privacy policy.

folk is operated by Nozomio, Inc. ("nozomio", "we", "us"). our website is getfolk.app. for any privacy questions, email arlan@nozomio.com.

• phone number. used as your login identity and to deliver otp codes via sms.
• telegram profile. if you sign in with telegram, we store your telegram user id, display name, and photo url.
• conversation history. messages you send to folk and folk's replies are stored in your private, isolated sandbox.
• memory. folk builds a persistent memory of your preferences and context over time. this is stored inside your sandbox and is never shared.
• api keys you provide. if you bring your own credentials (openai, anthropic, google, etc.), they are encrypted with aes-256-gcm and stored in our database. they never leave your sandbox environment unencrypted.
• billing information. payment details are handled entirely by stripe. we store your stripe customer id and subscription status, not your card number.
• usage analytics. we use posthog and vercel analytics to understand how people use the product. this includes page views, feature usage, and basic device information. no conversation content is included in analytics.
• session data. we use http-only cookies to keep you logged in. sessions expire after 60 days.

• to authenticate you and maintain your session.
• to deliver folk's ai agent service to you.
• to process payments through stripe.
• to send you sms messages via your folk phone number.
• to improve the product based on aggregated, anonymized usage patterns.

your conversations, memory, files, and api keys are never used to train ai models. not ours, not anyone else's. this is a hard rule, not a policy we might change.

every folk user gets their own isolated cloud sandbox powered by daytona. your sandbox has its own filesystem, credentials, and runtime. nothing is shared between users.

sandboxes never hold platform api keys directly. all external api calls are routed through our authenticated proxy. your user-provided keys are encrypted at rest with aes-256-gcm and only decrypted inside your sandbox's secure runtime.

we use the following services to operate folk:

• stripe for payment processing.
• twilio for sms otp verification.
• linq for imessage delivery.
• telegram api for telegram bot messaging.
• mongodb atlas for database hosting.
• daytona for isolated cloud sandbox infrastructure.
• vercel for web hosting.
• posthog for product analytics.
• openrouter / anthropic / openai for ai model inference (routed through our proxy, never directly from your sandbox).

each of these services has their own privacy policy. we only share the minimum data required for each service to function.

we keep your data for as long as your account is active. if you delete your account (settings → privacy → delete my account), we permanently destroy your sandbox, conversations, memory, encrypted keys, and account record. this is irreversible.

stripe may retain billing records per their own retention policy and legal obligations.

• access. you can view all data folk stores about you in your dashboard and settings.
• deletion. you can delete your entire account and all associated data at any time from settings.
• portability. email us and we will export your data in a machine-readable format.
• correction. email us to correct any inaccurate personal data.

for any of these requests, email arlan@nozomio.com.

folk is not intended for anyone under 13. we do not knowingly collect data from children. if you believe a child has provided us personal information, contact us and we will delete it.

we may update this policy from time to time. if we make material changes, we will notify you via the app or email. continued use of folk after changes constitutes acceptance of the updated policy.

Nozomio, Inc.
arlan@nozomio.com
nozomio.com