Fundamentals

Data & Sources

What personal data we collect and where it comes from (you, your device, partners).

Purpose of this page

This page explains what data we collect, where it comes from, when we collect it, and the controls you have. Legal details live in Purposes & Legal Bases, Retention, and Recipients & Transfers.

Product scope

AIM operates today as a multi-AI web application, with a mobile app launching soon. We serve B2C users and B2B customers (enterprise workspaces).

What we collect (by category)

  • Account & Identity. Name, email, workspace membership, role, and password hash. Authentication and storage are handled by Supabase.

  • Authentication & Security. Login events, MFA signals, session identifiers, and abuse/fraud indicators—captured with data minimization in mind and encrypted in transit and at rest.

  • Communications. Messages you send us (support or feedback), request metadata, and attachments you upload.

  • Subscription & Billing. Plan, status, renewal dates, and limited billing metadata. Payments are processed by Stripe; card numbers never touch AIM.

  • Product Usage & Telemetry. Feature usage, performance metrics, error/crash logs, latency, and basic diagnostics—kept to the minimum needed for reliability and safety.

  • Device/Network & Trackers. Device type, OS, browser, language, IP (for approximate location), session identifiers, and consent state for non-essential trackers. Google Analytics runs only with consent.

  • Content You Provide. Prompts, files you upload, and AI outputs (text, images, transcripts) you choose to create or store in AIM.

  • Integrations (optional & revocable). Limited fields strictly necessary to fulfill your request (e.g., summarize unread Gmail messages; create a Calendar event) from third-party services you connect—such access can be revoked at any time.

  • Preferences & Marketing. Notification settings, communication preferences, and non-sensitive campaign interactions.

Sensitive data & minors. 
AIM does not seek sensitive data (e.g., health, biometrics) by default.
AIM is intended for adults and is not designed for children below the applicable digital-consent age.

Where the data comes from

From you (sign-up, prompts, uploads, settings, support requests); from your device/browser (telemetry and technical signals); from services you connect (optional Google integrations you authorize); from enterprise admins (for managed workspaces); and from select vendors/processors (Supabase for auth/storage, Stripe for payments, Google Analytics for consented measurement).

When we collect data

At sign-up and authentication (account creation, login, MFA); while using AIM (feature usage, prompts/outputs, reliability telemetry); when connecting integrations (after your explicit authorization and within the scope you select); during payments (via Stripe); and via support/feedback you send us.

Training & fine-tuning (default with opt-out)

By default, prompts and outputs may be used to improve model performance, including models provided by third-party AI vendors. You can opt out in your settings. Where a provider supports its own training opt-out, we honor and propagate your choice when technically available. Opting out does not block core service delivery, but may reduce certain quality signals.

On first entry, you choose between Accept & Access (consented use of non-essential trackers, e.g., analytics) or Access Without Tracking via Subscription (a paid, tracking-free alternative offering an equivalent experience). If you refuse and do not select the subscription, access is not granted. Strictly necessary trackers remain active for technical reasons (security, load balancing, session). You can withdraw consent as easily as you gave it (e.g., via a persistent Privacy link).

Location signals

We process approximate location (e.g., IP-based) to understand user distribution and optimize performance. If device-level location is introduced in the future, it will be off by default and activated only with explicit consent.

Security, storage & transfers

All data is encrypted in transit and at rest. AIM uses Supabase for authentication and storage and operates on global data centers, which may involve cross-border transfers. We apply appropriate safeguards (e.g., standard contractual clauses or equivalent) as detailed in Recipients & Transfers.

Minimization, retention & deletion

We apply data minimization and keep data only as long as needed for stated purposes, legal requirements, and product needs. Accounts remain active as long as the subscription is paid. After cancellation or termination, we delete or anonymize data according to the schedules in Retention. Logs, telemetry, and analytics follow operational and legal criteria. You can request deletion through Your Rights.

Keep only as long as

Regional notes

In the EEA/UK/CH, AIM operates under GDPR/nFADP. In California or other US states, see regional notices (e.g., CPRA) in the Privacy Center. Your rights and choices are described in Your Rights and in the sections above.

Conclusion

AIM explains what we collect (e.g., Account & Identity, Authentication & Security, Communications, Subscription & Billing, Product Usage & Telemetry, Device/Network & Trackers, Content You Provide, Integrations, Preferences & Marketing), where it comes from (you, your device/browser, services you connect, enterprise admins, and select vendors/processors like Supabase, Stripe, Google Analytics), and when we collect it (at sign-up/authentication, while using AIM, when connecting integrations, during payments, and via support/feedback). By default, training & fine-tuning may use prompts/outputs with a clear opt-out; access follows Consent or Subscription (non-essential trackers like Google Analytics only with consent). We process approximate location (IP) and would enable device-level location only with explicit consent. All data is encrypted in transit and at rest; cross-border transfers rely on safeguards (e.g., SCCs). We apply minimization, follow Retention for timelines, and honor deletion via Your Rights. Regional frameworks (GDPR/nFADP, CPRA) apply as described, and versioning appears at the end of the page.

Versioning

Effective date: {YYYY-MM-DD} — Last updated: {YYYY-MM-DD}
