
Privacy Policy & Data Processing Agreement

aifa.works — Enterprise AI Platform

Last updated: 15 January 2025

This Privacy Policy and Data Processing Agreement ("DPA") governs the collection, processing, storage, and transfer of personal data by aifa.works. We are committed to full compliance with GDPR, UK GDPR, CCPA/CPRA, PIPEDA, LGPD, POPIA, PDPA, EU AI Act, DSA, DMA, DORA, Washington My Health My Data Act, BIPA, and all applicable global privacy frameworks.

Data Controller & DPO Contact

aifa.works Ltd acts as Data Controller. Our Data Protection Officer is reachable at dpo@aifa.works. All GDPR Article 30 records, DPIAs, and legitimate interest assessments are maintained and available upon verified request. We appoint EU and UK representatives pursuant to Articles 27 GDPR/UK GDPR. For CCPA requests, California residents may exercise rights via the same channel. We respond within statutory timeframes and maintain audit logs of all access requests for six years.

Categories of Personal Data Processed

We process identifiers, contact data, device and usage telemetry, biometric embeddings (voice, facial geometry) under BIPA consent, health-related inferences under Washington My Health My Data Act, and generative AI interaction logs. Sensitive data is processed only with explicit consent or substantial public interest. All biometric templates are stored as irreversible one-way hashes with per-user cryptographic salt. No raw biometric images are retained beyond the active session.

Legal Bases & Cross-Border Transfers

Processing relies on consent, contract performance, legitimate interests, and legal obligations. International transfers to the United States and Singapore utilise approved SCCs 2021, UK IDTA, and Binding Corporate Rules. We conduct Transfer Impact Assessments annually. Data localisation options are available for Quebec Law 25 and LGPD data residency requirements. All subprocessors are bound by equivalent DPA terms and undergo SOC 2 Type II and ISO 27001 audits.

Automated Decision-Making & AI Transparency

Pursuant to the EU AI Act and GDPR Articles 13-22, users receive clear disclosure when interacting with our chatbot systems. Generative outputs are watermarked and labelled as AI-generated. Users may request human review of solely automated decisions that produce legal or significant effects. We maintain model cards, training data provenance summaries, and bias testing reports. Opt-out from profiling is honoured within 48 hours.

Data Minimisation, Retention & Deletion

Data is retained only as long as necessary for the stated purposes or to meet statutory obligations (DORA financial record-keeping, tax, litigation holds). Default retention for interaction logs is 90 days; biometric templates are deleted within 30 days of account closure. Cryptographic erasure and verifiable deletion certificates are issued upon request. California CPRA deletion metrics are published in our annual transparency report.

Security, Encryption & Resilience

All data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Key management follows FIPS 140-3 validated HSMs. We maintain 99.99% uptime commitments under DORA ICT risk management frameworks, including annual penetration testing, red-team exercises, and incident response playbooks. Breach notification occurs within 72 hours to supervisory authorities and without undue delay to affected individuals.

User Rights & Exercise Mechanisms

Data subjects may exercise access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. California residents may request disclosure of categories sold or shared and opt out of cross-context behavioural advertising. Requests are authenticated via multi-factor verification. We do not discriminate against users who exercise privacy rights. Response SLA is 30 days (extendable once by 60 days under GDPR).

Children's Privacy & Age-Appropriate Design

Our platform is not directed at children under 13 (COPPA) or 16 (GDPR). For users aged 13-17 we apply California Age-Appropriate Design Code safeguards, including default privacy settings, time-spent disclosures, and prohibition of dark patterns. Age verification occurs via government ID or verified guardian consent. We promptly delete any inadvertently collected child data upon discovery.

Cookies, Tracking & Deceptive Patterns

We employ strictly necessary, performance, and consented marketing cookies. No dark patterns or deceptive consent interfaces are used, in compliance with DSA Article 25 and DMA. Cookie banners require affirmative action; rejection is as prominent as acceptance. Analytics data is aggregated and IP-anonymised within the EU. Users may manage preferences via our consent management platform at any time.

Subprocessors, Audits & Policy Changes

Current subprocessors are listed at aifa.works/legal/subprocessors. Material changes to this DPA trigger 30-day notice and renewed consent where required. We undergo annual third-party audits covering all listed regulatory regimes. This document constitutes the entire agreement regarding data processing and supersedes prior versions. Continued use after updates constitutes acceptance of the revised terms.

Section 11: Blockchain Memory Consent & Decentralized Storage

By interacting with AIfa, the user provides explicit, irrevocable consent to the collection, analysis, and immutable, eternal storage of their dialogues in the decentralized Arweave blockchain. This long-term memory layer (PADAM) is designed to preserve interaction contexts permanently. Once written, this data is decentralized and cannot be modified or deleted by any central authority, including aifa.works.

Section 12: 200% Absolute Liability Waiver

aifa.works provides only the decentralized storage protocol. The user bears 100% of the responsibility for all data (personal, commercial, proprietary, or confidential) transmitted to the AI. Under no circumstances shall aifa.works be liable for any indirect, direct, punitive, incidental, or consequential damages resulting from on-chain storage. The user waives all liability up to 200% of any service fees paid.

Data Protection Officer: dpo@aifa.works