Carrotly← Back to home

Legal

Privacy Policy

Last updated: 23 May 2026. This policy describes how CARROTLY PTE. LTD. (UEN 202212557Z) collects, uses, discloses, and protects personal data in connection with our Products. It is written with reference to Singapore's Personal Data Protection Act 2012 ("PDPA").

1. Who we are

Carrotly Pte. Ltd. is the data controller (under PDPA: the "organisation") for personal data collected through our Products, including Aimpress, TooLong.xyz, HeyIsla, and Story Time Together. Our registered office is at 160 Robinson Road, #14-04, Singapore Business Federation Center, Singapore 068914.

You can reach our Data Protection Officer at privacy@carrotly-ai.com.

2. Personal data we collect

Information you give us

  • Account information — name, email address, password (hashed), profile preferences, and (for some Products) information about who the account is used by (e.g. a child's first name and age for Story Time Together).
  • Billing information — processed by Stripe. We receive limited metadata (card brand, last 4 digits, expiry, country, billing address, plan) but do not store full card numbers.
  • Content you submit — text, prompts, files, links, calendar data, social-media drafts, video URLs, story preferences, and similar inputs you provide while using the Products.
  • Communications — emails and support tickets you send us.

Information we collect automatically

  • Usage data — features used, actions taken, errors encountered, approximate timing of activity.
  • Device and log data — IP address, browser type and version, operating system, referrer, time-zone, and similar technical information.
  • Cookies and similar technologies — see Section 9.

Information from third parties

  • If you sign in with Google or Microsoft, we receive your name, email, and profile image as authorised by that provider.
  • If you connect a third-party service (LinkedIn, X/Twitter, Google Calendar, Outlook, YouTube), we receive only the data needed to deliver the feature you enabled — for example, scheduling write permissions or calendar read/write tokens.

3. How we use personal data

We use personal data for the following purposes:

  • To provide, operate, and maintain the Products;
  • To process payments, billing, refunds, and to detect and prevent fraud or abuse;
  • To deliver AI-generated content you have requested, including by sending your prompts and content to large language model providers acting as our processors;
  • To provide customer support and respond to your enquiries;
  • To improve the Products — for example, by analysing aggregated or de-identified usage to understand which features people use;
  • To send service messages (account, security, billing, important changes) and, where you've opted in, marketing emails from which you may unsubscribe at any time;
  • To comply with legal obligations, enforce our Terms, and protect our rights and the rights of others.

4. Legal basis under the PDPA

Under the PDPA, we rely on the following bases for collecting, using, and disclosing personal data:

  • Consent — given when you create an account or enable specific features;
  • Deemed consent by contractual necessity — where processing is necessary to provide the Products you've requested;
  • Legitimate interests — for example, to secure our Products against fraud, ensure service reliability, and develop improvements, where we have assessed the impact on you to be proportionate;
  • Legal obligations — to comply with applicable laws, court orders, or regulatory requests.

You may withdraw consent at any time by contacting privacy@carrotly-ai.com. Withdrawing consent may mean we can no longer provide some or all of the Products to you.

5. Disclosure to third parties

We do not sell personal data. We disclose personal data only to the following categories of recipients, each bound by contractual obligations to keep your data secure and use it only for the purposes we specify:

  • Payment processing — Stripe, Inc. (United States) handles card data and billing.
  • Cloud hosting and infrastructure — Vercel, Amazon Web Services, and similar providers in the United States and European Union.
  • AI model providers — Anthropic (Claude), OpenAI, Google, and similar providers, to generate output you request. Prompts and content you submit may be transmitted to and processed by these providers under their respective terms; we choose providers who offer zero-retention or no-training-by-default arrangements where commercially available.
  • Email and messaging — providers used to send transactional and marketing email and in-product messages.
  • Analytics and error tracking — providers such as PostHog and Sentry used to understand usage and diagnose issues.
  • Professional advisers — auditors, lawyers, and accountants subject to confidentiality obligations.
  • Authorities and others — where required by law, court order, or to protect the rights, property, or safety of Carrotly, our users, or others.
  • Business transfers — in the context of a merger, acquisition, financing, or sale of assets, in which case the recipient must honour this Privacy Policy.

6. International transfers

Some recipients listed above are located outside Singapore (including in the United States and the European Union). When we transfer personal data overseas, we take reasonable steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is comparable to the PDPA — typically through contractual data-processing terms.

7. Retention

We retain personal data only for as long as necessary for the purposes described in this policy, including to meet legal, accounting, or reporting requirements. When personal data is no longer needed, we will delete it or render it anonymous. Specifically:

  • Account data — retained while your account is open and for up to 12 months after closure, except where longer retention is required by law.
  • Content you submit — retained while your account is open; deleted when you delete it, or within 30 days of account closure.
  • Billing records — retained for the period required by Singapore tax and accounting law (currently a minimum of five years).
  • Support correspondence — retained for up to three years from last contact.

8. Security

We implement reasonable technical and organisational measures designed to protect personal data — including encryption in transit (TLS), encryption at rest for sensitive data, access controls, least-privilege engineering practices, and monitoring. No system is perfectly secure, however; we cannot guarantee absolute security and we ask that you also protect your account by using strong, unique passwords and enabling any available multi-factor authentication.

9. Cookies and similar technologies

We use a small number of cookies and similar technologies to keep you signed in, remember preferences, secure the Products against abuse, and understand aggregate usage. Strictly necessary cookies are used without consent because they are needed to deliver the Products you've requested. Analytics cookies, where used, are configured with privacy-respecting defaults; you can disable them in your browser or device settings.

10. Children's data

Most Products are intended for adults. Story Time Together is intended to be operated by a parent or guardian on behalf of a child; we ask for only the limited information needed to personalise stories (typically a first name and age), and we do not knowingly use a child's data for marketing or behavioural profiling. If you believe a child has provided us with personal data without parental consent, please contact us and we will delete the data promptly.

11. Your rights under the PDPA

You have the right to:

  • Access — request a copy of the personal data we hold about you, and information about how it is used and disclosed;
  • Correction — ask us to correct personal data that is inaccurate or incomplete;
  • Withdrawal of consent — withdraw any consent you've given for the collection, use, or disclosure of your personal data;
  • Deletion — ask us to delete your personal data, subject to legal retention obligations.

To exercise any of these rights, email privacy@carrotly-ai.com. We will acknowledge your request within 14 days and respond fully within 30 days where reasonably practicable. A reasonable fee may apply for access requests as permitted by the PDPA.

12. Complaints

If you believe we have not handled your personal data in accordance with the PDPA, please contact us first at privacy@carrotly-ai.com so we can investigate and respond. You also have the right to lodge a complaint with the Singapore Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

13. Changes to this policy

We may update this Privacy Policy from time to time. If a change is material, we will give reasonable notice — typically by email to your account address or a prominent notice in the Product — before the change takes effect.

14. Contact

Questions or requests about this policy?
Email: privacy@carrotly-ai.com
Post: CARROTLY PTE. LTD., 160 Robinson Road, #14-04, Singapore Business Federation Center, Singapore 068914.