Privacy Policy
AI100.io — Brand Visibility Benchmark
Last updated: March 15, 2026
AI100 OÜ, a private limited company registered in the Republic of Estonia, registry code 16993057, registered address Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145 ("Company", "we", "us", or "our") is the data controller responsible for the processing of your personal data when you use the AI100.io website and services ("Service").
We are committed to protecting your privacy and processing your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
1. Data Controller
AI100 OÜ
Registry code: 16993057
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145, Estonia
Email: [email protected]
If you have any questions about this Privacy Policy or our data processing practices, please contact us at the email address above.
2. Personal Data We Collect
2.1. Data you provide directly
| Data category | Examples | Purpose |
|---|---|---|
| Brand and website data | Brand name, website URL, region, language, category | Executing Research Runs |
| Access Key | Your personal key credential | Authentication and access management |
| Communication data | Email address, message content (if you contact us) | Responding to inquiries and providing support |
| Payment confirmation | Transaction reference, payment status (received from payment processor) | Verifying payment and activating Access Keys |
2.2. Data collected automatically
| Data category | Examples | Purpose |
|---|---|---|
| Language preference | Cookie value: ai100_lang (ru/en) | Maintaining interface language |
| Session data | Encrypted session identifier cookie | Maintaining authenticated session |
| Server logs | IP address, browser type (User-Agent), referring page, timestamp, pages visited | Security monitoring, debugging, abuse prevention |
2.3. Data we do not collect
- We do not collect personal names, physical addresses, phone numbers, or government-issued identifiers through the Service itself.
- We do not receive or store credit card numbers, bank account details, or cryptocurrency wallet addresses. All payment data is processed exclusively by our third-party payment providers (see Section 5).
- We do not use advertising trackers, analytics platforms (such as Google Analytics), retargeting pixels, or browser fingerprinting technologies.
- We do not collect or process personal data of your customers or visitors to your website.
3. Legal Bases for Processing
Under Article 6(1) of the GDPR, we process your personal data based on the following legal grounds:
| Legal basis | Data processed | Purpose |
|---|---|---|
| Performance of contract (Art. 6(1)(b)) | Brand data, Access Key, session data, payment confirmation | Delivering the Service: executing Research Runs, generating Reports, maintaining your access |
| Legitimate interest (Art. 6(1)(f)) | Server logs, IP addresses | Security monitoring, fraud prevention, debugging, Service stability. Our legitimate interest is maintaining Service security and integrity. We have assessed that this processing does not override your rights and freedoms. |
| Consent (Art. 6(1)(a)) | Language preference cookie | Storing your language choice for a better experience. You may withdraw consent at any time by clearing your browser cookies. |
| Legal obligation (Art. 6(1)(c)) | Transaction records, invoicing data | Compliance with Estonian accounting and tax regulations |
4. How We Use Your Data
We use your personal data strictly for the purposes described below. We do not use your data for profiling, automated decision-making, or direct marketing.
- Delivering the Service: Processing brand/website data through AI models, calculating scores, and generating Reports.
- Access management: Authenticating sessions, tracking run usage against key balance, and verifying payment status.
- Service operations: Server monitoring, security incident detection, debugging, and infrastructure maintenance.
- Methodology improvement: We may analyze aggregated, non-identifiable research patterns to improve our scoring methodology. Individual brand data is never used for this purpose in identifiable form.
- Legal compliance: Maintaining financial records as required by Estonian law.
- Communication: Responding to your inquiries if you contact us.
5. Third-Party Data Processors
We share personal data with the following categories of third-party processors, solely for the purposes described. We have ensured that all processors provide adequate safeguards for your data.
5.1. AI model providers
To execute research scenarios, we send queries to third-party AI model APIs (currently OpenAI, LLC, based in the United States). These queries contain category descriptions and research scenarios derived from brand data. We do not transmit Access Keys, session data, email addresses, or any personal identifiers to AI model providers.
Data transferred: Research scenario queries (derived from brand/website data).
Transfer mechanism: Standard Contractual Clauses (SCCs) and OpenAI's Data Processing Agreement.
OpenAI privacy policy: https://openai.com/privacy
5.2. Payment processors
| Provider | Data they process | Privacy policy |
|---|---|---|
| Stripe, Inc. (USA) | Payment card data, billing details, transaction data | https://stripe.com/privacy |
| Wise (TransferWise Ltd) (UK/EU) | Bank transfer details, transaction data | https://wise.com/privacy-policy |
| [CRYPTO PROCESSOR] | Cryptocurrency transaction data | [URL] |
We receive only payment confirmation and transaction references from these providers. We do not receive, store, or process your payment instrument details (card numbers, bank accounts, wallet addresses).
Transfer mechanism (Stripe): EU-US Data Privacy Framework certification and Standard Contractual Clauses.
5.3. Hosting provider
The Service is hosted on dedicated servers provided by Hetzner Online GmbH, located in Germany (EU). All personal data is stored within the European Economic Area.
Hetzner privacy policy: https://www.hetzner.com/legal/privacy-policy
5.4. CDN and security
We use Cloudflare, Inc. (USA) for DDoS protection and content delivery. Cloudflare may process IP addresses and request metadata in transit. Cloudflare is certified under the EU-US Data Privacy Framework.
Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy/
6. International Data Transfers
Your personal data is primarily stored and processed on servers located in Germany (EU). Some personal data may be transferred to the United States in connection with the following services:
| Recipient | Country | Safeguard |
|---|---|---|
| OpenAI, LLC | USA | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | USA | EU-US Data Privacy Framework + SCCs |
| Cloudflare, Inc. | USA | EU-US Data Privacy Framework + SCCs |
We only transfer data outside the EEA where adequate safeguards are in place, in accordance with Chapter V of the GDPR.
7. Data Retention
| Data category | Retention period | Rationale |
|---|---|---|
| Research data and Reports | Duration of active Access Key + 12 months | Allowing continued access to past results |
| Server logs | 90 days | Security monitoring and debugging |
| Payment and transaction records | 7 years | Estonian Accounting Act (Raamatupidamise seadus) |
| Communication records | 2 years from last communication | Support continuity |
| Session cookies | Expire within days of inactivity | Technical necessity |
| Language preference cookie | Until cleared by user | User convenience |
After the retention period expires, data is deleted or irreversibly anonymized. Aggregated, non-identifiable statistical data may be retained indefinitely.
8. Cookies
We use a minimal set of cookies, all strictly necessary for Service functionality or based on consent:
| Cookie | Type | Purpose | Duration | Legal basis |
|---|---|---|---|---|
| ai100_lang | Preference | Language selection (ru/en) | Persistent | Consent |
| Access session cookie | Strictly necessary | Maintains authenticated session | Session / several days | Contract performance |
We do not use third-party cookies, advertising cookies, analytics cookies, or tracking technologies.
Because we use only strictly necessary cookies and a single preference cookie, we do not display a cookie consent banner. The preference cookie is set only upon your affirmative action (selecting a language).
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. |
| Restriction (Art. 18) | Request that we restrict the processing of your data in certain circumstances. |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format. Reports are already available in HTML, XLSX, and CSV. |
| Object (Art. 21) | Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds. |
| Withdraw consent (Art. 7(3)) | Withdraw consent for preference cookie at any time by clearing your browser cookies. Withdrawal does not affect the lawfulness of prior processing. |
How to exercise your rights
Contact us at [email protected] with your request. We will verify your identity (e.g., by confirming your Access Key or other identifying information) and respond within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, and we will inform you of any such extension.
Exercising your rights is free of charge. In cases of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act, as permitted by Article 12(5) of the GDPR.
Right to lodge a complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Email: [email protected]
Website: https://www.aki.ee
You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of work.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- HTTPS/TLS encryption for all data in transit (via Cloudflare and nginx)
- Access Keys stored as cryptographic hashes (not in plaintext)
- Server access restricted to authorized personnel with key-based SSH authentication
- Regular security updates to server software and dependencies
- File-based storage with appropriate filesystem permissions
- No public-facing database interfaces
No system is completely secure. While we take commercially reasonable precautions, we cannot guarantee absolute security of your data. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the Estonian Data Protection Inspectorate in accordance with Articles 33 and 34 of the GDPR.
11. Children
The Service is designed for business professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
12. Automated Decision-Making
The Service does not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR. The AI models used in Research Runs evaluate brands, not individuals.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. For changes that materially affect how we process your personal data, we will use reasonable efforts to provide advance notice.
Your continued use of the Service after the effective date of the updated policy constitutes acknowledgment of the changes. If you do not agree with the updated policy, you should stop using the Service and may request erasure of your data.
14. Language
This Privacy Policy is available in English and Russian. In case of any inconsistency between versions, the English version shall prevail.
15. Contact
For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:
AI100 OÜ
Registry code: 16993057
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimae tn 5, 10145, Estonia
Email: [email protected]
This Privacy Policy is effective as of March 15, 2026.