you provide when entering into our Services (“Content”), including your instructions (so-called “prompts”) and other content you upload, such as files, images, and audio, depending on the features you use.
• Communication Data: When you communicate with us, e.g., via email or through our pages on social media websites, we may collect personal data such as your name, contact information, and the content of the messages you send (collectively “Communication Data”).
• Other Information You Provide: We collect other information you provide to us, e.g., when you participate in our events or surveys or when you provide us with information to verify your identity or age (collectively the “Other Information You Provide”).

Personal data we obtain through your use of the Services: When you visit, use, or interact with our Services, we receive the following information about your visit, usage, or interactions (collectively the “Technical Information”):

• Log Data: We collect information that your browser or device automatically sends when you use our Services. Log Data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services.
• Usage Data: We collect information about your use of the Services, such as the type of content you view or interact with, the features you use, and the actions you take, as well as your time zone, country, date and time of access, user agent and its version, the type of computer or mobile device, and your computer connection.
• Device Information: We collect information about the device you use to access the Services, such as the device name, operating system, device identifier, and the browser you use. The data collected may depend on the type of device you use and its settings.
• Location Data: For security reasons and to improve your product experience, we may determine the general area from which your device accesses our Services based on information like your device's IP address, e.g., to protect your account by detecting unusual login activities or to provide more precise answers. Additionally, for some of our Services, you may choose to provide more precise location data from your device, such as location data from your device's GPS.
• Cookies and Similar Technologies: We use cookies and similar technologies to operate and manage our Services and to improve your experience. When you use our Services without creating an account, we may, depending on the cookie settings you have made, store some of the information described in this Privacy Policy in cookies, for example, to retain your preferences across multiple browser sessions. For more information about our use of cookies, please see our Cookie Policy.

Information We Receive from Other Sources: We receive information from our trusted partners, such as security partners, to protect us against fraud, abuse, and other security threats to our Services, as well as from marketing providers who provide us with information about potential customers of our business offerings.

3. How We Use Personal Data

We may use personal data for the following purposes:

• To provide, analyze, and maintain our Services, for example, to answer your questions to Alera.
• To improve and develop our Services and to conduct research, e.g., to develop new product features.
• To communicate with you, including sending you information about our Services and events, e.g., about changes or improvements to our Services.
• To prevent fraud, illegal activities, or abuse of our Services and to protect the security of our systems and Services.
• To comply with legal obligations and protect the rights, privacy, security, or property of our users, Alera, or third parties.

We may also aggregate or de-identify personal data so that you can no longer be identified, and use that information for the purposes described above, e.g., to analyze the use of our Services, improve them, and add new features, and to conduct research. We store and use de-identified information in de-identified form and do not attempt to re-identify the information unless required by law.

AI features and model training: Alera uses third-party AI services to generate responses. We do not use your chat content to train our own models. When we use the OpenAI API, data sent to the OpenAI API is not used by OpenAI to train or improve their models unless the customer explicitly opts in, and we do not enable such opt-in.

4. Sharing of Personal Data

We may share your personal data under the following circumstances:

• Suppliers and Service Providers: To assist us in meeting our business operational needs and performing certain services and functions, we may share personal data with suppliers and service providers, including providers of hosting services, customer support services, cloud services, content delivery services, support and security monitoring services, email communication software, web analytics services, payment and transaction processors, and other information technology providers. In accordance with our instructions, these parties will only access, process, or store personal data in the course of performing their duties for us.
• Business Transfers: If we are involved in a strategic transaction, restructuring, insolvency, administration, or transfer of services to another provider (each a “Transaction”), your personal data may be shared with contractors and others supporting the Transaction during the due diligence process and transferred to a successor or affiliate as part of that Transaction along with other assets.
• Government Authorities or Other Third Parties: We may share your personal data, including information about your interactions with our Services, with government authorities, industry representatives, or other third parties in accordance with applicable law, (i) when required to comply with a legal obligation, or when we believe in good faith that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) when we, in our sole discretion, determine that a violation of our terms, policies, or applicable law has occurred; (iv) to detect or prevent fraud or other illegal activities; (v) to protect the security and integrity of our products, employees, users, or the public; or (vi) to protect against liability.
• Affiliates: We may share personal data with our affiliates, i.e., companies that control, are controlled by, or are under common control with Alera. Our affiliates may use this personal data in accordance with this Privacy Policy.
• Business Account Administrators: If you join an Alera Enterprise or business account, the administrators of that account may have access to and control over your Alera account, including the ability to access your content. Additionally, if you create an account with an email address that belongs to your employer or another organization, we may share the fact that you have an account and certain account information, such as your email address, with your employer or organization, for example, so that you can be added to their business account.
• Other Users and Third Parties with Whom You Interact or Share Information: Certain features allow you to interact with other users or third parties or share information. For example, you can share Alera conversations with other users via shared links. You can also send information to third-party applications, such as through custom actions for GPTs or for internet searches to answer questions that benefit from more recent information. Information you share with third parties is subject to their own terms and privacy policies, and you should ensure that you understand those terms and policies before sharing information with them.

4.1 Detailed Information on the Processing of Personal Data

AI Processing

This service allows Alera to generate AI responses. When you use chat features, Alera sends the text you submit (e.g., messages/prompts) and any attachments you choose to send (such as images, audio, or files, depending on the features you use) to the service provider for processing. To generate a relevant response, Alera may also send limited context from your current conversation (e.g., previous messages in the same chat) as well as technical metadata needed to deliver the service (e.g., timestamps and request identifiers).

OpenAI (OpenAI, L.L.C.)

OpenAI is an AI service provider used to generate responses in Alera. Processed personal data: User Content (messages/prompts); attachments you choose to send (images, audio, files); limited chat context (previous messages in the same chat); technical metadata (e.g., timestamps, request identifiers).
Processing location: United States – Privacy Policy.
We share this data only to provide AI responses and related functionality.

Beta Testing

This service allows managing user access to this application or parts thereof to test a specific function or the entire application. The service provider may automatically collect data in personally identifiable form about crashes and the user's use of the application.

TestFlight (Apple Inc.)

TestFlight is a beta testing service provided by Apple Inc. Processed personal data: App information; device information; email address; first name; last name; phone number; username; various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy.

Performance and Content Testing (A/B Testing)

The services listed in this section allow the Owner to track and analyze the user response in terms of web traffic or behavior changes regarding the structure, text, or other components of this application.

Firebase Remote Config

Firebase Remote Config is an A/B testing and configuration service provided by Google LLC or Google Ireland Limited, depending on how the Owner manages data processing. Processed personal data: Various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy; Ireland – Privacy Policy.

Device Permissions for Accessing Personal Data

This application requests certain permissions from users that allow access to the user's device data as described below.

Device Permissions for Accessing Personal Data (this application)

This application requests certain permissions from users that allow access to the user's device data as summarized here and described in this document. Processed personal data: Calendar permission; camera permission; photo library permission; reminders permission.

Payment Processing

Unless otherwise specified, payments are processed via external payment service providers using credit card, bank transfer, or other methods. Users are typically asked to provide their payment details and personal information directly to such payment service providers. This application is not involved in the collection and processing of such information but receives a notification from the respective payment service provider about whether the payment was successfully completed.

Apple Pay (Apple Inc.)

Apple Pay is a payment service provided by Apple Inc. that allows users to make payments via their mobile phone. Processed personal data: Billing address; email address; first name; last name; payment information; phone number; shipping address; various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy.

Payments via the Apple App Store (Apple Inc.)

This application uses a payment service provided by Apple Inc. that allows the Owner to offer the purchase of the app itself or in-app purchases. The personal data processed to carry out the purchases are processed by Apple as described in the privacy policies for the App Store. Processed personal data: Billing address; device information; email address; first name; last name; password; payment information; phone number; username.
Processing location: United States – Privacy Policy.

RevenueCat (RevenueCat, Inc.)

RevenueCat is a payment service provided by RevenueCat, Inc. The service allows the Owner to monitor and analyze the user and their purchase history and may be used to track user behavior. Processed personal data: App openings; device information; trackers; unique device identifiers for advertising (e.g., Google Advertising ID or IDFA); usage data; user ID.
Processing location: United States – Privacy Policy – Opt-out.

Payments via Google Play Store

This application uses a payment service provided by Google LLC or Google Ireland Limited, depending on how the Owner manages data processing, which allows the Owner to offer the purchase of the app itself or in-app purchases. The personal data processed to carry out the purchases are processed by Google as described in the privacy policies for the Google Play Store. Processed personal data: Billing address; device information; email address; first name; last name; payment information; phone number.
Processing location: United States – Privacy Policy; Ireland – Privacy Policy.

Hosting and Backend Infrastructure

This service aims to host data and files that enable the operation and distribution of this application and provide a ready-made infrastructure to run specific functions or parts of this application. Some of the services listed below, if any, may operate through geographically distributed servers, making it difficult to determine the actual location where personal data are stored.

Firebase Cloud Functions

Firebase Cloud Functions is a hosting and backend service provided by Google LLC or Google Ireland Limited, depending on how the Owner manages data processing. Processed personal data: Usage data; various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy.

Firebase Cloud Firestore

Firebase Cloud Firestore is a hosting and backend service provided by Google LLC or Google Ireland Limited, depending on how the Owner manages data processing. Processed personal data: Usage data; various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy.

Firebase Cloud Storage

Firebase Cloud Storage is a hosting service provided by Google LLC or Google Ireland Limited, depending on how the Owner manages data processing. Processed personal data: Usage data; various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy.

Firebase Hosting

Firebase Hosting is a hosting service provided by Google LLC or Google Ireland Limited, depending on how the Owner manages data processing. Processed personal data: Various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy; Ireland – Privacy Policy.

Platform Services and Hosting

These services aim to host and run key components of this application, enabling the provision of this application within a unified platform. Such platforms provide the Owner with a wide range of tools, e.g., analytics, user registration, commenting, database management, e-commerce, payment processing, which imply the collection and processing of personal data.

App Store Connect (Apple Inc.)

This application is provided in the Apple App Store, a platform for distributing mobile apps provided by Apple Inc. App Store Connect allows the Owner to manage this application in the Apple App Store. Processed personal data: Diagnostic data; universally unique identifier (UUID); user ID.
Processing location: United States – Privacy Policy.

Registration and Authentication

By registering or authenticating, users allow this application to identify them and grant them access to specific services.

Firebase Authentication

Firebase Authentication is a registration and authentication service provided by Google LLC or Google Ireland Limited. Processed personal data: Email address; first name; last name; password; phone number; profile picture; social media accounts; username.
Processing location: United States – Privacy Policy; Ireland – Privacy Policy.

Direct Registration and Profiling (this application)

By registering or authenticating directly through this application, users can be identified and granted access to specific services. Processed personal data: Country; date of birth; email address; first name; gender; language; last name; password; username; various types of data.

Google OAuth

Google OAuth is a registration and authentication service provided by Google LLC or Google Ireland Limited. Processed personal data: Various types of data as specified in the service's privacy policy.
Processing location: United States – Privacy Policy; Ireland – Privacy Policy.

5. Storage

We retain your personal data only as long as we need it to provide our Services to you or for other legitimate business purposes, such as resolving disputes, for security reasons, or to comply with our legal obligations. How long we retain personal data depends on a number of factors, such as

• The purpose for which we process the data (e.g., whether we need to retain the data to provide our Services);
• The amount, nature, and sensitivity of the data;
• The potential risk of harm from unauthorized use or disclosure;
• Legal obligations to which we are subject.

In some cases, the duration of data storage depends on your settings. For example, temporary chats from Alera do not appear in your history and are stored for up to 30 days for security reasons. For more information about your control options regarding data, see here.

Deletion: If you delete your account in the app, we delete the data associated with your account (including chat history and profile data).

6. Your Rights

You have the following legal rights regarding your personal data:

• Access your personal data and information about its processing.
• Delete your personal data from our records.
• Correct or update your personal data.
• Transfer your personal data to a third party (right to data portability).
• Restrict the processing of your personal data.
• Withdraw your consent—at any time in cases where we rely on consent as the legal basis for processing.
• Lodge a complaint with a supervisory authority (see below).

You have the following rights to object:

• Object to the processing of your personal data for direct marketing purposes at any time.
• Object to how we process your personal data when our processing is based on legitimate interests.

You can exercise some of these rights through your Alera account. If you are unable to exercise your rights through your account, please submit your request via privacy.alera.app or send it to dsar@alera.app.

We hope we can address your questions or concerns. If you have complaints that we or our Data Protection Officer have not resolved, you can contact a supervisory authority, such as your local supervisory authority. For unresolved complaints concerning the United Kingdom, you can contact the Information Commissioner's Office, and for Switzerland, the Federal Data Protection and Information Commissioner .

A note on accuracy: Services like Alera generate responses by reading a user's request and predicting the words that are likely to appear next as a response. In some cases, the words most likely to appear next are not necessarily the most factually accurate. For this reason, you should not rely on the factual accuracy of the outputs of our models. If you find that the output of Alera contains factually inaccurate information about you and you wish to correct or delete this information, you can make this request via privacy.alera.app or send it to finn@alera.app. We will process your request in accordance with applicable law and the technical capabilities of our models.

7. Children

Our Services are not directed to or intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you have reason to believe that a child under 16 has provided personal data to Alera through the Services, please email us at finn@alera.app. We will investigate any such report and delete the personal data from our systems as appropriate. Users under 18 years of age require the consent of their parents or guardians to use our Services.

8. Security

We employ commercially reasonable technical, administrative, and organizational measures to protect personal data against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error-free. Therefore, you should take special care in deciding what information you send to the Services. Additionally, we are not responsible for circumvention of any privacy settings or security measures contained in the Services or on third-party websites.

9. Legal Bases for Processing

10. Data Transfers

Alera processes your personal data on servers outside the EEA, Switzerland, and the United Kingdom for the purposes described in this Privacy Policy. This includes processing and storing your personal data at our facilities and on our servers in the United States of America. Although data protection laws differ from country to country and these countries may not offer the same level of data protection as your home country, we apply the safeguards described in this Privacy Policy to your personal data regardless of where it is processed. When transferring personal data to countries outside the EEA, Switzerland, or the United Kingdom, we rely on the following transfer mechanisms to comply with applicable data protection laws:

• We rely on the adequacy decisions of the European Commission pursuant to Article 45(1) GDPR when we transfer your personal data to a country that provides an adequate level of protection.
• For other jurisdictions, we use the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR, as well as the UK Data Transfer Addendum.

For more information or to obtain a copy of the appropriate safeguards we have implemented for the transfer of personal data, please contact us at finn@alera.app.

11. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post an updated version and the effective date on this page unless another form of notice is required by applicable law.

12. How to Contact Us

Please contact our Support if you have any questions or concerns not already addressed in this Privacy Policy. Alternatively, you can write to us at finn@alera.app or at the address mentioned above in Section 1 (Controller).

For questions regarding the processing of personal data, you can contact our Data Protection Officer at finn@alera.app.