1. Data Controller
Dostily ("we", "us", "our") is the data controller responsible for your personal data. Dostily is an AI companion platform operated from India.
- Email: hello@dostily.com
- Website: dostily.com
2. Information We Collect
Account Information:
- Name, email address, gender, and date of birth (required for registration)
- Password (stored as a one-way bcrypt hash — we cannot see your password)
- Google account information (if using Google Sign-In): email, name, profile picture
Conversation Data:
- Messages you send and receive from your AI friends
- Voice call logs (duration and status only — we do not record or store audio from calls)
- AI memories extracted from conversations (facts, preferences, events you share)
- Conversation summaries generated by the AI
AI Friend Configuration:
- Friend name, personality, gender, voice, language preferences
- Bond notes (your personal instructions to the AI)
- Important dates you add
- Avatar photos you upload
Technical Data (collected automatically):
- IP address (for security, rate limiting, and abuse prevention only)
- Browser type and version, device type, operating system
- Login timestamps and session data
- Pages visited and actions taken within the app (no third-party analytics trackers)
Payment Information:
- We do not store your credit/debit card numbers, CVV, expiry dates, UPI IDs, or bank account details — not even temporarily
- All payment processing is handled entirely by Stripe (Stripe, Inc.), a PCI DSS Level 1 certified payment processor — the highest level of security certification in the payments industry
- When you subscribe, you are redirected to Stripe's secure hosted checkout page (checkout.stripe.com). Your card details are entered directly on Stripe's infrastructure and never touch our servers
- We only receive and store: payment confirmation status, subscription plan, Stripe customer ID, and Stripe subscription ID — no sensitive financial data
3. Legal Basis for Processing (GDPR)
If you are in the EU/EEA/UK, we process your data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for (account data, conversation processing, AI friend features).
- Legitimate interests: Security monitoring, abuse prevention, rate limiting, and service improvement — balanced against your privacy rights.
- Consent: Push notifications (opt-in only). You can withdraw consent at any time.
- Legal obligation: Where we are required to retain data by applicable law.
4. How We Use Your Data
- To provide the service: Your messages are sent to AI providers to generate responses. This data is processed transiently and is not retained by AI providers beyond the immediate request.
- To personalize your experience: AI memories help your friends remember details about you across conversations.
- To enable voice features: Text is sent to voice providers for text-to-speech generation. No audio recordings of your voice are stored by us.
- For security: IP addresses and login attempts are logged to prevent unauthorized access, detect abuse, and enforce rate limits.
- To send notifications: If you opt in, we send push notifications from your AI friends.
- To process payments: Subscription management and billing through our payment processor.
- To comply with law: Where required by legal obligations, court orders, or regulatory requirements.
5. How We Protect Your Data
- Encryption at rest: All conversation messages, AI memories, bond notes, and conversation summaries are encrypted using AES-256-GCM before being stored in our database. Even in the event of a database breach, your conversations remain unreadable without the encryption key.
- Encryption in transit: All data between your browser and our servers is transmitted over HTTPS with TLS 1.2+ encryption.
- Password security: Passwords are hashed using bcrypt with a cost factor (salt rounds) of 12. We cannot see, recover, or reverse your password.
- Session security: Sessions use secure, HTTP-only cookies with CSRF protection. Sessions expire after 7 days or 30 minutes of inactivity.
- Rate limiting: All API endpoints are rate-limited to prevent brute-force attacks and abuse.
- Security headers: Content Security Policy, HSTS, X-Frame-Options, and other security headers are enforced.
- Audit logging: Sensitive actions (login, password change, account deletion) are logged for security monitoring.
- Access control: Strict server-side authentication ensures users can only access their own data.
6. What We Do NOT Do
- We do not sell, rent, trade, or share your personal data with advertisers, data brokers, or marketing companies.
- We do not use your conversations to train AI models.
- We do not use your conversations for marketing, advertising, or profiling purposes.
- We do not manually read your private conversations unless required by law, court order, or to investigate a safety concern reported by you.
- We do not record or store your voice during voice calls.
- We do not use third-party analytics, tracking pixels, or advertising SDKs.
- We do not engage in automated decision-making or profiling that produces legal effects concerning you.
7. Third-Party Services
We use the following third-party services to provide our features. Data shared with them is limited to what is strictly necessary:
- Google Gemini (Google LLC, USA) — AI conversation generation. Messages are sent transiently for response generation and are not retained by Google beyond the API request, per their API data usage policy.
- ElevenLabs (USA) — Voice generation for real-time calls. Text is sent for speech synthesis. No audio recordings of users are shared.
- Sarvam AI (India) — Alternative voice generation for Indian language support.
- Stripe (Stripe, Inc., USA) — Handles all payment collection, subscription billing, and card storage. Stripe is PCI DSS Level 1 certified. Your card details are entered on Stripe's secure checkout page and are never transmitted to or stored on our servers. Stripe's privacy policy: stripe.com/privacy
Each third-party processor operates under its own privacy policy and data protection obligations. We select processors that maintain appropriate security standards.
8. International Data Transfers
Your data is primarily stored on servers in India. However, to provide the Service, your data may be transferred to and processed in:
- United States — For AI processing (Google Gemini) and voice generation (ElevenLabs).
- India — Primary data storage and application servers.
For EU/EEA/UK users: These transfers are conducted based on Standard Contractual Clauses (SCCs) or equivalent appropriate safeguards as required by GDPR. By using the Service, you consent to these transfers while being informed of the safeguards in place.
9. Data Retention
- Your data is retained as long as your account is active.
- Deleted AI friends and their data are permanently deleted within 30 days.
- If you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by applicable law (e.g., financial records may be retained for up to 7 years for tax purposes).
- Security and audit logs are retained for up to 90 days and then automatically purged.
- Anonymized, aggregated data (that cannot identify you) may be retained indefinitely for service improvement.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
All Users:
- Access: Request a copy of all personal data we hold about you.
- Correction: Update or correct inaccurate personal data via Settings.
- Deletion: Delete your account and all associated data via Settings or email.
- Data Export: Download all your data in machine-readable format (JSON) via Settings.
EU/EEA/UK Users (GDPR):
- Right to data portability: Receive your data in a structured, commonly used format.
- Right to restrict processing: Request limitation of processing in certain circumstances.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw consent at any time (e.g., push notifications).
- Right to lodge a complaint: File a complaint with your local Data Protection Authority (DPA).
California Users (CCPA/CPRA):
- Right to know: Request disclosure of categories and specific pieces of personal information collected.
- Right to delete: Request deletion of personal information.
- Right to opt-out of sale: We do not sell your personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
Indian Users (DPDPA 2023):
- Right to access: Obtain a summary of your personal data and processing activities.
- Right to correction and erasure: Request correction of inaccurate data or erasure of data no longer necessary.
- Right to grievance redressal: Contact our grievance officer at hello@dostily.com.
- Right to nominate: Nominate another person to exercise your rights in case of death or incapacity.
To exercise any of these rights, contact us at hello@dostily.com. We will respond within 30 days (or sooner if required by your local law).
11. Children's Privacy
Dostily is for users aged 18 and above. We do not knowingly collect personal data from anyone under 18 years of age. If we discover that a user is under 18, we will immediately delete their account and all associated data. If you believe a minor is using our Service, please contact us at hello@dostily.com.
12. Cookies & Local Storage
We use only essential cookies required for the Service to function:
- session_token — Authentication cookie. Keeps you logged in. (HTTP-only, Secure, SameSite=Lax, expires in 7 days)
- csrf_token — Security cookie. Prevents cross-site request forgery attacks. (Secure, SameSite=Lax)
We do not use:
- Third-party tracking cookies
- Analytics cookies (Google Analytics, Mixpanel, etc.)
- Advertising or retargeting cookies
- Social media tracking pixels
Because we only use strictly necessary cookies, no cookie consent banner is required. However, you can disable cookies in your browser settings — note that this will prevent you from logging in.
13. Do Not Track
We do not track users across third-party websites. We honor Do Not Track (DNT) signals by default — we have no tracking infrastructure to begin with.
14. Data Breach Notification
In the unlikely event of a data breach that affects your personal data, we will notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR) and report to relevant authorities where legally required. Our encryption-at-rest measures significantly reduce the risk of data exposure even in a breach scenario.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via email or in-app notice at least 15 days before taking effect. Your continued use of the Service after changes take effect constitutes acceptance. The "Last updated" date at the top indicates when the policy was last revised.
16. Contact & Grievance Officer
For any privacy-related questions, concerns, or to exercise your rights:
- Email: hello@dostily.com
- Grievance Officer (India DPDPA): hello@dostily.com
- Response time: Within 30 days of receiving your request
EU users may also contact their local Data Protection Authority. A list of DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en