Ally’s GDPR Commitment

What is GDPR?

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It is one of the most comprehensive changes made to data privacy regulations in the last two decades. The GDPR provides the citizens of the EU greater control over their personal data, and unifies a number of existing privacy and security laws under one umbrella law.

Does it affect us?

GDPR applies to all organizations that handle personal data of individuals from the EU region, irrespective of where they are located.

What data does Ally collect?

At Ally, we are committed to ensuring your data is secure with us. We only collect information that is absolutely necessary to support your organization’s OKR process, and deliver a good user experience. The data we collect and store is:

Employee information

  • Name
  • Email address
  • Password (unless your organization uses SSO like SAML, GoogleAuth, etc.)
  • Job title
  • Manager’s name
  • Profile picture
  • Timezone

Employees’ goals & updates

  • Objectives and Key Results
  • Check-ins and scores

Employee interactions

  • Likes
  • Comments

Information that helps us deliver a better experience

  • IP Address
  • Operating system
  • Browser or mobile app version

How does Ally use this data?

Ally processes personal data to provide the products and services and for other limited purposes set forth in our Privacy Policy.

How is Ally GDPR compliant?

At Ally, fulfilling our privacy and data security commitments is important to us. We’ve built a robust security framework, and we regularly review our internal access design to ensure the right people have access to the right level of customer data. We have also:

  • Invested in our security infrastructure
  • Audited our data architecture and retention policies
  • Audited our vendors and ensured they comply with the regulation
  • Updated our Privacy Policy
  • Enabled our customers to meet their GDPR obligations

Since we cater to organizations and process data on their behalf, any requests to remove or export an individual’s data have to be routed through the admins of the organization. Individuals can amend their own data.

Removal of data (‘Right to be forgotten’)

To permanently delete an individual’s data, admins can email us at

What gets deleted:

  • Name
  • Email
  • Password
  • Profile picture
  • Timezone
  • Job title
  • IP Address
  • Operating system
  • Browser or mobile app version

What does not get deleted:

  • Objectives and Key Results
  • Check-ins and scores
  • Likes and comments on check-ins

Note: It is possible that in some cases, due to legal or contractual obligations, we would not be able to delete your data immediately, but rest assured, Ally will remove data as soon as it is technically and legally possible.

Exporting data (‘Right to portability’)

To export an individual’s data, admins can email us at

Editing data (‘Right to rectification’)

To rectify inaccurate personal information, an individual can:

  1. Click on their picture in the top right corner of the page, and select ‘Edit Profile’; here, they may update their name, job title, profile picture and timezone.
  2. To edit their email address or manager information, individuals can route the request to the Organization admin.
  3. To update their password, individuals can click on their picture in the top right corner of the page, and select ‘Edit Settings’.

Admins can edit their users’ information, including email and manager information, by navigating to Admin > Users and clicking on ‘Edit’ under the Actions dropdown.

For any other questions, requests or issues regarding your data and how it is used, please reach out to us at and we’ll be happy to help.
