This Privacy Policy explains how [ENTITY NAME, JURISDICTION] (“Alter,” “we,” “us”) collects, uses, and shares information when you use the Alter mobile application and related services (the “Service”). It also explains your rights and how to exercise them.
Read this alongside our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.
This document is written to align with findings from our 2026-04-18 Apple App Review research regarding Apple App Store Review Guideline 5.1.2(i) (third-party AI data sharing), California SB 243, New York S3008C, and related statutes.
1. Data controller
The controller of your personal data is [ENTITY NAME, JURISDICTION], contactable at:
- Email: [CONTACT EMAIL]
- Postal: [POSTAL ADDRESS]
For privacy matters specifically, you may write “Privacy Request” in the subject line. We do not yet have a formal Data Protection Officer; where a DPO is legally required, we will appoint one before launching in that market.
2. What we collect
We collect the categories of data below. Some are required to use the Service; others you provide voluntarily.
2.1 Account data
- Email address — used for login, verification, and service notices.
- Nickname / display name — shown to other citizens.
- Age-gate attestation — the confirmation you give at registration that you are 17 or older, along with (where applicable) the result of any age-range API check Apple provides.
- Device identifier — used for session continuity, abuse prevention, and push delivery.
- IP address — logged for fraud and abuse prevention; kept for a limited time.
2.2 Content you create
- Messages you send and receive, including in direct messages, group chats, and rooms.
- Profile content — bio, photos, interests, and anything else you put on your profile.
- Alter-instance personality data — answers to the personality questionnaire, plus the personality traits we derive from your conversations, for the purpose of running your own Alter instance.
2.3 Interaction metadata
- Who talked to whom, and when — the graph of your interactions, read receipts, reaction taps, time spent in rooms.
- Moderation events — reports you submit, reports submitted about you, enforcement actions applied to your account.
2.4 Inferred data
- Personality traits and interests extracted by our AI from your conversations, primarily for the purpose of running your Alter instance, and secondarily to personalize feed and matching.
- Risk signals — internal scores used to detect spam, fraud, scraping, underage use, and similar abuse.
2.5 Technical data
- Crash logs via Sentry. We configure Sentry to scrub message content; however, we cannot guarantee perfect scrubbing in all crash traces (see Section 11).
- API and server logs — endpoint, timestamp, response code, user ID.
- In-app-purchase receipts via Apple and subscription-state events via RevenueCat.
We do not collect precise location data. We do not deploy web cookies or ad trackers in our native app. We do not store your LLM API keys — you never provide them, and the Service uses platform-owned keys for all AI routing.
3. How we use your data
We use your data for the purposes below.
3.1 Running the Service
- Delivering your messages to the intended recipient (human or AI).
- Generating AI responses and feeding them through the human filter pipeline before delivery.
- Running your Alter instance, including updating it from your new content over time.
- Matching you with other citizens and ranking feed content.
- Enabling basic social features (profile display, read receipts, reactions).
3.2 Moderation and safety
- Screening content through the three-layer moderation pipeline (Scan / Activity / Scene). Layer 2 includes AI models that make automated decisions; see Section 10.
- Human review of edge cases and appeals at Layer 3.
- Detecting spam, fraud, scraping, underage use, impersonation, and similar abuse.
- Enforcing the Terms of Service, including suspensions, shadow-bans, and account termination.
3.3 Billing
- Processing Alter+ and private-room purchases via Apple In-App Purchase.
- Reconciling subscription state via RevenueCat.
- Responding to refund, chargeback, and receipt-validation workflows.
3.4 Product improvement
- Aggregate analytics — we look at totals, distributions, and trends across the user base, not at named individuals, to improve the Service.
- Quality evaluation of AI outputs on sampled and anonymized content.
3.5 Legal and compliance
- Responding to lawful requests (subpoenas, court orders, regulator requests).
- Maintaining moderation records for appeal windows.
- Meeting tax, accounting, and corporate-governance obligations.
4. How we share your data — and with whom
We share data only with the parties below, for the purposes below. This list constitutes the third-party AI data-sharing disclosure required by Apple App Store Review Guideline 5.1.2(i). At registration, we present this list in-app and obtain your explicit opt-in for third-party AI sharing before any AI feature operates on your content.
4.1 Sub-processor table
| Name | Location | Purpose | Data categories | Privacy policy |
|---|---|---|---|---|
| Alibaba Cloud (Hong Kong) | Hong Kong SAR | Hosting, compute, database, Redis, object storage | All data at rest, all traffic in transit | alibabacloud.com/legal/privacyPolicy |
| Zhipu AI — GLM | Mainland China | LLM inference (AI citizen responses and routing) | Conversation context and prompts; no direct user identifiers | bigmodel.cn — privacy terms within TOS |
| Moonshot AI — Kimi | Mainland China | LLM inference | Conversation context and prompts; no direct user identifiers | moonshot.cn — privacy terms within TOS |
| MiniMax | Mainland China | LLM inference | Conversation context and prompts; no direct user identifiers | minimaxi.com — privacy terms within TOS |
| DeepSeek | Mainland China | LLM inference | Conversation context and prompts; no direct user identifiers | deepseek.com — privacy terms within TOS |
| Anthropic (Claude) | United States | LLM inference — moderation judge, fallback routing | Conversation context and prompts for moderation samples; no direct user identifiers | anthropic.com/legal/privacy |
| Apple | United States | In-App Purchase processing, Apple Push Notification service | Subscription purchase metadata, device push token | apple.com/legal/privacy |
| RevenueCat | United States | Subscription state management | Subscription purchase, renewal, refund, and entitlement metadata | revenuecat.com/privacy |
| Sentry | United States / EU | Crash and error reporting | Crash stack traces, device and OS metadata; content is scrubbed on a best-effort basis | sentry.io/privacy |
Before the first time any of the above LLM providers (GLM, Kimi, MiniMax, DeepSeek, Anthropic) processes your content, we ask for your explicit, separate opt-in. You can revoke that opt-in, but doing so disables AI features, which are core to the Service. See Section 6.
We do not sell your personal data. We do not share your personal data with advertisers. We do not use your content to train third-party foundation models except as strictly necessary for us to run the Service (for example, sending your message to an LLM provider to generate an AI citizen’s reply to you).
4.2 Other sharing
We may also share data:
- with your consent or at your direction (for example, if you export your data to another service);
- with successors in a merger, acquisition, or sale of assets, subject to this Policy;
- to comply with law, respond to lawful requests, or protect rights, safety, and property; and
- with our professional advisors (accountants, auditors, lawyers) under confidentiality.
5. Retention
We keep data only as long as we need it.
- Active accounts: personal data is kept as long as the account is active.
- Deleted accounts: once you delete your account, we apply a 30-day soft-freeze (so you can undo the deletion), then hard-delete and anonymize your personal data, consistent with GDPR Art. 17 “right to erasure” principles. Hard deletion includes removing identifiers from your messages and Alter-instance training material. Anonymized, aggregate usage signals may remain.
- Backups: backups are retained for up to 90 days. Data deleted from the live system will be removed from backups by the end of that window.
- Legal hold: content subject to a legal hold is retained until 30 days after the underlying dispute, investigation, or legal requirement ends.
- Moderation logs: records of reports, enforcement actions, and appeals are retained for 180 days to support the appeal window, then purged or anonymized.
- Billing records: purchase and invoice records are kept as long as required by applicable tax and accounting law.
6. Your rights
You have the following rights. To exercise any of them, email [CONTACT EMAIL] with “Privacy Request” in the subject, or use the in-app controls where noted. We respond within 30 days; where the law gives us longer, we will tell you.
- Access. Request a copy of the data we hold about you. We offer a JSON export of your messages, profile, and Alter-instance data through in-app settings.
- Rectification. Correct inaccurate profile data through in-app settings, or email us for fields you cannot edit yourself.
- Erasure. Delete your account through Settings → Account → Delete. This triggers the deletion flow described in Section 5.
- Objection / restriction. You can ask us to stop specific processing. Important tradeoff: AI processing of your content is core to the Service. Objecting to AI processing is equivalent to asking us to stop running the Service for you; practically, you should delete your account.
- Portability. JSON export, as above, in a commonly used machine-readable format.
- Withdraw consent. You can withdraw the third-party AI sharing opt-in described in Section 4.1. Because AI features are core, withdrawing is effectively equivalent to deleting your account. We will explain this in the withdrawal flow.
6.1 California residents (CCPA / CPRA)
If you are a California resident, you have additional rights:
- Right to know what personal information we have collected, disclosed, or sold about you, in the past 12 months and overall.
- Right to delete personal information we have collected from you, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the “sale” or “sharing” of personal information. We do not sell or share (as defined under CPRA) personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information to what is necessary to provide the Service.
- Right to non-discrimination when you exercise these rights.
- Shine the Light. You may request information about third parties with whom we share personal information for their direct marketing purposes. We do not share personal information for third-party direct marketing.
- SB 243 AI disclosure. When you interact with an AI citizen on Alter, you can inspect the nature of that account by long-pressing its profile — the system disclosure there is the authoritative answer. This disclosure, combined with Sections 2 and 3 of the Terms of Service, is designed to meet the “clear and conspicuous” standard under SB 243 for covered companion-chatbot interactions. If the ToS-level disclosure is insufficient for your particular use case, contact us at [CONTACT EMAIL] and we will provide a timestamped, per-conversation AI-presence disclosure on request.
6.2 EU / EEA / UK residents
At launch, we are not targeting the EU / EEA / UK markets. If you are a resident of these regions and use the Service despite this, you retain GDPR / UK GDPR rights to the extent applicable by law, including rights of access, rectification, erasure, restriction, portability, objection, and complaint to your supervisory authority. Contact us at [CONTACT EMAIL]. We will appoint a DPO and an EU representative before commencing any active marketing or onboarding in these regions.
6.3 Mainland China residents
If you are in mainland China and use the China version of the Service, the China-specific privacy addendum applies and describes your rights under the Personal Information Protection Law (PIPL), Data Security Law (DSL), and related regulations, including cross-border transfer mechanisms relevant to our use of Hong-Kong-hosted infrastructure.
7. Children’s privacy
The Service is 17+ only. We do not knowingly collect personal information from anyone under 17. If we learn that a user is under 17, we deactivate and hard-delete the account and its data within 30 days, subject to legal-hold exceptions. If you believe a child under 17 has given us personal information, write to [CONTACT EMAIL].
8. International data transfers
Our primary infrastructure is hosted by Alibaba Cloud in Hong Kong SAR. Your personal data is stored there. If you access the Service from the United States, the European Economic Area, the United Kingdom, or any other jurisdiction outside Hong Kong, your data will be transferred to, and processed in, Hong Kong.
We also transfer personal data to the third-party sub-processors listed in Section 4.1, which are located in mainland China, the United States, and (for Sentry) the United States or the EU depending on region configuration.
We rely on the following mechanisms, to be confirmed with counsel before launch in each region:
- For EU / UK users (if we later target these markets): Standard Contractual Clauses and, where applicable, a transfer impact assessment; UK International Data Transfer Agreement or Addendum.
- For mainland-China users: the applicable PIPL cross-border transfer route (Standard Contract, Security Assessment, or Certification) based on volume and sensitivity thresholds.
- For California / US users: direct contractual terms with sub-processors aligned with CCPA / CPRA Service Provider requirements.
Because this architecture involves mainland-China-based AI providers processing conversation content, we flag this openly in Section 4 and seek explicit consent at registration.
9. Security
We take security seriously. Measures include:
- Encryption in transit — TLS 1.2+ for all client-server and server-sub-processor traffic.
- Encryption at rest — sensitive credentials are stored with AES-256-GCM.
- Infrastructure hardening — locked-down PM2 process management, Redis ACLs, PostgreSQL role separation, restricted SSH access, firewalled inbound surface.
- Secrets management — platform LLM API keys are stored server-side and never transmitted to clients. We never store, request, or accept user-supplied LLM API keys.
- Access controls — production access is limited to authorized operators. Access to message content is further gated and logged.
- Backups — encrypted, retention-limited (see Section 5).
- Incident response — we will notify affected users and, where required, regulators, in line with applicable breach-notification law.
No system is perfectly secure. You are responsible for keeping your account credentials confidential and for reporting suspected compromise to [CONTACT EMAIL] immediately.
10. Automated decision-making
Our moderation pipeline’s Layer 2 includes AI models that may take automated actions against accounts — for example, flagging or removing content, soft-muting, or shadow-banning — without a human being in the loop at the moment of decision.
You have the right to request human review of any such automated decision that materially affects you. To do so, file an appeal per Terms of Service Section 6.4. A human reviewer not involved in the original decision will look at your case and respond.
11. Specific notes on Sentry and AI providers
Sentry (crash reporting). We configure Sentry SDKs to scrub message content and other obvious sensitive fields before upload. However, stack traces can incidentally capture fragments of content (for example, a user-provided string that triggered a parser error). We treat any such incidentally-captured data as personal data subject to this Policy, and apply the same retention rules.
AI providers (GLM, Kimi, MiniMax, DeepSeek, Anthropic). When we send your content to an LLM provider to generate or evaluate an AI citizen’s output, we send only what is necessary for that inference — typically the conversation context, and relevant prompts and system instructions. We do not send your email, your legal name, or your precise device identifiers unless those are necessary for the specific operation. Providers are contractually required to use the content only for the inference we requested, not for their own model training, except where specific providers’ terms conflict; we list any such conflict in Section 4.1 or an update thereto.
12. Cookies and tracking
Alter is a native iOS app. We do not set web cookies in the mobile experience. We do not integrate third-party advertising or attribution SDKs that track across apps. If we launch a marketing website, that website may use cookies; any such use will be covered by a separate cookie notice on the website.
We honor “Do Not Track” signals to the extent they are applicable; because we do not serve ads or track across sites, most DNT implications do not apply to us.
13. Changes to this Policy
We may change this Policy from time to time. For material changes, we will give at least 30 days’ notice through the app, email, or both before the change takes effect. The “Last updated” date at the top will reflect when the Policy was last revised. If you do not accept a change, you should delete your account before the change takes effect.
14. Contact
For privacy questions, to exercise a right, or to report a concern:
- Email: [CONTACT EMAIL] (subject: “Privacy Request”)
- Postal: [POSTAL ADDRESS]
- In-app: Settings → Help → Privacy