AINOFLOW, AINOVA SYSTEMS – PRIVACY POLICY

Last Updated: September 14, 2025

Your privacy is important to us. This Privacy Policy explains how Ainova Systems, MB ("Ainova Systems", "we", "us" or "our") collects, uses, discloses, and safeguards information about you in connection with our software-as-a-service platform and website (collectively, the "Service"). It also describes your rights and choices regarding your personal data. We are committed to processing personal information in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

For purposes of EU data protection law, Ainova Systems, MB (Registration code 307008771) with registered address at Neries g. 25A, Nemenčinė, LT-15171 Vilnius district, Lithuania, is the "data controller" of personal data we collect directly from our users (such as account information). When you use our Service to process Personal Data on behalf of others (e.g., your end users or employees), you act as the data controller and we act as a "data processor". In such cases, we provide a Data Processing Addendum (DPA) upon request, which governs our processing on your behalf. In the absence of a countersigned DPA, we handle any Personal Data contained in User Content in line with GDPR as a processor, as further detailed in our Terms of Service. You can contact us with any privacy-related questions at legal@ainovasystems.com or using the contact details provided at the end of this policy.

1. INFORMATION WE COLLECT

We collect several types of information from and about users of our Service, including:

Personal Identifiers and Contact Information: When you create an account, we collect information such as your full name, email address, and country of residence. While our system supports storing additional profile information like organization name, phone number, or job title, these fields are optional and not currently collected during registration. If we add profile update functionality in the future that allows you to provide this additional information, we will collect it at that time. This information is collected directly from you during account registration or when you update your user profile.

Account Credentials: If you register with an email and password, your credentials are handled by our authentication service provider (Supabase). The password is transmitted securely to the authentication service where it is hashed using industry-standard algorithms (bcrypt) before storage. We never receive or store your plain text password in our application database. If you use a third-party authentication (single sign-on) to register (e.g., signing in with Google or other identity providers), we receive basic profile information from that provider (such as your name and email) as permitted by your settings with the provider. We do not receive or store your third-party login passwords.

Payment and Subscription Information: When you subscribe to a paid plan, our payment processor (Stripe) will collect your payment card details and billing information, including billing country. We do not store full credit card numbers or billing addresses on our servers; however, we keep records of your subscription plan, the price paid, and transaction dates. We may also store a payment "customer ID" or subscription ID associated with your account (as provided by the payment processor) and the last four digits of your card or card type and expiration (for reference). If your company enters into an enterprise agreement with us, we may collect additional billing contact information such as your company's address, tax ID/VAT number, and contact persons for invoices.

Usage Data: We automatically collect information about how you interact with our Service. This includes:

Log Data: When you use our API or web app, we record technical details in log files. This includes your IP address, user agent string (which contains information about your browser type, device type, and operating system), and timestamps of requests. We also log API endpoint calls or web page requests, the parameters or file sizes involved, response times, duration in milliseconds, and status codes.

Usage Metrics: We track usage metrics associated with your account, such as the number of API calls used in a billing cycle, the volume of data processed, and the amount of storage you are using on our platform. This helps enforce plan limits and also allows you to view your own usage statistics. These usage stats are associated with your user ID and subscription ID.

User Activity Data: Our system may record certain actions you take within the Service (e.g., uploads, downloads, edits, or settings changes) and the corresponding timestamps. If we provide a web dashboard, we may record your last login time and activity for security purposes. Additionally, for API usage, we may record details of each API request in an activity log (including which API key was used, the product or service accessed, the operation performed, the request IP address, user agent string of the client, the duration of the request, and associated job identifiers for tracking purposes). This information is used to monitor for abuse, troubleshoot issues, and generate usage reports for you.

Cookies and Similar Technologies: When you visit our website or web app, we use cookies and similar tracking technologies to collect information about your usage and preferences. This may include your language preferences, session token (to keep you logged in), and analytics data. We describe this in more detail in the Cookies section below.

Support and Communications: If you contact us for support or with inquiries (via email, contact form, or chat), we will collect the information you choose to share in that correspondence. This could include your contact details (email, phone), the content of your messages, and any attachments or screenshots you send. We will also keep a record of our communications with you (including any support tickets or email threads) to better assist you in the future.

User Content: As described in the Terms of Service, if you upload documents, images, or other data to be processed by the Service, we will process and store that content as necessary to provide the Service to you. This may include personal data contained within those documents. We treat such content as confidential and do not use it for purposes other than delivering and improving our Service, as explained further below.

Sensitive / Prohibited Data. You must ensure you have the right to upload any Personal Data in your documents and that it is lawful for us to process it on your behalf. Our Service is not intended for Special Categories of Personal Data (GDPR Art. 9) or for data under Art. 10. Do not upload such data. If you intentionally wish to submit Art. 9/10 data, you must first obtain our written approval and a countersigned DPA amendment and provide documented instructions identifying the legal basis (Art. 6 + applicable Art. 9(2)/Art. 10), purposes, retention, and security. Absent these steps, we will not process such data; if submitted inadvertently, we will restrict processing and delete it upon notice.

Information from Third Parties: In some cases, we may obtain information about you from third-party sources. For example, if you were referred to our Service via a partner or signed up through a third-party platform, they might send us your name and email to help onboard you. If you integrate our Service with a third-party service, we may receive certain information from that integration (but only as necessary and authorized by you). Additionally, our payment processor might provide us confirmation of your payments or updates to your payment status. We treat information from third parties according to the same privacy protections as information you provide directly.

We do not collect or process Special Categories of Personal Data (as defined in GDPR Art. 9) such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, data concerning sex life or sexual orientation, nor data relating to criminal convictions and offences (Art. 10). Such data is prohibited on our Service by default. If you inadvertently upload documents containing such data, we will restrict processing and delete it upon notice. Processing of Art. 9/10 data is only permitted with our prior written approval through a countersigned DPA amendment and proper documented instructions as described in Section 1. We do not intentionally collect any information from children under the age of 16 (see Children's Privacy below).

2. HOW WE USE YOUR INFORMATION

We use the collected information for the following purposes, in accordance with applicable legal bases:

To Provide and Maintain our Service: We process your data in order to deliver the features and functionality of the Service you have requested. This includes using your uploaded documents or data to perform AI-based processing and automation workflows and returning results to you, maintaining your account and preferences, and providing cloud storage for your processed files as part of the Service. We process personal data for these purposes as it is necessary to perform our contract with you (Art. 6(1)(b) GDPR) to provide the Service you have requested.

To Manage Your Account: We use your account data (like name, email, and country) to identify you as a user and provide you with account-related functionalities. For example, your email is used as your login identifier and for account verification. Country information helps us comply with tax requirements (such as VAT) and regional regulations. Managing your account also involves maintaining your subscription status, applying any usage bonuses or beta perks, and migrating you to appropriate plan types if needed (for instance, if you are in a legacy plan that is being phased out). This processing is also under our contract obligations to you.

Payment Processing and Order Fulfillment: We use your payment and subscription information to process transactions, manage billing, and fulfill the subscriptions you purchase. For instance, we will remind you of upcoming renewals, send invoices or receipts, and alert you of any billing issues. Payment card data is handled by our payment processor, but we maintain records of your subscription and payments for accounting and to provide you with customer support. Processing payments is necessary to perform the contract (providing the paid Service) and to comply with legal financial obligations (Art. 6(1)(b) and (c) GDPR).

Communication: We use your contact information to communicate with you about the Service. This includes transactional communications (emails or in-app notifications about account activity, password resets, billing invoices, plan changes, expiration of trials, security alerts, etc.) and Service updates (e.g. notifying you of new features, maintenance downtime, or changes to our policies). These are necessary for performing our contract and/or based on our legitimate interest in keeping you informed about the Service. If you contact us with a support request, we will use your contact information and support history to assist you. We may also send customer satisfaction or feedback requests after support interactions to improve our service quality (based on our legitimate interests in enhancing customer experience).

Improvement and Development: We may use data about how users interact with our Service (such as usage data, logs, feedback, and aggregated patterns) to understand usage trends and to improve our Service. For example, we might analyze which features are most or least used, how our AI accuracy performs on different types of documents, or troubleshoot technical issues using log data. We might keep track of errors or failures to identify bugs. We use aggregated or anonymized data whenever possible for these purposes. In some cases, we may use your personal data (like your usage history) internally to tailor the Service to your needs or develop new features that would benefit users. The legal basis for this is typically our legitimate interests (Art. 6(1)(f) GDPR) in improving and ensuring the quality of our Service, ensuring network and information security, and developing new offerings. We take into account your privacy rights and will not use personal data for improvement purposes if our interests are overridden by the impact on you (we mainly use de-identified data here).

Marketing and Newsletters: We may use your email address to send you promotional communications or newsletters about our new products, services, surveys, or events, but only if you have opted-in to such communications or if you are an existing customer and we are allowed by law to send you information about similar services. For example, if you provided consent (Art. 6(1)(a) GDPR) to receive our newsletter, we will use your name and email to send you periodic updates. If you are a customer, we might rely on our legitimate interest to inform you of product updates or upgrades related to the Service you already use, but you will always have the opportunity to opt-out. We will include an unsubscribe link in any marketing email, and you can opt out at any time. We do not spam, and we generally keep marketing communications at a reasonable frequency. (Note: Transactional or service-related communications are not considered marketing and cannot be opted out of, except by canceling the Service, because they are necessary for the functioning of the Service.)

Security and Abuse Prevention: We process personal data (like IP addresses, log-ins, and usage patterns) to monitor for and prevent fraudulent, abusive, or unlawful activity on our Service. This includes detecting suspicious behavior (such as logins from unusual locations, bots scraping data, or excessive requests that may indicate abuse of the API) and ensuring users comply with our Terms of Service. We may use automated tools to flag accounts or activities that could threaten the security, integrity, or availability of our Service, and in some cases, we might review logs manually to investigate a violation. This processing is based on our legitimate interests in protecting our Service and users, as well as legal obligations to maintain a secure environment (GDPR Art. 6(1)(c) and (f)). For example, we may block an IP that is making repeated unauthorized access attempts, or we may temporarily suspend an account that appears compromised. We may also use data (like your reported location vs. login location) to verify accounts and prevent identity theft or account sharing beyond allowed use.

Legal Compliance: We may use or disclose your information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities. For instance, we may retain and produce logs or account information if required by law enforcement with the proper authority. We also process certain data to comply with financial and tax regulations (e.g., maintaining transaction records for accounting and auditing). This processing is based on legal obligations (Art. 6(1)(c) GDPR) or our legitimate interest in cooperating with legitimate legal processes.

Business Transfers: If we are involved in a merger, acquisition, bankruptcy, restructuring, or sale of all or a portion of our assets, personal data may be transferred to a successor or affiliate as part of that transaction. In such cases, we would ensure the protection of your information and notify you of any change in data controllers or use of your personal data, either by email and/or a prominent notice on our website. The new entity would continue to honor the commitments we have made in this Privacy Policy (unless you are notified otherwise and consent to any changes). Such processing is based on our legitimate interest in business continuity or may be necessary in anticipation of a contract with the new entity.

Other Purposes with Consent: If we want to use your information for a purpose not covered by the above, we will explain it to you at the time and, if required by law, obtain your consent. For example, if we ever wanted to feature your success story or logo on our website, we would ask for your permission. You have the right to withdraw any consent you have given at any time, which will not affect the lawfulness of processing based on consent before its withdrawal.

We do not engage in automated decision-making, such as profiling, that produces legal effects concerning you or similarly significantly affects you, without human involvement. Any automated processing we do (like spam detection or usage limit enforcement) has human oversight and is primarily aimed at improving service reliability.

3. HOW WE SHARE OR DISCLOSE INFORMATION

We treat your personal information with care and do not sell it to third parties for their own marketing purposes. We only share information in the following circumstances:

Service Providers (Processors): We employ third-party companies and individuals to facilitate our Service, to provide certain functions on our behalf, or to perform services related to the Service (collectively "Service Providers"). These include, for example, cloud hosting providers, data center or server providers, authentication services, payment processors, email service providers, analytics services, customer support software, etc. These Service Providers only receive the personal data necessary for them to perform their specific services, and they are contractually bound to process that data on our behalf and under our instructions, in compliance with this Privacy Policy and applicable data protection laws.

Key Service Providers include:
• Supabase (Authentication & Database, EU Central): Handles user authentication, password storage, user sessions, and provides our platform database infrastructure. Your account credentials and profile data are processed through Supabase's secure infrastructure in the EU Central region (Frankfurt, Germany).
• Hetzner (Complete Infrastructure, Germany/EU): Hosts our complete platform infrastructure including frontend, backend services, and stores processed documents, OCR results, user-uploaded files, and user sessions in EU-based data centers.
• Cloudflare (Network Services): Provides network security, DDoS protection, and content delivery for our services.
• Stripe (Payment Processing): Processes all payment transactions. Your billing information is transmitted securely to Stripe, which handles payment processing under their own privacy policy.
• Brevo (Email Services, France/EU): Manages our email communications including transactional emails (password resets, notifications) and marketing communications if you've opted in.
• We may use analytics providers on our marketing website to understand usage patterns (see Cookies section for details).
• Professional service providers (such as accounting or legal advisors) may process data when necessary for business operations, under strict confidentiality agreements.

For a current and complete list of all sub-processors, including their locations and the types of data they process, please visit our Data Processors page at https://www.ainoflow.io/legal/subprocessors.

We ensure that each Service Provider is subject to appropriate contractual obligations regarding data protection, confidentiality, and security. We remain responsible for the handling of your personal data by these Service Providers acting on our behalf.

Within Our Corporate Group: If Ainova Systems in the future has any parent companies, subsidiaries, joint ventures, or other companies under common control (collectively, "affiliates"), we may share personal data with those affiliates, in which case we will require them to honor this Privacy Policy. For example, if we establish a subsidiary in another country to help provide customer support or development, that subsidiary might access user data in order to perform those roles, but it would do so under strict privacy and security practices overseen by Ainova Systems.

Business Transfers: As mentioned earlier, if we undergo a business transaction like a merger, acquisition by another company, reorganization, or sale of all or a portion of our assets, your personal data may be among the assets transferred to the acquiring entity. In such an event, we will ensure that the successor entity is either contractually obliged to handle your personal data in accordance with this Privacy Policy or will seek your consent if required. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data in such a scenario.

Legal Compliance and Protection of Rights: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, including lawful requests by public authorities (e.g., a court order, subpoena, or regulatory demand); (b) protect and defend the rights, property, or safety of Ainova Systems, our customers, or others; (c) investigate or assist in preventing any violation of law or these Terms of Service; or (d) protect against legal liability. For instance, we might release information to law enforcement regarding fraudulent or illegal activity, or we might use or disclose information in connection with enforcing our agreements or addressing security breaches or technical issues. We will, when permissible, attempt to limit the scope of disclosure to what is strictly necessary and, when feasible, will inform you of such disclosures.

Your Explicit Consent or Direction: We will share your personal data with third parties in instances where you explicitly ask or direct us to do so. For example, if the Service allows you to integrate with a third-party application (like if you connect our platform to a third-party storage service or workflow via an API), we will send your data to that third party at your direction. Likewise, if you request that we share your information with a partner or for a particular promotional event, we will do so with your consent.

Aggregated or De-Identified Data: We may also share information that has been aggregated or anonymized in such a way that it cannot be used to identify you. This type of information is no longer considered "personal data." For example, we might publish reports or insights such as "average number of documents processed per user" or "percentage of users by industry," as long as those reports contain no personal details. We may share such aggregated statistics publicly or with partners to showcase usage patterns or the effectiveness of our Service, but they will not contain any data that could be linked back to any individual user or customer.

Importantly, we do not sell your personal data to third parties for their own marketing or commercial purposes. We do not share your information with advertisers or ad networks. Any third-party cookies or analytics on our site are there for our use and analytics (see below), not to advertise to you by others.

4. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies on our website and web-based interface to ensure the Service functions correctly and to enhance your user experience. A "cookie" is a small data file that is placed on your device (computer or mobile) when you visit a website. We use the following categories of cookies:

Essential Cookies: These are necessary for our site and Service to operate properly. For example, when you log in, we use a session cookie to keep you logged in as you navigate between pages. Essential cookies might also be used to remember your preferences (like language or display settings) or to provide core features like account authentication and security. Without these cookies, certain functionalities would not work. Because they are necessary, they are used without requiring consent (though you can still block them via browser settings, but be aware the site may not work then).

Analytics and Performance Cookies: We use these to collect information about how users visit and use our website, which pages are popular, and how users move through the site. This helps us improve the design and performance of our site and Service. For example, we use Google Analytics (a web analytics service) which sets cookies to gather usage data (such as your IP address, browser type, referring page, and time of visit). We have configured Google Analytics in a privacy-friendly manner (IP anonymization where applicable, and not sharing data with Google for their own purposes). The information collected is aggregated and does not directly identify individual visitors. The legal basis for these analytics cookies is your consent, where required by law (e.g., in the EU, we will request consent via a cookie banner for non-essential cookies). You can opt-out of Google Analytics by installing a browser add-on or through our cookie preference tool if available.

Functionality Cookies: These cookies allow our site to remember choices you make (such as your region or other personalized settings) and provide enhanced features. For instance, if we offer a "remember me" option at login, a cookie will store your login so you don't have to re-enter credentials each time.

Advertising Cookies: We do not use advertising cookies or third-party targeted advertising on our Service. We currently do not partner with ad networks or serve targeted ads, so our site should not place ad-tracking cookies on your browser. If this changes in the future, we will update this policy and seek any necessary consents.

Cookie Preferences: When you first visit our site from certain regions (like the EU/EEA), you will see a cookie notice or banner that gives you the option to accept or reject non-essential cookies. You can manage your cookie preferences at any time by clicking the "Cookie Settings" link (typically in the footer of the site) or by adjusting your browser settings to refuse cookies. Most web browsers allow you to control cookies through their settings preferences. However, if you choose to block or delete cookies (especially essential ones), some features of the Service may not function properly. For example, you might not be able to log in or use certain interactive features.

Do Not Track Signals: Some browsers offer a "Do Not Track" (DNT) feature that, when enabled, signals to websites that you do not wish to be tracked across sites. Currently, there is no uniform standard for how to respond to DNT signals, and we do not respond to them in a specific way. However, as described above, you can opt-out of certain tracking (like Google Analytics) and control cookies through other means. We will update our practices if a standard emerges for recognizing DNT signals.

5. DATA STORAGE AND INTERNATIONAL TRANSFERS

Data Storage Location: We primarily store and process personal data on servers located in the European Union. Our main infrastructure is [for example] hosted in data centers in the EU (e.g., in Germany or Ireland). However, depending on the Service Providers we use, your data may also be transferred to or accessed from countries outside of your own. For instance, our company's team members might access the data remotely if they are traveling or located outside the EU, or we might use a service provider based in the United States for certain functionality (such as email delivery or support).

International Transfers: Whenever we transfer personal data out of the European Economic Area (EEA) or other regions with data transfer restrictions, we will ensure that appropriate safeguards are in place to protect it. For example, if we transfer data to the United States or another country that is not deemed to have "adequate" privacy protections by the EU, we will use one of the following legal mechanisms:
- Standard Contractual Clauses (SCCs): We may incorporate the European Commission's approved standard contractual clauses into our contracts with recipients of the data (these clauses contractually bind the recipient to protect the data according to EU privacy standards).
- Adequacy Decision: If the country has been formally recognized by the European Commission as having an adequate level of data protection (an adequacy decision), we rely on that (for example, transfers to the UK under the EC's adequacy decision).
- Binding Corporate Rules: Though we are a small company and don't have BCRs currently, if we were part of a larger corporate group with approved binding corporate rules, we could rely on those.
- Other Lawful Grounds: In limited cases, we might rely on a GDPR derogation such as where the transfer is necessary for the performance of a contract with you, or you have explicitly consented to the transfer after being informed of the risks.

You can contact us for more information on the specific mechanism used for a given transfer. We are happy to provide a copy of the relevant contractual safeguards upon request.

Despite the safeguards in place, please note that when data is stored or processed in another country, it may be subject to the laws of that country (for instance, governments, courts, or law enforcement agencies in that country might be able to access it through their local laws). In such cases, we will assess any potential impact on your rights and take measures to ensure that any such access complies with applicable data protection laws.

6. DATA RETENTION

We retain personal data for only as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, and to comply with legal or accounting requirements. The exact retention period will depend on the type of information and the context in which it's used. Below we outline the general categories and retention schedules:

Account Information: We retain your account registration information (like name, email, country, and account credentials) for as long as your account is active. If you delete your account or it becomes inactive, we will typically delete or anonymize this information within a reasonable period after account deletion or inactivity (generally within 30-90 days), except where we need to keep it for legitimate business or legal purposes. For example, even after an account is deleted, we may keep a record of your email address or account ID in our suppression list to ensure we do not inadvertently recreate your account or send you emails, and to honor your opt-out preferences. We may also retain account data as needed for fraud prevention or to enforce our Terms (e.g., to detect if a banned user is trying to re-register).

User Content and Stored Data: Documents and data you upload to the Service (and resulting outputs) are stored for your use during the life of your account. If you delete specific documents or files from the Service, we will remove them from active systems promptly (subject to any retention setting you control, if applicable). If you delete your account entirely, the content associated with your account will be deleted or anonymized typically within 30 days of account deletion, and any backups will be deleted within an additional 30-60 days (some backups may be retained slightly longer, but they are protected and eventually cycle out). We will not retain your files longer than necessary. If our Service offers a "trash" or archive from which you can recover deleted files for a period, then those files will be permanently deleted after the retention period unless you recover them. In some cases, if a file is subject to investigation for a potential policy violation, we might retain it until the investigation is resolved.

Subscription and Payment Records: We retain records of transactions, invoices, and payments for as long as required by tax and accounting laws. In Lithuania and under EU law, for example, financial records may need to be kept for 5-10 years for auditing purposes. These records will include personal data like your name, company name (if applicable), billing address (if provided), and transaction amounts. We securely store this data and limit its use to fulfilling legal obligations and financial audits.

Usage Logs: We retain server logs and API usage logs containing IP addresses, device information, and activity data for a certain period to aid with troubleshooting, security analysis, and usage analytics. Typically, raw logs with personal data are kept for a short period (e.g., 30 days) unless required longer for security (for instance, logs of sign-in attempts might be kept for a few months to investigate brute force attacks). We may retain aggregated or anonymized log information (stripped of personal identifiers) for a longer period for analytical purposes.

Support Tickets and Communications: If you contacted us for support or inquiries, we may retain those communications and our responses for up to 2 years (or longer if legally required) after the issue was resolved. This helps us in case of follow-up issues and for training and quality assurance. If you want us to delete support emails that contain personal data, you can request it, and we will do so unless we have a lawful reason to keep them (e.g., a dispute record).

Marketing Data: If you have subscribed to our newsletter or other marketing communications, we will retain your contact information until you unsubscribe or ask us to delete it. Upon unsubscribe, we will place your contact in a suppression list to ensure we respect your opt-out. We may still retain information about your consent or opt-out for compliance purposes.

Legal Obligations and Disputes: We may need to retain certain information for longer periods if required by law (e.g., to comply with regulatory data retention obligations) or if needed to resolve disputes or enforce our agreements. For example, if we are involved in litigation or receive a legal hold notice related to your account, we will preserve relevant information until the issue is resolved.

When we have no ongoing legitimate need or legal obligation to process your personal data, we will either delete it or anonymize it (so that it can no longer be associated with you). For example, we may convert certain data to aggregated statistics that no longer identify you, which we might use for analysis.

Please note that even after deletion from our active databases, deleted data may persist in backups for a limited time until those backups are rotated out or overwritten. We have backup deletion policies to ensure old backups are eventually deleted or anonymized as well. During the retention period in backups, we maintain the security of that data and do not use it for any active purpose.

If you have any specific questions about our data retention policies (for example, if you want to know if your data from a certain time still exists in our systems), please contact us.

7. YOUR RIGHTS AND CHOICES

As our Service is focused on the EU market, we comply with the rights afforded to individuals under the GDPR and similar data protection laws. Depending on your location and subject to applicable law, you have the following rights regarding your personal data:

Right to Access: You have the right to request confirmation of whether we are processing personal data about you, and if so, to request a copy of that personal data, along with information about how we use and share it. We will provide you with a copy of your data in a commonly used electronic format, unless providing it would adversely affect the rights and freedoms of others. For example, you can request a copy of the information we have on your account and usage.

Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. If any of your information (such as name or email) changes or is incorrect, you can update it in your account settings. If any other data is inaccurate, please contact us and we will rectify it.

Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. For instance, if the data is no longer necessary for the purposes it was collected, or if you have withdrawn consent (where the processing was based on consent) and we have no other legal basis to continue processing, or if you object to processing and we have no overriding legitimate grounds. Please note that this right is not absolute – we may retain certain information if necessary for legal obligations or legitimate interests (see Data Retention above). If you want to delete your account, you can do so from the account settings, which will remove most of your data. For any additional data erasure requests, contact us and we will evaluate and comply if appropriate. Upon successful deletion, your data will be removed from our active systems and we will also instruct any third parties (Service Providers) where possible to delete your data.

Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data under certain conditions. This means we would mark the data to be limited to certain uses. For example, if you contest the accuracy of your data, you can request restriction while we verify the accuracy; or if you object to our processing based on legitimate interests, you can request restriction pending verification of our grounds. Restriction might also apply if processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you need it for a legal claim. During restriction, we will store your data but not use it except for the limited reasons allowed (such as with your consent or for legal claims, etc.).

Right to Data Portability: For data that you have provided to us and that we process by automated means based on your consent or a contract, you have the right to request that we provide it to you in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller (or have us transfer it, where technically feasible) directly. In practical terms, this could apply to account data or certain usage data you provided. We will assist with such export to the extent possible (for example, providing a CSV or JSON export of your data upon request).

Right to Object: You have the right to object to our processing of your personal data where that processing is based on our legitimate interests (or those of a third party) or where we are processing for direct marketing purposes.

Direct Marketing: You can always opt-out of direct marketing communications – if you object, we will cease processing your data for marketing purposes immediately.

Legitimate Interest Processing: You may object to processing based on legitimate interests on grounds relating to your particular situation. We will then consider whether our compelling legitimate grounds override your interests, rights, and freedoms. If they do not, we will stop that processing. For example, if you object to certain analytics tracking because of your personal situation, we will evaluate and comply unless we have a strong reason not to.

Right to Withdraw Consent: If we rely on your consent for any processing of personal data, you have the right to withdraw your consent at any time. For instance, if you consented to receive newsletters, you can unsubscribe (withdrawing consent for marketing emails). If you consented to optional cookies, you can change your cookie settings and we will stop using those cookies. Note that withdrawing consent does not affect the lawfulness of processing we conducted based on consent before its withdrawal. Nor does it affect processing under other legal bases.

Right not to be subject to Automated Decision-Making: We do not engage in solely automated decision-making, including profiling, that produces legal or similarly significant effects on you. If that changes, you would have rights related to not being subject to such decisions without human intervention and to express your point of view.

To exercise any of these rights, you can contact us at legal@ainovasystems.com or through the contact details provided in this policy. We may need to verify your identity before fulfilling certain requests (to ensure that the person making the request is actually you). For example, we may ask you to provide information that matches our records or to use your account email to send the request. We will respond to your request within one month, or inform you if we need more time (up to an additional two months for complex requests). If we cannot fulfill your request (e.g., due to legal obligations), we will explain the reasons in our response.

There is generally no fee for exercising your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive), we may either charge a reasonable fee or refuse to comply, as permitted by law. We will of course inform you of any such decision.

Your Choices: In addition to the formal rights above, we offer the following practical choices:

Access and Update: You can review and update certain personal data directly by logging into your account settings. For example, you can change your email, name, or password. If any other information we have about you needs to be updated, please let us know. Keeping your data accurate helps us serve you better.

Marketing Preferences: As mentioned, you can opt out of marketing emails by using the "unsubscribe" link in those emails or by contacting us. You can also contact us to opt out of any other marketing (such as postal or phone, though we currently do not do those). Please note that even if you opt out of marketing, we will still send you important service and account-related messages as long as you have an account with us (e.g., password resets, billing notices, etc.).

Cookie Controls: You have control over cookies as described in the Cookies section. You can refuse non-essential cookies via our cookie banner or adjust your browser settings.

Do Not Provide Optional Data: You have the choice not to provide certain information. For instance, any profile fields not marked as required can be left blank. You can choose not to upload certain content to the Service if you're concerned about it. However, please understand that some functionality may be limited if you choose not to provide information that is necessary for that functionality (e.g., you can't use the Service without providing an email address).

Closing Your Account: If you wish to discontinue using the Service, you can delete your account via the account settings. This will remove your personal data as outlined in our Data Retention section. Keep in mind that once your account is deleted, we cannot recover it or the data associated with it (aside from what might remain in backup for a short period). If you change your mind, you might have to sign up again as a new user.

Complaints: If you believe that we have infringed your privacy rights or violated data protection laws, you have the right to lodge a complaint with a supervisory authority (data protection authority) in your country of residence, place of work, or where the incident took place. For example, if you are in the EU, you can contact your country's data protection authority. In Lithuania, our lead supervisory authority is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija). We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so we encourage you to contact us first and we will do our best to resolve the issue.

8. DATA SECURITY

We take the security of your personal data seriously and have implemented appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

Encryption: All data transmitted between your device and our Service is protected using HTTPS/TLS encryption. This means that any personal data you send us (like your login credentials or documents for processing) is encrypted in transit, preventing eavesdropping. We also encrypt sensitive data at rest in our databases and storage. Passwords are managed by our authentication service (Supabase Auth) which hashes them using bcrypt before storage, and other sensitive fields are encrypted on disk.

Access Controls: We limit access to personal data only to those employees, contractors, and Service Providers who need to know that information to operate, develop, or improve our Service. Access to backend systems and databases is restricted via role-based access control and requires strong authentication (e.g., SSH keys, VPN, multi-factor authentication). Our staff are trained on the importance of confidentiality and are contractually bound to protect user data.

Network and Application Security: Our servers are protected by firewalls and monitoring systems to detect and prevent unauthorized access. We regularly update our software and infrastructure to address security vulnerabilities (applying patches and using secure configurations). We conduct periodic security audits, code reviews, and testing (including employing security tools and possibly third-party penetration tests) to identify and fix potential weaknesses.

Data Isolation: Each user's data is logically separated from others. For example, your account's data and documents are tagged with your user ID, and our application enforces access controls so that only you (or authorized processes) can access them. In multi-tenant storage, we design our queries to ensure one customer cannot see another's data.

Monitoring and Logging: We maintain logs of system activity and monitor for suspicious patterns (as noted in earlier sections). This can help us detect if someone is attempting unauthorized access or if any unusual activity is occurring on accounts. We utilize intrusion detection and prevention systems where appropriate.

Backups and Recovery: We perform regular backups of critical data to ensure we can recover from any data loss scenario. Backups are encrypted and stored securely (often in separate geographic locations for resilience). We have disaster recovery plans and aim to ensure continuity of the Service.

Physical Security: To the extent that we use third-party data centers (cloud providers), those data centers have robust physical security controls (guarded facilities, biometric access, etc.). Our own devices and offices are protected as well — for instance, employee laptops are encrypted, and any physical documents (rarely used) are kept secure or destroyed.

While we strive to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security. For example, despite our efforts, there could be a zero-day exploit or a breach at a third-party provider that affects data. We continuously update our security measures to mitigate new threats, but you should also play a role in protecting your data.

Your responsibility: Keep your account credentials confidential. Do not share your password or API keys. Use a unique, strong password for our Service and change it periodically. If you suspect any unauthorized access to your account, notify us immediately. Also, be aware of phishing attempts – we will never ask you for your password via email. Always make sure you are interacting with our official website or application.

In case of a data breach that is likely to result in a high risk to your rights and freedoms (for example, if we discover that personal data has been compromised), we will inform you and the relevant supervisory authorities as required by law. We have an incident response plan to handle such situations, which includes identifying and containing the breach, assessing the risk, notifying users and authorities as needed, and taking steps to prevent future incidents.

9. THIRD-PARTY LINKS AND SERVICES

Our Service or website may contain links to third-party websites, products, or services (for example, a link to our blog hosted on another platform, or a documentation site, or social media pages). Additionally, you might integrate our Service with third-party services via our API or through plugins. This Privacy Policy does not cover any third-party sites or services. If you follow a link to any third-party website or service, please note that those have their own privacy policies and we do not accept any responsibility or liability for their content or practices. For instance, if you click a link to an article on another company's site, any data they collect from you is governed by their policy, not ours. We encourage you to read the privacy policies of every site you visit or service you use.

Third-Party Integrations: If our Service integrates with third-party services (for example, if you choose to export data to Google Drive or import from Dropbox, etc.), any data that is shared with those services will be subject to that third party's terms and privacy policy. We will only share data with third parties that you explicitly direct us to, as part of the Service's functionality. For example, if you direct us to send the processed result to a third-party application, we will do so, but at your direction and understanding that the third party will then handle that data under their policies.

We are not responsible for the privacy practices or content of any third-party services. However, if you have a concern about a third-party link or integration on our Service (for example, if you believe one of our partner's apps is misusing data), please let us know and we will help to address it as best as we can.

10. CHILDREN'S PRIVACY

Our Service is not directed to children under the age of 16 (and in certain jurisdictions, this age may be lower – we choose 16 to be consistent with GDPR where the default age for consent is 16). We do not knowingly collect personal data from anyone under 16 years old. If you are under 16, please do not use the Service or provide any personal information to us. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and you discover that your child under 16 has provided personal information to us, please contact us immediately at legal@ainovasystems.com. We will investigate and delete the data as required. Given the nature of our Service (which is business and productivity focused), it is very unlikely to attract young children, but we nonetheless take this obligation seriously.

For users in certain jurisdictions with higher age thresholds (for example, some EU member states may set the age of digital consent at 13, and COPPA in the US is under 13), we abide by those requirements. Generally, no one under 13 should use our Service in any case. Teenagers aged 16 or 17 should only use the Service with appropriate consent if required by local law or with the involvement of a parent/guardian as necessary.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time in response to evolving legal, technical, or business developments. When we update the policy, we will revise the "Last Updated" date at the top. If we make material changes to how we handle personal data, or changes that significantly affect your rights or obligations, we will take additional steps to inform you: for example, by prominently posting a notice of such changes on our website or by directly sending you a notification via email or within the Service. We will do so prior to the change becoming effective, so you have time to review the changes.

We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. Your continued use of the Service after the effective date of an updated Privacy Policy will constitute your acknowledgment of the changes and agreement to be bound by the terms of the updated policy. If you do not agree to the revised policy, you should discontinue use of the Service and may request us to delete your data as per Section 7 (Your Rights).

12. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:

Ainova Systems, MB
Attn: Data Protection Officer
Address: Neries g. 25A, Nemenčinė, LT-15171 Vilnius r., Lithuania
Email: legal@ainovasystems.com

We will respond to your inquiries as soon as possible and within any timeframe required by law. Our team is primarily based in the EU, so you can expect a response during EU business hours. We are dedicated to respecting your privacy and ensuring the security of your personal data, and we welcome feedback on how we can improve our policies and practices.

Thank you for trusting Ainova Systems with your documents and data. We value your privacy and are committed to safeguarding it as we provide you with our Service.