Privacy Policy

Last updated: 30 March 2026
Aloi AI AB (company reg. no. 559469-6444) (“Aloi”, “we”, “us”, “our”) are committed to protecting your privacy. This policy (“Privacy Policy”) explains how we collect, use, process, and share data that can be used to identify an individual (“Personal Data”) when you interact with us. The Privacy Policy also outlines your privacy rights and how you can exercise them. Please read the following carefully to understand our practices regarding your personal data and how we will process it. If you have any questions or concerns about the Privacy Policy, or want to exercise your rights, please contact us.

1. Applicability of this Privacy Policy and our role

Aloi AI provides its application to companies for professional use (our “Customers”) in accordance with the terms of their respective agreements with us (“Customer Agreements”), including a Data Processing Agreement (“DPA”). Our collection and processing of personal data in connection with a Customer’s use of our application (“Customer Data”) are governed by the Customer Agreement and DPA, under which Aloi acts solely as a data processor on behalf of the Customer. This means we process data only according to the Customer’s instructions and purposes, without determining the means or purposes of processing. As such, this Privacy Policy does not apply to Customer Data processed within our application under those agreements.

This Privacy Policy applies only when Aloi acts as a data controller. Aloi is the data controller for personal data collected when you interact with us outside the scope of a Customer’s use of our application – for example, when you visit our website (aloi.law), our Help Center, or any other site we operate (each, a “Site”), when you participate in feedback or survey activities, or otherwise communicate with us. As the data controller, we are responsible for ensuring that such personal data is processed lawfully and in compliance with applicable laws.

Our Sites may contain links to third-party websites or services that are not operated or controlled by Aloi. This Privacy Policy does not apply to those third-party platforms. We encourage you to review the privacy policies of any external sites you visit.

2. Personal data we collect

We collect personal data in the following circumstances:

2.1 Personal data you provide

We collect personal data directly from you when you interact with us. The types of personal data we collect include:

Communication and correspondence information
When you contact us, for example, for customer support, to provide feedback, to respond to surveys, or sign up for our waitlist or otherwise communicate with us, we collect personal data such as your name, IP address, role, email address, phone number, and any other relevant information that can be attributed to you and is needed to support and communicate with you. Aloi will also record phone calls made to our Help Center to help us provide the support needed to resolve your issue or assist you effectively.

Social media information
When you interact with our social media pages, such as LinkedIn, we collect personal data that you choose to provide, such as contact details. In addition, third parties that host our social media may provide us with aggregated information and analytics about your interactions with our pages. In some cases, Aloi and these third-party platforms may act as joint controllers for certain processing activities, such as the collection and analysis of page usage data. For more information on how your data is handled in these cases and how to exercise your rights, please refer to the privacy policies of the relevant platforms.

Recruitment information
When you apply for a job, internship, or other training program with us, we may collect personal data such as your name, email address, phone number, CV, cover letter, and any other information you provide in your application. We may also collect information from interviews, recruitment agencies, referees, publicly available sources (e.g. LinkedIn), or our employees if you are referred. This information is used solely to evaluate and manage your application. Providing this information is voluntary, but failure to do so may limit our ability to assess and process your application.

Testimonial information
With your consent, we may display your personal testimonials on our website or social media platforms. If you wish to update or delete your testimonial, you can contact us.

Marketing communication information
We may collect personal data if you sign up to receive marketing communications from us, such as newsletters, product updates, or promotional materials. This information may be collected via online forms, email signups, or when you provide your preferences for communication. You can manage or withdraw your consent at any time by using the unsubscribe link in our emails or contacting us directly.

Prospects and investor information
We may collect personal data about prospects and potential investors who express interest in our services or company. This may include business contact details provided through direct communications, meetings, inbound requests, or other business development or investor outreach activities. In some cases, we may also collect information from publicly available sources such as company websites or social media platforms (e.g. LinkedIn).

2.2 Personal data we collect automatically

We collect your personal data indirectly through automated means when you interact with us by visiting our Sites. The types of information we collect include:

Log data
We collect information that your browser or device automatically sends when you visit our Sites. This includes your IP address, browser type, operating system, the date and time of your request, pages visited, and other interactions with the Sites (collectively “Log data”).

Usage data
When you visit our Sites, we automatically collect information about your use, including actions you take, your time zone, location, the date and times of interactions, and time spent on our Sites (collectively “Usage Data”).

Device information
We collect information about the device you use to visit our Sites, such as the device name, browser type, operating system, date and time stamps, and clickstream data. The specific data collected may vary depending on your device settings.

Cookies and similar technologies
We use cookies and similar technologies on our Sites to collect certain information automatically, such as how you interact with our Sites, including to measure the effectiveness of our marketing campaigns, attribute visits and conversions to particular channels or campaigns, and improve our marketing and website performance. Some cookies are essential for the website to function properly, while others (such as analytics and marketing cookies) are used to understand usage patterns and measure campaign performance. Non-essential cookies are only used with your consent, which you can manage or withdraw at any time via our cookie settings. For more information about the types of cookies we use and how we use them, please see our Cookie Policy available at aloi.law/legal/cookie-policy.

2.3 Personal data we collect through third parties

We may receive information from analytics and marketing partners regarding your interactions with our Sites, including campaign and referral data, where such partners are used.

2.4 Personal data that is publicly available

We may collect publicly available information about customers and prospects to help us offer and deliver our application. This may include:

  • Contact information (name, email address, phone number, and company name)
  • Professional details (e.g. role or job title and industry)

This information is obtained from publicly accessible sources such as:

  • Company website
  • Professional networking sites (e.g. LinkedIn)
  • Public directories
  • Official company records

3. How we use personal data

We collect personal data in the following circumstances:

  • to provide, administer and maintain our Sites and application;
  • to improve and develop our Sites and application;
  • to conduct research and usage analysis;
  • to personalize your experience;
  • to provide support services, resolve issues, or respond to inquiries;
  • to communicate with you, including information and marketing about our services;
  • to prevent fraud, misuse, or security issues; and
  • to comply with legal obligations and protect our rights.

We may also aggregate and anonymize personal data so it can no longer be used to identify you and use that data for the following purposes:  

  • to analyze trends and usage;
  • to improve and update our sites and communications;
  • to conduct research; and
  • to share or publish insights, such as usage statistics, on our website or social media.

The following table includes additional information about the different types of personal data processed by us, the purpose and the legal basis for the processing, as well as the data retention period.

| Purpose | Type of personal data | Legal basis | Data retention period |
| --- | --- | --- | --- |
| To manage and evaluate job applications. | Name, email address, phone number, CV, cover letter, interview notes, info from referees, LinkedIn or public sources. | We rely on our legitimate interest (GDPR Article 6(1)(f)) in managing recruitment, which we have assessed outweighs your right not to have your data processed for this purpose. | Duration of recruitment process and up to 6 months after, unless consent is given to retain for up to 3 years. |
| To provide support and manage customer relationships. | Name, email address, company name, role, username, IP address, correspondence, voice recordings of support calls, call metadata, transcripts. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) to support users and manage customer relationships, which we have assessed outweighs your right not to have your data processed for this purpose. | Duration of the customer relationship or up to 2 years after last contact, unless objected to earlier. Voice recordings are stored for up to 180 days (maximum 2 years if a ticket remains open). |
| To respond to communication and correspondence. | Name, email address, phone number, role, message content, correspondence history. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) in responding to inquiries and improving our services, which we have assessed outweighs your right not to have your data processed for this purpose. | Up to 2 years after the last interaction, unless a shorter period applies. |
| To manage social media interactions and analytics. | Name, role/title, company name, photo (if applicable), testimonial content. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) in promoting our services, engaging with users, and understanding content performance, which we have assessed outweighs your right not to have your data processed for this purpose. Where applicable, this may involve joint controllership with the relevant platform. | As long as necessary for the interaction or as per the third-party platform’s retention terms. |
| To display testimonials. | Name, role/title, company name, photo (if applicable), testimonial content. | We rely on your consent (GDPR Art. 6(1)(a)) to publish testimonials, which you may withdraw at any time. | Until consent is withdrawn or the testimonial is removed. |
| To send marketing communications and updates. | Name, email address, company name, communication preferences. | We rely on your consent (GDPR Art. 6(1)(a)) to send marketing communications, which you may withdraw at any time. | Until consent is withdrawn. |
| To analyze website usage and improve user experience. | IP address, browser type, usage data, location, device data. | We rely on your consent (GDPR Art. 6(1)(a)), which is obtained through your selection of cookie preferences. | As specified in the Cookie Policy. |
| To engage with prospects and investors, and process publicly available business contact data. | Name, job title, email address, company name, industry, meeting notes, communication history, professional background. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) in developing commercial relationships, building investor and customer networks, and conducting outreach, which we have assessed outweighs your right not to have your data processed for this purpose. | For as long as the data is relevant or until you opt out. |
| To ensure security and prevent misuse. | IP address, usage data, device/browser details, login behavior, interaction history. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) in maintaining the security, availability, and proper functioning of our services, which we have assessed outweighs your right not to have your data processed for this purpose. | For as long as reasonably necessary for security monitoring, or as required by law. |
| To comply with legal obligations. | Contact information, transaction records, communication logs, usage data, or any other data required by law. | We process this data to comply with legal obligations (GDPR Art. 6(1)(c)). | As required by law. |
| To protect and enforce our legal rights. | Contact details, contractual records, correspondence, usage logs, payment and account history, or other relevant data. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) in protecting and enforcing our legal rights, which we have assessed outweighs your right not to have your data processed for this purpose. | For as long as necessary to establish, exercise or defend legal claims. |
| To improve our products and conduct research. | Feedback data, interaction logs, anonymized usage data, survey responses. | We rely on our legitimate interest (GDPR Art. 6(1)(f)) in developing and optimizing our services based on user input and behavioral insights, which we have assessed outweighs your right not to have your data processed for this purpose. | Feedback and survey data for up to 2 years, anonymized/aggregated data may be retained longer. |
| To measure marketing campaign effectiveness and website traffic sources. | IP address, cookie identifiers, device/browser information, pages viewed, clicks, timestamps, referrer URL, campaign parameters, and conversion events. | We rely on your consent (GDPR Art. 6(1)(a)), obtained via cookie preferences. | As set out in the Cookie Policy and/or until consent is withdrawn, subject to maximum retention periods. |

4. Who we share your personal data with

Under certain circumstances, we may share your personal data with the following categories of recipients in the situations outlined below:

  • Vendors and Service Providers: We may share your personal data with trusted vendors and service providers who assist us in operating our service, conducting our business or serving our users. These include IT service providers, cloud service providers, analytics providers, marketing and customer support services, and professional advisors (such as legal or accounting firms). These parties act as data processors and are contractually obligated to protect your data and use it only as instructed by us.
  • Other data controllers: In some cases, we may share your personal data with other data controllers (e.g., partners or co-organizers) who determine how your personal data is used in accordance with their own privacy policies.
  • Joint Controllers: If we jointly determine the purposes and means of processing with another party, that party acts as a joint controller together with us.
  • Business Changes: In the event of a merger, acquisition, reorganization, liquidation, or other similar event, your personal data may be shared or transferred to counterparties, potential investors, and professional advisors involved in the transaction, who will be required to handle your data in accordance with applicable data protection laws.
  • Legal Obligations: We may disclose your personal data to comply with applicable laws, regulations, legal processes, or government requests.
  • With your consent: We may share your personal data for other purposes with your explicit consent.

5. International Transfers

Under certain circumstances, we may share your personal data with the following categories of recipients in the situations outlined below:

Recipient and country: Our service providers (including hosting, analytics, and marketing providers) may be located in the United States and other countries outside the EU/EEA.

Transfer safeguard: We rely on the European Commission’s Standard Contractual Clauses (SCCs) as our primary legal safeguard for these transfers.

Assessment: We have assessed the level of data protection in the United States and taken steps to ensure your data receives an adequate level of protection, despite the fact that local laws may allow authorities to access personal data for law enforcement and national security purposes.

Obtaining copies of safeguards: If you would like more information about these safeguards or a copy of the relevant SCCs, please contact us.

Potential risks: While we take these measures to protect your data, please note that personal data transferred to the United States may be subject to access by US authorities for law enforcement or national security purposes, which may not offer the same level of protection as within the EEA.

6. Your data protection rights

You have several rights under the applicable data protection laws (including GDPR) related to your personal data. Below you can read about your rights:

Right to access. You have the right to request copies of the personal data that we hold about you.

Right to rectification. You have the right to request that we correct or complete any inaccurate or incomplete personal data.

Right to erasure. In some cases, you have the right to request that we delete your personal data, for example where the data is no longer necessary for the purposes for which it was collected. However, this right is not absolute. We may be legally required to continue processing the data, for example to comply with accounting obligations or to establish, exercise or defend legal claims.

Right to restrict processing. You have the right to request that we restrict the processing of your personal data under certain conditions. This applies, for example, when you contest the accuracy of your personal data, when you object to the processing or when the processing is unlawful, but you oppose erasure, or when we no longer need the data but you require it to establish, exercise, or defend legal claims.

Right to object. You have the right to object to our processing of your personal data when it is based on our legitimate interests. You also have the right to object to the processing of your personal data for direct marketing purposes, including profiling related to such marketing.

Right to data portability. You have the right to request that we transfer your personal data to another organization or directly to you, in a structured, commonly used, and machine-readable format, where technically feasible. This right applies only to personal data you have provided to us, that is processed by automated means, and where the legal basis for processing is your consent or the performance of a contract.

Right to withdraw consent. If we process your personal data based on your consent, you have the right to withdraw that consent at any time. This includes withdrawing consent to receive marketing communications. You can do so by clicking the “unsubscribe” or “opt-out” link in our emails or by contacting us directly. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Please note that you may still receive non-marketing communications related to your account or use of the services.

Right to lodge a complaint. If you are concerned about how we process your Personal Data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection or your local data protection authority.

To exercise your rights, please contact us. We will respond to your request without undue delay and within one month. Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.

7. How long we store your personal data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to provide our Sites, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention period depends on the type of data and the purpose of processing. When we no longer need your data, we securely delete or anonymize it. In some cases, we may retain data for a longer period if required by law or if it is necessary to establish, exercise, or defend legal claims.

For more information, please refer to the table above, which outlines specific retention periods by data category.

8. How we keep your personal data secure

We implement comprehensive technical and organisational safeguards to protect your personal data against unauthorised access, alteration, disclosure or destruction. Our programme is certified under ISO/IEC 27001:2013 and attested against SOC 2 Type II. In practice this means industry standard encryption (TLS 1.3 in transit, AES 256 at rest), granular role based access controls, regular independent security audits and penetration tests, and mandatory security awareness training for all staff. These measures are designed based on a risk assessment of the type of data we process, the context of processing, and the potential impact on individuals.

9. Changes to this privacy policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. We encourage you to review this Privacy Policy periodically.

10. How to contact us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Aloi AI AB

Company registration number: 559469-6444

Mailing address: Gumshornsgatan 2 b, 114 60 Stockholm

Office address: Brahegatan 10, 114 37 Stockholm

Phone: +46 10-884 48 33

Email: privacy@aloi.law