PRIVACY POLICY

Effective date: 1st January 2026

AIMAI Ltd is committed to protecting personal data and handling it responsibly, securely and in accordance with applicable UK data protection law, including the UK GDPR and the Data Protection Act 2018.

This Privacy Policy explains how AIMAI Ltd collects, uses, stores, shares and protects personal data when you use our website, PRISM (our governed AI platform) and any related services, workspaces, assistants, tools, integrations and support services.

1. Who we are

AIMAI Ltd provides governed AI systems and related services, including PRISM, a platform designed to help organisations deploy and operate AI assistants, workflows and knowledge-led tools with governance, oversight and control.

Depending on the circumstances, AIMAI Ltd may act as:

  • Data controller, where we decide why and how personal data is processed, for example in relation to our website, account administration, support, commercial relationships and certain platform operations.
  • Data processor, where we process personal data on behalf of our clients in connection with their use of PRISM, their workspaces, assistants, knowledge, threads, integrations and related services.

2. Contact details

AIMAI Ltd
Office 18, The Globe Innovation Centre
Slaithwaite
HD7 5JN
United Kingdom

Telephone: 01484 767892
Email: info@aimai.co.uk

3. Scope of this policy

This Privacy Policy applies to personal data processed in connection with:

  • our website and related communications;
  • PRISM and associated client environments;
  • shared threads and client-level threads;
  • the PRISM Knowledge Base and client-level knowledge features;
  • Approvals, Audit records and governance features;
  • custom assistants and workflow tools;
  • admin management and partner access features;
  • in-built support and support-related communications;
  • integrations with third-party systems used as part of a client engagement; and
  • sales, onboarding, service delivery, billing and compliance processes.

4. The personal data we may collect

We may collect and process the following categories of personal data:

  • Identity data, such as name, job title, employer, username or similar identifier.
  • Contact data, such as business email address, telephone number and correspondence details.
  • Account and access data, such as login details, user role, permissions, authentication records and workspace membership.
  • Communications data, such as messages, enquiries, support requests, feedback and other correspondence.
  • Client and workspace content, such as prompts, thread content, uploaded files, knowledge entries, approvals, instructions, outputs, comments and records created or stored in PRISM.
  • Technical and usage data, such as IP address, browser type, device information, timestamps, session data, logs, diagnostics and service interaction data.
  • Transactional and commercial data, such as billing records, payment-related records, contract information and service history.
  • Marketing and preference data, such as communication preferences and records of consent or opt-out choices.

We ask clients and users not to submit special category personal data or other highly sensitive personal data into PRISM unless this is necessary, lawful, authorised and supported by appropriate safeguards.

5. How we collect personal data

We may collect personal data:

  • directly from you when you contact us, request information, engage our services or use our website;
  • from your employer or organisation when accounts, access or services are provisioned for you;
  • through your use of PRISM, including threads, knowledge features, assistants, support features and related platform tools;
  • automatically through cookies, logs, telemetry, security monitoring and other technical means;
  • from integrated third-party systems used as part of a client engagement, such as CRM, accounting, ERP or workflow tools; and
  • from service providers and business partners who support our operations.

6. How we use personal data and our lawful bases

We process personal data only where we have a lawful basis to do so. These lawful bases may include:

  • Performance of a contract, where processing is necessary to provide services, administer accounts, deliver PRISM functionality, support users or take steps before entering into a contract.
  • Legitimate interests, where processing is necessary for the operation, improvement, security, governance and support of our business and services, provided those interests are not overridden by your rights and interests.
  • Legal obligation, where processing is necessary to comply with applicable laws, regulations or lawful requests.
  • Consent, where you have given consent, for example in relation to certain marketing communications or optional cookies and similar technologies.

We may use personal data to:

  • provide, operate, maintain and improve our website and services;
  • provision and manage PRISM accounts, workspaces, permissions and environments;
  • enable the use of threads, knowledge features, assistants, approvals, audit and support functions;
  • process prompts, files, instructions and outputs within PRISM and associated AI-enabled workflows;
  • support integrations with third-party systems used by clients;
  • provide customer support, issue resolution and service communications;
  • monitor platform use, service performance, reliability and security;
  • maintain records of decisions, approvals, activity and governance actions;
  • manage commercial relationships, invoicing and payment processes;
  • send service updates and, where lawful, marketing communications; and
  • comply with legal, regulatory and contractual obligations.

7. PRISM-specific processing

PRISM is AIMAI’s governed AI platform. It is designed to support controlled, knowledge-grounded and auditable AI usage across client and organisational workflows. In connection with PRISM, personal data may be processed through the following features and capabilities:

Threads and client-level threads

PRISM enables users to create and participate in shared threads and client-level threads. These may contain prompts, responses, uploaded material, instructions, comments, decisions and other content relevant to a workflow or engagement. This information may include personal data where entered by users or received through connected systems.

Knowledge Base and client-level knowledge

PRISM may store and use organisational knowledge and client-specific knowledge to improve consistency, relevance and governance. Knowledge entries may contain personal data where this is included in source material or administrative content provided by clients or users.

Approvals

PRISM includes approval mechanisms to support review and publication controls. Approval records may contain personal data such as names, roles, timestamps, comments and decision history.

Audit

PRISM may maintain audit records relating to system use, prompts, outputs, approvals, actions taken and the context relied on at the time. These records help support security, governance, oversight, troubleshooting and accountability.

Custom assistants and workflow tools

PRISM may include custom assistants and workflow features configured for specific use cases. Personal data may be processed where it is included in prompts, source material, integrations, outputs or workflow actions.

Integrations

PRISM may connect with third-party systems used by a client, including CRM, accounting, ERP or other operational platforms. Where enabled, PRISM may receive, analyse, transform or return data, including personal data, as instructed by the client and subject to agreed controls.

Admin management and partner access

PRISM includes user, group, permission and access management features. These may process personal data such as identity, role, organisation, access level and usage history. External partner access may also be configured by clients where appropriate.

In-built support

Support requests and issue records submitted through PRISM may contain personal data, including contact details, user activity context and any content necessary to investigate or resolve an issue.

AI processing within PRISM

PRISM may use third-party AI and machine learning providers to process prompts, content, files, images or audio submitted through the platform. This processing is used to generate outputs, assist with workflows and deliver platform functionality. Clients and users are responsible for ensuring that personal data entered into PRISM is appropriate, lawful and authorised for the intended use.

8. Sharing personal data

We may share personal data where necessary with:

  • our group, advisers and professional service providers where reasonably required;
  • hosting, infrastructure, monitoring and communications providers that support delivery of our services;
  • AI and machine learning providers used to deliver PRISM and related functionality;
  • technology providers supporting source control, DNS, SSL/TLS and payment operations;
  • third-party systems integrated as part of a client engagement, where configured or authorised by the client;
  • law enforcement, regulators, courts or other authorities where required by law or to protect our legal rights; and
  • a purchaser, investor or successor in connection with a merger, acquisition, financing or sale of assets, subject to appropriate confidentiality obligations.

9. Third-party providers and sub-processors

AIMAI uses third-party providers to support the operation of its website, PRISM and related services. These currently include:

  • Amazon Web Services (AWS), including EC2, RDS, S3, SES, SNS and CloudWatch, for hosting, database, storage, email, SMS and monitoring.
  • OpenAI, for general large language model processing.
  • Anthropic, for large language model processing.
  • Google, including Imagen, for image generation.
  • Deepgram, for audio transcription and speech processing.
  • GitHub, for source code hosting and deployment support.
  • Fasthosts, for DNS and domain management.
  • Let’s Encrypt, for SSL/TLS certificate issuance.
  • Stripe, for payment processing, where implemented. This is currently planned.

Third-party connectors, such as Sage 50, CRM systems, accounting platforms and other client-selected systems, may also be integrated on a client-by-client basis. These will be disclosed or documented as applicable for the relevant engagement.

AIMAI continuously evaluates emerging AI and language model capabilities. Additional AI providers or models may be adopted over time where needed to support service quality, performance or capability. Any new sub-processors will be disclosed accordingly.

Aside from the third-party providers listed above, user management, logging, workflow orchestration and the API layer are developed and operated in-house on AWS infrastructure.

10. International transfers

Some of our service providers may process personal data outside the UK. Where personal data is transferred internationally, AIMAI takes steps to ensure that appropriate safeguards are in place, which may include the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, adequacy regulations, or other lawful transfer mechanisms recognised under UK data protection law.

11. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide services, maintain records, resolve disputes, enforce agreements, comply with legal obligations and support security, governance and audit requirements.

Retention periods may vary depending on the nature of the data, the client relationship, the service configuration and any legal or regulatory requirements. Where we act as a processor, retention is generally governed by the client’s instructions and the applicable contractual arrangements.

12. Security

AIMAI uses appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures may include:

  • access controls and permissions management;
  • authentication and account security controls;
  • environment separation and infrastructure controls;
  • encryption in transit through SSL/TLS;
  • monitoring, logging and diagnostics;
  • secure hosting and storage arrangements; and
  • governance and operational controls designed to support safe use of AI and client data.

No method of transmission or storage is completely secure, but we work to maintain a level of security appropriate to the risk involved.

13. Cookies and similar technologies

AIMAI uses cookies and similar technologies on its website and within platform environments. These may be used for strictly necessary functions such as secure sign-in, session continuity, access control, routing, remembering preferences, security, fraud prevention, diagnostics and consent recording.

We may also use analytics or embedded third-party technologies where applicable and permitted. Further information is available in our Cookie Policy.

14. Your rights

Subject to applicable law, you may have the right to:

  • request access to the personal data we hold about you;
  • request correction of inaccurate or incomplete personal data;
  • request deletion of your personal data in certain circumstances;
  • request restriction of processing in certain circumstances;
  • object to processing based on legitimate interests;
  • request transfer of your personal data where the right to data portability applies;
  • withdraw consent at any time, where processing is based on consent; and
  • lodge a complaint with the Information Commissioner’s Office.

If AIMAI is processing personal data on behalf of a client as processor, you should normally direct your request to the relevant client as controller in the first instance. We may assist our clients with such requests where required.

15. Automated processing

PRISM and related AIMAI services use AI-assisted and automated processing to analyse inputs, generate outputs, support workflows and improve operational efficiency. These tools are designed to support users and organisations, not to remove the need for appropriate human judgement where important decisions are involved.

Users and clients remain responsible for reviewing outputs and ensuring their suitability, accuracy and compliance in the relevant context.

16. Complaints

If you have concerns about how AIMAI handles personal data, please contact us using the details set out above. You also have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Website: www.ico.org.uk

17. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements or data processing practices. The most current version will be made available through our website or service environment, and the effective date will be updated accordingly.