Privacy Policy

Last updated: 16 May 2026 · Effective date: 16 May 2026

1. Who we are

The service Aimarcus B2B (the “Service”), reachable at aimarcusb2b.eu, is operated by Prism Hooldus OÜ (the “Controller”, “we”, “us”).

For questions about this Policy or to exercise any right described below, write to the contact email above. We reply within 30 days.

2. What we collect and why

2.1 Account information

When you sign up we store your business email, a one-way hashed password, your workspace name, and the company you represent. Legal basis: performance of the contract you enter with us (GDPR Art. 6(1)(b)).

2.2 Chat content and assistant memory

Every message you exchange with the assistant is stored in your workspace so the assistant can keep context and you can review prior conversations. The assistant additionally maintains a private notebook of stable facts about your business (your name, company, preferences) in a file inside your workspace sandbox. Legal basis: contract performance.

You can export every chat as Markdown, delete any chat, and wipe the assistant’s memory at any time from your workspace settings.

2.3 Files you upload

Files you attach to a chat are stored on our servers, scoped to your workspace, and only accessible to your account and our authorised operators for incident response. Legal basis: contract performance.

2.4 External services you connect

If you connect external services (Gmail via IMAP, Google Calendar / Search Console / Analytics via OAuth, Stripe, GitHub, Cloudflare, HubSpot, Notion, Linear, Pipedrive, Resend, Wise, Twilio, Shopify, Slack, Mailchimp, Telegram) we store the credentials you provided (refresh tokens, app passwords, restricted API keys) encrypted at rest, and use them solely to perform the actions you request inside chat. Legal basis: explicit consent for each integration (GDPR Art. 6(1)(a)).

We never sell, share, or use these credentials outside the assistant turn that you initiated. You can disconnect any service from the Connections page; on disconnect we delete the stored credentials immediately.

For Gmail specifically we connect over IMAP/SMTP using an app password you generate yourself in Google account settings — we do not request restricted Gmail OAuth scopes and we do not transmit your Gmail data to Google verification servers.

2.5 Usage data

We log per-workspace token usage, message counts, and assistant model costs so we can bill correctly and enforce tier limits. We also log standard web access logs (IP, user agent, timestamp) for 90 days for security. Legal basis: contract performance and legitimate interest in service security (GDPR Art. 6(1)(f)).

2.6 Payment data

Payment is handled by Stripe. We never see or store your full card details; Stripe stores a customer ID and a payment method token that we use only to charge or cancel your subscription. See Stripe’s Privacy Policy.

3. Who processes your data on our behalf

We use these sub-processors. All are bound by GDPR-compliant Data Processing Agreements:

We do not transfer personal data outside the European Economic Area except to Anthropic (United States) under the EU-US Data Privacy Framework and standard contractual clauses.

4. How we use Google user data

When you connect Google Calendar, Search Console, or Google Analytics, you grant the assistant a refresh token with the following OAuth scopes:

Aimarcus B2B’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

5. Data retention

6. Your rights under GDPR

You have the right to:

To exercise any right, write to prismestonia@gmail.com. We respond within 30 days.

7. Security

Each workspace runs in its own isolated sandbox on the server. Anthropic OAuth credentials are bind-mounted read-only into the sandbox; tenant credentials are scoped to a single workspace by primary key. We use TLS for every connection, encrypted passwords at rest (bcrypt), restricted API keys where the provider supports them, and an unprivileged Linux user for the sandbox process. We monitor for unauthorised access and review logs daily.

8. Cookies

We use one essential cookie (abk_user) to keep you signed in. We do not use advertising, analytics, or tracking cookies on this domain. No consent banner is required because we operate only essential cookies (GDPR Recital 30, ePrivacy Art. 5(3) exception).

9. Children

The Service is intended for businesses and not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, write to us and we will delete it.

10. Changes to this Policy

We may update this Policy from time to time. The latest version is always at aimarcusb2b.eu/privacy. We will notify active workspaces by email at least 14 days before any material change takes effect.

11. Contact

Questions, requests, complaints — write to:

Prism Hooldus OÜ
Läänemere tee 62, Lasnamäe
13914 Tallinn, Estonia
prismestonia@gmail.com