AIstein Company Privacy Notice

1. Client Representatives and Direct Users: Individuals who register for or use the AIstein website, console, or products for internal business purposes, where AIstein acts as a data controller (e.g., when you interact with aistein.ai as a direct customer or administrator, or use our specialized enterprise plans like AIstein Team or Enterprise).
2. Commercial Services Processing: This Notice also describes AIstein's role when it acts as a data processor (or "service provider") when processing personal data on behalf of commercial customers (the data controller) using AIstein’s Commercial Services. In these cases, the terms of the commercial agreement and the customer's own privacy policies govern the processing of that data.

This Notice describes your privacy rights, especially as they pertain to data where AIstein is the controller. More information about your rights, and how to exercise them, is set out in Section 4 (“Rights and Choices”).

• If your company is located in Canada, please read section 11 of this Notice.
• If your company is located in Brazil, please read section 12 of this Notice.

---

1. Collection of Personal Data

   • We collect the following categories of personal data:

   Personal Data the Client or User Provides to Us Directly

   • Identity and Contact Data: AIstein collects identifiers, including name, business email address, business phone number, and job title when a user signs up for an AIstein account, or to receive information on our Services. We may also collect or generate indirect identifiers (e.g., “CLIENT-USER-12345”).

   • Payment Information: We shall collect the Client's payment information (e.g., billing details, credit card numbers where applicable) if the Client chooses to purchase access to AIstein’s products and services.

   • Inputs and Outputs (Client Data): Users are able to interact with our Services in a variety of formats, including but not limited to chat sessions, coding, and agentic sessions (“Prompts” or "Inputs"), which generate responses and actions (“Outputs”) based on Inputs. This includes third-party applications the Client chooses to integrate with our Services. If the Client includes personal data or references external content in its Inputs, we will collect that information and this information may be reproduced in Outputs. For Commercial Services, Inputs and Outputs are generally governed by the Client's agreement with AIstein.

   • Feedback on Services: We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input ("Feedback"). If a user rates an Output, we will store the entire related conversation as part of the Feedback.

   • Communication Information: If a user communicates with us (e.g., via support email or chatbot), we collect the user's name, contact information, and the contents of any messages sent.

   Personal Data We Receive Automatically from Your Use of the Services

   When users access the Services, we also receive certain technical data automatically (collectively “Technical Information”). This includes:

   • Device and Connection Information: Consistent with device or browser permissions, device or browser information such as device type, operating system information, browser information, IP address (including information about the location of the device derived from the IP address), and identifiers.

   • Usage Information: We collect information about the use of the Services, such as the dates and times of access, links clicked, pages viewed, and other information about how the Services are used.

   • Log and Troubleshooting Information: We collect information about how our Services are performing (e.g., log files, error reports, feature use at the time of error).

   • Cookies & Similar Technologies: We and our service providers use cookies, scripts, or similar technologies (“Cookies”) to manage the Services, recognize the user, customize the experience, and analyze the use of our Services. For more details, please visit our Cookie Policy.

   Note: For Clients under specific commercial contracts (e.g., Enterprise plans), Inputs and Outputs may be excluded from model training. This is governed by the executed commercial agreement.

---

2. Uses of Personal Data Permitted Under Applicable Data Protection Laws

   • We use personal data (where AIstein is the data controller) for the following business and commercial purposes:

     • To provide and maintain the Services: To facilitate products and services offered to the Client with respect to its AIstein account, which are governed by the Client's Terms of Use.

     • To enhance the platform: To provide, maintain and facilitate optional services and features that enhance platform functionality and user experience.

     • To communicate: To send information about our Services, events, technical announcements, and marketing materials.

     • Account Administration: To create and administer the Client's AIstein account and facilitate payments.

     • Security and Compliance: To prevent and investigate fraud, abuse, violations of our Usage Policy, unlawful or criminal activity, unauthorized access, protect our rights, and to meet legal, governmental, and institutional policy obligations.

     • Issue Resolution: To investigate and resolve disputes and security issues; to debug and repair errors.

     • Improvement and Research: To improve the Services and conduct research, including model training (unless covered by an opt-out or specific commercial agreement).

     • Enforcement: To enforce our Terms of Use and related agreements.

     Inputs and Outputs for Model Training: We may use Inputs and Outputs to train our models and improve our Services, unless the Client opts out through its account settings or is covered by a specific commercial agreement. Even if the Client opts-out, we will use Inputs and Outputs for model improvement when: (1) conversations are flagged for safety review, or (2) materials are explicitly reported via feedback mechanisms.

---

3. How We Disclose Personal Data

   • AIstein will disclose personal data (where AIstein is the data controller) to the following categories of third parties:

     • Affiliates & Corporate Partners: Between and among AIstein's affiliates and related entities.

     • Service Providers & Business Partners: With service providers and business partners for purposes including data hosting, compliance, research, auditing, data processing, and providing the services (e.g., cloud hosting providers). A list of our sub-processors is available upon request for commercial customers.

     • Significant Corporate Events: As part of a merger, corporate transaction, bankruptcy, or transfer of business assets.

     • Third-Party Websites and Services: When the Services involve integrations with, or direct users to, external third-party services. Such interaction is subject to the third party’s privacy policy.

     • Legal/Regulatory Requirements: To governmental regulatory authorities as required by law, in response to requests, or to assist in investigations. Also, to third parties in connection with claims, disputes, or litigation, or if disclosure is necessary to protect health and safety, prevent fraud, enforce our legal rights, or as otherwise required by applicable law.

     • With Consent: When an individual or the Client gives us permission or directs us to disclose this information.

   The Client also must not abuse, harm, interfere with, or disrupt our Services, including, for example, introducing viruses or malware, spamming or DDoSing Services, or bypassing any of our systems or protective measures.

---

4. Rights and Choices

   • Depending on the jurisdiction where the Client or user is located, the following rights may apply to personal data processed by AIstein as a data controller:

     To exercise your rights, you or an authorized agent may submit a request by emailing us at privacy@aistein.ai. We may verify your request by confirming your identity.

     • Right to Know/Access: The right to know and receive a copy of what personal data AIstein processes about you, including categories of data, sources, purposes, and disclosures.

     • Deletion: The right to request that we delete personal data collected from you, subject to certain legal exceptions (e.g., retaining data for legal compliance).

     • Correction: The right to request that we correct inaccurate personal data.

     • Objection: The right to object to processing of your personal data, including processing based on legitimate interests.

     • Restriction: The right to restrict our processing of your personal data in certain circumstances.

     • Withdrawal of Consent: The right to withdraw consent where processing is based on consent.

     • Opt-out of Targeted Marketing: AIstein does not "sell" personal data. You can opt-out of sharing your personal data for targeted advertising to promote our products and services.

     AIstein gives the Client access to tools to manage data within the Privacy Settings of the AIstein Console.

---

5. Data Transfers

   When you access our website or Services, your personal data may be transferred to our servers in the US, or to other countries outside the European Economic Area (“EEA”) and the UK.

   Where information is transferred outside the EEA or the UK, we ensure it benefits from an adequate level of data protection by relying on:

   • Adequacy Decisions: Decisions from the European Commission (or equivalent decisions under other laws) recognizing that a country outside of the EEA offers an adequate level of data protection.

   • Standard Contractual Clauses (SCCs): Contractual clauses approved by the European Commission (or their approved equivalent for the UK and Switzerland) used to transfer data to certain affiliates and third parties in countries without an adequacy decision.

---

6. Data Retention, Data Lifecycle, and Security Controls

   AIstein retains personal data for as long as reasonably necessary for the purposes and criteria outlined in this Privacy Notice and as required by applicable laws.

   Aggregated or De-Identified Information

   We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct research, study user behavior, and train our AI models as permitted under applicable laws and Client agreements.

   Security Controls

   We implement appropriate technical and organizational security measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.

   ---

7. Children

   AIstein may update this Privacy Notice from time to time. We will notify the Client of any material changes, as appropriate, and update the Effective Date at the top of https://www.aistein.ai/legal/privacy.

   ---

8. Changes to Our Privacy Notice

   • AIstein may update this Privacy Notice from time to time. We will notify the Client of any material changes, as appropriate, and update the Effective Date at the top of https://www.aistein.ai/legal/privacy.

---

9. Contact Information

   • If you have any questions, complaints, or requests regarding this Privacy Notice or your personal data, you can contact us:

     • Email: privacy@aistein.ai

     You have the right to lodge a complaint with the supervisory authority in the place in which you live or work.

---

10. Legal Bases for Processing

    • Purpose	Type of Data	Legal Basis
      To provide and maintain Services (under Terms of Use)	Identity/Contact, Payment, Inputs/Outputs, Technical Info, Feedback	Contract
      To enhance platform functionality	Identity/Contact, Technical Info, Feedback	Legitimate Interests (to improve product functionality and user experience)
      To communicate and promote Services	Identity/Contact, Communication Info, Technical Info	Contract/Consent/Legitimate Interests (to promote services and send direct marketing)
      Account Administration and Payments	Identity/Contact, Payment Info, Feedback	Contract
      Security, Fraud Prevention, and Compliance	All Categories	Legal Obligation/Legitimate Interests (to protect business/users, enforce terms, and cooperate with authorities)
      Issue Resolution and Debugging	Identity/Contact, Technical Info, Inputs/Outputs, Feedback	Legitimate Interests (to resolve complaints, maintain continuous function)
      Improve Services and Research (including model training)	Technical Info, Inputs/Outputs, Feedback	>Legitimate Interests/Consent
      To enforce Terms of Use	Identity/Contact, Inputs/Outputs, Technical Info	Contract/Legitimate Interests (to enforce rules and maintain platform integrity)

---

11. Supplemental Disclosures for Residents of Canada

    • Consent: By consenting to this Notice, the Client confirms understanding and consent to the collection, use, processing, and disclosure of personal data in accordance with this Notice. Consent may be withdrawn subject to legal or contractual restrictions and reasonable notice.

      • Cross-jurisdictional Transfers: The Client acknowledges and agrees that personal data may be transferred or disclosed for processing and storage outside of Canada, including to the United States and other countries, where laws regarding the protection of personal data may differ.

---

12. Supplemental Disclosures for Residents of Brazil

    • Legal Bases: AIstein may rely on different grounds where permitted by and in accordance with the Brazilian General Data Protection Law (LGPD), such as the "exercise of legal rights."

    • Data Subject's Rights: LGPD grants rights including confirmation of processing, access, correction of incomplete/outdated data, anonymization/blocking/erasure, portability, and information about shared data. These rights are not absolute.

    • International Data Transfers: AIstein relies on Standard Contractual Clauses (SCCs) for data transfers from Brazil where required and where not covered by an adequacy decision.

---

I have revised the Privacy Notice to reflect the company AIstein (aistein.ai) and a focus on enterprise/commercial users. Would you like to review the corresponding Terms of Use I created previously or move on to a new request?