Privacy Policy
Effective Date: February 24, 2026 | Last Updated: March 26, 2026
IOU, INC (“we,” “us,” or “our”) operates IOUHome, IOULegacy, Deployed, and IOUForever (collectively, the “Service”). This Privacy Policy explains what information we collect, how we use it, and your choices.
The Service is operated from the United States and is available only to users located in the United States. All data is stored and processed within the United States. This Privacy Policy is governed by U.S. federal and applicable state privacy laws. We do not target, market to, or knowingly collect data from individuals outside the United States.
1. Information We Collect
Account information. When you create an account we receive your name and email address from our identity provider (Microsoft Entra External ID). We do not store passwords — authentication is handled entirely by Microsoft.
Content you upload. Photos, documents, recipes, notes, capsules, and other files you choose to store. Files are stored in Amazon Web Services (AWS) S3, encrypted at rest.
Usage data. We log basic request metadata (timestamps, pages visited, error codes) for security monitoring and debugging. We do not use third-party analytics trackers.
TV & streaming devices. If you pair a Roku or other TV device with your account, we collect a device identifier and device name. A secure token is generated and stored on the TV device (in the Roku Registry) to authenticate API requests. No passwords, personal data, or media files are stored on the TV device itself — content is streamed directly from our servers using time-limited URLs.
2. How We Use Your Information
- To provide and maintain the Service
- To authenticate you and manage your account
- To send transactional emails (welcome, capsule-sealed confirmations)
- To power AI features you explicitly invoke (photo descriptions, recipe suggestions, letter enhancement) — content is sent to Azure OpenAI and is not used to train models
- To detect and prevent abuse or security incidents
3. Data Storage & Security
Your data is stored exclusively in the United States using AWS (US-East-1 region) with DynamoDB and S3, both encrypted at rest. Your data is never transferred to or stored in servers outside the United States. Server-side sessions are stored in DynamoDB with a 31-day expiry. We enforce HTTPS on all connections and apply security headers (HSTS, X-Frame-Options, X-Content-Type-Options).
4. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Microsoft Entra External ID | Authentication | Email, name |
| Azure OpenAI | AI features (opt-in) | Content you submit to AI tools |
| Azure Communication Services | Email delivery | Your email address |
| Amazon Web Services (S3, DynamoDB) | File & data storage | All stored content |
4a. TV & Streaming Device Data
When you pair a TV device (e.g., Roku) with your account:
- Pairing code: A temporary 6-digit code is generated and expires after 10 minutes. It is not stored after pairing completes.
- Device token: A randomly-generated authentication token is created on pairing and stored as a hash in our database. The token is stored locally on the TV device and expires after 30 days.
- Device info: We store a device identifier, device name, and model information to let you manage linked devices from the web interface.
- Media access: The TV device accesses your photos and videos via time-limited signed URLs (4-hour expiry). No media files are cached or stored on the TV device.
- Revocation: You can revoke any linked TV device at any time from the Household page. Revocation immediately invalidates the device token.
5. How AI Features Handle Your Data
The Service includes optional AI-powered features. The table below explains exactly what data each feature sends, which AI model processes it, and what is retained afterward.
| AI Feature | What’s Sent to AI | AI Model | What’s Stored |
|---|---|---|---|
| Photo Description | Your photo (resized to 512px) | GPT-4o-mini (vision) | Only the text description — photo not retained by AI |
| Recipe Scan | Photo of ingredients | GPT-4o-mini (vision) | Only the ingredient list — photo not retained |
| Recipe Import (PDF) | PDF page image (if text unreadable) | GPT-4o-mini (vision) | Only the extracted recipe text |
| Letter Enhancement | Your letter text + recipient details | GPT-4o-mini | Only the enhanced letter — you control what’s saved |
| Voice Chat / Dictation | Audio recording | Whisper (speech-to-text) | Only the text transcript — audio discarded immediately |
| Text-to-Speech | Text to be spoken | GPT-4o-mini TTS | Nothing — audio streamed and not stored |
| AI Chat (all pages) | Page context + your question | GPT-4o-mini | Chat history in your session only (cleared on logout) |
| Document Review | Document text excerpt (max 3000 chars) | GPT-4o-mini | Chat history in your session only |
| Biography Generation | Interview answers you provided | GPT-4o-mini | Only the generated biography — you approve before saving |
6. Your Data Rights
You have full control over your data:
View
You can view all your data through the app. The Trust & Privacy page shows your security settings and the Access Graph shows who can see what.
Export
You can download a complete copy of your data at any time from your account’s Personalize page. Available to all plans.
Delete
To request full account and data deletion, email support@ioutoday.org. All data will be permanently removed within 30 days.
7. Data Retention
We retain your data for as long as your account is active. If you request account deletion, we will remove your data from DynamoDB and S3 within 30 days. Session records expire automatically after 31 days.
8. Health Information
The Service is not a HIPAA-covered entity. We do not operate as a healthcare provider, health plan, or healthcare clearinghouse, and we do not enter into HIPAA Business Associate Agreements.
You may store personal health-related documents for your own convenience. These files are encrypted at rest in AWS S3 and protected by the same security measures as all other content. However, the Service is not designed or certified for the storage of Protected Health Information (PHI) as defined under HIPAA. If you require HIPAA-compliant storage, please use a service certified for that purpose.
9. Children’s Privacy
The Service is not directed at children under 13. In compliance with the Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If you believe a child has provided us with data, contact us and we will delete it promptly.
10. U.S. State Privacy Rights
If you are a resident of a U.S. state with specific privacy legislation (such as the California Consumer Privacy Act or similar state laws), you may have additional rights regarding your personal information, including the right to know what data we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell your personal information. To exercise any data rights, contact us at support@ioutoday.org.
11. International Users
The Service is operated from and available only in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We do not comply with the EU General Data Protection Regulation (GDPR), UK GDPR, Canada’s PIPEDA, or other international privacy frameworks, as the Service is not offered to users in those jurisdictions.
12. Changes to This Policy
We may update this policy from time to time. We will notify you by posting the updated policy on this page with a revised “Last Updated” date. Material changes will be communicated via email.
13. Contact Us
IOU, INC
EIN: 81-2203628
Email: support@ioutoday.org
Web: ioutoday.org