Last Updated: December 14, 2024
Introduction
Rekora (“we,” “our,” or “us”) is a family memories and stories application that helps families preserve their history through voice recordings, build knowledge graphs of family relationships, and receive AI-powered insights. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our mobile application and services.
We take your privacy seriously. This policy is written in plain language to help you understand exactly what data we collect and how we use it.
Quick Summary
| What We Collect | Why | Who Processes It |
|---|---|---|
| Email & password | Account creation | Us (stored securely) |
| Voice recordings | Preserve family stories | AWS (transcription) |
| Family tree info | Build your family history | Us |
| Your questions & interactions | Provide AI advice | Anthropic (Claude AI) |
| Push notification tokens | Send you alerts | Expo |
Key Points:
- Your voice recordings and transcripts are yours
- We do NOT sell your data to anyone
- AI providers do NOT train on your data (API usage)
- You can delete your data at any time
1. Information We Collect
1.1 Information You Provide Directly
Account Information
- Email address (required for account creation)
- Password (stored encrypted, never in plain text)
Family Circle Information
- Circle name (your family or group name)
- Person profiles you create (names, relationships, birth/death dates, gender)
- Family relationships (parent, child, spouse, sibling, etc.)
- Nicknames and how family members refer to each other
Voice Recordings and Stories
- Audio recordings you make through the app
- The transcripts generated from those recordings
- Episode titles and descriptions you provide
Personal Details About Family Members
- Biographical information (dates, locations, occupations)
- Personality traits, likes, dislikes, and hobbies
- Catchphrases and speech patterns
- Life events (graduations, weddings, births, etc.)
- Employment and education history
Your Questions and Interactions
- Questions you ask the “Oracle” advice feature
- Your responses to story prompts
- Notes and descriptions you add
1.2 Information Collected Automatically
Device and Usage Data
- Push notification tokens (to send you alerts)
- Basic device information for app functionality
- App usage patterns (which features you use)
Technical Data
- IP address (for security and abuse prevention)
- Timestamps of your activities
- API request logs (for debugging and security)
1.3 Information Generated by AI Processing
When you use our AI features, we generate:
- Transcripts from your voice recordings
- Extracted entities (people, places, organizations mentioned)
- Personality summaries of family members
- AI-generated follow-up questions
- Semantic embeddings (mathematical representations for search)
2. How We Use Your Information
2.1 Core Service Functions
| Purpose | Data Used |
|---|---|
| Create and manage your account | Email, password |
| Transcribe your recordings | Audio files |
| Build your family knowledge graph | Names, relationships, traits, events |
| Provide AI-powered advice | Your questions + relevant family context |
| Send notifications | Push tokens, email |
| Enable search across your stories | Transcripts, embeddings |
2.2 Service Improvement
We use aggregated, anonymized data to:
- Improve transcription accuracy
- Enhance AI response quality
- Fix bugs and technical issues
- Understand which features are most useful
2.3 What We Don’t Do
- We don’t sell your data to advertisers or data brokers
- We don’t share your family stories with other users
- We don’t use your content for marketing purposes
- We don’t allow AI providers to train on your data
3. Third-Party Services and How They Handle Your Data
We use carefully selected third-party services to provide our features. Here’s exactly what each service receives and their privacy commitments:
3.1 Anthropic (Claude AI)
What we send: Your questions, relevant family context for generating advice, transcripts for entity extraction
Their privacy commitment:
- API data is NOT used for model training by default
- 7-day log retention for API requests (for abuse prevention)
- Zero Data Retention option available for maximum privacy
- Data is processed in the United States
More info: Anthropic Privacy Center
3.2 VoyageAI (Search Embeddings)
What we send: Text from your transcripts to generate searchable embeddings
Their privacy commitment:
- Zero-day data retention option available
- Customers can opt out of data being used for model training
- We have enabled the opt-out for your data
More info: VoyageAI Privacy Policy
3.3 Amazon Web Services (AWS)
AWS S3 - Audio Storage
- What we store: Your audio recording files
- Their commitment: Your content is your property; AWS provides infrastructure only
- Security: Encrypted at rest and in transit
AWS Transcribe - Speech-to-Text
- What we send: Your audio files for transcription
- Their commitment: Processes audio only to provide transcription; content not used for training AWS models
- Data handling: Audio and transcripts deleted after processing completes
AWS SES - Email
- What we send: Your email address, notification content
- Their commitment: Processes emails only for delivery
More info: AWS Privacy Notice
3.4 Expo (Push Notifications)
What we send: Push notification tokens, notification messages
Their privacy commitment:
- Tokens used solely for delivering notifications
- Does not share push tokens with third parties for marketing
More info: Expo Privacy Policy
3.5 Langfuse (Internal Monitoring)
What they receive: Anonymized metadata about AI processing for quality monitoring
Their privacy commitment:
- 1-month retention after account termination
- Used solely for service monitoring and debugging
More info: Langfuse Privacy Policy
3.6 PostgreSQL Database
Your data is stored in a PostgreSQL database that we operate. This is not a third-party service - we maintain full control of this infrastructure.
4. Data Storage and Security
4.1 Where Your Data is Stored
- Database: Secure PostgreSQL servers
- Audio files: AWS S3 (Sydney, Australia region - ap-southeast-2)
- Processing: AWS services in Australia where possible
4.2 Security Measures
We implement multiple layers of security:
| Layer | Protection |
|---|---|
| Passwords | Hashed using industry-standard algorithms |
| Data in transit | TLS/HTTPS encryption |
| Data at rest | AES-256 encryption |
| Access control | Role-based permissions within circles |
| API security | JWT tokens with expiration |
| Audit logging | All significant actions are logged |
4.3 Data Isolation
Each family “circle” is completely isolated:
- You can only see data in circles you belong to
- Users cannot access other families’ data
- Each circle member can control their own privacy settings
5. Data Retention
5.1 How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Audio recordings | Until you delete them |
| Transcripts & stories | Until you delete them |
| Family tree data | Until you delete it or leave the circle |
| Push notification tokens | Until you disable notifications or delete account |
| System logs | 30 days |
| AI processing logs | 30 days (anonymized) |
5.2 When You Delete Data
- Deleted conversations: Immediately removed from active use
- Deleted episodes: Audio files and transcripts permanently deleted
- Account deletion: All personal data removed within 30 days
5.3 Third-Party Retention
| Service | Their Retention |
|---|---|
| Anthropic (API) | 7 days (logs only) |
| VoyageAI | Zero-day (opted out) |
| AWS Transcribe | Deleted after processing |
| Expo | No long-term storage of notification content |
6. Your Privacy Controls
6.1 What You Can Do
View your data: Access all your recordings, transcripts, and family information in the app
Edit your data: Update or correct any personal information
Delete your data:
- Delete individual episodes
- Delete person profiles
- Delete your entire account
Control AI context:
- Exclude specific family members from AI advice using “Person Exclusions”
- Choose which stories and context the AI can access
Manage notifications:
- Enable/disable push notifications
- Control which types of notifications you receive
6.2 Data Export
You can request a copy of all your data by contacting us at privacy@rekora.app.
6.3 Account Deletion
To delete your account:
- Contact us at privacy@rekora.app
- We will verify your identity
- All your personal data will be deleted within 30 days
Note: If you’re the only owner of a circle, you’ll need to transfer ownership or delete the circle first.
7. Children’s Privacy
Rekora is designed for families, which naturally includes children. However:
- Users must be 13 years or older to create an account
- Parents/guardians may create accounts and record stories involving children under 13
- We do not knowingly collect information directly from children under 13
- If you believe we have inadvertently collected data from a child under 13, please contact us immediately
8. International Data Transfers
If you are located outside Australia:
- Your data may be processed in Australia and the United States
- We ensure appropriate safeguards are in place for international transfers
- AWS, Anthropic, and other providers maintain appropriate data protection certifications
9. Your Legal Rights
Depending on your location, you may have rights including:
For All Users:
- Right to access your data
- Right to correct inaccurate data
- Right to delete your data
- Right to data portability (export)
For Australian Users:
Your rights under the Privacy Act 1988 and Australian Privacy Principles (APPs) apply.
For EU/UK Users:
If you’re in the EU or UK, you have additional rights under GDPR including:
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
For California Users:
Under CCPA, you have the right to:
- Know what personal information we collect
- Request deletion of your personal information
- Opt out of the sale of personal information (we don’t sell your data)
- Non-discrimination for exercising your rights
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We’ll update the “Last Updated” date at the top
- We’ll notify you via email or in-app notification
- Continued use after changes means you accept the updated policy
We will never make changes that retroactively allow us to use your data in ways we didn’t disclose.
11. Contact Us
If you have questions about this Privacy Policy or our data practices:
Email: privacy@rekora.app
Response time: We aim to respond within 48 hours
For data protection inquiries in the EU, you may also contact your local supervisory authority.
This privacy policy is designed to be understandable. If anything is unclear, please contact us and we’ll explain further.