Privacy Policy
1. Who we are
The service Aimarcus B2B (the “Service”), reachable at aimarcusb2b.eu, is operated by Prism Hooldus OÜ (the “Controller”, “we”, “us”).
- Estonian registry code: 16894703
- Registered office: Läänemere tee 62, Lasnamäe, 13914 Tallinn, Estonia
- Contact email: prismestonia@gmail.com
For questions about this Policy or to exercise any right described below, write to the contact email above. We reply within 30 days.
2. What we collect and why
2.1 Account information
When you sign up we store your business email, a one-way hashed password, your workspace name, and the company you represent. Legal basis: performance of the contract you enter with us (GDPR Art. 6(1)(b)).
2.2 Chat content and assistant memory
Every message you exchange with the assistant is stored in your workspace so the assistant can keep context and you can review prior conversations. The assistant additionally maintains a private notebook of stable facts about your business (your name, company, preferences) in a file inside your workspace sandbox. Legal basis: contract performance.
You can export every chat as Markdown, delete any chat, and wipe the assistant’s memory at any time from your workspace settings.
2.3 Files you upload
Files you attach to a chat are stored on our servers, scoped to your workspace, and only accessible to your account and our authorised operators for incident response. Legal basis: contract performance.
2.4 External services you connect
If you connect external services (Gmail via IMAP, Google Calendar / Search Console / Analytics via OAuth, Stripe, GitHub, Cloudflare, HubSpot, Notion, Linear, Pipedrive, Resend, Wise, Twilio, Shopify, Slack, Mailchimp, Telegram) we store the credentials you provided (refresh tokens, app passwords, restricted API keys) encrypted at rest, and use them solely to perform the actions you request inside chat. Legal basis: explicit consent for each integration (GDPR Art. 6(1)(a)).
We never sell, share, or use these credentials outside the assistant turn that you initiated. You can disconnect any service from the Connections page; on disconnect we delete the stored credentials immediately.
For Gmail specifically we connect over IMAP/SMTP using an app password you generate yourself in Google account settings — we do not request restricted Gmail OAuth scopes and we do not transmit your Gmail data to Google verification servers.
2.5 Usage data
We log per-workspace token usage, message counts, and assistant model costs so we can bill correctly and enforce tier limits. We also log standard web access logs (IP, user agent, timestamp) for 90 days for security. Legal basis: contract performance and legitimate interest in service security (GDPR Art. 6(1)(f)).
2.6 Payment data
Payment is handled by Stripe. We never see or store your full card details; Stripe stores a customer ID and a payment method token that we use only to charge or cancel your subscription. See Stripe’s Privacy Policy.
3. Who processes your data on our behalf
We use these sub-processors. All are bound by GDPR-compliant Data Processing Agreements:
- Anthropic — provides the language model that powers the assistant. Chat content you send is transmitted to Anthropic for inference. Anthropic does not train on your data under our enterprise terms. See Anthropic Privacy Policy.
- Stripe — subscription billing and payment processing. See Stripe Privacy Policy.
- Resend — sends transactional email (welcome, receipts, password reset). See Resend Privacy Policy.
- Google Cloud / Workspace APIs — only when you explicitly connect Google Calendar / Search Console / Analytics. Access is mediated by an OAuth token you grant. See Google Privacy Policy.
- Server hosting — our backend runs on a dedicated server inside the European Union.
We do not transfer personal data outside the European Economic Area except to Anthropic (United States) under the EU-US Data Privacy Framework and standard contractual clauses.
4. How we use Google user data
When you connect Google Calendar, Search Console, or Google Analytics, you grant the assistant a refresh token with the following OAuth scopes:
https://www.googleapis.com/auth/calendar— list and create events in your primary calendar when you ask the assistant to.https://www.googleapis.com/auth/webmasters.readonly— list your verified sites and read search performance metrics.https://www.googleapis.com/auth/analytics.readonly— list GA4 properties and run reports.openid email— identify the Google account you connected.
Aimarcus B2B’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide the in-chat features you requested.
- We do not transfer Google user data to a third party except for the sub-processors named above, only as needed to provide those features.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read your Google user data, except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where it has been aggregated and anonymised.
5. Data retention
- Active workspace: we keep your data while your subscription is active.
- After cancellation: 30-day grace period during which you can re-subscribe and recover everything; afterwards your workspace and all its data are permanently deleted within 7 days.
- Backups: one rolling daily backup is retained for 7 days, then overwritten.
- Web access logs: 90 days.
- Invoices and billing records: 7 years, as required by Estonian accounting law.
6. Your rights under GDPR
You have the right to:
- Access — get a copy of the personal data we hold about you (Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure — ask us to delete your data (Art. 17).
- Restriction — limit how we process your data (Art. 18).
- Portability — receive your data in a structured, machine-readable format (Art. 20). Your chat history can be exported as Markdown from the workspace UI.
- Object — object to processing based on legitimate interest (Art. 21).
- Withdraw consent — for any integration where you granted consent, by disconnecting it from the Connections page.
- Lodge a complaint with the Estonian supervisory authority, Andmekaitse Inspektsioon (aki.ee).
To exercise any right, write to prismestonia@gmail.com. We respond within 30 days.
7. Security
Each workspace runs in its own isolated sandbox on the server. Anthropic OAuth credentials are bind-mounted read-only into the sandbox; tenant credentials are scoped to a single workspace by primary key. We use TLS for every connection, encrypted passwords at rest (bcrypt), restricted API keys where the provider supports them, and an unprivileged Linux user for the sandbox process. We monitor for unauthorised access and review logs daily.
8. Cookies
We use one essential cookie (abk_user) to keep you signed in. We do not use advertising, analytics, or tracking cookies on this domain. No consent banner is required because we operate only essential cookies (GDPR Recital 30, ePrivacy Art. 5(3) exception).
9. Children
The Service is intended for businesses and not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, write to us and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. The latest version is always at aimarcusb2b.eu/privacy. We will notify active workspaces by email at least 14 days before any material change takes effect.
11. Contact
Questions, requests, complaints — write to:
Prism Hooldus OÜ
Läänemere tee 62, Lasnamäe
13914 Tallinn, Estonia
prismestonia@gmail.com