GDPR compliant

Privacy Policy

How aiteam collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Danish data protection law.

Last updated: 2026-03-28

1. Introduction

aiteam ApS ('we', 'us', 'our') is the data controller for personal data processed through the aiteam platform at aite.am. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection legislation.

This policy explains what data we collect, why we collect it, how we process it, and your rights as a data subject.

2. Data We Collect

We collect the following categories of personal data:

Account Data

  • Full name
  • email address
  • profile picture
  • function role
  • notification preferences

Organisation Data

  • Company name
  • corporate email domain
  • industry
  • sub-industry
  • estimated size
  • headquarters location
  • description

Platform Usage Data

  • Assessment responses
  • agent registrations
  • governance configurations
  • metric entries
  • task activities
  • implementation guide progress

AI Consultant Data

Conversation content, context snapshots (anonymised organisational scores and metrics sent to the AI model — never PII)

Technical Data

  • IP address
  • browser type and version
  • device information
  • access timestamps
  • pages visited

3. How We Use Your Data

We use your data for the following purposes:

  • Providing and operating the platform features you subscribed to
  • Personalising your AI Consultant experience with your organisation's context
  • Generating anonymised industry benchmarks (your company is never identified)
  • Sending service communications, product updates, and security notifications
  • Calculating partner commissions based on aggregated subscription data
  • Improving the platform through anonymised usage analytics
  • Complying with legal obligations (tax records, audit logs)

4. AI-Specific Data Processing

Our AI features are powered by Anthropic's Claude models. We take great care to protect your privacy when using AI services.

  • AI Consultant: When you use the AI Consultant, we send anonymised organisational context (readiness scores, industry, company size, maturity level) to Anthropic's API. We never send personally identifiable information such as employee names, email addresses, or individual user data.
  • Shadow AI Detector: The endpoint detection scripts collect only metadata about AI tools found on devices — tool names, vendors, and detection source. All user identifiers are SHA-256 hashed with an organisation-specific salt. No prompts, responses, or content are captured.
  • Employee Help Desk: Employee Pack Help Desk: Employee queries to the AI Help Desk are processed via Claude Haiku. Queries include the question text and anonymised organisational context. Employee names and personal details are not included in API calls.
  • Knowledge Engine: Document embeddings are generated using OpenAI's text-embedding-3-small model. Only document text chunks are sent for embedding — no user data or organisational context is included.

Important: Your data is never used to train AI models. Neither Anthropic nor OpenAI uses data sent via their APIs for model training.

We process your data under the following legal bases:

| Purpose | Legal Basis | Details |
|---|---|---|
| Platform operation | Contract performance | Providing the platform you subscribed to |
| Service improvement | Legitimate interest | Improving features, fixing issues, analytics |
| Marketing emails | Consent | Optional — you can withdraw at any time |
| Tax & audit records | Legal obligation | Required by Danish and EU law |
| Security monitoring | Legitimate interest | Protecting platform and users from threats |

6. Data Retention

We retain different categories of data for different periods:

| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Active subscription + 90 days | Service provision + grace period |
| AI Consultant conversations | 12 months | Context continuity and service quality |
| Audit logs | 7 years | Regulatory requirement (EU AI Act, tax) |
| Anonymised benchmarks | Indefinitely | Aggregated, non-personal data |
| Technical logs | 90 days | Security and debugging |

7. Data Sharing & Sub-Processors

We share data with the following service providers, all bound by data processing agreements:

| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database hosting & authentication | EU (Frankfurt) |
| Vercel | Application hosting & edge functions | EU (Stockholm/Paris) |
| Anthropic | AI processing (Claude models) | US (SCCs in place) |
| Stripe | Payment processing | EU/US (PCI DSS Level 1) |
| Resend | Transactional email delivery | US (SCCs in place) |

We never sell your data. Partner admins can view aggregated customer metrics (scores, adoption rates) but never individual user data, AI conversations, or raw assessment responses.

8. Your GDPR Rights

Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access — request a copy of your personal data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data ('right to be forgotten')
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format (JSON export available in Settings)
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — withdraw consent at any time for consent-based processing

To exercise any right, contact steven@aite.am. We will respond within 30 days as required by GDPR.

9. Cookies

We use essential cookies for authentication and session management, and preference cookies for language and theme settings. We do not use advertising or tracking cookies.

For full details, see our Cookie Policy.

10. International Transfers

All primary data storage is within the EU (Frankfurt, Germany). AI processing via Anthropic may involve data transfer to the US, protected by Standard Contractual Clauses (SCCs) as approved by the European Commission.

No personally identifiable information is included in AI API calls — only anonymised scores, aggregated metrics, and organisational context.

11. Automated Decision-Making

The aiteam platform uses AI to generate recommendations, readiness scores, risk classifications, and advisory content. These outputs are advisory in nature and do not constitute automated decision-making with legal or similarly significant effects as defined by GDPR Article 22. All final decisions regarding AI adoption, governance, and compliance remain with you and your organisation. Human oversight is always required before acting on AI-generated recommendations.

12. Children's Privacy

The platform is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 30 days before the changes take effect. The 'Last updated' date at the top of this page indicates when the policy was last revised.

14. Contact the Data Protection Officer

For any privacy-related questions or to exercise your rights, contact our Data Protection Officer.

You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

Questions about this policy?

Our team is happy to help with any questions.

Data Protection Officer

aiteam ApS
Copenhagen, Denmark