Privacy Policy
Last updated: May 24, 2026
At Aura Intelligence SL ("aiDex") we process our users' personal data with the transparency and care required by the EU General Data Protection Regulation (GDPR) and the Spanish LOPDGDD. This Privacy Policy describes what data we collect, what we use it for, with whom we share it, and what rights you have.
1. Data controller
- Identity: Aura Intelligence SL
- Tax ID (NIF): B26844217
- Address: Plaza de la Coca, 08301 Mataró (Barcelona), Spain
- Registry details: Registered with the Mercantile Registry of Barcelona, Section 8, Sheet B-652848, Entry 1, dated 12 March 2026.
- Privacy contact: privacy@aidex.chat
- Legal contact: legal@aidex.chat
We have not appointed a Data Protection Officer (DPO), as the thresholds of Article 37 GDPR and Article 34 LOPDGDD are not met. Any question can be sent to privacy@aidex.chat.
2. Personal data we process
Depending on how you use aiDex, we process:
- Account data: name, email address, language, time zone, registration date, password (stored in hashed form).
- Billing data: name, address, tax number (NIF / CIF / VAT / CPF / CNPJ) and payment details, handled by our payment processor (Stripe).
- Usage data: conversations, messages, files you upload (documents, images), editor preferences, saved teams, API keys you provide (stored with envelope encryption).
- Technical data: IP address, browser type, operating system, session identifiers, request timestamps, error logs.
- Derived data: aggregated usage metrics (message counts, token consumption, estimated cost) used to render your own usage dashboard and to enforce daily limits.
We do not deliberately process special categories of personal data (Art. 9 GDPR). If you choose to include such data in a conversation or document, you act as the controller of that processing vis-à-vis the AI provider you have selected (see the BYOK section below).
3. Purposes and legal bases
We process your personal data for the following purposes:
- Service provision: Account management, storage of your conversations and documents, billing. Legal basis: performance of the contract (Art. 6(1)(b) GDPR).
- Communication with the user: Transactional emails (account verification, spending-cap alerts, weekly cost digest) and responses to your enquiries. Legal basis: performance of the contract and legitimate interest (Art. 6(1)(b) and (f) GDPR).
- Marketing communications (newsletter): Only if you have expressly subscribed. Legal basis: consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.
- Compliance with legal obligations: Retention of invoices (Spanish tax law), response to public-authority requests. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
- Security and fraud prevention: Access logging, abuse detection, enforcement of usage limits. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Service improvement: Aggregated, anonymised product-usage analysis. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). We do not use the content of your conversations to train AI models.
4. Bring-Your-Own-Key (BYOK) model
aiDex operates on a BYOK model: you provide your own API keys for the AI-model providers (OpenAI, Anthropic, Google, DeepSeek or Ollama). When you interact with a model, the content of your request (prompts, attachments) is sent directly from our servers to the provider you have selected using your key.
In respect of that transmission, aiDex acts as a processor only for the technical transport of your data to the provider. The provider will process the data according to its own policies (linked from our sub-processor list). We recommend reviewing the provider's policy before submitting sensitive information.
API keys are stored using envelope encryption with libsodium. They are decrypted only at the moment a provider call is made and are never exposed to the user's browser.
For convenience, the privacy policies of the AI-model providers we support are linked below. We recommend reading the policy of any provider whose key you intend to use, particularly with regard to training-data usage:
OpenAI, L.L.C. — Privacy Policy
Anthropic, PBC — Privacy Policy
5. Recipients and sub-processors
To deliver the service we rely on processors (sub-processors) that process personal data on our behalf. The up-to-date list of sub-processors — with purpose, processing location and each one's privacy policy — is available at https://aidex.chat/subprocessors.
We will give notice of any change to that list at least 30 days in advance by email to users on paid plans.
In addition, we may disclose personal data to competent public authorities where there is a legal obligation to do so.
6. International data transfers
Your account data, conversations and files are stored on infrastructure located exclusively in the European Union.
Certain sub-processors (AI-model providers, Stripe, Sentry, Google, Microsoft and TikTok) may process data outside the European Economic Area, principally in the United States. Such transfers take place under the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, where applicable, under the EU-U.S. Data Privacy Framework.
For information about the safeguards applicable to a specific transfer, please write to privacy@aidex.chat.
7. Retention periods
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected:
- Account data, conversations and files: for the duration of the account. Once you request closure, the data is permanently and immediately deleted from our production systems.
- Billing data: for the period required by Spanish tax and commercial law (a minimum of 6 years — Art. 30 Spanish Commercial Code, Art. 66 Spanish General Tax Act).
- Access logs and technical data: 12 months, extendable if necessary to investigate a security incident.
- Newsletter subscription data: until you withdraw consent.
Encrypted backups may retain deleted data for up to 35 days, after which they are overwritten. We will not access such backups except for service recovery after an incident.
8. Your rights
You may exercise the following rights at any time:
- Access (Art. 15 GDPR): to know what personal data we process about you.
- Rectification (Art. 16 GDPR): to have inaccurate data corrected.
- Erasure (Art. 17 GDPR): to request deletion of your data when no longer necessary.
- Restriction (Art. 18 GDPR): to request the suspension of processing in certain cases.
- Portability (Art. 20 GDPR): to receive your data in a structured, machine-readable format.
- Objection (Art. 21 GDPR): to object to processing based on legitimate interest.
- Withdrawal of consent: where processing relies on consent, without affecting the lawfulness of prior processing.
To exercise these rights, write to privacy@aidex.chat and provide proof of your identity. We will respond within one month, extendable by two months where the request is particularly complex.
If you consider that the processing does not comply with the regulation, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es, without prejudice to any other administrative or judicial remedy.
9. Data of minors
aiDex is aimed at persons aged 16 or older. We do not knowingly process personal data of children under that age. If we discover that an account has been created by a child under 16, we will close it immediately.
10. Security and breach notification
We apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest of sensitive data, role-based access control, audit logging and periodic vulnerability reviews.
In the event of a personal-data breach posing a risk to the rights and freedoms of data subjects, we will notify the AEPD within 72 hours and, where the risk is high, the affected data subjects without undue delay (Arts. 33 and 34 GDPR).
11. Artificial intelligence and transparency (Reg. (EU) 2024/1689)
In accordance with Article 50 of the EU Artificial Intelligence Act, we inform you that aiDex is an AI system that combines responses from several language models and image-generation models. Responses and generated content are produced automatically, may contain inaccuracies and do not constitute professional advice.
AI-generated images are identified as such in the product interface. We do not use biometric recognition, person categorisation or subliminal techniques prohibited by the Regulation.
12. Amendments to this policy
We may update this Privacy Policy to reflect legislative, case-law or operational changes. The last-updated date is shown at the top of the document. Material changes will be notified by email with reasonable advance notice.