Privacy Policy

This Privacy Policy ("Policy") describes how Vendra Loque LLC dba alfred, a Wyoming limited liability company ("alfred," "we," "us," or "our"), collects, uses, discloses, and safeguards your personal information when you use the alfred mobile application, website, and related services (collectively, the "Service"). This Policy applies globally to all users of the Service regardless of location.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when using the Service:

• Account Registration Information: Email address, password (stored in hashed form using bcrypt), display name, and profile picture (optional).
• Profile and Preference Data: Shopping preferences, budget ranges, brand preferences, product category interests, priority attributes (e.g., durability, aesthetics, value), and saved searches.
• Search and Query Data: Product search queries, natural language inputs to alfred's AI recommendation engine, filter criteria, and refinement interactions.
• User-Generated Content: Product reviews, ratings, comments, wish lists, saved collections, and any feedback or suggestions submitted through the Service.
• Communications: Information contained in messages you send to us, including support requests, feedback, and correspondence via email or in-app messaging.
• Survey and Research Data: Responses to optional surveys, beta testing feedback, and user research participation data.

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information:

• Device Information: Device type, model, manufacturer, operating system and version, unique device identifiers, screen resolution, language settings, and time zone.
• Usage and Interaction Data: Features accessed, pages viewed, products browsed, recommendation interactions (clicks, saves, dismissals), session duration, navigation paths, scroll depth, tap patterns, and feature engagement metrics.
• Network and Connection Data: IP address, internet service provider, connection type (Wi-Fi, cellular), browser type and version (for web access), and referring URLs.
• Location Data: Approximate geographic location derived from IP address (city/region level). We do not collect precise GPS location unless you explicitly enable location services and grant permission, which may be used to provide localized pricing or retailer availability.
• Performance and Diagnostic Data: Crash reports, error logs, performance metrics, and diagnostic information to maintain and improve the Service.
• Cookie and Tracking Data: Information collected through cookies, pixel tags, web beacons, and similar technologies as described in our Cookie Policy.

1.3 Information from Third Parties

We may receive information about you from third-party sources:

• Authentication Providers: If you sign in using a third-party service (e.g., Google, Apple Sign-In), we receive your name, email address, and profile picture as permitted by that service.
• Affiliate and Retail Partners: Anonymized or aggregated purchase confirmation data for commission attribution purposes. We do not receive your payment details, credit card numbers, or specific transaction amounts from retailers.
• Analytics Providers: Aggregated usage patterns and demographic insights from analytics services (e.g., PostHog).
• Publicly Available Data: Product information, pricing, reviews, and specifications scraped or obtained from publicly available retailer websites and APIs for the purpose of generating recommendations.

1.4 Sensitive Data

We do not intentionally collect sensitive personal data, including but not limited to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, data concerning sex life or sexual orientation, criminal convictions, or government-issued identification numbers. If we become aware that such data has been inadvertently collected, we will delete it promptly.

2. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, we process personal data under the following legal bases pursuant to the General Data Protection Regulation (GDPR) and equivalent local laws:

• Contract Performance: Processing necessary for account creation, service delivery, and responding to your requests.
• Legitimate Interests: Analytics, fraud prevention, service improvement, and affiliate attribution, balanced against your rights.
• Consent: Marketing communications, optional analytics, and non-essential cookies (withdrawable at any time).
• Legal Obligation: Compliance with tax, accounting, and regulatory requirements.

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

3. How We Use Your Information

3.1 Core Service Delivery

Providing, personalizing, and improving the alfred shopping recommendation experience; generating AI-powered product recommendations based on your stated criteria, preferences, and interaction history; processing searches and applying filters; maintaining your account, saved products, price alerts, and preference settings; delivering transactional communications (account verification, password resets, service notifications).

3.2 Service Improvement and Analytics

Analyzing usage patterns to improve recommendation algorithms and user interface design; conducting A/B testing to optimize features and user experience; monitoring Service performance, uptime, and error rates; developing new features and product capabilities; conducting user research (with separate consent where required).

3.3 Safety, Security, and Integrity

Detecting, preventing, and addressing fraud, unauthorized access, and technical issues; enforcing our Terms of Service and policies; verifying account authenticity; protecting the rights, property, and safety of alfred, our users, and the public.

3.4 Affiliate Link Tracking and Commercial Operations

Tracking affiliate link clicks for commission attribution. When you click a product link in alfred, we generate an anonymized click identifier that is shared with affiliate partners for the sole purpose of attributing commissions. We do not share your personal identity, browsing history, or account details with affiliate partners. alfred is a participant in the Amazon Services LLC Associates Program and other affiliate programs. Displaying relevant sponsored content or promoted products (clearly labeled as such); administering premium subscription features (when applicable).

3.5 Communications

Sending you information about Service updates, new features, and changes to our policies; delivering marketing communications about products, offers, or content we believe may interest you (with your consent where required, and always with opt-out capability); responding to your inquiries and support requests.

3.6 Legal and Compliance

Complying with applicable laws, regulations, and legal processes; responding to lawful requests from governmental authorities; establishing, exercising, or defending legal claims; fulfilling tax and accounting obligations related to affiliate commissions.

4. How We Share Your Information

We may share your information in the following limited circumstances:

4.1 Service Providers and Data Processors

We engage trusted third-party service providers who process personal data on our behalf under written data processing agreements. These providers are contractually obligated to use your information only as instructed by us and to maintain appropriate security measures.

4.2 Affiliate and Retail Partners

When you click a product link in alfred, we share anonymized click identifiers with affiliate networks and retail partners for the sole purpose of commission attribution. We do not share your name, email, account details, or browsing history with these partners. The affiliate partners we work with include the Amazon Services LLC Associates Program, other direct retailer affiliate programs, and affiliate aggregation networks. Each affiliate partner processes data under their own privacy policy, which we encourage you to review.

4.3 Sponsored Content Partners

If and when we display sponsored products or brand partnerships, we may share aggregated, non-personally-identifiable analytics with sponsors (e.g., total impressions, click-through rates). We do not share individual user profiles or personal data with sponsors without your explicit consent.

4.4 Legal and Regulatory Disclosures

We may disclose your information if required by law, regulation, legal process, or governmental request; if we believe disclosure is necessary to protect the rights, property, or safety of alfred, our users, or the public; to enforce our Terms of Service or investigate potential violations; in connection with any merger, acquisition, reorganization, asset sale, or bankruptcy proceeding.

4.5 With Your Consent

We may share your information with third parties when you have given your explicit consent to do so.

5. International Data Transfers

Vendra Loque LLC dba alfred is based in the United States (Wyoming). Our primary database infrastructure is hosted in the European Union (Supabase EU Region, Hetzner EU), while certain application services may be hosted in the United States. By using the Service, your information may be transferred to, stored in, and processed in both the United States and the European Union.

5.1 Transfer Mechanisms

For transfers of personal data from the EEA/UK/Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), supplementary measures where necessary including encryption and access controls, and data processing agreements with all service providers that include appropriate transfer safeguards.

5.2 EU-U.S. Data Privacy Framework

We monitor developments under the EU-U.S. Data Privacy Framework and will certify our compliance as appropriate when commercially and operationally feasible. In the interim, Standard Contractual Clauses serve as our primary transfer mechanism.

5.3 Data Localization

We prioritize hosting personal data within the EU where technically feasible. Our core database (Supabase), analytics infrastructure (PostHog), and AI processing are deployed in EU data centers. Certain CDN and edge computing functions may process data through geographically distributed servers to ensure performance.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Our general retention periods are:

Upon expiration of the applicable retention period, personal data is securely deleted or anonymized. Anonymized data (from which you cannot be identified) may be retained indefinitely for statistical and analytical purposes.

7. Your Rights and Choices

7.1 Rights for All Users

Regardless of your location, you have the following rights:

• Right to Access your personal data and receive a copy of the information we hold about you.
• Right to Rectification of inaccurate or incomplete data.
• Right to Deletion of your account and associated personal data.
• Right to Data Portability to receive your data in a structured, commonly used, machine-readable format (JSON).
• Right to Opt Out of marketing communications at any time via the unsubscribe link in any email or through your account settings.
• Right to Withdraw Consent at any time where processing is based on consent.

To exercise any of these rights, visit Settings in the app, or contact us at support@alfred.help. We will respond to your request within 30 days (or sooner where required by applicable law).

7.2 Additional Rights for EEA/UK/Switzerland Residents (GDPR)

Under the General Data Protection Regulation, you additionally have the right to:

• Object to processing of your personal data based on legitimate interests.
• Restrict processing of your personal data in certain circumstances.
• Lodge a complaint with your local supervisory authority (data protection authority). A list of EU supervisory authorities is available at edpb.europa.eu.

GDPR Inquiries: For data protection matters, contact us at legal@alfred.help.

7.3 Additional Rights for California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and the California Privacy Rights Act, California residents have the right to:

• Know what categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
• Delete personal information we have collected from you.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information (we do not sell your personal information).
• Limit the use and disclosure of sensitive personal information.
• Non-discrimination for exercising your privacy rights.

To submit a California privacy request, email support@alfred.help with the subject line "California Privacy Request" or use the privacy request form in the app. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

California Do Not Track: Some browsers transmit "Do Not Track" (DNT) signals. We honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing. We do not currently respond to other DNT browser signals, as no common industry standard has been established.

7.4 Additional Rights for Brazilian Residents (LGPD)

Under Brazil's Lei Geral de Proteção de Dados (LGPD), you have the right to: confirmation of data processing; access to your data; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data; portability of data to another service provider; deletion of data processed with consent; information about public and private entities with whom we share data; information about the possibility of denying consent and the consequences thereof; and revocation of consent.

To exercise your LGPD rights, contact us at support@alfred.help with the subject line "LGPD Request."

7.5 Additional Rights for Residents of Other US States

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have additional rights under their respective state privacy laws, including the right to access, delete, correct, and opt out of targeted advertising and data sales. To exercise these rights, contact us at the email address above.

7.6 Other Jurisdictions

We comply with applicable data protection laws in all jurisdictions where the Service is available. If you are located in a jurisdiction not specifically addressed above (including but not limited to Canada under PIPEDA, South Korea under PIPA, Japan under APPI, Australia under the Privacy Act 1988, or India under the DPDP Act 2023), please contact us with your specific request and we will respond in accordance with applicable local law.

8. Data Security

We implement industry-standard technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security).
• Encryption at Rest: Personal data stored in our databases is encrypted using AES-256 encryption.
• Password Security: User passwords are hashed using bcrypt with appropriate salt rounds and are never stored in plaintext.
• Access Controls: Role-based access controls (RBAC) restrict internal access to personal data on a need-to-know basis. Multi-factor authentication is required for administrative access.
• Infrastructure Security: Row-Level Security (RLS) policies on all database tables; network segmentation; firewalls; intrusion detection systems.
• Regular Audits: We conduct regular security assessments, penetration testing, and vulnerability scanning.
• Incident Response: We maintain a documented incident response plan and will notify affected users and relevant supervisory authorities of data breaches as required by applicable law (within 72 hours for GDPR-reportable breaches).

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately of any unauthorized access.

9. Children's Privacy

alfred is intended for users aged 13 and older (or the minimum digital consent age in your jurisdiction, which is 16 in certain EU member states including Germany, the Netherlands, and Ireland). We do not knowingly collect personal information from children under 13 (or the applicable minimum age). If we learn that we have collected data from a child below the applicable minimum age, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@alfred.help. Parents and guardians have the right to review, request deletion of, and refuse further collection of their child's information.

10. Automated Decision-Making and Profiling

alfred uses automated algorithms and artificial intelligence to generate personalized product recommendations. This constitutes profiling under the GDPR. The factors considered by our recommendation algorithm include your stated preferences and priority criteria, product specifications, features, and pricing, availability and retailer reliability, user ratings and review sentiment analysis, price-to-value assessments, and commission rates (as one of multiple factors, disclosed transparently).

These automated processes do not produce legal effects or similarly significantly affect you. Product recommendations are informational suggestions, not binding decisions. You are always free to disregard recommendations and make your own purchasing decisions.

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. As our recommendations are informational and non-binding, they do not fall within the scope of Article 22. However, you may contact us to request human review of any recommendation or to understand the logic involved.

11. Third-Party Links and Services

The Service contains links to third-party retailer websites and may integrate with third-party services. When you click a product link, you leave the alfred Service and enter a third-party website governed by its own privacy policy and terms. We are not responsible for the privacy practices, content, security, or data handling of any third-party websites. We strongly encourage you to review the privacy policies of every third-party site you visit. alfred's responsibility ends when you navigate away from our Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:

• Post the updated policy on our website and in the app.
• Update the "Last Updated" date at the top of this policy.
• Send an email notification to your registered email address.
• Display a prominent notice within the app.

Your continued use of the Service after any changes take effect constitutes your acknowledgment of the updated policy. If you do not agree with any changes, you should discontinue use of the Service and request deletion of your account.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• General Privacy Inquiries: support@alfred.help
• Legal Inquiries: legal@alfred.help
• GDPR Inquiries: legal@alfred.help
• General Support: support@alfred.help

Mailing Address:

14. Supplemental Notices

14.1 Amazon Associates Program

alfred is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites and apps to earn advertising fees by advertising and linking to Amazon.com and affiliated sites.

14.2 Other Affiliate Programs

We participate in affiliate programs with other retailers and affiliate networks as described in our Affiliate Disclosure. Commission attribution uses anonymized click identifiers only. See our Affiliate Disclosure for full details.

14.3 PostHog Analytics

We use PostHog as our product analytics platform. PostHog is hosted in the EU (Frankfurt, Germany) and collects pseudonymized usage data to help us understand how users interact with the Service. Data collected through PostHog includes page views, feature interactions, session replays (anonymized), funnel completion rates, and performance metrics.

PostHog operates as a data processor under a written data processing agreement with alfred. PostHog does not sell or share your data with third parties. We have configured PostHog to respect "Do Not Track" browser signals and Global Privacy Control (GPC).

You may opt out of PostHog analytics tracking through your account settings, by using browser privacy extensions, or by enabling "Do Not Track" in your browser settings.

14.4 Push Notifications

If you enable push notifications, we may send you alerts about price drops, product availability, and other relevant updates. You can disable push notifications at any time through your device settings or the app's notification preferences.

14.5 Algorithm Transparency

alfred uses automated algorithms to generate product recommendations. These algorithms consider factors including your stated preferences, product specifications, pricing, user ratings, and commission rates (as one of many weighted factors). Recommendations are generated algorithmically, not by human curators. For more detail, see our Affiliate Disclosure.