Privacy Policy
Last updated: February 2026
1. Introduction
AOP ("AI Operating Partner," "we," "us," or "our") is committed to protecting the privacy and security of all data entrusted to us. This Privacy Policy explains how we collect, use, store, and protect information in the course of our business operations and client engagements.
We operate in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
2. Data We Collect
2.1 Client Engagement Data
In the course of our services, we may process:
- Financial transaction records (invoices, purchase orders, contracts)
- Vendor and supplier information
- Subscription and license records
- Organizational structure data relevant to financial workflows
This data is provided directly by the Client and is processed exclusively for the purposes defined in the engagement agreement.
2.2 Website and Contact Data
When you interact with our website or contact us, we may collect:
- Name, job title, and company affiliation
- Email address and phone number
- Message content from contact form submissions
- Basic analytics data (page views, session duration) via privacy-respecting analytics
3. How We Use Data
3.1 Client Data
- Purpose-limited: Client data is used exclusively for the services defined in the engagement agreement
- No model training: Client data is never used to train, fine-tune, or improve our AI models
- No cross-client use: Data from one client is never used for the benefit of another client
- No commercial reuse: Client data is never sold, shared, or repurposed for any commercial activity
3.2 Website Data
- To respond to inquiries and schedule discussions
- To improve our website and communication materials
- To comply with legal obligations
4. Data Security
We implement comprehensive security measures to protect all data:
- Tenant isolation: Each client's data is stored in a dedicated, isolated database schema
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access control: Strict role-based access with need-to-know enforcement
- Infrastructure: SOC 2 Type II certified hosting environments
- EU residency: All data is stored and processed within the European Union
- Audit trails: Complete logging of all data access and processing activities
5. Data Retention
Client engagement data is retained only for the duration of the active engagement plus a 90-day wind-down period, unless a longer retention period is explicitly agreed upon by both parties.
Upon engagement conclusion, all client data is securely deleted. A certificate of destruction is available upon request.
Website contact data is retained for up to 24 months from the last interaction, after which it is automatically deleted.
6. Third-Party Processors
We use a limited number of third-party processors, all of which are GDPR-compliant and bound by Data Processing Agreements (DPAs):
- Cloud infrastructure: EU-based hosting for data storage and processing
- LLM providers: AI models accessed via API only, with no data retention on the provider side
- Form processing: Contact form submissions processed via Formspree
We do not share client data with any third party for marketing, advertising, or analytics purposes.
7. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interest
8. Cookies
Our website uses only essential, first-party cookies required for basic functionality. We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users.
9. International Transfers
All data processing occurs within the European Union. In the event that data must be transferred outside the EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated to active clients directly and posted on this page with an updated revision date.
11. Contact
For privacy-related inquiries or to exercise your data rights:
- Email: privacy@aop-partner.com
- Contact form: aop-partner.com/contact