Privacy Policy
Last updated: 24 February 2026
AIOPSOS ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the AIOPSOS platform, website, and related services (the "Service").
1. Information We Collect
1.1 Information You Provide
- Account Data: name, email address, job title, department, bio, skills, and profile avatar when you register or update your profile.
- Organisation Data: company name, industry, size, website, department structure, and organisation logo.
- Assessment Data: responses to AI maturity assessments, quiz answers, and self-reported scores.
- Chat & AI Interaction Data: prompts, messages, uploaded files, and conversation history when using the AI chat interface.
- Billing Data: payment method details are collected and processed directly by Stripe. We store your Stripe customer ID and subscription status but do not store credit card numbers.
- Communications: emails you send to us and feedback you provide through the platform.
1.2 Information Collected Automatically
- Usage Data: pages visited, features used, AI model usage, token consumption, timestamps, and interaction patterns.
- Device & Browser Data: IP address, browser type, operating system, device identifiers, and screen resolution.
- Cookies & Similar Technologies: see our Cookie Policy for details.
2. How We Use Your Information
We process your personal data for the following purposes:
- Providing the Service: authenticating your identity, managing your account, processing AI requests, generating recommendations and roadmaps, and delivering assessment results.
- Billing & Payments: processing subscriptions, managing seat allocation, and handling invoicing through Stripe.
- Communications: sending transactional emails (assessment invitations, reminders, results, approval notifications) and important service updates.
- Analytics & Improvement: understanding how the Service is used, diagnosing technical issues, and improving features.
- Security & Compliance: detecting and preventing fraud, abuse, and security threats; enforcing our Terms of Service; and meeting legal obligations.
- AI Model Routing: selecting the appropriate AI model based on your plan, usage quotas, and query complexity.
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we rely on:
- Contract Performance: processing necessary to provide the Service you signed up for.
- Legitimate Interests: analytics, security, and service improvement, where your rights do not override our interests.
- Consent: for optional cookies and marketing communications, which you can withdraw at any time.
- Legal Obligation: where processing is required by law.
4. Third-Party Service Providers
We share your data with trusted third-party processors who assist in operating the Service. These providers are contractually obligated to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, database, file storage | Account data, organisation data, all platform data |
| Stripe | Payment processing | Billing information, email, subscription details |
| OpenAI | AI model inference | Chat prompts and context (no PII sent intentionally) |
| Anthropic | AI model inference | Chat prompts and context |
| Google (Gemini) | AI model inference | Chat prompts and context |
| Mistral | AI model inference | Chat prompts and context |
| Resend | Transactional email delivery | Email address, name, email content |
| Vercel | Hosting and edge delivery | Request metadata, IP address |
5. AI Data Processing
When you interact with our AI features, your prompts and contextual data are sent to third-party AI model providers for processing. Important details:
- We apply guardrails including PII detection and prompt injection prevention to minimise sensitive data exposure.
- AI providers process data according to their own privacy policies and data processing agreements.
- We do not use your data to train our own AI models. Third-party providers' data retention policies vary; we select providers that offer zero-data-retention options where available.
- Chat conversations are stored in our database for your continued access and may be deleted by you at any time.
6. Data Retention
- Account Data: retained for as long as your account is active. Deleted within 30 days of account deletion.
- Chat History: retained until you delete individual conversations or your account.
- Assessment Data: retained for the lifetime of the organisation account to support historical trend analysis.
- Billing Records: retained as required by tax and financial regulations (typically 7 years).
- Audit Logs: retained for up to 12 months for security and compliance purposes.
- Usage Analytics: aggregated and anonymised data may be retained indefinitely.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Row-level security (RLS) policies to isolate tenant data.
- Secure session management with HTTP-only cookies.
- Rate limiting and abuse prevention.
- Regular security reviews and dependency audits.
No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
8.1 GDPR Rights (EEA Residents)
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Restriction: request limitation of processing.
- Objection: object to processing based on legitimate interests.
- Withdraw Consent: withdraw consent at any time where processing is based on consent.
8.2 CCPA Rights (California Residents)
- Right to know what personal information is collected and how it is used.
- Right to delete personal information.
- Right to opt out of the sale of personal information. We do not sell your personal information.
- Right to non-discrimination for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@aiopsos.com. We will respond within 30 days.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top reflects the most recent revision.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
- Email: privacy@aiopsos.com
- General: support@aiopsos.com
If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.