FAQ

Security and GDPR

Where data lives, how it is protected, which AI models we use, retention, deletion, and the DPA.

#Where is data stored?

In the EU. The database and application servers run in Frankfurt (Neon PostgreSQL and Vercel). Data is encrypted in transit (TLS 1.3 on public endpoints, encrypted on internal connections too) and at rest (AES-256).

#Are AI models trained on our data?

No. With all AI model providers we have contractually ensured that no training happens on platform data. Emails, sign-in tokens, and payment details are not sent to AI models at all.

#Which AI models do you use?

Claude models from Anthropic, through the OpenRouter routing service. The AI inference itself runs in the USA. What goes to the model is the conversation content and the necessary context (first name, level, score), never your email, sign-in tokens, or payment details. For voice input we use a speech-to-text service; only the audio of your answer goes to it, and from there only text is processed. Details are in our security package, which we will gladly send to your security team.

#What should I not write to Aimee?

Personal data of third parties, contract numbers, passwords, access keys, and confidential documents. Aimee will never ask you to upload a document or share sensitive details. If something like that does come up in the conversation, that is not right - let us know.

#How long do you keep data and how do I delete it?

We keep data for the lifetime of the account, at most within the limits of our privacy policy (a maximum of 3 years from completing the assessment). You can handle deletion and export yourself right in the app: in your profile you will find a "Data and privacy" section where you download an export of all your data in a machine-readable form (JSON) and where you can permanently delete the account - deletion removes the account and all linked data. Data disappears from backups within 7 days and from operational telemetry within 90 days. An organization can request bulk deletion at support@aibility.cz.

#Who is the controller and who is the processor of personal data?

In a company deployment your organization is the data controller and Aibility is the processor under a data processing agreement (DPA). For individual purchases, Aibility is the controller under the privacy policy.

#Do you have a DPA and a list of subprocessors?

Yes. The data processing agreement (DPA), the privacy policy, and the current list of subprocessors are available for your DPO or security review on request at support@aibility.cz. We report any incident to the supervisory authority within 72 hours under the GDPR; customers with a processing agreement are informed within 48 hours.

#How do payments work?

Through Stripe, as a one-time payment. You enter your payment card directly in the Stripe checkout; the card number never reaches us. Invited participants of company programs are not affected by payments at all.

#Can we limit which AI tools the platform recommends?

Yes. The organization sets its company context: approved tools, restrictions, and internal rules. Aimee and the recommendations then prefer the tools you allow. The buttons for opening external AI tools can also be turned off for the whole organization. Participants then simply copy the prompts into the tools your company has approved.

#Do you have penetration tests and ISO 27001?

The platform has passed a penetration test, the findings are fixed, and another test is planned for Q3 2026. Our information security management (ISMS) is built according to ISO/IEC 27001:2022, with independent certification planned. We provide the documentation for review on request.

On this page