Privacy & Data Policy

Innovation Mode Limited ("Company," "we," "us," or "our"), a company registered in Ireland (Company Registration Number: 785034), operates Ainna, accessible at ainna.ai. Ainna is an AI product strategy platform built for product managers, founders, and business professionals. This Privacy & Data Policy ("Policy") describes how we collect, use, store, share, and protect your personal data when you use our Service.

We are committed to protecting your privacy with transparency and care. Ainna was built with a privacy-first approach because we understand that you share sensitive, competitive information with us — product strategies, market insights, early-stage concepts. Your ideas stay yours alone.

Our core privacy commitments:

• We do not train AI models on your data

• We do not sell, rent, or trade your personal information

• We do not routinely monitor or scan your content

• We host all data in EU data centres, subject to GDPR

• We automatically delete generated Document file artifacts after 30 days (re-downloadable from underlying data while it exists)

• We automatically delete trial and free account data after 90 days of inactivity

• We retain paid account data for 2 years after plan expiration and last activity

• We offer hard deletion on request — no backups retained

Ainna is designed to forget. We retain only what's needed, for as long as it's useful.

This Policy applies to all users of Ainna, including visitors to our website, registered users, and paying customers. By using Ainna, you agree to the collection and use of information in accordance with this Policy.

Please read this Policy carefully alongside our Terms of Service. If you do not agree with our practices, please do not use our Service.

Questions about privacy? See How to Contact Us.

For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller is:

Innovation Mode Limited
Company Registration Number: 785034
Registered Office: 51 Bracken Road Dublin 18, D18 CV48, DUBLIN
Ireland
Email: privacy@ainna.ai

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing complies with applicable data protection laws.

We are registered in Ireland and subject to oversight by the Irish Data Protection Commission (DPC). We have built GDPR compliance into how Ainna works — not as an afterthought, but by design.

If you have any questions about this Policy or our data practices, or if you wish to exercise your data protection rights, please see How to Contact Us.

To help you understand this Policy, here are definitions of key terms. These align with the definitions in our Terms of Service and, where applicable, the General Data Protection Regulation (GDPR):

"Personal Data" means any information relating to an identified or identifiable natural person. This includes your name, email address, profile information, payment details, device identifiers, and usage data.

"Data Subject" means the individual to whom Personal Data relates — in this Policy, that means you.

"Special Categories of Personal Data" means sensitive data such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. Ainna does not intentionally collect or process Special Categories of Personal Data.

"Inputs" means all information, ideas, data, and content you provide to Ainna during your use of the Service, including your product concepts, business information, strategic details, and responses provided during strategic conversations.

"Outputs" means all assessments, opportunity scores, strategic analysis, competitive landscapes, persona profiles, market analysis, documents, presentations, and other materials generated by Ainna based on your Inputs.

"Documents" means the downloadable files generated by Ainna, including pitch decks, PRDs, executive summaries, one-pagers, problem framing documents, portfolio decks, and related materials. Documents are file artifacts generated from underlying strategic data and are subject to automatic deletion 30 days after generation. Documents can be re-downloaded (regenerated from the underlying data) at any time while the underlying Opportunity data exists.

"Opportunity" means a product concept within Ainna, including all associated conversations, assessments, scores, persona profiles, competitive analysis, market analysis, and generated Outputs for a single product idea. Also referred to as an "idea" or "project" within the platform.

"Brainstorming" means the open-ended ideation mode within Ainna for exploring ideas, generating adjacent possibilities, and reframing constraints. Brainstorming is unlimited on all plans and does not consume Opportunity allocations.

"Sprint Package" means a one-time purchase providing fixed-duration access to Ainna's strategic analysis and document generation capabilities for a defined number of Opportunities.

"Continuous Plan" means a recurring monthly or annual subscription providing ongoing access to Ainna's capabilities with a monthly Opportunity allocation.

"Customer Data" means your Inputs and Outputs collectively. Customer Data belongs entirely to you. We do not train AI models on Customer Data, and we do not use it to improve results for other users.

"Usage Data" means technical and analytical data generated through your use of the Service, such as feature usage patterns, session duration, and performance metrics. Usage Data does not include Customer Data.

"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

"Subprocessor" means a third-party service provider that processes Personal Data on our behalf to help us deliver the Service.

Questions about these definitions? See How to Contact Us.

4.1 Information You Provide Directly

When you use Ainna, you may provide us with the following information:

• Account Information: When you register via LinkedIn OAuth, we receive your name, email address, and profile picture. We never see or store your LinkedIn password or credentials. We do not access your LinkedIn connections, posts, or activity.

• Profile Information: Additional information you choose to add to your account, such as your job title, company name, professional signature, or team tagline.

• Conversation Data: The messages and responses exchanged between you and Ainna during your Opportunity sessions. This includes your prompts, Ainna's responses, and the full conversation history for each Opportunity. Conversation data is stored to maintain continuity within your sessions and is subject to our data retention policy (see Section 8).

• Customer Data (Inputs): The product concepts, market information, competitive details, strategic thinking, and other substantive content embedded within your conversations. This content is yours — we do not routinely monitor, scan, or review it. You are responsible for ensuring your Inputs do not include information you are legally prohibited from disclosing, including material subject to confidentiality obligations, non-disclosure agreements, trade secret protections, or regulatory restrictions (see our Terms of Service, Section 7.6).

• Outputs: Ainna generates Outputs based on your Inputs, including opportunity assessments, competitive landscapes, persona profiles, market analysis, and stakeholder-ready Documents. Generated Documents are associated with your account until downloaded or automatically deleted after 30 days.

• Branding Assets: Company logos and other visual elements you upload for Document customisation.

• Payment Information: When you make a purchase, our payment processor (Stripe) collects your payment details. We never see or store your card details — Stripe handles all payment data securely in compliance with PCI-DSS standards. We receive only a token and the last four digits for reference.

• Referral Data: If you participate in the Ainna Fellows referral programme, we process your referral link usage, referral conversions, and earned rewards. We do not share your identity with referred users beyond what is necessary for the referral to function.

• Communications: Information you provide when you contact our support team, submit feedback, or respond to surveys.

4.2 Information Collected Automatically

When you access or use Ainna, we automatically collect certain technical information:

• Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers.

• Log Data: IP address, access times, pages viewed, referring URL, and actions taken within the Service.

• Usage Data: Features used, session duration, interaction patterns, and performance data. Usage Data does not include Customer Data.

• Conversation Metadata: Timestamps, message counts, session duration, and Opportunity identifiers. This helps us maintain your session state and provide usage analytics. It does not include the content of your conversations.

• Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information and improve our Service. See Section 10 for details.

Important: Automatic collection applies to technical and usage data only. We do not routinely scan, analyse, or monitor the content of your Inputs or Outputs.

4.3 Information from Third Parties

We may receive information about you from third-party sources:

• LinkedIn: Basic profile information (name, email, profile picture) when you authenticate using LinkedIn OAuth.

• Payment Processor: Transaction status and limited payment information from Stripe.

• Analytics Providers: Aggregated, anonymised usage analytics and performance data.

We do not purchase Personal Data from data brokers or third-party marketing lists.

4.4 Information We Do Not Collect

To be clear about our privacy-first approach:

• We do not collect Special Categories of Personal Data (sensitive data such as health, political, or religious information)

• We do not collect data from your LinkedIn connections, posts, or activity

• We do not collect biometric data

• We do not collect location data beyond what is inferred from your IP address

• We do not use third-party tracking pixels or advertising networks

Questions about data collection? See How to Contact Us.

We process your information only for specific, legitimate purposes. Under GDPR, we rely on the following legal bases: performance of contract (to provide the Service you've requested), legitimate interests (to improve and secure the Service), legal obligation (to comply with laws), and consent (where specifically required).

5.1 To Provide and Operate the Service

Legal basis: Performance of contract

• Process your Inputs through our AI to generate Outputs, including opportunity assessments, competitive landscapes, persona profiles, market analysis, and stakeholder-ready Documents

• Maintain your Conversation Data to provide continuity across your Opportunity sessions

• Authenticate your identity via LinkedIn OAuth and manage your account

• Process payments, manage subscriptions, and track Opportunity allocations

• Apply your branding assets to generated Outputs

• Provide customer support and respond to your enquiries

• Send data retention notifications before automatic deletion of Opportunities and Documents

• Process referral programme activity and reward calculations

5.2 To Improve and Develop the Service

Legal basis: Legitimate interests

• Analyse aggregated, anonymised Usage Data to understand how users interact with Ainna

• Identify and fix bugs, errors, and performance issues

• Develop new features and functionality

• Improve The Innovation Mode methodology and strategic frameworks

Critical distinction: We use only aggregated, anonymised Usage Data and Conversation Metadata for improvement purposes. We do not use your Customer Data (Inputs, Outputs, or Conversation content) to train, fine-tune, or improve any AI models. Your content passes through our AI infrastructure to generate your Outputs — it is never fed into training pipelines.

Quality Measurement. We may use automated analysis to assess the quality and effectiveness of Ainna's strategic conversations — for example, whether the platform's guidance is coherent, relevant, and methodologically sound. This analysis may process Conversation Data to produce aggregate quality indicators (such as conversation completeness scores or methodology coverage metrics). Only these aggregate indicators are retained; they contain no user content, no product concepts, and no competitively sensitive information. Raw Conversation Data is never surfaced to, displayed for, or accessible by our team through this process. Quality measurement is used solely to improve the Service and does not alter our commitment above — your Customer Data is never used to train, fine-tune, or improve any AI models.

5.3 To Communicate with You

Legal basis: Performance of contract, legitimate interests, and consent (where required)

• Send transactional emails (account confirmations, purchase receipts, subscription updates)

• Notify you of changes to our Service, Terms, or this Policy before they take effect

• Send data retention reminders before automatic deletion of your Opportunities and Documents

• Respond to your support requests and enquiries

• Send product updates and announcements (with your consent, where required by law)

• Request feedback or participation in surveys (optional)

5.3.1 Communication Preferences

We respect your communication preferences and give you control:

• Transactional emails: Required for service operation (e.g., receipts, security alerts, data retention notices, account changes). These cannot be opted out of while your account is active.

• Product updates: Optional. News about features, tips, and Ainna improvements. You can opt in or out at any time via Account Settings → Notifications or by clicking 'unsubscribe' in any email.

• Marketing communications: Only sent with your explicit consent. You can withdraw consent at any time.

• Referral notifications: If you participate in the Ainna Fellows referral programme, we will notify you of referral conversions and earned rewards. You can manage these in your notification preferences.

Communication optimisation: If you opt in to product updates, we may analyse email engagement (opens, clicks) to send you relevant content at optimal times and avoid over-communicating. This tracking is solely to improve your experience — not for advertising or profiling. You can disable engagement tracking in Account Settings → Notifications.

We will never sell your email address or share it with third parties for their marketing purposes.

5.4 To Ensure Security and Prevent Abuse

Legal basis: Legitimate interests and legal obligation

• Detect, prevent, and address fraud, abuse, and security threats

• Monitor usage patterns and system behaviour for anomalies (this does not include monitoring the content of your Inputs or Outputs)

• Maintain and enforce our built-in AI safeguards

• Protect the rights, property, and safety of Ainna, our users, and the public

• Investigate potential violations of our Terms of Service

To be clear: We do not routinely scan, read, or review the content of your conversations or Outputs. Security monitoring applies to technical and behavioural signals only. In limited, exceptional circumstances, we may access or review content where reasonably necessary — for example, to investigate a specific abuse report, respond to a legal obligation, or assess a quality or safety concern. See our Terms of Service, Section 9.4 for the full list of exceptions.

5.5 To Comply with Legal Obligations

Legal basis: Legal obligation

• Comply with applicable laws, regulations, and legal processes

• Respond to lawful requests from public authorities (such as court orders or regulatory enquiries)

• Retain billing and account creation records as required for tax and financial reporting

• Establish, exercise, or defend legal claims

5.6 What We Do Not Do with Your Information

To reinforce our privacy-first commitment:

• We do not sell, rent, or trade your Personal Data

• We do not use your Customer Data to train AI models

• We do not share your Inputs or Outputs with other users

• We do not use your data to improve results for anyone else

• We do not use your data for advertising or marketing profiling

• We do not routinely monitor or scan the content of your conversations

• We do not share your email address with third parties for their marketing

Questions about how we use your data? See How to Contact Us.

Under the General Data Protection Regulation (GDPR), we must have a lawful basis for processing your Personal Data. This section summarises the legal bases outlined in Section 5 and provides additional detail.

6.1 Performance of Contract

Processing necessary to perform our contract with you (the Terms of Service). This includes:

• Creating and managing your account via LinkedIn OAuth

• Maintaining your Conversation Data and Opportunity history

• Processing your Inputs through our AI to generate Outputs and Documents

• Processing payments, managing subscriptions, and tracking Opportunity allocations

• Applying your branding assets to generated Outputs

• Providing customer support and responding to enquiries

• Sending transactional and service-critical communications (receipts, data retention notices, security alerts)

• Enabling data export and account management functions

• Processing referral programme activity

6.2 Legitimate Interests

Processing necessary for our legitimate interests, provided those interests are not overridden by your rights. This includes:

• Improving and developing the Service using aggregated, anonymised Usage Data and Conversation Metadata

• Enhancing The Innovation Mode methodology and strategic frameworks

• Ensuring security, detecting fraud, and preventing abuse of the Service

• Monitoring system behaviour and usage patterns for anomalies (not content)

• Maintaining and enforcing our built-in AI safeguards

• Analysing email engagement to optimise communication timing and relevance (for users who have opted in)

• Sending product updates to existing customers (where permitted without consent)

Important: We have conducted a balancing test and determined that our legitimate interests do not override your privacy rights, particularly because we do not process your Customer Data (Inputs, Outputs, Conversation content) for these purposes.

6.3 Legal Obligation

Processing necessary to comply with legal obligations to which we are subject. This includes:

• Retaining billing and account creation records for tax, accounting, and financial reporting

• Responding to lawful requests from public authorities (court orders, regulatory enquiries)

• Complying with applicable data protection laws, including GDPR

• Establishing, exercising, or defending legal claims

6.4 Consent

Where required by law, we process certain data based on your explicit consent. This includes:

• Marketing communications and promotional emails

• Non-essential cookies and analytics tracking technologies (see Section 10)

• Email engagement tracking for communication optimisation

• Any Special Categories of Personal Data you voluntarily provide (though we do not request or intentionally collect such data)

You may withdraw consent at any time via Account Settings → Notifications, by clicking 'unsubscribe' in any email, or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

6.5 Summary Table

| Processing Activity | Legal Basis |

| Account creation and management | Contract |

| Generating Outputs and Documents | Contract |

| Payment processing | Contract |

| Customer support | Contract |

| Transactional emails | Contract |

| Referral programme processing | Contract |

| Service improvement (anonymised data only) | Legitimate interests |

| Security monitoring | Legitimate interests |

| Product updates (existing customers) | Legitimate interests |

| Tax and financial records | Legal obligation |

| Responding to authorities | Legal obligation |

| Marketing emails | Consent |

| Non-essential cookies | Consent |

Questions about our legal basis for processing? See How to Contact Us.

Ainna uses artificial intelligence to process your Inputs and generate Outputs. This section explains exactly how your data flows through our AI systems — and, importantly, how it doesn't.

7.1 How AI Processing Works

When you interact with Ainna:

• Your messages are sent to our AI infrastructure for processing

• The AI analyses your Inputs and applies The Innovation Mode methodology and proprietary strategic frameworks

• Ainna's responses and your Conversation Data are stored to maintain continuity across your Opportunity sessions

• When you generate Documents, your Inputs are processed to create Outputs (pitch decks, PRDs, executive summaries, opportunity assessments, and related materials)

• Generated Document file artifacts are stored in your account for 30 days after generation. The underlying strategic data from which Documents are generated persists under the account-level retention rules in Section 8. Documents can be re-downloaded (regenerated from the underlying data) at any time while the Opportunity data exists.

• Opportunities and associated Conversation Data are stored according to the tiered retention schedule in Section 8

Your content passes through our AI infrastructure to generate your Outputs. It does not stay for any other purpose.

7.2 Data Minimisation & Anonymisation

We keep data exchange with AI providers to an absolute minimum.

When your messages are processed by third-party AI infrastructure:

• Minimal data only: We send only the content necessary to generate your response. Some contextual information from your Opportunity may be included to improve response quality.

• No documents are shared: Your Documents, pitch decks, PRDs, and other generated Outputs are never sent to AI providers. These are created, stored, and maintained entirely within our own infrastructure.

• User discretion: Be mindful that any information you include in your conversations — including names, company details, or competitive intelligence — may be processed by AI providers. We advise against including highly sensitive identifiers where possible.

• No training on your data: Regardless of what is sent, AI providers are contractually prohibited from using your data for model training.

7.3 Our AI Training Commitment

WE DO NOT USE YOUR CUSTOMER DATA TO TRAIN, FINE-TUNE, OR IMPROVE ANY AI MODELS.

This is a core architectural commitment, not just a policy. Here's what this means in practice:

• Your Inputs (ideas, product concepts, competitive information, strategic details) are never used for AI training

• Your Conversation Data (messages, prompts, Ainna's responses) is never used for AI training

• Your Outputs (Documents, opportunity assessments, strategic materials) are never used for AI training

• Your data is never fed into training pipelines, never shared for AI improvement, and never used to improve results for other users

• Your data is processed to generate your Outputs. That's it.

Your intellectual property and competitive advantage remain exclusively yours. Ainna is designed to forget.

7.4 Third-Party AI Infrastructure

We use third-party AI infrastructure providers to power Ainna's conversational capabilities. We have selected providers whose API terms explicitly exclude customer data from model training.

Specifically:

• Customer data submitted via API is not used to train or improve their models

• Data is retained only as long as necessary to process your request

• Appropriate security measures are in place for data in transit and at rest

We do not name specific providers as our infrastructure may evolve, but we commit to using only providers whose terms protect your data from training use. If we change providers, this commitment remains.

We do not have custom enterprise agreements with AI providers — we operate under their standard API terms, which already prohibit training on customer data. Should enterprise-grade agreements become necessary or beneficial, we will pursue them.

7.5 What Stays Within Our Infrastructure

To be absolutely clear about what never leaves our systems:

• Your account information (name, email, profile details)

• Your branding assets (logos, visual elements)

• Your generated Outputs (Documents, pitch decks, PRDs, executive summaries)

• Your downloaded files and document history

• Your billing and payment records

• Your referral programme data

All document generation, storage, and management happens entirely within our own infrastructure on EU-based servers.

7.6 What We Do Monitor

To be transparent: while we do not routinely monitor, scan, or review the content of your Inputs or Outputs, we do:

• Track Conversation Metadata (timestamps, message counts, session duration) for usage analytics

• Monitor system performance and error rates

• Log technical data for debugging and service reliability

• Track generation events (when you generate Documents) for billing and usage limits

None of this involves reading or analysing your actual content.

7.7 Automated Decision-Making

Ainna uses AI to generate content, provide opportunity assessments, and produce strategic analysis. This constitutes content generation and analytical frameworks rather than automated decision-making that produces legal or similarly significant effects on you.

• You always have full control over whether to use, modify, or discard any Output

• Opportunity assessments and scores are AI-generated analytical frameworks, not market validation, business validation, or predictions of success (see our Terms of Service, Section 10)

• Ainna's analysis does not constitute endorsement, validation, or approval of any product concept by Innovation Mode Limited

• AI-generated content may contain errors, inaccuracies, biases, or fabricated claims — all Outputs require human review before use

• We do not use automated decision-making for account suspension, pricing determinations, or access decisions without human review

Questions about AI processing? See How to Contact Us.

Ainna is designed to forget. We retain your data only as long as necessary to provide the Service — and we make deletion easy, permanent, and transparent.

8.1 Data Retention Schedule

We apply the following retention rules to your data. These align with Section 3.3 of our Terms of Service.

Generated Documents (File Artifacts)

• 30-Day Auto-Delete: Generated Document file artifacts (pitch decks, PRDs, executive summaries, and other downloadable files) are automatically deleted 30 days after generation. This applies to all account types.

• Underlying Data Preserved: The strategic data from which Documents are generated (conversations, assessments, analysis) is not affected by Document deletion and remains available under the account-level retention rules below.

• Re-Download Anytime: You may re-download (regenerate) Documents from the underlying data at any time, provided the Opportunity data still exists.

• Deleted with Opportunity: Documents are also immediately and permanently deleted when you delete the corresponding Opportunity.

• Downloaded Documents: Once you download a Document, you own that file forever. The copy on our servers still follows the 30-day schedule.

• Download promptly: We strongly recommend downloading all Documents you wish to keep as offline copies immediately after generation.

Opportunities (Conversations, Inputs, Assessments & Analysis)

Retention of Opportunity data depends on your account type:

(a) While a paid plan is active: No inactivity-based deletion applies. Your Opportunities, conversations, assessments, and all associated data are fully retained for the duration of your Sprint Package window or Continuous Plan subscription.

(b) Trial and free accounts: If your account has had no activity for 90 consecutive days, we will notify you by email. You will have 14 days to log in and keep your account active. If we do not hear from you, all account data — including all Opportunities, conversations, assessments, and associated content — will be permanently deleted.

(c) Accounts that have made any paid purchase (Sprint Package or Continuous Plan): After a paid plan expires (sprint window closed, subscription cancelled or lapsed), if your account has no activity for 2 consecutive years, we will notify you by email at 60 days and again at 14 days before deletion. If we do not hear from you, all account data will be permanently deleted. Any login resets the 2-year inactivity clock.

For the purposes of this section, "activity" means an authenticated login event.

8.2 Account Closure

When you close your account, all your data is permanently deleted — hard deletion, no backups, no recovery possible. This includes all Opportunities, conversations, Documents, Outputs, branding materials, and any other content associated with your account. We retain only basic account creation and billing records as required for legal and financial purposes.

8.3 Your Deletion Rights

You have full control over your data:

• Delete Individual Opportunities: Remove any Opportunity, conversation, or associated Documents from your workspace with one click via your dashboard. Documents are immediately deleted when you delete an Opportunity.

• Hard Deletion on Request: Request immediate permanent deletion of any Opportunity at any time. Hard deletion is irreversible — all associated conversations, assessments, Documents, and data are permanently destroyed.

• Delete Everything: Wipe your entire workspace instantly from Account Settings → My Account.

• Close Your Account: Go to Account Settings → My Account and click Close Account. You will be asked to confirm this action to prevent accidental deletion.

When you delete, we mean it. Hard deletion from active systems — no backups retained, no recovery possible. Your data is gone.

Before deleting, we recommend exporting or downloading anything you wish to keep.

8.4 Data We Must Retain

Certain minimal data is retained longer than standard periods as required by law:

• Billing Records: Transaction records, invoices, and payment references are retained for 7 years for tax and accounting purposes. These do not include your Customer Data.

• Account Creation Records: Basic account identifiers are retained for legal and financial audit purposes.

• Legal Holds: Data may be preserved if subject to legal proceedings, regulatory investigation, or government request. We will notify you if legally permitted to do so.

• Security Logs: Technical security and access logs (not content) are retained for up to 12 months for fraud prevention and security purposes.

• Anonymised Data: We may retain fully anonymised, aggregated Usage Data indefinitely for analytical purposes. This data cannot be linked back to you or your content.

8.5 No Backups, By Design

Unlike most services, Ainna does not retain backups of your Customer Data after deletion. This is an intentional architectural decision to protect your privacy:

• When you delete an Opportunity, it is permanently removed — not moved to a backup

• When Document file artifacts are auto-deleted after 30 days, they are permanently erased — not archived

• When you close your account, all your data is permanently erased — not retained

• There is no 30-day recovery window, no recycle bin, no backup tape

This means deletion is truly final. We recommend downloading or exporting any content you wish to preserve before deleting.

Questions about data retention? See How to Contact Us.

You have meaningful control over your Personal Data. We honour privacy rights for all users, regardless of location, to the extent reasonably practicable — and we've built self-service tools to make exercising these rights easy.

9.1 Rights Under GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:

• Right of Access: Request a copy of the Personal Data we hold about you.

• Right to Rectification: Request correction of inaccurate or incomplete Personal Data.

• Right to Erasure ("Right to be Forgotten"): Request deletion of your Personal Data. With Ainna, deletion is hard deletion — no backups, no recovery.

• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.

• Right to Data Portability: Receive your Personal Data in a structured, machine-readable format. Ainna provides one-click export of your entire workspace.

• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.

• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent. This will not affect the lawfulness of processing prior to withdrawal.

• Rights Related to Automated Decision-Making: Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Ainna's AI generates content and assessments for your review — it does not make automated decisions about you.

• Right to Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority. As an Irish company, our lead supervisory authority is the Irish Data Protection Commission (www.dataprotection.ie).

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.

• Right to Delete: Request deletion of personal information we have collected from you.

• Right to Correct: Request correction of inaccurate personal information.

• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information, so there is nothing to opt out of.

• Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information as defined under CCPA.

• Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.

California residents may designate an authorised agent to make requests on their behalf by providing written authorisation.

9.3 How to Exercise Your Rights

We've made exercising your rights as easy as possible:

Self-Service (Recommended):

• Access your data: View all your Personal Data in Account Settings → My Account

• Export your data: One-click export of your entire workspace (all Opportunities, conversations, Documents) in Account Settings → My Account

• Correct your data: Update your profile information in Account Settings → My Account

• Delete Individual Opportunities: Remove any Opportunity from your dashboard with one click

• Delete everything: Wipe your entire workspace in Account Settings → My Account

• Close your account: Account Settings → My Account → Close Account

• Manage communications: Update preferences in Account Settings → Notifications

Contact Us:

Email privacy@ainna.ai

We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing certain requests. If we cannot fulfil your request, we will explain why.

9.4 We Do Not Sell Your Personal Information

We do not sell, rent, share, or trade your Personal Data to third parties for monetary or other valuable consideration.

This applies to all users, regardless of location. We have not sold or shared Personal Data in the preceding 12 months and have no intention of doing so. Your data is not our product — you are our customer, not our inventory.

For California residents: Because we do not sell or share Personal Data, we do not offer a "Do Not Sell or Share My Personal Information" link. There is nothing to opt out of.

9.5 Verification

To protect your privacy, we may need to verify your identity before processing certain requests. Verification methods may include:

• Confirming your request from the email address associated with your account

• Asking you to log into your account

• Requesting additional information to confirm your identity

We will not fulfil requests if we cannot verify your identity, as this protects you from unauthorised access to your data.

Questions about your privacy rights? See How to Contact Us.

We use cookies and similar technologies to provide, protect, and improve the Service. Consistent with our privacy-first approach, we keep tracking to a minimum and never use cookies for advertising or cross-site tracking.

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and understand how you use the site. Similar technologies include local storage, session storage, pixel tags, and web beacons.

10.2 Cookies We Use

Essential Cookies (Always Active)

Required for the Service to function. These cannot be disabled while using Ainna:

• Authentication: Keep you logged in securely across sessions

• Security: Protect against cross-site request forgery and other threats

• Session Management: Maintain your session state and conversation continuity

• Load Balancing: Ensure stable performance across our infrastructure

Legal basis: Performance of contract (necessary for service operation)

Functional Cookies (Optional)

Remember your preferences to provide a personalised experience:

• Theme Preferences: Your selected colour theme and display settings

• Interface Settings: Layout preferences and workspace configuration

• Notification Preferences: Your communication and alert settings

Legal basis: Consent or legitimate interests (enhancing user experience)

Analytics Cookies (Optional)

Help us understand how users interact with Ainna so we can improve the Service:

• Usage Patterns: Which features are used, navigation paths, session duration

• Performance Metrics: Page load times, error rates, service reliability

• Aggregated Statistics: Overall usage trends across our user base

Analytics cookies collect aggregated, anonymised data only. They do not track the content of your conversations, Inputs, or Outputs. We do not use analytics data to build individual profiles.

Legal basis: Consent

10.3 Cookies We Do Not Use

To be clear about what we don't do:

• No advertising cookies: We do not serve ads or use advertising tracking

• No third-party marketing pixels: We do not embed tracking pixels from advertising networks

• No cross-site tracking: We do not track your activity across other websites

• No social media trackers: We do not embed social media tracking scripts

• No data broker integrations: We do not share cookie data with data brokers

Ainna's business model is built on providing value to you — not on monetising your attention or data.

10.4 Your Cookie Choices

Cookie Consent:

When you first visit Ainna, we ask for your consent before setting non-essential cookies. You can change your preferences at any time.

Managing Preferences:

• In Ainna: Manage cookie preferences via Account Settings → Privacy

• Browser Settings: Most browsers allow you to refuse or delete cookies in privacy/security settings

• Withdraw Consent: Change your cookie preferences at any time — changes apply immediately

Note: If you disable essential cookies, some features of Ainna may not function properly. You cannot opt out of essential cookies while using the Service.

For more information about cookies, visit www.allaboutcookies.org.

10.5 Do Not Track

Some browsers offer a "Do Not Track" (DNT) feature that signals websites not to track your activity. There is currently no industry-standard response to DNT signals.

While we do not formally respond to DNT signals, our practices already align with DNT principles: we do not engage in cross-site tracking, we do not track you for advertising purposes, and we do not share tracking data with third parties.

Questions about cookies? See How to Contact Us.

We use carefully selected third-party service providers (subprocessors) to help deliver and improve Ainna. These providers process Personal Data on our behalf and are bound by terms that protect your data.

11.1 Our Key Service Providers

Cloud Infrastructure — Microsoft Azure

We host Ainna on Microsoft Azure's enterprise-grade cloud infrastructure.

• Data is stored in EU data centres, subject to GDPR

• Data is encrypted at rest (AES-256) and in transit (TLS 1.2+)

• Azure maintains SOC 2, ISO 27001, and GDPR compliance certifications

• All your Outputs, Documents, branding assets, and account data remain within our Azure infrastructure

• Documents are generated, stored, and managed entirely within our own systems — never sent to third parties

AI Infrastructure — Third-Party AI Providers

We use third-party AI infrastructure for conversational AI capabilities.

• Data minimisation: We send only the content necessary to generate your response. Some contextual information may be included to improve quality.

• Minimal data only: We send only the content necessary to generate your response — nothing more.

• No documents shared: Your Documents, pitch decks, PRDs, and generated Outputs are never sent to AI providers. All document generation happens within our own infrastructure.

• No training on your data: We use providers whose API terms explicitly exclude customer data from model training.

• Transient processing: Data is retained only as long as necessary to process your request.

We operate under standard API terms that already prohibit training on customer data. We do not currently have custom enterprise agreements with AI providers, but we commit to using only providers whose terms protect your data. If we change providers, this commitment remains.

Payment Processing — Stripe

Stripe processes all payments securely.

• We never see or store your card details — Stripe handles all payment data

• Stripe is PCI-DSS Level 1 certified (the highest level of payment security)

• We receive only a token and the last four digits for reference

• Stripe's privacy policy: stripe.com/privacy

Authentication — LinkedIn

LinkedIn provides OAuth authentication for secure sign-in.

• We receive only basic profile information: name, email, and profile picture

• We never see your LinkedIn password or credentials

• We do not access your LinkedIn connections, posts, or activity

• LinkedIn's privacy policy: linkedin.com/legal/privacy-policy

11.2 Our Commitments Regarding Subprocessors

Before engaging any subprocessor, we:

• Evaluate their privacy, security, and compliance practices

• Ensure their terms prohibit use of customer data for training or improvement of their own services

• Verify they provide appropriate safeguards for international data transfers

• Confirm data residency requirements are met (EU data centres where applicable)

• Conduct ongoing monitoring and periodic reviews

We remain responsible for our subprocessors' compliance with this Policy.

11.3 Updates to Subprocessors

We may update our list of subprocessors from time to time as our infrastructure evolves. We do not disclose specific implementation details for security reasons, but our commitments regarding data protection remain constant regardless of provider.

Material changes to subprocessors that significantly affect how your data is processed will be communicated through the Service or by email. If you have concerns about a new subprocessor, please contact us.

Questions about our service providers? See How to Contact Us.

We do not sell, rent, or trade your Personal Data. Ever.

We share your data only in the limited circumstances described below — and even then, we share the minimum necessary.

12.1 With Service Providers

We share data with our subprocessors (described in Section 11) solely to provide and operate the Service:

• Cloud infrastructure: Your account data, Opportunities, and Outputs are stored on our cloud infrastructure

• AI infrastructure: Conversation content is processed to generate responses. Your Documents and generated files are never shared with AI providers.

• Payment processing: Payment details are handled directly by Stripe — we never see your card information

• Authentication: LinkedIn provides sign-in — we receive only basic profile information

These providers are bound by terms that prohibit using your data for their own purposes, including AI training.

12.2 With Your Consent

We may share data when you give us explicit consent. Examples include:

• Integrating Ainna with third-party services you choose to connect

• Sharing specific content with colleagues or stakeholders at your direction

• Participating in case studies or testimonials (only with your written permission)

You can withdraw consent at any time, though this will not affect sharing that occurred prior to withdrawal.

12.3 For Legal Reasons

We may disclose data if we believe in good faith that disclosure is necessary to:

• Comply with applicable laws, regulations, or legal processes

• Respond to lawful requests from public authorities (such as court orders or regulatory enquiries)

• Protect the rights, property, or safety of Innovation Mode Limited, our users, or the public

• Enforce our Terms of Service or investigate potential violations

• Prevent fraud, security threats, or illegal activity

Our commitment: If we receive a legal request for your data, we will notify you before disclosure unless legally prohibited from doing so (e.g., by court order or gag order). Where permitted, we will give you the opportunity to challenge the request.

12.4 Business Transfers

If Innovation Mode Limited is involved in a merger, acquisition, bankruptcy, reorganisation, or sale of assets, your Personal Data may be transferred as part of that transaction.

In such event:

• We will notify you via email and/or prominent notice in the Service before your data is transferred

• Your data will remain subject to protections at least as strong as this Policy

• You will be informed of any choices you have regarding your data

• If the acquiring entity intends to use your data differently, you will have the opportunity to delete your account before transfer

12.5 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot be used to identify you or your content. Examples include:

• Statistics about overall platform usage and feature adoption

• Industry benchmarks and trends (e.g., average time savings, common use cases)

• Performance metrics and service reliability data

This data is fully anonymised — it cannot be linked back to you, your Opportunities, or your Outputs. It is not considered Personal Data under GDPR.

12.6 With Your Team (Team and Enterprise Plans)

If you use Ainna under a Team or Enterprise plan, you may choose to share Opportunities and Outputs with other members of your organisation. In such cases:

• Sharing is controlled by you and your organisation's administrators

• Your organisation's policies govern how shared content is used within your team

• We do not share your content with team members without your explicit action

Individual users on Sprint Packages or individual Continuous Plans have private workspaces — your Opportunities are never visible to other users.

12.7 What We Never Share

To be absolutely clear:

• We never sell your Personal Data to data brokers or advertisers

• We never share your Customer Data (Inputs, Outputs, Documents) with other Ainna users

• We never share your content with AI providers for training purposes

• We never share your data with third parties for their marketing purposes

• We never monetise your data in any way other than providing the Service you pay for

Your data is not our product. You are our customer.

Questions about data sharing? See How to Contact Us.

Innovation Mode Limited is based in Ireland, and we store your data within the European Union by default. This means your data benefits from GDPR protections — one of the world's strongest privacy frameworks.

13.1 Where Your Data Is Stored

• European Union: Your account data, Opportunities, Outputs, Documents, branding assets, and all generated documents are stored exclusively in EU data centres.

• Your documents never leave the EU: All document generation, storage, and management happens within our EU-based infrastructure.

13.2 Where Your Data May Be Processed

While your data is stored in the EU, some processing may occur outside the EU when you use certain features:

• AI Infrastructure: Conversation content may be processed by AI providers with infrastructure in the United States. Your Documents and generated files are never sent outside the EU.

• Payment Processing: Payment data is handled by Stripe, which operates globally. We never see or store your card details.

• Support Services: If you contact support, your enquiry may be handled by team members in various locations.

Important: Even when data is processed outside the EU, we ensure appropriate safeguards are in place (see below).

13.3 Safeguards for International Transfers

When Personal Data is transferred outside the EU/EEA to countries not deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers where applicable.

• Adequacy Decisions: Where the European Commission has determined a country provides adequate protection, transfers may occur under that framework.

• Provider Terms: Our service providers are bound by terms that require them to protect your data and prohibit use for purposes other than providing the service.

• Data Minimisation: We minimise what is transferred — we send only the content necessary to generate responses, and documents remain in the EU.

• Supplementary Measures: Where necessary, we implement additional technical measures such as encryption and pseudonymisation.

13.4 Your Rights Regarding Transfers

You have the right to:

• Know where your data is processed

• Request information about the safeguards we use for international transfers

• Object to transfers in certain circumstances

To request a copy of the safeguards we use, or if you have concerns about international transfers, contact privacy@ainna.ai.

Questions about international transfers? See How to Contact Us.

We take the security of your data seriously. Ainna was built with security and privacy as foundational principles — not afterthoughts.

14.1 Technical Measures

• Encryption in Transit: All data transmitted to and from Ainna is encrypted using TLS 1.2 or higher.

• Encryption at Rest: Data stored in our infrastructure is encrypted using AES-256 encryption.

• EU Data Residency: Your data is stored in EU data centres, protected by GDPR and European data protection standards.

• Access Controls: We implement role-based access controls and the principle of least privilege for all systems.

• Authentication Security: We use OAuth 2.0 via LinkedIn for secure authentication. We never store passwords — there are no Ainna passwords to steal.

• Infrastructure Security: Our cloud infrastructure is protected by enterprise-grade firewalls, intrusion detection systems, and regular security patches.

• No Backups by Design: Unlike most services, we do not retain backups of your Customer Data after deletion. When you delete, it's truly gone — reducing the attack surface and protecting your privacy.

14.2 Privacy-First Architecture

Security isn't just about keeping attackers out — it's about minimising what could be compromised in the first place:

• Minimal AI Data Exchange: We send only the content necessary to generate your response. Documents, pitch decks, and generated Outputs are never sent to third-party AI providers.

• Documents Stay In-House: Your Documents, pitch decks, and generated Outputs are never sent to third-party AI providers. All document generation happens within our own infrastructure.

• Minimal Data Collection: We collect only what's necessary to provide the Service.

• Automatic Deletion: Document file artifacts are automatically deleted after 30 days; account data follows the tiered retention schedule in Section 8 — reducing long-term data exposure.

• Hard Deletion: When you delete data, it's permanently removed — no backups, no archives, no recovery possible.

14.3 Organisational Measures

• Security Training: Our team receives regular security awareness training.

• Vendor Assessment: We evaluate the security and privacy practices of all third-party providers before engagement, and conduct ongoing monitoring.

• Principle of Least Privilege: Team members have access only to the systems and data necessary for their role.

• Incident Response: We have documented procedures to detect, respond to, and recover from security incidents.

• Regular Reviews: We conduct periodic reviews and assessments of our security controls.

14.4 Your Role in Security

Security is a shared responsibility. You can help protect your data by:

• Protecting your LinkedIn account: Your LinkedIn credentials control access to Ainna. Use a strong password and enable two-factor authentication on LinkedIn.

• Downloading important Documents: Download Documents you wish to keep immediately, as file artifacts are automatically deleted 30 days after generation. You can re-download from underlying data while the Opportunity exists.

• Being mindful of what you share: Avoid including highly sensitive identifiers (e.g., personal ID numbers, financial account details) in your conversations where possible. Do not submit material non-public financial information, protected health information, or data subject to regulatory restrictions.

• Reporting suspicious activity: Notify us immediately at security@ainna.ai if you suspect unauthorised access to your account.

• Not sharing access: Your account is personal to you. Do not share your account access with others.

14.5 Security Incidents

Despite best efforts, no system is completely secure. If we discover a security breach that affects your Personal Data:

• We will notify affected users without undue delay

• We will notify the Irish Data Protection Commission within 72 hours as required by GDPR (where the breach is likely to result in a risk to your rights)

• We will provide clear information about what happened, what data was affected, and what steps we are taking

• We will take immediate steps to contain and remediate the breach

If you believe your account has been compromised, contact us immediately at security@ainna.ai.

Questions about security? See How to Contact Us.

Ainna is an AI product strategy platform designed for product managers, founders, and business professionals. It is not intended for use by individuals under 18 years of age.

15.1 Age Requirement

You must be at least 18 years old to create an account and use Ainna. By using the Service, you represent that you meet this age requirement.

15.2 No Collection from Minors

We do not knowingly collect Personal Data from children under 18. Our use of LinkedIn OAuth for authentication provides a natural safeguard, as LinkedIn requires users to be at least 16 years old. However, our Terms require users to be 18 or older.

If you are under 18, please do not attempt to register for an account or provide any personal information to us.

15.3 If We Learn of Underage Use

If we learn that we have collected Personal Data from anyone under 18, we will:

• Immediately suspend the account

• Delete all associated Personal Data and Customer Data

• Not retain any information except as required for legal purposes

If you believe we may have inadvertently collected information from someone under 18, please contact us immediately at privacy@ainna.ai.

Questions about our age policy? See How to Contact Us.

Ainna may contain links to third-party websites, applications, or services that are not operated by us.

16.1 Third-Party Services We Link To

In the normal course of using Ainna, you may interact with:

• LinkedIn: For authentication (LinkedIn Privacy Policy)

• Stripe: For payment processing (Stripe Privacy Policy)

• The Innovation Mode: For methodology resources (theinnovationmode.com)

We encourage you to review the privacy policies of these services.

16.2 Links in Generated Outputs

Your Documents and other Outputs may contain links to external websites based on the content you provide or references included in generated materials. These links are provided for convenience and do not imply endorsement or verification by Innovation Mode Limited.

16.3 Our Responsibility

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. The inclusion of any link — whether in the Service itself or in generated Outputs — does not imply endorsement by Innovation Mode Limited.

When you leave Ainna to visit a third-party site, this Policy no longer applies. Your interactions with third-party sites are governed by their own terms and privacy policies.

Questions about external links? See How to Contact Us.

We may update this Privacy & Data Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will always handle your data in accordance with the Policy in effect at the time of collection, unless you consent to changes.

17.1 Notification of Changes

• Material Changes: For material changes that significantly affect how we collect, use, or share your Personal Data, we will notify you by email (to the address associated with your account) and by prominent notice within the Service before the changes take effect.

• Minor Changes: For minor changes (such as clarifications, formatting, or corrections that do not affect your rights), we will update the "Last Updated" date at the top of this Policy.

• Required Changes: If changes are required by law or regulation, we may implement them on a shorter timeline where legally necessary, but will still notify you as soon as practicable.

17.2 What Constitutes a Material Change

Examples of material changes include:

• New categories of Personal Data we collect

• New purposes for processing your data

• Changes to how we share data with third parties

• Changes to your rights or how to exercise them

• Changes to our data retention periods

• New subprocessors that significantly affect data processing

When in doubt, we err on the side of notifying you.

17.3 Your Choices

Your continued use of Ainna after any changes become effective constitutes your acceptance of the revised Policy.

If you do not agree to the revised Policy:

• You may stop using the Service before the changes take effect

• You may request deletion of your data at any time

• You may export your data before closing your account

• If you have prepaid for services, contact us to discuss options

We will not retroactively change how we handle data already collected under a previous Policy without your consent.

17.4 Prior Versions

We maintain an archive of prior versions of this Policy for transparency:

• View prior versions here

• Each version includes its effective date

• You may request a copy of any prior version by contacting us

The current version always governs your use of the Service.

Questions about policy changes? See How to Contact Us.

We're here to help with any privacy questions or concerns. Use our online forms for the fastest response, or email us directly.

Privacy & Data Requests

For data access, deletion requests, export requests, or privacy concerns:

Email privacy@ainna.ai

Security

To report a security concern or suspected account compromise:

• Email security@ainna.ai

General Enquiries

For all other questions:

Email hello@ainna.ai

18.1 Self-Service Options

Many privacy actions can be completed directly in your account:

• View your data: Account Settings → My Account

• Export your data: Account Settings → My Account

• Delete individual Opportunities: From your dashboard

• Delete all data: Account Settings → My Account

• Close your account: Account Settings → My Account

• Manage communications: Account Settings → Notifications

• Manage cookies: Account Settings → Privacy

18.2 Response Times

• Privacy requests: Within 30 days (or sooner if required by GDPR)

• Security concerns: Acknowledged within 24 hours

• General support: Within 24 hours on business days

Complex requests may require additional time — we will keep you informed of progress. Subscribers receive priority support.

18.3 Supervisory Authority

If you are located in the European Union and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a data protection supervisory authority.

As an Irish company, our lead supervisory authority is:

Data Protection Commission (Ireland)

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

You also have the right to lodge a complaint with the supervisory authority in your country of residence.

18.4 Our Details

Innovation Mode Limited

Company Registration Number: 785034

Registered Office: 51 Bracken Road Dublin 18, D18 CV48, DUBLIN

Ireland

As Innovation Mode Limited is established in Ireland within the European Union, we are subject to direct jurisdiction under the GDPR. No separate EU representative is required.

You can also access privacy options anytime from within Ainna via Account Settings → Privacy.