Privacy & Data Policy

Innovation Mode Limited ("Company," "we," "us," or "our"), a company registered in Ireland (Company Registration Number: 785034), operates Ainna, accessible at ainna.ai. Ainna is an AI-powered opportunity discovery platform built for Product Managers and business professionals. This Privacy & Data Policy ("Policy") describes how we collect, use, store, share, and protect your personal data when you use our Service.

We are committed to protecting your privacy with transparency and care. Ainna was built with a privacy-first approach because we understand that you share sensitive, competitive information with us—product strategies, market insights, early-stage concepts. Your ideas stay yours alone.

Our core privacy commitments:

• We do not train AI models on your data

• We do not sell, rent, or trade your personal information

• We do not monitor or scan your content

• We host all data in EU data centres, subject to GDPR

• We automatically delete Idea data after 180 days of inactivity

• We offer hard deletion on request—no backups retained

Ainna is designed to forget. We retain only what's needed, for as long as it's useful.

This Policy applies to all users of Ainna, including visitors to our website, registered users, and paying customers. By using Ainna, you agree to the collection and use of information in accordance with this Policy.

Please read this Policy carefully alongside our Terms of Service. If you do not agree with our practices, please do not use our Service.

Questions about privacy? See How to Contact Us.

For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller is:

Innovation Mode Limited
Company Registration Number: 785034
Registered Office: 51 Bracken Road Dublin 18, D18 CV48, DUBLIN
Ireland
Email: privacy@ainna.ai

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing complies with applicable data protection laws.

We are registered in Ireland and subject to oversight by the Irish Data Protection Commission (DPC). We have built GDPR compliance into how Ainna works—not as an afterthought, but by design.

If you have any questions about this Policy or our data practices, or if you wish to exercise your data protection rights, please see How to Contact Us.

To help you understand this Policy, here are definitions of key terms. These align with the definitions in our Terms of Service and, where applicable, the General Data Protection Regulation (GDPR):

"Personal Data" means any information relating to an identified or identifiable natural person. This includes your name, email address, profile information, payment details, device identifiers, and usage data.

"Data Subject" means the individual to whom Personal Data relates—in this Policy, that means you.

"Special Categories of Personal Data" means sensitive data such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. Ainna does not intentionally collect or process Special Categories of Personal Data.

"Inputs" means all information, ideas, data, and content you provide to Ainna during your use of the Service, including your product concepts, business information, and strategic details.

"Outputs" means all documents, presentations, assessments, and other materials generated by Ainna based on your Inputs, including Product Packs.

"Product Pack" means a complete documentation suite generated by Ainna, which may include pitch decks, PRDs, executive summaries, and related strategic materials.

"Idea" means a product framing session within Ainna, including all associated conversations, assessments, and generated Outputs for a single product concept.

"Customer Data" means your Inputs and Outputs collectively. Customer Data belongs entirely to you. We do not train AI models on Customer Data, and we do not use it to improve results for other users.

"Usage Data" means technical and analytical data generated through your use of the Service, such as feature usage patterns, session duration, and performance metrics. Usage Data does not include Customer Data.

"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

"Subprocessor" means a third-party service provider that processes Personal Data on our behalf to help us deliver the Service.

Questions about these definitions? See How to Contact Us.

4.1 Information You Provide Directly

When you use Ainna, you may provide us with the following information:

• Account Information: When you register via LinkedIn OAuth, we receive your name, email address, and profile picture. We never see or store your LinkedIn password or credentials. We do not access your LinkedIn connections, posts, or activity.

• Profile Information: Additional information you choose to add to your account, such as your job title, company name, professional signature, or team tagline.

• Conversation Data: The messages and responses exchanged between you and Ainna during your Idea sessions. This includes your prompts, Ainna's responses, and the full conversation history for each Idea. Conversation data is stored to maintain continuity within your sessions and is automatically deleted after 180 days of inactivity.

• Customer Data (Inputs): The product concepts, market information, competitive details, strategic thinking, and other substantive content embedded within your conversations. This content is yours—we do not monitor, scan, or review it.

• Outputs: Ainna generates Outputs based on your Inputs, including Product Packs, opportunity assessments, and related strategic materials. Generated Outputs are associated with your account until downloaded or deleted.

• Branding Assets: Company logos and other visual elements you upload for Product Pack customisation.

• Payment Information: When you make a purchase, our payment processor (Stripe) collects your payment details. We never see or store your card details—Stripe handles all payment data securely in compliance with PCI-DSS standards. We receive only a token and the last four digits for reference.

• Communications: Information you provide when you contact our support team, submit feedback, or respond to surveys.

4.2 Information Collected Automatically

When you access or use Ainna, we automatically collect certain technical information:

• Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers.

• Log Data: IP address, access times, pages viewed, referring URL, and actions taken within the Service.

• Usage Data: Features used, session duration, interaction patterns, and performance data. Usage Data does not include Customer Data.

• Conversation Metadata: Timestamps, message counts, session duration, and Idea identifiers. This helps us maintain your session state and provide usage analytics. It does not include the content of your conversations.

• Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information and improve our Service. See Section 10 for details.

Important: Automatic collection applies to technical and usage data only. We do not scan, analyse, or monitor the content of your Inputs or Outputs.

4.3 Information from Third Parties

We may receive information about you from third-party sources:

• LinkedIn: Basic profile information (name, email, profile picture) when you authenticate using LinkedIn OAuth.

• Payment Processor: Transaction status and limited payment information from Stripe.

• Analytics Providers: Aggregated, anonymised usage analytics and performance data.

We do not purchase Personal Data from data brokers or third-party marketing lists.

4.4 Information We Do Not Collect

To be clear about our privacy-first approach:

• We do not collect Special Categories of Personal Data (sensitive data such as health, political, or religious information)

• We do not collect data from your LinkedIn connections, posts, or activity

• We do not collect biometric data

• We do not collect location data beyond what is inferred from your IP address

• We do not use third-party tracking pixels or advertising networks

Questions about data collection? See How to Contact Us.

We process your information only for specific, legitimate purposes. Under GDPR, we rely on the following legal bases: performance of contract (to provide the Service you've requested), legitimate interests (to improve and secure the Service), legal obligation (to comply with laws), and consent (where specifically required).

5.1 To Provide and Operate the Service

Legal basis: Performance of contract

• Process your Inputs through our AI to generate Outputs, including Product Packs, opportunity assessments, and strategic materials

• Maintain your Conversation Data to provide continuity across your Idea sessions

• Authenticate your identity via LinkedIn OAuth and manage your account

• Process payments, manage subscriptions, and track Product Pack credits

• Apply your branding assets to generated Outputs

• Provide customer support and respond to your enquiries

• Send data retention notifications (30 days and 7 days before automatic deletion)

5.2 To Improve and Develop the Service

Legal basis: Legitimate interests

• Analyse aggregated, anonymised Usage Data to understand how users interact with Ainna

• Identify and fix bugs, errors, and performance issues

• Develop new features and functionality

• Improve The Innovation Mode methodology and strategic frameworks

Critical distinction: We use only aggregated, anonymised Usage Data and Conversation Metadata for improvement purposes. We do not use your Customer Data (Inputs, Outputs, or Conversation content) to train, fine-tune, or improve any AI models. Your content passes through our AI infrastructure to generate your Outputs—it is never fed into training pipelines.

5.3 To Communicate with You

Legal basis: Performance of contract, legitimate interests, and consent (where required)

• Send transactional emails (account confirmations, purchase receipts, subscription updates)

• Notify you of changes to our Service, Terms, or this Policy (at least 30 days' notice for material changes)

• Send data retention reminders before automatic deletion of your Ideas

• Respond to your support requests and enquiries

• Send product updates and announcements (with your consent, where required by law)

• Request feedback or participation in surveys (optional)

5.3.1 Communication Preferences

We respect your communication preferences and give you control:

• Transactional emails: Required for service operation (e.g., receipts, security alerts, data retention notices, account changes). These cannot be opted out of while your account is active.

• Product updates: Optional. News about features, tips, and Ainna improvements. You can opt in or out at any time via Account Settings → Notifications or by clicking 'unsubscribe' in any email.

• Marketing communications: Only sent with your explicit consent. You can withdraw consent at any time.

• Referral notifications: If you participate in our referral programme, we will notify you when you earn credits. You can manage these in your notification preferences.

Communication optimisation: If you opt in to product updates, we may analyse email engagement (opens, clicks) to send you relevant content at optimal times and avoid over-communicating. This tracking is solely to improve your experience—not for advertising or profiling. You can disable engagement tracking in Account Settings → Notifications.

We will never sell your email address or share it with third parties for their marketing purposes.

5.4 To Ensure Security and Prevent Abuse

Legal basis: Legitimate interests and legal obligation

• Detect, prevent, and address fraud, abuse, and security threats

• Monitor usage patterns and system behaviour for anomalies (this does not include monitoring the content of your Inputs or Outputs)

• Maintain and enforce our built-in AI safeguards

• Protect the rights, property, and safety of Ainna, our users, and the public

• Investigate potential violations of our Terms of Service

To be clear: We do not scan, read, or review the content of your conversations or Outputs. Security monitoring applies to technical and behavioural signals only.

5.5 To Comply with Legal Obligations

Legal basis: Legal obligation

• Comply with applicable laws, regulations, and legal processes

• Respond to lawful requests from public authorities (such as court orders or regulatory enquiries)

• Retain billing and account creation records as required for tax and financial reporting

• Establish, exercise, or defend legal claims

5.6 What We Do Not Do with Your Information

To reinforce our privacy-first commitment:

• We do not sell, rent, or trade your Personal Data

• We do not use your Customer Data to train AI models

• We do not share your Inputs or Outputs with other users

• We do not use your data to improve results for anyone else

• We do not use your data for advertising or marketing profiling

• We do not monitor or scan the content of your conversations

• We do not share your email address with third parties for their marketing

Questions about how we use your data? See How to Contact Us.

Under the General Data Protection Regulation (GDPR), we must have a lawful basis for processing your Personal Data. This section summarises the legal bases outlined in Section 5 and provides additional detail.

6.1 Performance of Contract

Processing necessary to perform our contract with you (the Terms of Service). This includes:

• Creating and managing your account via LinkedIn OAuth

• Maintaining your Conversation Data and Idea history

• Processing your Inputs through our AI to generate Outputs and Product Packs

• Processing payments, managing subscriptions, and tracking Product Pack credits

• Applying your branding assets to generated Outputs

• Providing customer support and responding to enquiries

• Sending transactional and service-critical communications (receipts, data retention notices, security alerts)

• Enabling data export and account management functions

6.2 Legitimate Interests

Processing necessary for our legitimate interests, provided those interests are not overridden by your rights. This includes:

• Improving and developing the Service using aggregated, anonymised Usage Data and Conversation Metadata

• Enhancing The Innovation Mode methodology and strategic frameworks

• Ensuring security, detecting fraud, and preventing abuse of the Service

• Monitoring system behaviour and usage patterns for anomalies (not content)

• Maintaining and enforcing our built-in AI safeguards

• Analysing email engagement to optimise communication timing and relevance (for users who have opted in)

• Sending product updates to existing customers (where permitted without consent)

Important: We have conducted a balancing test and determined that our legitimate interests do not override your privacy rights, particularly because we do not process your Customer Data (Inputs, Outputs, Conversation content) for these purposes.

6.3 Legal Obligation

Processing necessary to comply with legal obligations to which we are subject. This includes:

• Retaining billing and account creation records for tax, accounting, and financial reporting

• Responding to lawful requests from public authorities (court orders, regulatory enquiries)

• Complying with applicable data protection laws, including GDPR

• Establishing, exercising, or defending legal claims

6.4 Consent

Where required by law, we process certain data based on your explicit consent. This includes:

• Marketing communications and promotional emails

• Non-essential cookies and analytics tracking technologies (see Section 10)

• Email engagement tracking for communication optimisation

• Any Special Categories of Personal Data you voluntarily provide (though we do not request or intentionally collect such data)

You may withdraw consent at any time via Account Settings → Notifications, by clicking 'unsubscribe' in any email, or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

6.5 Summary Table

| Processing Activity | Legal Basis |

| Account creation and management | Contract |

| Generating Outputs and Product Packs | Contract |

| Payment processing | Contract |

| Customer support | Contract |

| Transactional emails | Contract |

| Service improvement (anonymised data only) | Legitimate interests |

| Security monitoring | Legitimate interests |

| Product updates (existing customers) | Legitimate interests |

| Tax and financial records | Legal obligation |

| Responding to authorities | Legal obligation |

| Marketing emails | Consent |

| Non-essential cookies | Consent |

Questions about our legal basis for processing? See How to Contact Us.

Ainna uses artificial intelligence to process your Inputs and generate Outputs. This section explains exactly how your data flows through our AI systems—and, importantly, how it doesn't.

7.1 How AI Processing Works

When you interact with Ainna:

• Your messages are sent to our AI infrastructure for processing

• The AI analyses your Inputs and applies The Innovation Mode methodology and proprietary strategic frameworks

• Ainna's responses and your Conversation Data are stored to maintain continuity across your Idea sessions

• When you generate a Product Pack, your Inputs are processed to create Outputs (pitch decks, PRDs, executive summaries, opportunity assessments, and related materials)

• Your Outputs are stored in your account until you download them or they are automatically deleted after 180 days of inactivity

Your content passes through our AI infrastructure to generate your Outputs. It does not stay for any other purpose.

7.2 Data Minimisation & Anonymisation

We keep data exchange with AI providers to an absolute minimum, and anonymised by default.

When your messages are processed by third-party AI infrastructure:

• No personal identifiers are sent: Your name, email, company name, and account details are never transmitted to AI providers. Conversations are anonymised by default.

• Minimal context only: We send only the content necessary to generate your response—nothing more.

• No documents are shared: Your Product Packs, pitch decks, PRDs, and other generated Outputs are never sent to AI providers. These are created, stored, and maintained entirely within our own infrastructure.

• User discretion: If you type or paste identifying information directly into your conversation (e.g., your name, company details), that content may be processed by AI providers. We advise against including sensitive personal or company identifiers in your messages where possible.

This means even in the unlikely event of an AI provider breach, your identity would not be linked to your content.

7.3 Our AI Training Commitment

WE DO NOT USE YOUR CUSTOMER DATA TO TRAIN, FINE-TUNE, OR IMPROVE ANY AI MODELS.

This is a core architectural commitment, not just a policy. Here's what this means in practice:

• Your Inputs (ideas, product concepts, competitive information, strategic details) are never used for AI training

• Your Conversation Data (messages, prompts, Ainna's responses) is never used for AI training

• Your Outputs (Product Packs, opportunity assessments, strategic materials) are never used for AI training

• Your data is never fed into training pipelines, never shared for AI improvement, and never used to improve results for other users

• Your data is processed to generate your Outputs. That's it.

Your intellectual property and competitive advantage remain exclusively yours. Ainna is designed to forget.

7.4 Third-Party AI Infrastructure

We use third-party AI infrastructure providers to power Ainna's conversational capabilities. We have selected providers whose API terms explicitly exclude customer data from model training.

Specifically:

• Customer data submitted via API is not used to train or improve their models

• Data is retained only as long as necessary to process your request

• Appropriate security measures are in place for data in transit and at rest

We do not name specific providers as our infrastructure may evolve, but we commit to using only providers whose terms protect your data from training use. If we change providers, this commitment remains.

We do not have custom enterprise agreements with AI providers—we operate under their standard API terms, which already prohibit training on customer data. Should enterprise-grade agreements become necessary or beneficial, we will pursue them.

7.5 What Stays Within Our Infrastructure

To be absolutely clear about what never leaves our systems:

• Your account information (name, email, profile details)

• Your branding assets (logos, visual elements)

• Your generated Outputs (Product Packs, pitch decks, PRDs, executive summaries)

• Your downloaded files and document history

• Your billing and payment records

All document generation, storage, and management happens entirely within our own infrastructure on EU-based servers.

7.6 What We Do Monitor

To be transparent: while we do not monitor, scan, or review the content of your Inputs or Outputs, we do:

• Track Conversation Metadata (timestamps, message counts, session duration) for usage analytics

• Monitor system performance and error rates

• Log technical data for debugging and service reliability

• Track generation events (when you create a Product Pack) for billing and usage limits

None of this involves reading or analysing your actual content.

7.7 Automated Decision-Making

Ainna uses AI to generate content and provide opportunity assessments, but this constitutes content generation and strategic guidance rather than automated decision-making that produces legal or similarly significant effects on you.

• You always have full control over whether to use, modify, or discard any Output

• Opportunity assessments are advisory—they inform your judgment, they don't replace it

• We do not use automated decision-making for account suspension, pricing determinations, or access decisions without human review

• AI-generated content should always be reviewed before presenting to stakeholders (see our Disclaimers)

Questions about AI processing? See How to Contact Us.

Ainna is designed to forget. We retain your data only as long as necessary to provide the Service—and we make deletion easy, permanent, and transparent.

8.1 Idea Data (Conversations, Inputs & Outputs)

• Active Ideas: Your Conversation Data, Inputs, and generated Outputs are retained while you actively use them within the platform.

• 180-Day Auto-Delete: Idea data (conversations, Inputs, and undownloaded Outputs) is automatically deleted 180 days after your last interaction with that Idea.

• Advance Notification: We will email you 30 days and 7 days before any automatic deletion, so nothing disappears unexpectedly.

• Downloaded Outputs: Once you download an Output, you own that file forever. The copy on our servers follows the same 180-day schedule.

• Export Anytime: With one click, you can export your entire workspace—all active Ideas, conversations, and Outputs. Your data, portable and complete.

8.2 Account Data

• Active Accounts: We retain your account information for as long as your account remains active.

• Inactive Accounts: If your account has no activity for 12 consecutive months, we will notify you by email. You will have 30 days to log in and keep your account active. If we do not hear from you, we may close the account and permanently delete associated data.

• Closed Accounts: When you close your account, all your Ideas, conversations, and Outputs are permanently deleted—hard deletion, no backups, no recovery possible. We retain only basic account creation and billing records as required for legal and financial purposes.

8.3 Your Deletion Rights

You have full control over your data:

• Delete Individual Ideas: Remove any Idea, conversation, or Output from your workspace with one click via your dashboard.

• Delete Everything: Wipe your entire workspace instantly from Account Settings → My Account.

• Close Your Account: Go to Account Settings → My Account and click Close Account. You will be asked to confirm this action to prevent accidental deletion.

When you delete, we mean it. Hard deletion from active systems—no backups retained, no recovery possible. Your data is gone.

Before deleting, we recommend exporting or downloading anything you wish to keep.

8.4 Data We Must Retain

Certain minimal data is retained longer than standard periods as required by law:

• Billing Records: Transaction records, invoices, and payment references are retained for 7 years for tax and accounting purposes. These do not include your Customer Data.

• Account Creation Records: Basic account identifiers are retained for legal and financial audit purposes.

• Legal Holds: Data may be preserved if subject to legal proceedings, regulatory investigation, or government request. We will notify you if legally permitted to do so.

• Security Logs: Technical security and access logs (not content) are retained for up to 12 months for fraud prevention and security purposes.

• Anonymised Data: We may retain fully anonymised, aggregated Usage Data indefinitely for analytical purposes. This data cannot be linked back to you or your content.

8.5 No Backups, By Design

Unlike most services, Ainna does not retain backups of your Customer Data after deletion. This is an intentional architectural decision to protect your privacy:

• When you delete an Idea, it is permanently removed—not moved to a backup

• When you close your account, your data is permanently erased—not archived

• There is no 30-day recovery window, no recycle bin, no backup tape

This means deletion is truly final. We recommend downloading or exporting any content you wish to preserve before deleting.

Questions about data retention? See How to Contact Us.

You have meaningful control over your Personal Data. We honour privacy rights for all users, regardless of location, to the extent reasonably practicable—and we've built self-service tools to make exercising these rights easy.

9.1 Rights Under GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:

• Right of Access: Request a copy of the Personal Data we hold about you.

• Right to Rectification: Request correction of inaccurate or incomplete Personal Data.

• Right to Erasure ("Right to be Forgotten"): Request deletion of your Personal Data. With Ainna, deletion is hard deletion—no backups, no recovery.

• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.

• Right to Data Portability: Receive your Personal Data in a structured, machine-readable format. Ainna provides one-click export of your entire workspace.

• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.

• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent. This will not affect the lawfulness of processing prior to withdrawal.

• Rights Related to Automated Decision-Making: Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Ainna's AI generates content and assessments for your review—it does not make automated decisions about you.

• Right to Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority. As an Irish company, our lead supervisory authority is the Irish Data Protection Commission (www.dataprotection.ie).

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.

• Right to Delete: Request deletion of personal information we have collected from you.

• Right to Correct: Request correction of inaccurate personal information.

• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information, so there is nothing to opt out of.

• Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information as defined under CCPA.

• Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.

California residents may designate an authorised agent to make requests on their behalf by providing written authorisation.

9.3 How to Exercise Your Rights

We've made exercising your rights as easy as possible:

Self-Service (Recommended):

• Access your data: View all your Personal Data in Account Settings → My Account

• Export your data: One-click export of your entire workspace (all Ideas, conversations, Outputs) in Account Settings → My Account

• Correct your data: Update your profile information in Account Settings → My Account

• Delete Individual Ideas: Remove any Idea from your dashboard with one click

• Delete everything: Wipe your entire workspace in Account Settings → My Account

• Close your account: Account Settings → My Account → Close Account

• Manage communications: Update preferences in Account Settings → Notifications

Contact Us:

• Use our privacy request form for the fastest response

• Or email privacy@ainna.ai

We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing certain requests. If we cannot fulfil your request, we will explain why.

9.4 We Do Not Sell Your Personal Information

We do not sell, rent, share, or trade your Personal Data to third parties for monetary or other valuable consideration.

This applies to all users, regardless of location. We have not sold or shared Personal Data in the preceding 12 months and have no intention of doing so. Your data is not our product—you are our customer, not our inventory.

For California residents: Because we do not sell or share Personal Data, we do not offer a "Do Not Sell or Share My Personal Information" link. There is nothing to opt out of.

9.5 Verification

To protect your privacy, we may need to verify your identity before processing certain requests. Verification methods may include:

• Confirming your request from the email address associated with your account

• Asking you to log into your account

• Requesting additional information to confirm your identity

We will not fulfil requests if we cannot verify your identity, as this protects you from unauthorised access to your data.

Questions about your privacy rights? See How to Contact Us.

We use cookies and similar technologies to provide, protect, and improve the Service. Consistent with our privacy-first approach, we keep tracking to a minimum and never use cookies for advertising or cross-site tracking.

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and understand how you use the site. Similar technologies include local storage, session storage, pixel tags, and web beacons.

10.2 Cookies We Use

Essential Cookies (Always Active)

Required for the Service to function. These cannot be disabled while using Ainna:

• Authentication: Keep you logged in securely across sessions

• Security: Protect against cross-site request forgery and other threats

• Session Management: Maintain your session state and conversation continuity

• Load Balancing: Ensure stable performance across our infrastructure

Legal basis: Performance of contract (necessary for service operation)

Functional Cookies (Optional)

Remember your preferences to provide a personalised experience:

• Theme Preferences: Your selected colour theme and display settings

• Interface Settings: Layout preferences and workspace configuration

• Notification Preferences: Your communication and alert settings

Legal basis: Consent or legitimate interests (enhancing user experience)

Analytics Cookies (Optional)

Help us understand how users interact with Ainna so we can improve the Service:

• Usage Patterns: Which features are used, navigation paths, session duration

• Performance Metrics: Page load times, error rates, service reliability

• Aggregated Statistics: Overall usage trends across our user base

Analytics cookies collect aggregated, anonymised data only. They do not track the content of your conversations, Inputs, or Outputs. We do not use analytics data to build individual profiles.

Legal basis: Consent

10.3 Cookies We Do Not Use

To be clear about what we don't do:

• No advertising cookies: We do not serve ads or use advertising tracking

• No third-party marketing pixels: We do not embed tracking pixels from advertising networks

• No cross-site tracking: We do not track your activity across other websites

• No social media trackers: We do not embed social media tracking scripts

• No data broker integrations: We do not share cookie data with data brokers

Ainna's business model is built on providing value to you—not on monetising your attention or data.

10.4 Your Cookie Choices

Cookie Consent:

When you first visit Ainna, we ask for your consent before setting non-essential cookies. You can change your preferences at any time.

Managing Preferences:

• In Ainna: Manage cookie preferences via Account Settings → Privacy

• Browser Settings: Most browsers allow you to refuse or delete cookies in privacy/security settings

• Withdraw Consent: Change your cookie preferences at any time—changes apply immediately

Note: If you disable essential cookies, some features of Ainna may not function properly. You cannot opt out of essential cookies while using the Service.

For more information about cookies, visit www.allaboutcookies.org.

10.5 Do Not Track

Some browsers offer a "Do Not Track" (DNT) feature that signals websites not to track your activity. There is currently no industry-standard response to DNT signals.

While we do not formally respond to DNT signals, our practices already align with DNT principles: we do not engage in cross-site tracking, we do not track you for advertising purposes, and we do not share tracking data with third parties.

Questions about cookies? See How to Contact Us.

We use carefully selected third-party service providers (subprocessors) to help deliver and improve Ainna. These providers process Personal Data on our behalf and are bound by terms that protect your data.

11.1 Our Key Service Providers

Cloud Infrastructure — Microsoft Azure

We host Ainna on Microsoft Azure's enterprise-grade cloud infrastructure.

• Data is stored in EU data centres, subject to GDPR

• Data is encrypted at rest (AES-256) and in transit (TLS 1.2+)

• Azure maintains SOC 2, ISO 27001, and GDPR compliance certifications

• All your Outputs, Product Packs, branding assets, and account data remain within our Azure infrastructure

• Documents are generated, stored, and managed entirely within our own systems—never sent to third parties

AI Infrastructure — Third-Party AI Providers

We use third-party AI infrastructure for conversational AI capabilities.

• Anonymised by default: Your name, email, company, and account details are never sent to AI providers. Conversations are anonymised before processing.

• Minimal data only: We send only the content necessary to generate your response—nothing more.

• No documents shared: Your Product Packs, pitch decks, PRDs, and generated Outputs are never sent to AI providers. All document generation happens within our own infrastructure.

• No training on your data: We use providers whose API terms explicitly exclude customer data from model training.

• Transient processing: Data is retained only as long as necessary to process your request.

We operate under standard API terms that already prohibit training on customer data. We do not currently have custom enterprise agreements with AI providers, but we commit to using only providers whose terms protect your data. If we change providers, this commitment remains.

Payment Processing — Stripe

Stripe processes all payments securely.

• We never see or store your card details—Stripe handles all payment data

• Stripe is PCI-DSS Level 1 certified (the highest level of payment security)

• We receive only a token and the last four digits for reference

• Stripe's privacy policy: stripe.com/privacy

Authentication — LinkedIn

LinkedIn provides OAuth authentication for secure sign-in.

• We receive only basic profile information: name, email, and profile picture

• We never see your LinkedIn password or credentials

• We do not access your LinkedIn connections, posts, or activity

• LinkedIn's privacy policy: linkedin.com/legal/privacy-policy

11.2 Our Commitments Regarding Subprocessors

Before engaging any subprocessor, we:

• Evaluate their privacy, security, and compliance practices

• Ensure their terms prohibit use of customer data for training or improvement of their own services

• Verify they provide appropriate safeguards for international data transfers

• Confirm data residency requirements are met (EU data centres where applicable)

• Conduct ongoing monitoring and periodic reviews

We remain responsible for our subprocessors' compliance with this Policy.

11.3 Updates to Subprocessors

We may update our list of subprocessors from time to time as our infrastructure evolves. We do not disclose specific implementation details for security reasons, but our commitments regarding data protection remain constant regardless of provider.

Material changes to subprocessors that significantly affect how your data is processed will be communicated through the Service or by email. If you have concerns about a new subprocessor, please contact us.

Questions about our service providers? See How to Contact Us.

We do not sell, rent, or trade your Personal Data. Ever.

We share your data only in the limited circumstances described below—and even then, we share the minimum necessary.

12.1 With Service Providers

We share data with our subprocessors (described in Section 11) solely to provide and operate the Service:

• Cloud infrastructure: Your account data, Ideas, and Outputs are stored on our cloud infrastructure

• AI infrastructure: Conversation content (anonymised—no personal identifiers) is processed to generate responses. Your Product Packs and generated documents are never shared with AI providers.

• Payment processing: Payment details are handled directly by Stripe—we never see your card information

• Authentication: LinkedIn provides sign-in—we receive only basic profile information

These providers are bound by terms that prohibit using your data for their own purposes, including AI training.

12.2 With Your Consent

We may share data when you give us explicit consent. Examples include:

• Integrating Ainna with third-party services you choose to connect

• Sharing specific content with colleagues or stakeholders at your direction

• Participating in case studies or testimonials (only with your written permission)

You can withdraw consent at any time, though this will not affect sharing that occurred prior to withdrawal.

12.3 For Legal Reasons

We may disclose data if we believe in good faith that disclosure is necessary to:

• Comply with applicable laws, regulations, or legal processes

• Respond to lawful requests from public authorities (such as court orders or regulatory enquiries)

• Protect the rights, property, or safety of Innovation Mode Limited, our users, or the public

• Enforce our Terms of Service or investigate potential violations

• Prevent fraud, security threats, or illegal activity

Our commitment: If we receive a legal request for your data, we will notify you before disclosure unless legally prohibited from doing so (e.g., by court order or gag order). Where permitted, we will give you the opportunity to challenge the request.

12.4 Business Transfers

If Innovation Mode Limited is involved in a merger, acquisition, bankruptcy, reorganisation, or sale of assets, your Personal Data may be transferred as part of that transaction.

In such event:

• We will notify you via email and/or prominent notice in the Service before your data is transferred

• Your data will remain subject to protections at least as strong as this Policy

• You will be informed of any choices you have regarding your data

• If the acquiring entity intends to use your data differently, you will have the opportunity to delete your account before transfer

12.5 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot be used to identify you or your content. Examples include:

• Statistics about overall platform usage and feature adoption

• Industry benchmarks and trends (e.g., average time savings, common use cases)

• Performance metrics and service reliability data

This data is fully anonymised—it cannot be linked back to you, your Ideas, or your Outputs. It is not considered Personal Data under GDPR.

12.6 With Your Team (Corporate Tier)

If you use Ainna under a Corporate or Agency plan, you may choose to share Ideas and Outputs with other members of your organisation. In such cases:

• Sharing is controlled by you and your organisation's administrators

• Your organisation's policies govern how shared content is used within your team

• We do not share your content with team members without your explicit action

Individual users on Flexible or Subscription plans have private workspaces—your Ideas are never visible to other users.

12.7 What We Never Share

To be absolutely clear:

• We never sell your Personal Data to data brokers or advertisers

• We never share your Customer Data (Inputs, Outputs, Product Packs) with other Ainna users

• We never share your content with AI providers for training purposes

• We never share your data with third parties for their marketing purposes

• We never monetise your data in any way other than providing the Service you pay for

Your data is not our product. You are our customer.

Questions about data sharing? See How to Contact Us.

Innovation Mode Limited is based in Ireland, and we store your data within the European Union by default. This means your data benefits from GDPR protections—one of the world's strongest privacy frameworks.

13.1 Where Your Data Is Stored

• European Union: Your account data, Ideas, Outputs, Product Packs, branding assets, and all generated documents are stored exclusively in EU data centres.

• Your documents never leave the EU: All document generation, storage, and management happens within our EU-based infrastructure.

13.2 Where Your Data May Be Processed

While your data is stored in the EU, some processing may occur outside the EU when you use certain features:

• AI Infrastructure: Conversation content (anonymised—no personal identifiers) may be processed by AI providers with infrastructure in the United States. Your Product Packs and generated documents are never sent outside the EU.

• Payment Processing: Payment data is handled by Stripe, which operates globally. We never see or store your card details.

• Support Services: If you contact support, your enquiry may be handled by team members in various locations.

Important: Even when data is processed outside the EU, we ensure appropriate safeguards are in place (see below).

13.3 Safeguards for International Transfers

When Personal Data is transferred outside the EU/EEA to countries not deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers where applicable.

• Adequacy Decisions: Where the European Commission has determined a country provides adequate protection, transfers may occur under that framework.

• Provider Terms: Our service providers are bound by terms that require them to protect your data and prohibit use for purposes other than providing the service.

• Data Minimisation: We minimise what is transferred—for example, AI conversations are anonymised before processing, and documents remain in the EU.

• Supplementary Measures: Where necessary, we implement additional technical measures such as encryption and pseudonymisation.

13.4 Your Rights Regarding Transfers

You have the right to:

• Know where your data is processed

• Request information about the safeguards we use for international transfers

• Object to transfers in certain circumstances

To request a copy of the safeguards we use, or if you have concerns about international transfers, contact privacy@ainna.ai or use our privacy request form.

Questions about international transfers? See How to Contact Us.

We take the security of your data seriously. Ainna was built with security and privacy as foundational principles—not afterthoughts.

14.1 Technical Measures

• Encryption in Transit: All data transmitted to and from Ainna is encrypted using TLS 1.2 or higher.

• Encryption at Rest: Data stored in our infrastructure is encrypted using AES-256 encryption.

• EU Data Residency: Your data is stored in EU data centres, protected by GDPR and European data protection standards.

• Access Controls: We implement role-based access controls and the principle of least privilege for all systems.

• Authentication Security: We use OAuth 2.0 via LinkedIn for secure authentication. We never store passwords—there are no Ainna passwords to steal.

• Infrastructure Security: Our cloud infrastructure is protected by enterprise-grade firewalls, intrusion detection systems, and regular security patches.

• No Backups by Design: Unlike most services, we do not retain backups of your Customer Data after deletion. When you delete, it's truly gone—reducing the attack surface and protecting your privacy.

14.2 Privacy-First Architecture

Security isn't just about keeping attackers out—it's about minimising what could be compromised in the first place:

• Anonymised AI Processing: Your name, email, and company details are never sent to AI providers. Conversations are anonymised by default.

• Documents Stay In-House: Your Product Packs, pitch decks, and generated Outputs are never sent to third-party AI providers. All document generation happens within our own infrastructure.

• Minimal Data Collection: We collect only what's necessary to provide the Service.

• Automatic Deletion: Idea data is automatically deleted after 180 days of inactivity, reducing long-term data exposure.

• Hard Deletion: When you delete data, it's permanently removed—no backups, no archives, no recovery possible.

14.3 Organisational Measures

• Security Training: Our team receives regular security awareness training.

• Vendor Assessment: We evaluate the security and privacy practices of all third-party providers before engagement, and conduct ongoing monitoring.

• Principle of Least Privilege: Team members have access only to the systems and data necessary for their role.

• Incident Response: We have documented procedures to detect, respond to, and recover from security incidents.

• Regular Reviews: We conduct periodic reviews and assessments of our security controls.

14.4 Your Role in Security

Security is a shared responsibility. You can help protect your data by:

• Protecting your LinkedIn account: Your LinkedIn credentials control access to Ainna. Use a strong password and enable two-factor authentication on LinkedIn.

• Downloading important Outputs: Export or download Outputs you wish to keep, as data is automatically deleted after 180 days of inactivity.

• Being mindful of what you share: Avoid including highly sensitive identifiers (e.g., personal ID numbers, financial account details) in your conversations where possible.

• Reporting suspicious activity: Notify us immediately at security@ainna.ai if you suspect unauthorised access to your account.

• Not sharing access: Your account is personal to you. Do not share your account access with others.

14.5 Security Incidents

Despite best efforts, no system is completely secure. If we discover a security breach that affects your Personal Data:

• We will notify affected users without undue delay

• We will notify the Irish Data Protection Commission within 72 hours as required by GDPR (where the breach is likely to result in a risk to your rights)

• We will provide clear information about what happened, what data was affected, and what steps we are taking

• We will take immediate steps to contain and remediate the breach

If you believe your account has been compromised, contact us immediately at security@ainna.ai.

Questions about security? See How to Contact Us.

Ainna is an opportunity discovery platform designed for Product Managers and business professionals. It is not intended for use by individuals under 18 years of age.

15.1 Age Requirement

You must be at least 18 years old to create an account and use Ainna. By using the Service, you represent that you meet this age requirement.

15.2 No Collection from Minors

We do not knowingly collect Personal Data from children under 18. Our use of LinkedIn OAuth for authentication provides a natural safeguard, as LinkedIn requires users to be at least 16 years old. However, our Terms require users to be 18 or older.

If you are under 18, please do not attempt to register for an account or provide any personal information to us.

15.3 If We Learn of Underage Use

If we learn that we have collected Personal Data from anyone under 18, we will:

• Immediately suspend the account

• Delete all associated Personal Data and Customer Data

• Not retain any information except as required for legal purposes

If you believe we may have inadvertently collected information from someone under 18, please contact us immediately at privacy@ainna.ai.

Questions about our age policy? See How to Contact Us.

Ainna may contain links to third-party websites, applications, or services that are not operated by us.

16.1 Third-Party Services We Link To

In the normal course of using Ainna, you may interact with:

• LinkedIn: For authentication (LinkedIn Privacy Policy)

• Stripe: For payment processing (Stripe Privacy Policy)

• The Innovation Mode: For methodology resources (theinnovationmode.com)

We encourage you to review the privacy policies of these services.

16.2 Links in Generated Outputs

Your Product Packs and other Outputs may contain links to external websites based on the content you provide or references included in generated materials. These links are provided for convenience and do not imply endorsement or verification by Innovation Mode Limited.

16.3 Our Responsibility

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. The inclusion of any link—whether in the Service itself or in generated Outputs—does not imply endorsement by Innovation Mode Limited.

When you leave Ainna to visit a third-party site, this Policy no longer applies. Your interactions with third-party sites are governed by their own terms and privacy policies.

Questions about external links? See How to Contact Us.

We may update this Privacy & Data Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will always handle your data in accordance with the Policy in effect at the time of collection, unless you consent to changes.

17.1 Notification of Changes

• Material Changes: For material changes that significantly affect how we collect, use, or share your Personal Data, we will notify you by email (to the address associated with your account) and by prominent notice within the Service at least 30 days before the changes take effect.

• Minor Changes: For minor changes (such as clarifications, formatting, or corrections that do not affect your rights), we will update the "Last Updated" date at the top of this Policy.

• Required Changes: If changes are required by law or regulation, we may implement them sooner than 30 days where legally necessary, but will still notify you as soon as practicable.

17.2 What Constitutes a Material Change

Examples of material changes include:

• New categories of Personal Data we collect

• New purposes for processing your data

• Changes to how we share data with third parties

• Changes to your rights or how to exercise them

• Changes to our data retention periods

• New subprocessors that significantly affect data processing

When in doubt, we err on the side of notifying you.

17.3 Your Choices

Your continued use of Ainna after any changes become effective constitutes your acceptance of the revised Policy.

If you do not agree to the revised Policy:

• You may stop using the Service before the changes take effect

• You may request deletion of your data at any time

• You may export your data before closing your account

• If you have prepaid for services, contact us to discuss options

We will not retroactively change how we handle data already collected under a previous Policy without your consent.

17.4 Prior Versions

We maintain an archive of prior versions of this Policy for transparency:

• View prior versions at /legal/privacy/archive

• Each version includes its effective date

• You may request a copy of any prior version by contacting us

The current version always governs your use of the Service.

Questions about policy changes? See How to Contact Us.

We're here to help with any privacy questions or concerns. Use our online forms for the fastest response, or email us directly.

Privacy & Data Requests

For data access, deletion requests, export requests, or privacy concerns:

• Submit a privacy request

• Or email privacy@ainna.ai

Security

To report a security concern or suspected account compromise:

• Email security@ainna.ai

General Enquiries

For all other questions:

• Submit a support request

• Or email hello@ainna.ai

18.1 Self-Service Options

Many privacy actions can be completed directly in your account:

• View your data: Account Settings → My Account

• Export your data: Account Settings → My Account

• Delete individual Ideas: From your dashboard

• Delete all data: Account Settings → My Account

• Close your account: Account Settings → My Account

• Manage communications: Account Settings → Notifications

• Manage cookies: Account Settings → Privacy

18.2 Response Times

• Privacy requests: Within 30 days (or sooner if required by GDPR)

• Security concerns: Acknowledged within 24 hours

• General support: Within 24 hours on business days

Complex requests may require additional time—we will keep you informed of progress. Subscribers receive priority support.

18.3 Supervisory Authority

If you are located in the European Union and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a data protection supervisory authority.

As an Irish company, our lead supervisory authority is:

Data Protection Commission (Ireland)

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

You also have the right to lodge a complaint with the supervisory authority in your country of residence.

18.4 Our Details

Innovation Mode Limited

Company Registration Number: 785034

Registered Office: 51 Bracken Road Dublin 18, D18 CV48, DUBLIN

Ireland

As Innovation Mode Limited is established in Ireland within the European Union, we are subject to direct jurisdiction under the GDPR. No separate EU representative is required.

You can also access privacy options anytime from within Ainna via Account Settings → Privacy.