Privacy policy

Last updated: 22 May 2026.

Jotly is a personal AI assistant for notes, lists, reminders, and calendar context. This policy explains what data Jotly collects, why, where it lives, and how to remove it. Jotly is operated by Rob Hutchin as a sole trader based in the United Kingdom. Contact: hello@jotly.co.uk.

1. Who the data controller is

For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is Rob Hutchin, trading as Jotly. You can reach the controller at the email address above.

2. What data we collect

2.1 Account data

• Email address (used as your login identifier).
• If you sign in with Google, Apple, or Facebook: the email address and basic profile information returned by that provider. We do not receive your social-network password.
• A device push token, if you opt in to push notifications. Used only to send Jotly's own reminders.

2.2 Content you put into Jotly

• Notes you write.
• Tasks, lists, and reminders you capture.
• Chat messages between you and Jotly's assistant.
• Photos you upload for OCR (e.g. a photographed shopping list). Stored in encrypted S3, processed by AWS Textract, and not used to train any model.

2.3 Calendar data (if you connect it)

• If you connect Apple Calendar or Google Calendar, Jotly reads your events to surface them alongside your tasks. Read-only — Jotly never writes back to your calendar.
• OAuth refresh and access tokens for the calendar integration are stored in AWS Secrets Manager. We never store them in plaintext, in the database, or in logs.

2.4 Operational data

• CloudWatch logs of API requests for debugging and abuse prevention. These contain user IDs and timestamps; they do not contain note or message bodies.
• Per-user counters of AI calls made each month, used to enforce the fair-use cap.

3. Where the data lives

All Jotly data is hosted on Amazon Web Services in the London (eu-west-2) region.

• DynamoDB (eu-west-2) — your notes, tasks, lists, chat history, and profile.
• S3 (eu-west-2) — uploaded photos and overflow note bodies that are too large to inline.
• S3 Vectors (eu-west-2) — the embeddings used for the "Ask Jotly" retrieval feature. The vectors themselves are numeric representations of your notes; the originals stay in DynamoDB.
• Secrets Manager (eu-west-2) — encrypted storage for calendar OAuth tokens.
• Amazon Cognito (eu-west-2) — authentication. Cognito stores the email + a hashed password for native logins; for social logins it stores the federated identity link.
• Amazon Bedrock — used for AI parsing, tagging, embeddings, and the agentic Ask. We call Bedrock through AWS's managed inference endpoint. Per Anthropic's commercial terms, your prompts and outputs are not used to train the underlying models.

4. How long we keep it

• Notes, tasks, lists, calendar events: kept for as long as your account exists. You can delete any item at any time from inside the app.
• Chat history: auto-deleted after 30 days via DynamoDB TTL. The deletion is permanent.
• Account: kept until you delete it (see below).

5. How we use the data

• To run the Jotly service for you.
• To send you push notifications and reminders you have asked for. You can disable these in your device's notification settings.
• To enforce the monthly fair-use cap on AI calls.
• To debug and operate the service.

We do not sell your data. We do not advertise inside Jotly. We do not use your content to train AI models.

6. Legal basis (UK GDPR Article 6)

• Performance of a contract — to provide the service you signed up for.
• Legitimate interests — for operational logging and abuse prevention. You can object to this by deleting your account.
• Consent — for push notifications and for connecting a calendar. You can revoke either at any time.

7. Your rights

Under UK GDPR you have the right to:

• Access the data we hold about you.
• Correct inaccurate data.
• Delete your data.
• Export your data in a portable form.
• Object to processing.
• Complain to the UK Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data.

8. Deleting your account

Inside the Jotly mobile or web app, open Settings and choose "Delete account". This:

• Removes every note, task, list, chat message, and event we hold for you.
• Deletes your Cognito identity, so you can no longer sign in.
• If you signed in with Apple, calls Apple's token-revocation endpoint so that your Apple ID is no longer linked to Jotly.
• Removes any stored calendar tokens from Secrets Manager so we can no longer reach your calendar.

The deletion is immediate and irreversible. Cached log lines may survive in CloudWatch for up to 30 days; they contain user IDs and timestamps, not content.

9. Sub-processors

Jotly uses the following sub-processors:

• Amazon Web Services (UK / EU regions).
• Anthropic, via AWS Bedrock, for AI inference.
• Apple, Google, and Meta — only if you choose to sign in with one of them, or connect their calendar.

10. Children

Jotly is not intended for use by anyone under 13. We do not knowingly collect data from children. If you believe a child has signed up, please contact us and we will delete the account.

11. Changes to this policy

We will update this page if the way we handle data changes. Material changes will be highlighted in-app before they take effect.

12. Contact

Questions, requests, or complaints: hello@jotly.co.uk.