Privacy Policy

1. Introduction

This Privacy Policy explains how Isle ("Isle", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use the Isle apps, the byisle.com website, and related services (together, the "Service").

Isle is the controller of your personal data under applicable UK and EU data protection laws. We are based in the United Kingdom. If you have any questions about this policy or how your data is handled, please contact us at legal@byisle.com.

2. Information We Collect

Account information: your email address, password (stored in hashed form by our authentication provider and, on your device, in the iOS Keychain), username, title, first name, middle name, surname, biography, and profile image.

Profile and location: the country and city you select during onboarding, and, if you enable it, approximate real-time location used for features such as weather and contextual suggestions. You can disable location access at any time from your device settings.

Content you create: workspace nodes, notes, documents, images, media, agents, tracks, challenges, goals, streaks, habits, and any files you upload. Files are stored with our storage provider (Cloudflare R2) and metadata is stored with our database provider (Google Firebase / Firestore).

AI interactions: the prompts, messages, transcripts, and context you submit to AI features (including Flint, Astra, and any agents), and the responses generated for you.

Voice and speech: if you use voice messaging or voice interactions, we process your microphone audio and, where applicable, the text transcription generated by on-device or server-side speech recognition.

Social and sharing data: your follows, followers, profile visibility, and workspace shares (including roles such as owner, admin, editor, or viewer).

Integration data: when you connect third-party services via OAuth, we receive the access tokens and the specific data you authorise (for example, calendar events or emails) so that the integration can function.

Device and usage data: device identifiers, app version, operating system, crash diagnostics, performance metrics, and basic interaction events used to keep the Service reliable and secure. We do not sell this information.

Security data: sign-in events, connected device lists, and information used to detect suspicious activity and abuse.

3. How We Use Your Information

To provide, operate, and maintain the Service, including syncing your workspace across devices, rendering your files, and running AI features on your behalf.

To personalise your experience, including tailoring onboarding, suggesting tracks or goals, and surfacing relevant content.

To communicate with you about product updates, security alerts, and support requests.

To keep the Service secure, detect fraud and abuse, enforce our Terms, and comply with legal obligations.

To improve the Service in aggregate or de-identified form; we do not use your private content to train foundation AI models without your consent.

4. Legal Bases for Processing (UK/EU)

We rely on the following legal bases under the UK GDPR and EU GDPR: performance of a contract with you (to deliver the Service you signed up for), legitimate interests (to secure and improve the Service, subject to your rights), consent (for features such as microphone access, location, and optional marketing communications), and compliance with legal obligations.

5. Sharing Your Information

We share personal data only as described in this policy. We do not sell personal data.

Infrastructure providers: Google Firebase (Authentication, Firestore, Cloud Functions, Storage, App Check) for identity, database, and serverless functions; Cloudflare R2 for file storage; and, where applicable, server-side browser automation providers (such as Playwright) for optional Assist Mode features.

AI providers: when you use AI features, the prompts and context you submit are processed by Google (Gemini models, via the Google Gemini API) and, in some flows, Anthropic (Claude models) in order to generate responses. These providers process your input to return a result and do not use it to train their foundation models.

Third-party integrations: when you connect an external account via OAuth, data flows between Isle and that third party according to the scopes you approve. You can disconnect integrations at any time from settings.

Other users: information you choose to share (for example, your public profile, posts, or workspace shares) becomes visible to the audience you select.

Legal and safety: we may disclose information to comply with legal obligations, respond to lawful requests, or protect the rights, property, and safety of Isle, our users, or the public.

Business transfers: if Isle is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the successor, subject to the protections in this policy.

6. International Data Transfers

Your information may be processed and stored in countries outside your own, including the United States and the European Economic Area, where our infrastructure providers operate. When we transfer personal data out of the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy decisions.

7. Data Retention

We keep personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we delete or anonymise your personal data within a reasonable period, except where we are required to retain it for legal, accounting, or security reasons (for example, fraud prevention or tax compliance).

You can delete individual workspace items, files, or integrations at any time from within the Service.

8. Security

We apply industry-standard administrative, technical, and physical safeguards to protect your personal data, including encrypted transport (HTTPS/TLS), encryption of files at rest with our storage provider, App Check, scoped access tokens, and on-device Keychain storage for credentials. No system is perfectly secure, and we cannot guarantee absolute security.

9. Your Rights

Subject to local law, you have the right to access, correct, delete, or export your personal data; to restrict or object to certain processing; and to withdraw consent at any time.

You can exercise most of these rights directly inside Isle: edit your profile in Account settings, manage device permissions (microphone, location, speech recognition) in your device's system settings, disconnect integrations under Integrations, and delete your account under Account settings. For any request we cannot resolve inside the app, contact us at legal@byisle.com.

If you are in the UK or EEA, you also have the right to lodge a complaint with a supervisory authority (for example, the UK Information Commissioner's Office).

10. Children

Isle is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children below that age. If you believe a child has provided us with personal data, please contact us at legal@byisle.com and we will take steps to delete it.

11. Cookies and Analytics

Our website may use cookies and similar technologies to keep you signed in, remember preferences, and measure traffic. Inside the app we use privacy-respecting diagnostics (such as crash reports and anonymised performance metrics) to keep the Service reliable. We do not use third-party advertising networks to track you across the web.

12. AI and Your Content

When you use AI features, the content you submit and the context you attach are processed by Isle and by our AI providers — Google (Gemini models) and, in some flows, Anthropic (Claude models) — to generate a response. We do not use your private prompts, files, or workspace content to train our own foundation models or to train third-party models without your explicit consent.

If you opt in to share feedback or examples with us, we may use that information to improve the Service, subject to the protections in this policy.

13. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes we will notify you in the app or by email before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

If you have questions or concerns about this Privacy Policy or about how your personal data is handled, please contact us at legal@byisle.com.