PRIVACY
Your data, your rights. We built AINTECH on the principle that your data belongs to you -- always.
EU Data Residency
Frankfurt, Amsterdam & Paris only
GDPR Compliant
Full compliance since day one
No Data Selling
We never sell or trade your data
Right to Delete
Full erasure within 30 days
We NEVER Sell Your Data. Period.
Unlike US BigTech, your data is not our business model. We make money by providing excellent AI infrastructure, not by monetizing your information. This commitment is contractually binding, independently audited, and documented in our SOC 2 Type II report.
1. Data We Collect
Personal Data
When you create an AINTECH account, we collect your full name, email address, company name, job title, and billing information (payment method, billing address, VAT number). For Enterprise customers, we may also collect information about authorized team members including names and email addresses. This data is strictly necessary to provide our Services, manage your subscription, and comply with EU tax and invoicing requirements.
Usage Data
We collect anonymized and aggregated usage metrics including API call volumes, feature usage patterns, model selection preferences, latency measurements, error rates, and platform navigation patterns. This data is used exclusively to improve platform reliability, optimize routing algorithms, and inform product development decisions. We never log the content of your API requests, prompts, or model responses unless you explicitly enable debug logging in your account settings.
Technical Data
We automatically collect IP addresses, browser type and version, operating system, device type, screen resolution, access timestamps, and referring URLs for security monitoring, abuse prevention, and service optimization. Technical data is processed only within the EU and is retained for a maximum of 90 days, after which it is automatically and permanently deleted.
API & Model Interaction Logs
For performance monitoring and debugging purposes, we log API request metadata including endpoint called, HTTP method, response status code, response time, token count, and model version used. We do NOT log request bodies, prompt content, or model output content. If you enable optional verbose logging for your own debugging purposes, that data is stored encrypted and is automatically purged after 7 days.
2. How We Use Data
Service Provision
We use your data exclusively to provide, maintain, and operate the AINTECH Services. This includes authenticating your identity, routing API requests, processing model inference, managing billing and invoicing, providing customer support, and sending essential service notifications such as security alerts, billing updates, scheduled maintenance windows, and SLA reports.
Platform Improvement
Anonymized and aggregated usage data -- stripped of all personal identifiers and customer-attributable information -- is used to improve platform performance, optimize ROUTER routing algorithms, develop new features, and inform infrastructure capacity planning. Individual user data, prompt content, or model outputs are never used for these purposes. Our analytics pipeline ensures k-anonymity with k >= 50 before any data enters the improvement pipeline.
Security & Compliance
We process technical data and usage patterns for automated security monitoring, threat detection, abuse prevention, fraud detection, and compliance enforcement. This processing is based on our legitimate interest in maintaining platform security and integrity (GDPR Art. 6(1)(f)), and where required, on our legal obligations under EU cybersecurity regulations including NIS2.
Communication
We use your email address to send essential service notifications that are necessary for the operation of your account. Marketing communications, including product announcements, feature highlights, blog digests, and event invitations, are strictly opt-in. You can manage your communication preferences at any time through your account settings or by clicking the unsubscribe link in any marketing email. We will never contact you via phone for marketing purposes.
What We NEVER Do
We NEVER sell, rent, lease, trade, or otherwise monetize your personal data. We NEVER use your data, prompts, or model outputs to train, fine-tune, or improve AI models. We NEVER share your data with advertisers, data brokers, or marketing partners. We NEVER use tracking pixels, fingerprinting, or cross-site surveillance technologies. This is not merely a policy choice -- it is a foundational architectural principle embedded in the design of the AINTECH platform.
3. Data Storage & Residency
EU-Only Infrastructure
All customer data is stored and processed exclusively within the European Union. Our primary data centers are located in Frankfurt (Germany) and Amsterdam (Netherlands), with disaster recovery facilities in Paris (France) and Dublin (Ireland). Data never leaves EU/EEA jurisdiction under any circumstances unless you explicitly configure cross-region replication and provide the required legal basis for the international transfer. Our infrastructure runs on EU-owned and operated data centers -- we do not rely on US hyperscaler regions.
Encryption Standards
All data is encrypted at rest using AES-256-GCM with customer-specific encryption keys. Data in transit is protected by TLS 1.3 with perfect forward secrecy -- we have permanently disabled TLS 1.0, 1.1, and 1.2 across all endpoints. Encryption keys are managed through our CORTEX security system backed by FIPS 140-2 Level 3 certified Hardware Security Modules (HSMs) physically located within our EU data centers. Keys are automatically rotated every 90 days.
Backup & Redundancy
Encrypted backups are stored in geographically separate EU data centers for disaster recovery with a Recovery Point Objective (RPO) of zero data loss and a Recovery Time Objective (RTO) of under 60 seconds. Backup data is subject to the same encryption standards, access controls, and retention policies as primary data. Backup deletion follows the same schedule as primary data deletion.
Data Center Certifications
All AINTECH data centers hold Tier IV certification, ISO 27001, ISO 14001, SOC 2 Type II, and comply with the EU Code of Conduct for Cloud Service Providers. Physical access to data centers requires multi-factor biometric authentication, pre-authorized security clearance, and security escort at all times. Environmental controls include redundant power (N+1), cooling, fire suppression, and 24/7 on-site security personnel.
4. Your Rights Under GDPR
Right of Access (Art. 15)
You have the right to obtain confirmation of whether AINTECH processes your personal data, and if so, to receive a complete copy of all personal data we hold about you in a structured, commonly used, machine-readable format. You can submit a Data Subject Access Request (DSAR) through your account settings dashboard, via the API, or by emailing dsar@aintech.eu. We process all DSARs within 30 days as required by GDPR.
Right to Rectification (Art. 16)
You can update, correct, or supplement your personal data at any time through your account settings. If you discover inaccuracies in data that you cannot directly modify, contact us at privacy@aintech.eu and we will rectify the data within 5 business days and confirm the correction in writing.
Right to Erasure (Art. 17)
You can request the complete deletion of your personal data at any time. Upon receiving an erasure request, we will permanently delete all your personal data from our systems within 30 calendar days, including from all backups and redundant storage systems. Exceptions apply only where data retention is legally required (e.g., tax invoicing records retained for 7 years under Spanish tax law). We will inform you of any exceptions and the legal basis for continued retention.
Right to Data Portability (Art. 20)
You can export all your data at any time in standard, machine-readable formats including JSON, CSV, and YAML through the account dashboard export tool or via the data export API endpoint. We support full data portability with zero proprietary lock-in. Exported data packages include account information, usage history, configurations, API keys (hashed), audit logs, and all stored content.
Right to Object (Art. 21)
You can object to any processing of your personal data based on legitimate interest (Art. 6(1)(f)). Upon receiving an objection, we will cease the contested processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. For direct marketing purposes, your right to object is absolute and we will cease processing immediately upon request.
Right to Restrict Processing (Art. 18)
You can request that we restrict processing of your personal data while we verify the accuracy of contested data, assess an objection you have raised, determine whether our legitimate interests override your rights, or where you need the data for legal claims. During restriction, data is stored but not actively processed.
Right Regarding Automated Decisions (Art. 22)
AINTECH does not make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Where automated systems are used for security monitoring or abuse detection, human review is always involved before any action is taken against your account.
6. Third-Party Sharing
No Data Monetization
We NEVER sell, rent, lease, trade, or otherwise commercially exploit your personal data. We NEVER monetize your data through advertising, profiling, or data brokerage. Your data is not a product -- you are our customer, not our commodity. This commitment is contractually binding, independently audited annually, and documented in our SOC 2 Type II report.
Sub-processors
We use a strictly limited number of EU-based sub-processors for essential infrastructure services: Stripe (payment processing, EU entity), Resend (transactional email delivery, EU region), and Hetzner (infrastructure, Germany). Each sub-processor is contractually bound by Data Processing Agreements (DPAs) that meet or exceed GDPR Article 28 requirements. A complete, up-to-date list of sub-processors with their purposes and locations is available at aintech.cloud/legal/sub-processors.
Law Enforcement Requests
We will only disclose personal data to law enforcement authorities when legally compelled by a valid court order issued by a competent EU court. We will notify affected users of any disclosure request unless prohibited by law from doing so. We have never received a national security order, gag order, or bulk data request, and we would vigorously challenge any such request in the competent European courts.
No US Jurisdiction Exposure
AINTECH S.L. is incorporated, registered, and operates entirely within the European Union (Spain). We are not subject to the US CLOUD Act, FISA Section 702, Executive Order 12333, or any non-EU government data access programs. We have no US subsidiaries, no US data processing, and no US legal entities. Your data is protected exclusively by EU law.
7. Data Retention
Account Data
Account information (name, email, company, preferences) is retained for the duration of your active subscription plus 30 calendar days after account deletion to allow for account recovery and data export. After this period, account data is permanently and irreversibly deleted from all systems including backups.
Usage & Technical Logs
API usage logs and technical data (IP addresses, access logs, error logs) are retained for 90 days for security monitoring and performance analysis purposes. After 90 days, this data is automatically and permanently purged. Debug logs enabled by customers are purged after 7 days.
Billing Records
Invoices, payment records, and tax-related documents are retained for 7 years as required by Spanish tax legislation (Ley General Tributaria) and EU VAT regulations. These records contain the minimum necessary billing information and cannot be deleted before the mandatory retention period expires.
Deletion Schedule
Data deletion requests are processed within 30 calendar days. Primary data stores are purged first, followed by backup systems within the standard backup rotation cycle (maximum 14 additional days). We provide written confirmation of complete data deletion upon request. Our deletion process is independently audited as part of our annual SOC 2 Type II assessment.
8. Security Measures
Encryption
All personal data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Customer-managed encryption keys (CMEK) are available on Professional and Enterprise plans. Hardware Security Modules (HSMs) provide tamper-resistant key storage with automatic 90-day rotation cycles.
Access Controls
Internal access to customer data is restricted by role-based access controls (RBAC) with the principle of least privilege strictly enforced. All internal access is logged in immutable audit trails. Access to production systems requires multi-factor authentication, VPN connection from approved locations, and time-limited session tokens. Quarterly access reviews ensure permissions remain appropriate.
Security Audits
We undergo annual ISO 27001 certification audits by TÜV Rheinland, continuous SOC 2 Type II monitoring, and quarterly penetration testing by independent security firms (NCC Group, Cure53). Vulnerability scanning is automated and continuous across all systems. Results summaries are available to Enterprise customers upon request.
Incident Response
Our Security Incident Response Team (SIRT) operates 24/7/365. In the event of a data breach affecting personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay as required by Article 34. Post-incident reviews with root cause analysis are published within 5 business days of incident resolution.
9. Children's Privacy
Age Restrictions
The AINTECH Services are designed for business and professional use and are not directed at individuals under the age of 16. We do not knowingly collect, process, or store personal data from children under 16 years of age. If you believe that a child under 16 has provided us with personal data, please contact us immediately at privacy@aintech.eu.
Parental Consent
In the event that we discover we have inadvertently collected personal data from a child under 16 without verified parental consent, we will take immediate steps to delete that data from our systems within 48 hours. We implement technical measures including age-gating during account registration to prevent underage access.
10. International Transfers
EU-Only Processing
As a foundational principle, AINTECH processes all customer data exclusively within the European Economic Area (EEA). Our infrastructure, sub-processors, and support operations are all based within the EU. Under normal operations, no personal data is transferred outside the EEA.
Standard Contractual Clauses
In the exceptional circumstance that a data transfer outside the EEA becomes necessary (for example, if you explicitly configure delivery to a non-EU endpoint), such transfers will be governed by EU Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914, supplemented by a Transfer Impact Assessment (TIA) documenting the legal framework of the recipient country.
Adequacy Decisions
We recognize and rely on EU adequacy decisions where applicable for transfers to countries that the European Commission has determined provide an adequate level of data protection. Currently, this includes the United Kingdom, Switzerland, Japan, Republic of Korea, and other recognized jurisdictions. We maintain an up-to-date register of recognized adequacy decisions.
11. Contact & Data Protection Officer
Data Protection Officer
Our Data Protection Officer (DPO) can be reached at dpo@aintech.eu or by post to: AINTECH S.L., Attn: Data Protection Officer, Partida Secanet, Calle Setines Nº 106, 03570 Villajoyosa, Alicante, Spain. The DPO is independent, reports directly to the AINTECH board of directors, and cannot be dismissed or penalized for performing their duties.
Privacy Inquiries
For general privacy questions, data processing inquiries, or to exercise any of your GDPR rights, contact privacy@aintech.eu. We respond to all privacy inquiries within 5 business days. Complex requests requiring investigation may take up to 30 days, and we will inform you of any such extension.
DSAR Requests
Data Subject Access Requests can be submitted through your account settings dashboard, via the dedicated DSAR API endpoint, or by emailing dsar@aintech.eu. We verify the identity of all DSAR requestors before processing. All DSARs are processed within 30 calendar days as required by GDPR Article 12(3).
Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority at any time. Our lead supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos -- AEPD), which can be reached at www.aepd.es. You may also use the EU Online Dispute Resolution platform at ec.europa.eu/odr.
Version History
January 15, 2026
Added EU AI Act provisions, expanded data retention section, updated sub-processor list
October 1, 2025
Added children's privacy section, updated international transfer mechanisms
June 15, 2025
Major rewrite for GDPR enforcement updates, added DSAR automation
January 1, 2025
Initial privacy policy publication
Data Protection Framework Compliance
AINTECH maintains compliance with multiple overlapping data protection frameworks to ensure comprehensive coverage across all jurisdictions where our customers operate. Our compliance program is continuously updated to reflect regulatory changes and enforcement guidance.
Full compliance since founding. Annual audit by TÜV Rheinland.
Compliant with UK Data Protection Act 2018.
New Swiss Data Protection Act compliance verified.
Transparency and governance obligations met.
Cybersecurity and incident reporting requirements met.
Cookie consent and electronic communications compliant.
Last updated: January 15, 2026
Effective date: February 1, 2026