Privacy Policy
Last updated: March 20, 2026 · ShapeLoop OÜ · Registry code: 17394931 · Estonia, EU
1. Who We Are
ShapeLoop OÜ (“we”, “us”) is the data controller for AILO. We are registered in Estonia (EU) and committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and Estonian data protection law.
Contact: hello@ambass.io
2. What Data We Collect
| Data | Why | Legal Basis |
| --- | --- | --- |
| Email address | Account creation, magic link login, purchase confirmation | Contract performance |
| Language preference | Serve content in your language | Contract performance |
| Audience choice (Career / Everyday) | Personalize task content | Contract performance |
| Task progress (which tasks completed) | Save your progress, show dashboard | Contract performance |
| AI tool inputs (text you type) | Generate AI responses for you | Contract performance |
| Payment data (via Creem) | Process purchase | Contract performance |
| IP address, browser type | Security, rate limiting, abuse prevention | Legitimate interest |
3. What We Do NOT Collect
- We do NOT use Google Analytics, Facebook Pixel, or any third-party tracking
- We do NOT collect your name, phone number, address, or ID
- We do NOT sell, rent, or share your data with advertisers
- We do NOT use your data to train AI models
Your AI inputs are not used for training. The text you enter into the AI tool is sent to the language model to generate a response and is not stored or used to improve any AI model.
4. How We Use Your Data
- Create and manage your AILO account
- Send you magic link login emails
- Save your task progress across sessions
- Process your payment (via Creem)
- Send you your completion certificate
- Respond to support requests
- Prevent abuse and ensure platform security
We will NOT send you marketing emails unless you explicitly opt in.
5. AI Tool — Data Flow
When you use the built-in AI tool:
- Your text input is sent to a third-party AI model (currently DeepSeek) to generate a response
- The AI model provider may process your input on their servers (see section 7)
- We do NOT permanently store your AI inputs or outputs on our servers
- AI conversation history is stored only in your browser (localStorage) during your session
Do not enter sensitive personal data (health records, financial account numbers, passwords, personal ID numbers) into the AI tool. While we take security seriously, AI model providers are third parties with their own data practices.
6. Where Data Is Stored
All AILO data is stored within the European Union:
- Application server and database: Hetzner, Germany (EU)
- Email delivery: Resend (US-based, but email content is transient)
- Payment processing: Creem (Merchant of Record, processes under their own GDPR compliance)
- AI model: DeepSeek (China-based — see section 7)
Data is encrypted in transit (TLS 1.3) and at rest on our servers.
7. Third-Party Data Processors
| Service | Purpose | Location | Their Privacy Policy |
| --- | --- | --- | --- |
| Hetzner | Hosting, database | Germany, EU | Link |
| Resend | Email delivery | US | Link |
| Creem | Payment (MoR) | EU | Link |
| DeepSeek | AI language model | China | Link |
Important note on AI model providers: When you use the AI tool, your text input is sent to DeepSeek’s servers to generate a response. DeepSeek is based in China and operates under Chinese data protection laws. By using the AI tool, you acknowledge this data transfer. If you are uncomfortable with this, you may complete the tasks without using the AI tool, or contact us for alternatives.
8. Cookies and Local Storage
AILO uses:
- localStorage — to save your session, progress, preferences, and onboarding state. This data stays in your browser and is not sent to our servers except as described above.
- Essential cookies — only for authentication (if applicable). No tracking cookies, no advertising cookies.
We do NOT use any third-party cookie-based tracking.
9. Your Rights (GDPR)
As an EU/EEA resident, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure (“right to be forgotten”) — request deletion of all your data
- Data portability — receive your data in a machine-readable format (JSON)
- Restriction — limit how we process your data
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at hello@ambass.io. We will respond within 30 days.
10. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- AI inputs/outputs: not permanently stored on our servers. Browser localStorage is cleared when you clear your browser data.
- Payment records: retained for 7 years as required by Estonian accounting law.
- Server logs: retained for 30 days for security purposes, then automatically deleted.
11. Data Security
- TLS 1.3 encryption for all connections
- Database access restricted to application layer only
- SSH key-based server access (no password authentication)
- Regular security updates and monitoring
- Magic link tokens expire after 1 hour
12. Children
AILO is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights:
- We will notify the Estonian Data Protection Inspectorate (AKI) within 72 hours
- We will notify affected users without undue delay if the breach poses a high risk to your rights and freedoms
14. Scam Checker (/check) — Public Tool
The AILO Scam Checker at ailo.study/check operates without login. For this tool:
- We do NOT store the messages you submit for checking
- Messages are sent to the AI model, processed, and the response is returned to you
- We log only aggregated usage statistics (total checks per day), not individual message content
- IP-based rate limiting (10 checks/hour) is used to prevent abuse; IP addresses are not permanently stored
15. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. We will notify paid users of significant changes via email.
16. Supervisory Authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: aki.ee
Email: info@aki.ee
17. Contact
ShapeLoop OÜ
Registry code: 17394931
Email: hello@ambass.io