Liloo — Privacy Policy
Effective date: 2026-05-03
Publisher: Liloo (Appfyl), a product of the Liloo team.
Contact: privacy@liloosafespace.com · Moderation: moderation@liloosafespace.com
This Privacy Policy explains what personal data Liloo collects, why we need it, who we share it with, and what rights you have. It applies to the Liloo mobile app (iOS and Android) and the marketing site at https://liloosafespace.com/.
1. Who we are
Liloo is an AI-based conflict dialogue simulation platform. Users practise stressful conversations with AI-generated avatars (e.g. toxic mother-in-law, aggressive colleague) in order to train communication skills.
2. Data we collect
2.1 Data you give us
| Data | Why | Stored where | Retention |
|---|---|---|---|
| Email address | Sign-in, account recovery, critical notifications | Firebase Auth | Until account deletion |
| Password (hash) | Sign-in (email method only) | Firebase Auth | Until account deletion |
| Date of birth | Age-appropriate AI responses; COPPA enforcement (min age 13) | Firestore users/{uid} | Until account deletion |
| Country (optional) | Localisation, default language | Firestore users/{uid} | Until account deletion |
| Gender (optional) | Character-adapted dialogue tone | Firestore users/{uid} | Until account deletion |
| Avatars you create | Your custom AI characters | Firestore avatars/ + Postgres | Until avatar deletion |
| Chat messages | Conversation state, to continue the dialogue | Firestore conversations/{id}/messages/{mid} | 90 days rolling, then anonymised |
| Report submissions | Content moderation (Apple 4.7 / Google Play AI Policy) | Backend Postgres | 2 years then deleted |
| Sanctions on your account | Enforcement of our Terms | Backend Postgres | 5 years then deleted |
2.2 Data collected automatically
| Data | Why | Stored where |
|---|---|---|
| Device model, OS version | Crash diagnostics, compatibility | Firebase Crashlytics |
| App version, session start time | Performance monitoring | Firebase Performance |
| Non-identifying event logs | Bug triage | Firebase Analytics (opt-out available in Profile) |
We do not collect: contacts, location, photos/camera, microphone (except when you explicitly tap the record button in chat), advertising ID.
2.3 Web analytics & cookies (liloosafespace.com)
The marketing site (liloosafespace.com) and the web preview (liloosafespace.com/testdrive/) use Google Analytics 4 to understand aggregate visitor behaviour — page views, session duration, country, device type — without identifying you personally.
| Surface | GA4 property |
|---|---|
| Marketing site | G-QXRV785DRH |
| Testdrive (web preview) | G-9JLR62J3L3 |
Web analytics is gated by Google Consent Mode v2. GA4 defaults to denied and runs in cookieless-ping mode (aggregate, non-identifying signals only) until you click Accept in the cookie banner shown on your first visit. Your choice is stored in browser local storage under the key liloo_consent_v1 and applies to both surfaces. You can withdraw consent at any time by clearing site data in your browser settings — the banner will then reappear on your next visit.
Liloo runs no Google Ads or remarketing campaigns. The advertising consent signals (ad_storage, ad_user_data, ad_personalization) remain denied regardless of your choice.
This section applies only to the website. Mobile analytics (Firebase Analytics in §2.2) is opt-out via the Profile screen and is not controlled by the website cookie banner.
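The consent gating described in §2.3, written out as an added example (not Liloo's site code): analytics defaults to denied, the three advertising signals stay denied whatever the visitor chooses, and the choice is read from and written to local storage under liloo_consent_v1. The stored value format ("granted"/"denied"), the function names and the in-memory storage stand-in are assumptions for illustration.

```javascript
// Added example, not Liloo's own code. Storage key name is from the policy;
// the stored value format and function names are hypothetical.
const CONSENT_KEY = "liloo_consent_v1";

// Standard gtag shim: commands are pushed to the dataLayer that gtag.js drains.
// Kept in memory here so the example runs offline.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Advertising signals are never granted, regardless of the banner choice.
const ADS_ALWAYS_DENIED = {
  ad_storage: "denied",
  ad_user_data: "denied",
  ad_personalization: "denied",
};

// Consent state for a given analytics choice ("granted" or "denied").
function consentState(analyticsChoice) {
  return { ...ADS_ALWAYS_DENIED, analytics_storage: analyticsChoice };
}

// Must run before gtag.js loads. With no recorded choice, GA4 stays denied
// and only sends cookieless pings. Returns the choice that was applied.
function setDefaultConsent(storage) {
  const stored = storage.getItem(CONSENT_KEY);
  const choice = stored === "granted" ? "granted" : "denied";
  gtag("consent", "default", consentState(choice));
  return choice;
}

// Accept button handler: persist the choice so both surfaces honour it,
// then tell gtag to start using analytics cookies. Ads stay denied.
function acceptAnalytics(storage) {
  storage.setItem(CONSENT_KEY, "granted");
  const state = consentState("granted");
  gtag("consent", "update", state);
  return state;
}

// The banner is shown only while no choice is recorded; clearing site data
// removes the key, so the banner reappears on the next visit.
function shouldShowBanner(storage) { return storage.getItem(CONSENT_KEY) === null; }

// Minimal in-memory stand-in for window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    clear: () => m.clear(),
  };
}
```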
3. How we use AI (third-party sub-processors)
Liloo uses OpenAI (gpt-4o family) to generate AI character responses.
- When you send a chat message, the text plus a short (up to 20 messages) conversation history is sent to OpenAI's API for processing.
- Your email, UID, real name, date of birth, and location are never sent to OpenAI.
- We send only: the message text, scenario description, avatar character profile, your age bracket (not exact age: one of 5 brackets), and general gender (male/female/neutral).
- Per OpenAI's business data commitment, messages sent via our API are not used to train OpenAI models.
- Pre- and post-processing moderation runs on our backend (see §5).
Other sub-processors:
| Provider | Purpose | Personal data processed |
|---|---|---|
| Google Firebase (Auth, Firestore, Cloud Functions, Storage) | Account sign-in, real-time chat sync, storage | Email, UID, chat messages, avatars |
| DigitalOcean | Backend hosting (Liloo API, Postgres) | Reports, sanctions, usage metadata |
| OpenAI | AI character response generation | Truncated chat history, age bracket, gender |
| Google Analytics 4 | Aggregate web traffic analytics on liloosafespace.com (consent-gated, see §2.3) | Anonymised session data, no personal identifiers |
4. Legal basis (GDPR / UK GDPR / Ukrainian law)
| Purpose | Legal basis |
|---|---|
| Providing the app's core service | Performance of a contract (Art. 6(1)(b) GDPR) |
| Moderating AI and user content | Legitimate interest (safety of users, compliance with Apple/Google policy) |
| Crash & performance diagnostics | Legitimate interest (security and reliability) |
| Optional mobile analytics | Consent (opt-out in Profile) |
| Optional web analytics (GA4) | Consent (cookie banner on first visit, see §2.3) |
| Storing date of birth | Legal obligation (COPPA/GDPR-K minimum-age enforcement) |
5. Content moderation and AI safety
Because Liloo generates AI dialogue, we have a safety pipeline required by Apple Guideline 4.7 and Google Play's Generative AI Policy:
- Input classification — every message you send is checked for self-harm, sexual-minor, violence, weapons, drug-manufacture, and prompt-injection patterns before being sent to the LLM.
- Self-harm routing — if self-harm intent is detected, we do NOT generate a roleplay response. Instead we return an empathetic reply and surface local crisis hotlines.
- Output classification — AI responses are screened for the same rule groups before being shown to you.
- User reports — every AI message has a long-press "Report" action. A moderator reviews each report within 24 hours.
- Sanctions — if you use Liloo to generate prohibited content, we may restrict your account (warning, temporary or permanent block).
Moderation events and reports are logged to audit tables and used only for safety review, not for personalisation or advertising.
6. Children
Liloo is rated 17+ (Apple) / Mature 17+ (Google Play). The minimum age of use is 13 years (COPPA/GDPR-K). We verify age at registration via date of birth and refuse registration for users below 13. Users aged 13-17 still receive age-calibrated responses with softened content.
7. Data retention & deletion
- Account deletion: You can delete your account from Profile → Delete profile permanently. This cascades:
  - Firebase Auth user → deleted via FirebaseAuth.currentUser.delete()
  - Conversations & messages → deleted by the onUserDeleted Cloud Function
  - Avatars & sessions in Postgres → deleted by the backend purge endpoint
  - User document in Firestore → deleted last, as a marker
- Conversation messages are automatically anonymised after 90 days of inactivity (user UID stripped, content replaced with placeholder).
- Reports retain content snapshot for 2 years for moderation audit.
- Sanctions retain for 5 years (legal audit).
8. International transfers
Our servers are hosted in the United Kingdom (DigitalOcean London, LON1 region). The UK is recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision of 28 June 2021), so transfers of personal data from the EEA to our UK servers do not require additional safeguards. Firebase services are hosted by Google globally. OpenAI API calls are routed to OpenAI's US infrastructure under the Standard Contractual Clauses.
9. Your rights
Under GDPR / UK GDPR / Ukrainian law, you have the right to:
- Access — request a copy of your data (email privacy@liloosafespace.com)
- Rectify — correct inaccurate data (most fields are editable in Profile)
- Erase — delete your account (Profile → Delete profile permanently)
- Portability — receive your data in machine-readable form
- Object / restrict — contact us to object to specific processing
- Complain — file a complaint with your local data protection authority
Response SLA: 30 days.
10. Security
- TLS 1.2+ for all network traffic (HTTPS enforced, HSTS enabled).
- Firestore security rules: per-user owner-based access control.
- Backend JWT-based auth with role + scope gating.
- Hashed passwords (bcrypt via Firebase Auth).
- No application-level encryption at rest for chat messages; encryption at rest relies on Firebase's underlying Google Cloud storage.
11. Changes to this policy
We notify you in-app and by email of material changes at least 30 days before they take effect. Non-material changes (typos, reordering) take effect immediately on publication.
12. Contact
- Privacy questions: privacy@liloosafespace.com
- Moderation / abuse: moderation@liloosafespace.com
- General support: support@liloosafespace.com
