Privacy Policy

Last Updated: March 16, 2026

This Privacy Policy applies to AKI.IO GmbH, the website https://aki.io, and all related services, including the AI model hosting platform (together the “Services”). AKI.IO GmbH acts as the controller within the meaning of Art. 4(7) GDPR. Where customers use the platform to process personal data on their own behalf, AKI.IO acts as processor as described in Section 12.

1. Controller

AKI.IO GmbH
Marienburger Str. 1
10405 Berlin, Germany
Email: privacy@aki.io

2. Principles of Processing

We process personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality pursuant to Art. 5 GDPR. Access to personal data is restricted to authorised personnel on a strict need-to-know basis and protected by appropriate technical and organisational measures in line with ISO/IEC 27001.

Where possible, we process personal data within the European Economic Area (EEA). However, certain third-party marketing and advertising services that we use only on the basis of your consent may involve transfers of personal data to countries outside the EEA, including the United States. In such cases, we rely on the transfer mechanisms provided by applicable data protection law, such as an adequacy decision or other appropriate safeguards implemented by the relevant provider.

3. Categories of Personal Data

We process the following categories of personal data:

  • Identification data (name, username, title)
  • Contact and master data (email address, billing address, phone number)
  • Financial and payment data (registered address, bank details, VAT-ID)
  • Transaction data (payments)
  • Technical data (IP address, device and browser information)
  • Account and profile data (login credentials, support requests)
  • Usage data (interaction with website and services)

4. Legal Bases for Processing

Each processing activity is based on one dominant legal basis:

  • Art. 6(1)(b) GDPR: performance of a contract or pre-contractual measures
  • Art. 6(1)(c) GDPR: compliance with a legal obligation
  • Art. 6(1)(f) GDPR: legitimate interests
  • Art. 6(1)(a) GDPR: consent, where explicitly obtained

Our legitimate interests include ensuring IT security, preventing fraud and misuse, maintaining platform stability, and conducting proportionate B2B communication where lawful.

5. Recipients and Categories of Recipients

We disclose personal data only where necessary for the purposes described in this Privacy Policy and only to the extent permitted by applicable law. Depending on the relevant processing activity, personal data may be disclosed to the following categories of recipients:

  • providers of hosting, infrastructure, and technical operations services
  • providers of authentication, email, communication, and customer support services
  • payment service providers and financial institutions involved in payment processing
  • tax advisers, accountants, auditors, and other professional advisers
  • providers of compliance, fraud prevention, sanctions screening, and security services
  • analytics and advertising providers, but only where the relevant processing is based on your consent
  • public authorities, courts, regulators, or other third parties where disclosure is required by law or necessary to establish, exercise, or defend legal claims

Where third-party service providers process personal data on our behalf, they act only on our documented instructions and under appropriate contractual safeguards, including data processing agreements where required by law.

6. Account Registration and Service Provision

For registration, authentication, and management of user and company accounts, we process identification, contact, and login data.

Dominant legal basis: Art. 6(1)(b) GDPR.

7. Communication and Contractual Information

We process contact data to provide contractual information, service-related notices, billing communications, support-related communication, and other transactional messages necessary for the performance of the contract.

Marketing or promotional emails are sent only where you have expressly consented to receive them or where otherwise permitted under applicable law. You may withdraw your consent at any time with effect for the future.

Dominant legal basis: Art. 6(1)(b) GDPR for contractual and service-related communications; Art. 6(1)(a) GDPR for marketing communications based on consent.

8. Billing and Payments

Payment, invoicing, and transaction data are processed to execute payments and comply with statutory accounting and tax obligations.

Dominant legal basis: Art. 6(1)(b) GDPR; for statutory retention, Art. 6(1)(c) GDPR.

9. Technical Logs, Security, and Error Analysis

Technical logs and usage data are processed solely to ensure platform security, stability, and error resolution. Processing is limited to what is technically necessary.

Dominant legal basis: Art. 6(1)(f) GDPR.

10. Legal Obligations and Compliance

We process personal data to comply with legal obligations, including tax law, accounting, anti-money laundering, sanctions, and regulatory requirements.

Dominant legal basis: Art. 6(1)(c) GDPR.

11. Fraud Prevention and Sanctions Screening

Identification and transaction data may be processed to prevent fraud and perform sanctions list checks.

Dominant legal basis: Art. 6(1)(f) GDPR (in combination with applicable EU sanctions law where relevant).

12. B2B AI Model Hosting and Processing on Behalf of Customers

When customers use our platform to process personal data via hosted AI models, AKI.IO acts as a processor within the meaning of Art. 28 GDPR. Processing is carried out solely on documented instructions of the customer.

Customer-provided content, including prompts, inputs, and generated outputs, is not logged, stored, or analysed by AKI.IO. Processing occurs exclusively in volatile memory for the purpose of providing the requested service.

A Data Processing Agreement (DPA) is made available during company registration and can be accessed at any time in the authenticated user backend.

13. Website Analytics (Matomo)

We use the web analytics tool Matomo, hosted on our own servers within the EEA, to analyse website usage.

Dominant legal basis: Art. 6(1)(f) GDPR.

No data is transferred to third countries. You may object to this processing at any time via this opt-out mechanism:

14. Online Advertising, Conversion Tracking, Remarketing (Google Ads and LinkedIn Ads)

We use online advertising services provided by Google Ads and LinkedIn Ads to measure the effectiveness of our advertising campaigns, record conversions, and, where applicable, show interest-based advertising to users who have previously visited our website.

Providers

  • Google Ads: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • LinkedIn Ads: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

How the services work
If you give your consent, we may use the Google tag and Google Ads conversion tracking features as well as the LinkedIn Insight Tag on our website. These technologies allow us to determine whether users reached our website via an advertisement, whether defined conversion events occurred, and whether website visitors can be grouped into audiences for remarketing purposes.

Depending on the configuration, the providers may process in particular the following categories of data:

  • IP address
  • browser and device information
  • timestamp
  • page views and referrer URL
  • event data and conversion data
  • cookie identifiers, advertising identifiers, or similar online identifiers
  • information about prior ad interactions

Purposes of processing
We process this data for the following purposes:

  • measuring and evaluating advertising performance
  • attribution of conversions to advertising campaigns
  • building remarketing audiences
  • displaying interest-based advertising on Google and LinkedIn platforms
  • improving the efficiency of our marketing activities

Legal basis
The use of these technologies on our website takes place solely on the basis of your consent pursuant to Art. 6(1)(a) GDPR and, where applicable, Section 25 TDDDG. You may withdraw your consent at any time with effect for the future via our cookie settings.

Data sharing and independent responsibility of the providers
When these services are activated, personal data may be transmitted to Google and LinkedIn or collected by them directly via the respective tags. Further processing by the providers is carried out under their own responsibility in accordance with their privacy notices. This may include processing for conversion measurement, audience creation, attribution, fraud prevention, and security.

International data transfers
Use of Google Ads and LinkedIn Ads may involve transfers of personal data to recipients outside the EEA, in particular to the United States. According to the providers, such transfers are based on mechanisms recognized under applicable data protection law, such as participation in the EU-U.S. Data Privacy Framework and/or the use of standard contractual clauses, where applicable.

Storage period
We do not determine all storage periods applied by Google or LinkedIn. Storage and further processing by these providers are governed by their own policies. Consent records maintained by us are stored for as long as necessary to demonstrate compliance and to manage your privacy choices.

Further information about the data processing practices of these providers can be found in their respective privacy policies:

Google: https://policies.google.com/privacy
LinkedIn: https://www.linkedin.com/legal/privacy-policy

15. Communication Requests

Personal data transmitted via email, phone, or contact forms is processed solely to handle inquiries.

Dominant legal basis: Art. 6(1)(b) GDPR or, where no contractual relationship exists, Art. 6(1)(f) GDPR.

16. Social Media Presence and Joint Controllership

We operate official social media accounts. For certain processing activities, we act as joint controllers with the respective platform providers pursuant to Art. 26 GDPR. The essence of the joint controller arrangement is as follows: the platform provider is primarily responsible for data processing relating to platform operation, analytics, advertising, and account management, while we are responsible for processing related to communication, content management, and interaction with users on our pages. Data subjects may exercise their rights against either controller.

Dominant legal basis: Art. 6(1)(f) GDPR.

17. Data Retention

Personal data is deleted or anonymised within 90 days once the processing purpose no longer applies. Statutory retention obligations remain unaffected.

18. Rights of Data Subjects

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)

19. Supervisory Authority

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstrasse 219
10969 Berlin, Germany
Phone: 030 13889-0
Fax: 030 2155050
Email: mailbox@datenschutz-berlin.de
https://www.datenschutz-berlin.de/

20. Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

21. Cookies

We use necessary technologies required for the operation, security, and basic functionality of our website (essential cookies). In addition, we use optional analytics and advertising technologies only if you have given your consent (non-essential cookies).

Optional technologies may include tools for website analytics, conversion measurement, and remarketing. These technologies may store information on your device or access information already stored on your device, for example through cookies, pixels, tags, or similar technologies.

You can give, refuse, or withdraw your consent at any time via our cookie settings. Refusing or withdrawing consent does not affect the lawfulness of processing carried out before withdrawal and does not impair the availability of the website’s essential functions.

22. Amendments

This Privacy Policy may be updated from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.