Privacy Policy
AI100.io — Brand Visibility Benchmark
Last updated: June 7, 2026
ECONDATA TECHSCRIBE LTD, a private limited company registered in the Republic of Cyprus, registration number HE 455945, registered address Peiraios 30, Floor 1, Flat/Office 1, Strovolos 2023, Nicosia ("Company", "we", "us", or "our") is the data controller responsible for the processing of your personal data when you use the AI100.io website and services ("Service").
We are committed to protecting your privacy and processing your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and Cyprus Law 125(I)/2018 on the Protection of Natural Persons with regard to the Processing of Personal Data.
1. Data Controller
ECONDATA TECHSCRIBE LTD Registration number: HE 455945 VAT: CY60046398P Registered address: Peiraios 30, Floor 1, Flat/Office 1, Strovolos 2023, Nicosia, Cyprus Email: [email protected] Director: Vitalis Makris
If you have any questions about this Privacy Policy or our data processing practices, please contact us at the email address above.
2. Personal Data We Collect
2.1. Data you provide directly
| Data category | Examples | Purpose |
|---|---|---|
| Brand and website data | Brand name, website URL, region, language, category | Executing Research Runs |
| Access Key | Your personal key credential | Authentication and access management |
| Communication data | Name, email address, and message content (if you contact us via the contact form) | Responding to inquiries and providing support |
| Payment confirmation | Transaction reference, payment status (received from payment processor) | Verifying payment and activating Access Keys |
2.2. Data collected automatically
| Data category | Examples | Purpose |
|---|---|---|
| Language preference | Cookie value: ai100_lang (en/ru/de/fr/es) |
Maintaining interface language |
| Session data | Encrypted session identifier cookie | Maintaining authenticated session |
| Server logs | IP address, browser type (User-Agent), referring page, timestamp, pages visited | Security monitoring, debugging, abuse prevention |
| Analytics data (cookieless) | Aggregate, anonymous page-view events via self-hosted Plausible Analytics | Measuring traffic patterns. See Section 5.5 for details. |
2.3. Data we do not collect
- We do not collect personal names, physical addresses, phone numbers, or government-issued identifiers through the Service itself.
- We do not receive or store credit card numbers, bank account details, or cryptocurrency wallet addresses. All payment data is processed exclusively by our third-party payment providers (see Section 5).
- We do not use retargeting pixels, advertising trackers, or browser fingerprinting technologies.
- We do not collect or process personal data of your customers or visitors to your website.
- Our analytics is cookieless and self-hosted (see Section 5.5); beyond that we do not embed third-party tracking.
3. Legal Bases for Processing
Under Article 6(1) of the GDPR, we process your personal data based on the following legal grounds:
| Legal basis | Data processed | Purpose |
|---|---|---|
| Performance of contract (Art. 6(1)(b)) | Brand data, Access Key, session data, payment confirmation | Delivering the Service: executing Research Runs, generating Reports, maintaining your access |
| Legitimate interest (Art. 6(1)(f)) | Server logs, IP addresses, cookieless analytics events, language preference cookie | Security monitoring, fraud prevention, debugging, Service stability, and understanding aggregate usage via cookieless analytics. We have assessed that this processing does not override your rights and freedoms. |
| Legal obligation (Art. 6(1)(c)) | Transaction records, invoicing data | Compliance with Cyprus accounting and tax regulations |
4. How We Use Your Data
We use your personal data strictly for the purposes described below. We do not use your data for profiling, automated decision-making, or direct marketing.
- Delivering the Service: Processing brand/website data through AI models, calculating scores, and generating Reports.
- Access management: Authenticating sessions, tracking run usage against key balance, and verifying payment status.
- Service operations: Server monitoring, security incident detection, debugging, and infrastructure maintenance.
- Methodology improvement: We may analyze aggregated, non-identifiable research patterns to improve our scoring methodology. Individual brand data is never used for this purpose in identifiable form.
- Legal compliance: Maintaining financial records as required by Cyprus law.
- Communication: Responding to your inquiries if you contact us.
5. Third-Party Data Processors
We share personal data with the following categories of third-party processors, solely for the purposes described. We have ensured that all processors provide adequate safeguards for your data.
5.1. AI model providers
To execute research scenarios, we send queries to third-party AI model APIs. As of the latest update, our active providers are:
| Provider | Region | Privacy policy |
|---|---|---|
| OpenAI, LLC | USA | https://openai.com/privacy |
| Google LLC (Gemini API) | USA | https://policies.google.com/privacy |
| xAI Corp. | USA | https://x.ai/legal/privacy-policy |
| DeepSeek AI | China | https://deepseek.com/privacy |
These queries contain category descriptions and research scenarios derived from brand data. We do not transmit Access Keys, session data, email addresses, or any personal identifiers to AI model providers.
Transfer mechanism: Standard Contractual Clauses (SCCs) for non-EU/EEA providers; EU-US Data Privacy Framework where applicable.
We may add or replace AI model providers over time as the methodology evolves. The list above reflects current production providers and is updated when changes occur.
5.2. Payment processors
| Provider | Data they process | Privacy policy |
|---|---|---|
| Revolut (Revolut Bank UAB / Revolut Ltd) | Card payment data (payment amount, currency, transaction reference, masked card metadata). We do not receive or store full card numbers. | https://www.revolut.com/legal/privacy/ |
| NOWPayments | Cryptocurrency transaction data (payment amount, currency, transaction reference). We do not receive or store wallet addresses. | https://nowpayments.io/privacy-policy |
We receive only payment confirmation and transaction references from this provider. We do not receive, store, or process your payment instrument details (wallet addresses, transaction signatures).
5.3. Hosting provider
The Service is hosted on dedicated servers provided by Hetzner Online GmbH, located in Germany (EU). All personal data is stored within the European Economic Area.
Hetzner privacy policy: https://www.hetzner.com/legal/privacy-policy
5.4. CDN and security
We use Cloudflare, Inc. (USA) for DDoS protection and content delivery. Cloudflare may process IP addresses and request metadata in transit. Cloudflare is certified under the EU-US Data Privacy Framework.
Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy/
5.5. Analytics (self-hosted, cookieless)
We measure aggregate traffic patterns with Plausible Analytics, which we self-host on our own servers in Germany (EU) — the same Hetzner infrastructure described in Section 5.3. No third-party analytics processor is involved, and analytics data never leaves our EU infrastructure.
What we collect: aggregate, anonymous page-view events, referring page, browser and device class, and approximate geographic region derived from your IP address. Your IP address is not stored.
What we do NOT collect through analytics: no cookies or device identifiers are set; no name, email address, Access Key, brand data submitted for Research Runs, or any personally identifying information.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Because Plausible sets no cookies and stores no information on your device, it does not rely on consent under ePrivacy Directive Art. 5(3), and no consent banner is shown.
Plausible privacy policy: https://plausible.io/privacy (self-hosted edition; data is held by us, not by Plausible).
5.6. Operational notifications (Telegram)
When you submit the contact form, or when a payment is confirmed, we receive an internal alert through Telegram (Telegram FZ-LLC, United Arab Emirates) at a private operator account. The alert contains the data you submitted — for the contact form: your name, email address, and message; for payments: email address and order reference — and is used solely to respond to you and operate the Service, never for marketing. Telegram processes this data on servers outside the EEA; we limit it to the operational minimum and rely on Article 49(1)(b) GDPR, as the transfer is necessary to act on your request.
Telegram privacy policy: https://telegram.org/privacy
6. International Data Transfers
Your personal data is primarily stored and processed on servers located in Germany (EU). Some personal data may be transferred outside the EEA in connection with the following services:
| Recipient | Country | Safeguard |
|---|---|---|
| OpenAI, LLC | USA | Standard Contractual Clauses (SCCs) |
| Google LLC (Gemini API) | USA | EU-US Data Privacy Framework + SCCs |
| xAI Corp. | USA | Standard Contractual Clauses (SCCs) |
| DeepSeek AI | China | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | USA | EU-US Data Privacy Framework + SCCs |
| Telegram FZ-LLC | United Arab Emirates | Art. 49(1)(b) GDPR — transfer necessary to act on your request |
We only transfer data outside the EEA where adequate safeguards are in place, in accordance with Chapter V of the GDPR.
7. Data Retention
| Data category | Retention period | Rationale |
|---|---|---|
| Research data and Reports | Duration of active Access Key + 12 months | Allowing continued access to past results |
| Server logs | 90 days | Security monitoring and debugging |
| Payment and transaction records | 7 years | Cyprus tax and accounting law |
| Communication records | 2 years from last communication | Support continuity |
| Session cookies | Expire within days of inactivity | Technical necessity |
| Language preference cookie | Until cleared by user | User convenience |
After the retention period expires, data is deleted or irreversibly anonymized. Aggregated, non-identifiable statistical data may be retained indefinitely.
8. Cookies
We use a small set of first-party cookies only. We set no analytics or marketing cookies — our analytics is cookieless (see Section 5.5) — so we do not show a cookie consent banner.
| Cookie | Type | Purpose | Duration | Legal basis |
|---|---|---|---|---|
ai100_lang |
Preference | Language selection (en/ru/de/fr/es) | Persistent | Legitimate interest |
| Access session cookie | Strictly necessary | Maintains authenticated session | Session / several days | Contract performance |
You can delete cookies for ai100.io via your browser settings at any time. See our Cookie Policy at /cookies for a complete list and instructions.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. |
| Restriction (Art. 18) | Request that we restrict the processing of your data in certain circumstances. |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format. Reports are already available in HTML, XLSX, and CSV. |
| Object (Art. 21) | Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds. |
| Withdraw consent (Art. 7(3)) | We currently rely on no consent-based processing (our analytics is cookieless and based on legitimate interest). You may still clear your browser cookies for ai100.io at any time. Withdrawal does not affect the lawfulness of prior processing. |
How to exercise your rights
Contact us at [email protected] with your request. We will verify your identity (e.g., by confirming your Access Key or other identifying information) and respond within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, and we will inform you of any such extension.
Exercising your rights is free of charge. In cases of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act, as permitted by Article 12(5) of the GDPR.
Right to lodge a complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Office of the Commissioner for Personal Data Protection (Cyprus) 1 Iasonos Street, 1082 Nicosia, Cyprus Email: [email protected] Website: https://www.dataprotection.gov.cy
You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of work.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- HTTPS/TLS encryption for all data in transit (via Cloudflare and nginx)
- Access Keys stored as cryptographic hashes (not in plaintext)
- Server access restricted to authorized personnel with key-based SSH authentication
- Regular security updates to server software and dependencies
- File-based storage with appropriate filesystem permissions
- No public-facing database interfaces
No system is completely secure. While we take commercially reasonable precautions, we cannot guarantee absolute security of your data. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the Office of the Commissioner for Personal Data Protection (Cyprus) in accordance with Articles 33 and 34 of the GDPR.
11. Children
The Service is designed for business professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
12. Automated Decision-Making
The Service does not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR. The AI models used in Research Runs evaluate brands, not individuals.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. For changes that materially affect how we process your personal data, we will use reasonable efforts to provide advance notice.
Your continued use of the Service after the effective date of the updated policy constitutes acknowledgment of the changes. If you do not agree with the updated policy, you should stop using the Service and may request erasure of your data.
14. Language
This Privacy Policy is available in English and Russian. In case of any inconsistency between versions, the English version shall prevail.
15. Contact
For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:
ECONDATA TECHSCRIBE LTD Registration number: HE 455945 Registered address: Peiraios 30, Floor 1, Flat/Office 1, Strovolos 2023, Nicosia, Cyprus Email: [email protected] Director: Vitalis Makris
This Privacy Policy is effective as of June 7, 2026.