Privacy Policy

What stays local, what gets routed, and why the split matters.

AutoYou has two pairing modes. Local pairing (via Telegram or Signal) keeps AutoYou-operated infrastructure out of the path — no data is collected by AutoYou Cloud. Cloud Pair is an optional paid feature that routes through app.autoyou.me and requires an account. This page explains exactly what each surface handles.

Local pairing

Telegram or Signal — zero data collected

When you pair your phone to your AutoYou server using your own messaging partner (Telegram bot or Signal), the entire connection is peer-to-peer over WebRTC. AutoYou Cloud does not operate a server in that path. No AutoYou account is needed, no data is sent to AutoYou Cloud, and nothing is stored on AutoYou-operated infrastructure. The messaging platform you choose may still process the pairing message under its own terms and privacy policy.

Cloud Pair

Optional paid feature — limited data collected

Cloud Pair lets you connect to your AutoYou computer from anywhere without switching apps. It requires a sign-in on app.autoyou.me and an active subscription. To provide this service, we collect and store the data described below. Once paired, the actual chat, voice, and browsing traffic still flows peer-to-peer over WebRTC — the cloud only brokers the initial connection.

Website

Public pages on www.autoyou.me

The public website explains the product and hosts the support form. If you submit a support message, the details you provide are delivered to support@autoyou.me. We use Google Analytics 4 on public website pages to understand page views, outbound app/store/donation clicks, and successful waitlist or support-form submissions. We do not send names, email addresses, message text, or other form contents to Google Analytics.

Terminology — which “server” is which

AutoYou involves several distinct systems. This policy uses precise names.

Because “server” appears in many contexts in this product, we use the following terms throughout this policy:

  • autoyou-website (www.autoyou.me) — The static public website you are reading now. It loads Google Analytics 4 for aggregate website analytics and receives support or waitlist details only when you submit those forms.
  • AutoYou Cloud (app.autoyou.me) — AutoYou LLC’s cloud service. Handles accounts, subscriptions, Cloud Pair signaling relay, and device registration. This is the only AutoYou-operated system that processes personal data.
  • Your AutoYou server — The AutoYou software you download and run on your own computer (Windows or macOS). It runs entirely on hardware you control. AutoYou LLC has no access to it, no visibility into it, and it never communicates with AutoYou Cloud unless you explicitly opt in to Cloud Pair.
  • Your AutoYou mobile app — The iOS or Android app on your phone. Connects to your AutoYou server peer-to-peer via WebRTC. When Cloud Pair is active, it also communicates with AutoYou Cloud to initiate that connection.

When this policy says “we collect” or “we store,” it refers to AutoYou Cloud (app.autoyou.me) and the public website analytics described above. Data that stays on your personal AutoYou server or your phone is not collected by AutoYou.

Cloud Pair — data we collect

Only what is needed to authenticate you and manage your subscription

When you use Cloud Pair, the following data is stored on app.autoyou.me (AutoYou Cloud, operated by AutoYou LLC):

  • Email address — used for sign-in and account recovery.
  • User ID — an opaque internal identifier generated by AutoYou. It is not exposed to you in the UI but is permanently linked to your OAuth sign-in account (Apple, Google, or GitHub), enabling identity verification if required.
  • Device name and public encryption key — registered when you pair a phone or your personal AutoYou server so the two can locate each other. “Server” here means the AutoYou software running on your own computer, not AutoYou’s cloud.
  • Subscription status — whether you have an active plan, which tier, and the associated Apple or Google purchase token so we can verify subscription validity.
  • OAuth provider ID — if you sign in with Apple, Google, or GitHub, we store the provider-issued subject identifier. We do not store your provider password.
  • Connection metadata (transfer logs) — each time a Cloud Pair connection is established, we record: the source device ID, the destination device ID, connection timestamp, the byte-count of the relay payload (not its content), and the delivery status. This record is linked to your user ID and persisted in our database. We do not store message text, voice audio, files, or any payload content.

We do not collect or store message content, voice audio, browsing history, files, contacts, location, or any on-device sensor data.

What stays in memory vs. what is persisted: The WebRTC signaling relay (SDP offers and ICE candidates exchanged during connection setup) is held only in process memory and discarded as soon as the connection completes or times out. Connection metadata (as described above) is written to our database and retained while your account is active.

Microphone

Used only when you explicitly start voice features

AutoYou requests microphone access only for voice calls or voice notes. Audio is streamed peer-to-peer to your own server for speech-to-text processing. It is never sent to AutoYou infrastructure. You can disable voice calling in settings.

Camera

Used only for QR-based setup or pairing

QR scanning is used for zero-touch provisioning and authenticator setup. The camera is released immediately after the scan completes. AutoYou does not access the camera in the background.

Browser proxy and files

Traffic moves through your own server, not ours

Browser proxy requests, staged files, and attachments travel over the peer-to-peer WebRTC connection to your AutoYou server. Destination sites receive the request metadata they normally would from your server's IP address, not from AutoYou infrastructure.

No account required

The app works fully without signing in or creating an account

AutoYou does not require you to create an account or sign in to use the app. You can pair with your server using Telegram or Signal and use every feature — chat, voice, browser proxy, notes, file transfer — without ever providing an email address or any personal information to AutoYou.

An account is only needed if you choose to enable Cloud Pair, an optional paid convenience feature. If you never enable Cloud Pair, no data is linked to you and no data leaves your device or your own server.

Encryption in transit

All data is encrypted in transit

Cloud Pair API traffic between your device and app.autoyou.me is served over HTTPS (TLS 1.2+). All API requests, authentication tokens, and relay messages are encrypted end-to-end between your device and the server.

Peer-to-peer traffic (chat, voice, browser proxy, file transfer) between your phone and your AutoYou server uses WebRTC, which encrypts all data channels with DTLS and all audio/video streams with SRTP. This encryption is mandatory in WebRTC and cannot be disabled.

At rest, Cloud Pair account data is stored in an encrypted database on infrastructure we operate. Local pairing credentials and server configuration are stored on your own devices using platform-standard storage (Keychain on iOS, SharedPreferences on Android, filesystem on your server).

Data retention

Kept only while your account is active

Cloud Pair account data (email, user ID, device keys, subscription status) is retained for as long as your account exists. Connection metadata (transfer logs: source/destination device IDs, timestamps, byte-counts) is retained for as long as your account is active and is deleted when your account is deleted.

WebRTC signaling relay data (SDP offers, ICE candidates) is held only in process memory and is discarded as soon as the connection attempt completes or times out. It is never written to disk.

Account deletion

Delete everything from the app or by email

You can permanently delete your Cloud Pair account and all associated data from Settings → Delete Account in the iOS or Android app. Deletion removes your user record, devices, messages, transfer logs, and subscription tokens. You can also request deletion by emailing support@autoyou.me. For full step-by-step instructions, see the account deletion page.

Stored secrets

Connection credentials stay on your devices

Server passwords, QR-derived authenticator data, STUN/TURN credentials, and private encryption keys are stored locally on your phone and your own AutoYou server (your computer). They are never transmitted to app.autoyou.me or any AutoYou-operated infrastructure.

Only the public half of your device’s encryption key pair is registered with AutoYou Cloud, enabling devices to find each other without AutoYou ever having access to the private key needed to decrypt your traffic.

International Users & GDPR

Your rights under GDPR and equivalent privacy laws

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and/or applicable national laws with respect to any personal data AutoYou holds about you. These rights apply only if you have a Cloud Pair account. If you use local pairing, AutoYou holds no personal data about you.

Data Controller: AutoYou — support@autoyou.me.

Legal basis for processing:

  • Contract (Art. 6(1)(b) GDPR) — processing your email, user ID, and device public key is necessary to provide the Cloud Pair service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f) GDPR) — retaining subscription status and OAuth provider identifiers to verify subscription validity and prevent fraud.
  • Legal obligation (Art. 6(1)(c) GDPR) — retaining records as required by applicable law.

You may exercise the following rights by emailing support@autoyou.me. We will respond to verified requests within 30 days.

  • Right of access (Art. 15) — receive a copy of personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations. You may also delete your account directly via Settings → Delete Account in the app.
  • Right to restrict processing (Art. 18) — ask us to limit how we use your data while a dispute is pending.
  • Right to data portability (Art. 20) — receive a machine-readable copy of data you provided to us.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to lodge a complaint — contact your national data protection authority (e.g., the ICO in the UK, or your EU member state supervisory authority) if you believe we have violated your rights.

Cloud Pair account data is stored in the United States. Transfers outside the EEA are made under Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required by GDPR Chapter V.

California Residents — CCPA / CPRA

Your rights under California privacy law

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with certain rights regarding personal information.

Categories of personal information we collect (Cloud Pair users only):

  • Identifiers — email address, user ID.
  • Device information — device name and public encryption key.
  • Commercial information — subscription tier, status, and App Store / Play Store purchase token.

AutoYou does not collect sensitive personal information, geolocation data, biometric data, message content, browsing history, or audio recordings. We do not sell or share your personal information with third parties for cross-context behavioral advertising or to data brokers.

The full list of categories collected (Cloud Pair users only):

  • Identifiers — email address, opaque internal user ID (linked to your OAuth account), OAuth provider subject identifier.
  • Device identifiers — device name and public encryption key for your phone and your personal AutoYou server.
  • Commercial information — subscription tier, status, and App Store / Google Play purchase token.
  • Internet or other network activity — connection metadata: source device ID, destination device ID, connection timestamp, and relay payload byte-count (not content). This category is required to be disclosed under CCPA §1798.140(v)(1)(H) and is used for service operation and, when legally required, law enforcement compliance.

You have the right to:

  • Know what personal information is collected and how it is used.
  • Request deletion of your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information (not applicable — we do not sell or share personal information).
  • Limit use and disclosure of sensitive personal information (not applicable — we do not collect sensitive personal information).
  • Non-discrimination for exercising your CCPA rights.

To exercise any right, email support@autoyou.me with subject “CCPA Request”. We will verify your identity and respond within 45 days, with a possible 45-day extension when reasonably necessary.

Law Enforcement & Legal Requests

What we can produce, what we cannot, and how requests are handled

AutoYou LLC will respond to valid, lawfully issued legal process (court orders, subpoenas, warrants) from authorities with jurisdiction over AutoYou LLC, which is incorporated and operated in the United States under the laws of the State of California.

What we can produce (Cloud Pair users only):

  • Account information: email address, user ID, account creation date, OAuth provider and provider-issued identifier.
  • Device registry: device names, public encryption keys, and device registration dates.
  • Connection metadata: for each Cloud Pair relay event — the source device ID, destination device ID, connection timestamp, and payload byte-count. The user ID associated with those device IDs can be correlated with the OAuth identity (Google account, Apple ID, or GitHub account) used to create the account.
  • Subscription records: subscription tier, start date, billing platform, and purchase token.

What we cannot produce (does not exist on our systems):

  • Message content — chat messages, voice, and browsing traffic travel peer-to-peer over WebRTC between the user’s devices and are end-to-end encrypted with DTLS/SRTP. AutoYou Cloud does not route, buffer, or store this content.
  • WebRTC signaling data — SDP offers and ICE candidates are held in process memory only and discarded as soon as the connection completes; they are not logged or persisted.
  • Payload content — the AutoYou Cloud relay transmits end-to-end encrypted payloads between device pairs without decrypting them. Only the byte-count is recorded, never the content.
  • Information about local pairing users — users who pair via Telegram or Signal without using Cloud Pair have no account on our systems and produce no records.

Emergency disclosures: If AutoYou believes in good faith that an emergency involving danger of death or serious physical injury requires disclosure without delay, we may disclose information to appropriate law enforcement without waiting for legal process.

Law enforcement inquiries should be directed to support@autoyou.me with the subject line “Law Enforcement Request.” We will review each request for legal sufficiency before complying and will notify affected users where legally permitted to do so.

Contact

Questions, deletion requests, or reviewer inquiries

If you have a privacy question, a data deletion request, or an app-review inquiry, email support@autoyou.me. We aim to respond within 48 hours.

This Privacy Policy is incorporated into and forms part of AutoYou’s Terms of Use.

Last updated: 2026.