Privacy Policy
Last updated: 2 June 2026 Effective: 2 June 2026
This Privacy Policy explains how ashlo ("ashlo", "we", "our", "us") collects, uses, stores, and discloses personal information when you use the service available at https://ashlo.io (the "Service").
ashlo is operated as a personal project by Zain Alsaffi based in Australia. We aim to handle personal information in line with the Australian Privacy Principles ("APPs") set out in the Privacy Act 1988 (Cth) and applicable equivalent protections (including the GDPR where it applies to you).
If anything in this policy is unclear, contact us at zainalsaffi.bookings@gmail.com.
1. Scope
This policy applies to information collected through:
- The ashlo website at https://ashlo.io (and any sub-domains, including https://api.ashlo.io).
- Account creation, sign-in, and authentication flows.
- File uploads, chat sessions, exam practice, research, case briefing, and any other feature of the Service.
- Billing and payment interactions where you choose to add credits or purchase access.
It does not apply to third-party sites, services, or content that link to or from ashlo.
2. Information we collect
We collect only what is needed to operate the Service.
Account information — when you sign up through Clerk, we receive your name, email address, and a unique user identifier from your authentication provider (e.g. Google, Microsoft, or email/password). We do not receive or store your password.
Uploaded content — files you upload (lecture notes, cases, statutes, past papers, etc.) and any text you paste or type into chats, exam prompts, or research queries. This may include text that you choose to include such as personal study notes or annotations.
Chat and usage data — your prompts, the Service's responses, citations, retrieved chunks of your uploaded files, generated IRAC analyses, mermaid diagrams, exam questions and grades, latency, model usage, and similar operational metadata.
Billing data — if you add credits or pay for access, our payment processor Stripe collects your payment details directly. We receive a Stripe customer ID, transaction amounts, currency, status, and limited metadata. We do not store your full card number, CVC, or bank details.
Technical data — IP address, browser type, device type, approximate location derived from IP, and standard request logs. These are processed by our infrastructure providers (primarily Cloudflare) to deliver and secure the Service.
Cookies and similar technologies — we use a small number of essential cookies, primarily those set by Clerk to maintain your signed-in session. We do not use advertising or cross-site tracking cookies.
3. How we use your information
We use personal information to:
- Provide the Service: authenticate you, store and index your uploaded files, run retrieval and generation pipelines, persist your chat history, and let you return to past sessions.
- Operate billing, manage credits, prevent abuse, and enforce usage caps.
- Maintain reliability and security: detect abuse, debug errors, monitor cost and rate limits, and protect against unauthorised access.
- Improve the Service in aggregate (e.g. measuring latency, retrieval quality, model performance). We do not train any third-party model on your uploaded content.
- Respond to support requests, comply with legal obligations, and enforce our Terms of Service.
We do not sell your personal information.
4. Where your data lives and who processes it
ashlo runs on third-party infrastructure. The following sub-processors handle personal information on our behalf, each under their own privacy commitments:
| Provider | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication, session management | Name, email, IdP identifiers |
| Cloudflare (Pages, Workers, R2, Containers) | Hosting, edge proxy, file storage, request logging | Uploaded files, request metadata, IP |
| Managed Postgres host (with pgvector) | Storing chat history, source chunks, embeddings, billing ledger | Account ID, chat content, file chunks |
| OpenAI | Default reasoning, synthesis, verification, IRAC, exam generation | Your prompts and retrieved chunks for that request |
| Google (Gemini API) | Routing, chronology generation, query rewrite, slide ingestion | Your prompts and retrieved chunks for that request |
| ZeroEntropy | Vector embeddings of uploaded text | Text chunks from your uploads |
| Cohere | Reranking retrieved chunks | Your query and candidate chunks |
| Stripe | Payments and billing | Email, payment details, transaction data |
We have configured these providers to not retain prompts or outputs for training where the provider supports that setting (OpenAI and Google APIs both honour this for paid API tier traffic at the time of writing).
Some of these providers process data outside Australia (most commonly in the United States and the European Union). By using the Service you consent to that cross-border processing. We rely on each provider's contractual safeguards and certifications (e.g. SCCs, DPF) for international transfers.
5. Retention
We keep personal information for as long as your account is active and for a short period afterwards to handle backups, refunds, and disputes.
- Account data: retained while your account exists.
- Uploaded files, chats, embeddings: retained while your account exists; deleted when you delete the file/chat or close your account.
- Billing records: retained for the period required by Australian tax and consumer-law obligations (currently 7 years for transactional records).
- Backups and logs: rolling retention of up to 30 days, after which records are overwritten.
You can delete individual chats and files from inside the app at any time.
6. Your rights
Subject to applicable law you can:
- Access the personal information we hold about you.
- Correct information that is inaccurate or out of date (you can update your name/email through your account).
- Delete your account and the personal information associated with it.
- Export your chats and uploaded files.
- Withdraw consent to optional processing where consent is the basis.
- Lodge a complaint with the Office of the Australian Information Commissioner ("OAIC") at https://www.oaic.gov.au if you believe we have mishandled your information, or with your local data protection authority if you are outside Australia.
To exercise any of these rights, email zainalsaffi.bookings@gmail.com. We aim to respond within 30 days.
7. Security
We use industry-standard measures to protect personal information, including TLS (HTTPS) for all traffic, encryption at rest by our storage providers, scoped authentication through Clerk, an edge proxy with a shared-secret check between the edge and backend, per-user access scoping on all chats and files, and least-privilege secrets management through Cloudflare deploy-time secrets.
No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected users and the OAIC as required by the Notifiable Data Breaches scheme.
Please do not upload information that you are not authorised to share, or that contains highly sensitive personal information about other people (e.g. clients' confidential legal matters) without their consent.
8. Children
ashlo is not directed at children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.
9. AI-specific notice
ashlo is a generative-AI study assistant. You should be aware that:
- Outputs are produced by third-party language models and may contain errors, hallucinations, or outdated information. Do not rely on ashlo for legal advice, medical advice, or any other professional decision.
- Your prompts and the retrieved chunks of your own files are sent to the model providers listed in section 4 in order to generate a response. We do not send other users' content with your prompt.
- We do not use your content to train our own models, and we configure third-party providers to do the same where the option is available.
10. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, post a notice in the app or by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
11. Contact
For privacy questions, requests, or complaints:
- Email: zainalsaffi.bookings@gmail.com
- Operator: Zain Alsaffi (ashlo), Australia
This document is a good-faith plain-English privacy policy. It is not legal advice. Before relying on it commercially you should have it reviewed by a qualified Australian privacy lawyer, particularly if you cross the AUD 3M annual turnover threshold under the Privacy Act, expand to paid customers in the EU/UK, or begin processing sensitive information.