Privacy Policy

Last Updated: June 26, 2026

This Privacy Policy applies to AKI.IO GmbH, the website https://aki.io, and all related services, including the AI model hosting platform (together the “Services”). AKI.IO GmbH acts as the controller within the meaning of Art. 4(7) GDPR. Where customers use the platform to process personal data on their own behalf, AKI.IO acts as processor as described in Section 12.

1. Controller

AKI.IO GmbH
Marienburger Str. 1
10405 Berlin, Germany
Email: privacy@aki.io

2. Principles of Processing

We process personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality pursuant to Art. 5 GDPR. Access to personal data is restricted to authorised personnel on a strict need-to-know basis and protected by appropriate technical and organisational measures in line with ISO/IEC 27001.

Where possible, we process personal data within the European Economic Area (EEA). However, certain third-party services may involve transfers of personal data to countries outside the EEA, including the United States. This may include marketing and advertising services used only on the basis of your consent, as well as third-party identity providers where you voluntarily choose to sign in through Google or GitHub.

Where AKI.IO transfers personal data to a country outside the EEA, we rely on transfer mechanisms permitted under applicable data protection law, such as an adequacy decision or appropriate safeguards. Google and GitHub process personal data in connection with their identity services under their own responsibility. Further information is available in their respective privacy notices referenced in Section 6.

3. Categories of Personal Data

We process the following categories of personal data:

  • Identification data (name, username, title)
  • Contact and master data (email address, billing address, phone number)
  • Financial and payment data (registered address, bank details, VAT-ID)
  • Transaction data (payments)
  • Technical data (IP address, device and browser information)
  • Account and profile data (login credentials, support requests)
  • Authentication and security data (authentication status, two-factor authentication configuration data, and security-relevant authentication events)
  • Third-party identity-provider data, where you choose to sign in through Google or GitHub (provider-specific user identifier, email address, email-verification status, and profile information made available through the selected sign-in method, such as name, username, or profile image)
  • Usage data (interaction with website and services)

4. Legal Bases for Processing

Each processing activity is based on one dominant legal basis:

  • Art. 6(1)(b) GDPR: performance of a contract or pre-contractual measures
  • Art. 6(1)(c) GDPR: compliance with a legal obligation
  • Art. 6(1)(f) GDPR: legitimate interests
  • Art. 6(1)(a) GDPR: consent, where explicitly obtained

Our legitimate interests include ensuring IT security, preventing fraud and misuse, maintaining platform stability, and conducting proportionate B2B communication where lawful.

5. Recipients and Categories of Recipients

We disclose personal data only where necessary for the purposes described in this Privacy Policy and only to the extent permitted by applicable law. Depending on the relevant processing activity, personal data may be disclosed to the following categories of recipients:

  • providers of hosting, infrastructure, and technical operations services
  • providers of authentication, email, communication, and customer support services
  • Google and GitHub, where you actively choose to use their respective sign-in options
  • payment service providers and financial institutions involved in payment processing
  • tax advisers, accountants, auditors, and other professional advisers
  • providers of compliance, fraud prevention, sanctions screening, and security services
  • analytics and advertising providers, but only where the relevant processing is based on your consent
  • public authorities, courts, regulators, or other third parties where disclosure is required by law or necessary to establish, exercise, or defend legal claims

Where third-party service providers process personal data on our behalf, they act only on our documented instructions and under appropriate contractual safeguards, including data processing agreements where required by law.

Google and GitHub provide their identity services under their own responsibility and are not engaged by AKI.IO as processors for their independent processing in connection with those services.

6. Account Registration and Service Provision

For registration, authentication, and management of user and company accounts, we process identification, contact, account, and authentication data.

We offer users the optional ability to register for and sign in to AKI.IO through Google or GitHub (“Third-Party Identity Providers”). When you choose one of these sign-in methods, the relevant provider authenticates you directly. AKI.IO does not receive or store your password for your Google or GitHub account.

Dominant legal basis: Art. 6(1)(b) GDPR.

7. Communication and Contractual Information

We process contact data to provide contractual information, service-related notices, billing communications, support-related communication, and other transactional messages necessary for the performance of the contract.


Marketing or promotional emails are sent only where you have expressly consented to receive them or where otherwise permitted under applicable law. You may withdraw your consent at any time with effect for the future.

Dominant legal basis: Art. 6(1)(b) GDPR for contractual and service-related communications; Art. 6(1)(a) GDPR for marketing communications based on consent.

8. Billing and Payments

Payment, invoicing, and transaction data are processed to execute payments and comply with statutory accounting and tax obligations.

Dominant legal basis: Art. 6(1)(b) GDPR; for statutory retention, Art. 6(1)(c) GDPR.

9. Technical Logs, Security, and Error Analysis

Technical logs, security-relevant authentication events, and usage data are processed solely to ensure platform security, stability, authentication security, fraud prevention, and error resolution. Processing is limited to what is technically necessary.

OAuth authorization codes, OAuth access tokens, and refresh tokens are not included in application or security logs.

Dominant legal basis: Art. 6(1)(f) GDPR.

10. Legal Obligations and Compliance

We process personal data to comply with legal obligations, including tax law, accounting, anti-money laundering, sanctions, and regulatory requirements.

Dominant legal basis: Art. 6(1)(c) GDPR.

11. Fraud Prevention and Sanctions Screening

Identification and transaction data may be processed to prevent fraud and perform sanctions list checks.

Dominant legal basis: Art. 6(1)(f) GDPR (in combination with applicable EU sanctions law where relevant).

12. B2B AI Model Hosting and Processing on Behalf of Customers

When customers use our platform to process personal data via hosted AI models, AKI.IO acts as a processor within the meaning of Art. 28 GDPR. Processing is carried out solely on documented instructions of the customer.

Customer-provided content, including prompts, inputs, and generated outputs, is not logged, stored, or analysed by AKI.IO. Processing occurs exclusively in volatile memory for the purpose of providing the requested service.

A Data Processing Agreement (DPA) is made available during company registration and can be accessed at any time in the authenticated user backend.

13. Website Analytics (Matomo)

We use the web analytics tool Matomo, hosted on our own servers within the EEA, to analyse website usage.

Dominant legal basis: Art. 6(1)(f) GDPR.

No data is transferred to third countries. You may object to this processing at any time via this opt-out mechanism:

14. Online Advertising, Conversion Tracking, Remarketing (Google Ads and LinkedIn Ads)

We use online advertising services provided by Google Ads and LinkedIn Ads to measure the effectiveness of our advertising campaigns, record conversions, and, where applicable, show interest-based advertising to users who have previously visited our website.

Providers

  • Google Ads: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • LinkedIn Ads: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

How the services work
If you give your consent, we may use the Google tag and Google Ads conversion tracking features as well as the LinkedIn Insight Tag on our website. These technologies allow us to determine whether users reached our website via an advertisement, whether defined conversion events occurred, and whether website visitors can be grouped into audiences for remarketing purposes.

Depending on the configuration, the providers may process in particular the following categories of data:

  • IP address
  • browser and device information
  • timestamp
  • page views and referrer URL
  • event data and conversion data
  • cookie identifiers, advertising identifiers, or similar online identifiers
  • information about prior ad interactions

Purposes of processing
We process this data for the following purposes:

  • measuring and evaluating advertising performance
  • attribution of conversions to advertising campaigns
  • building remarketing audiences
  • displaying interest-based advertising on Google and LinkedIn platforms
  • improving the efficiency of our marketing activities

Legal basis
The use of these technologies on our website takes place solely on the basis of your consent pursuant to Art. 6(1)(a) GDPR and, where applicable, Section 25 TDDDG. You may withdraw your consent at any time with effect for the future via our cookie settings.

Data sharing and independent responsibility of the providers
When these services are activated, personal data may be transmitted to Google and LinkedIn or collected by them directly via the respective tags. Further processing by the providers is carried out under their own responsibility in accordance with their privacy notices. This may include processing for conversion measurement, audience creation, attribution, fraud prevention, and security.

International data transfers
Use of Google Ads and LinkedIn Ads may involve transfers of personal data to recipients outside the EEA, in particular to the United States. According to the providers, such transfers are based on mechanisms recognized under applicable data protection law, such as participation in the EU-U.S. Data Privacy Framework and/or the use of standard contractual clauses, where applicable.

Storage period
We do not determine all storage periods applied by Google or LinkedIn. Storage and further processing by these providers are governed by their own policies. Consent records maintained by us are stored for as long as necessary to demonstrate compliance and to manage your privacy choices.

Further information about the data processing practices of these providers can be found in their respective privacy policies:

Google: https://policies.google.com/privacy
LinkedIn: https://www.linkedin.com/legal/privacy-policy

15. Communication Requests

Personal data transmitted via email, phone, or contact forms is processed solely to handle inquiries.

Dominant legal basis: Art. 6(1)(b) GDPR or, where no contractual relationship exists, Art. 6(1)(f) GDPR.

16. Social Media Presence and Joint Controllership

We operate official social media accounts. For certain processing activities, we act as joint controllers with the respective platform providers pursuant to Art. 26 GDPR. The essence of the joint controller arrangement is as follows: the platform provider is primarily responsible for data processing relating to platform operation, analytics, advertising, and account management, while we are responsible for processing related to communication, content management, and interaction with users on our pages. Data subjects may exercise their rights against either controller.

Dominant legal basis: Art. 6(1)(f) GDPR.

17. Data Retention

Personal data is deleted or anonymised within 90 days once the processing purpose no longer applies. Statutory retention obligations remain unaffected.

Third-party identity-provider identifiers and two-factor authentication configuration data are retained for as long as they are necessary to maintain the relevant user account, provide the selected authentication method, or protect the account against unauthorised access. They are deleted or anonymised within 90 days after account deletion or once the relevant authentication method is no longer used, unless longer retention is required by law or necessary to establish, exercise, or defend legal claims.

Revoking AKI.IO’s authorization in Google or GitHub does not by itself delete an AKI.IO account. Requests for account deletion may be submitted to privacy@aki.io.

18. Rights of Data Subjects

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)

19. Supervisory Authority

Berlin Commissioner for Data Protection and Freedom of Information.
Friedrichstrasse 219
10969 Berlin, Germany
Phone: 030 13889-0
Fax: 030 2155050
Email: mailbox@datenschutz-berlin.de
https://www.datenschutz-berlin.de/

20. Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

21. Cookies

We use necessary technologies required for the operation, security, account authentication, two-factor authentication, and basic functionality of our website and Services (essential cookies and similar technologies). These may include session identifiers and security-related values required to protect authentication flows against misuse.

Google and GitHub sign-in scripts are not loaded merely because you visit the website or the sign-in page. They are loaded only after you actively select the relevant Google or GitHub sign-in option. The subsequent authentication process takes place with the selected provider under its own responsibility.

In addition, we use optional analytics and advertising technologies only if you have given your consent (non-essential cookies). Optional technologies may include tools for website analytics, conversion measurement, and remarketing. These technologies may store information on your device or access information already stored on your device, for example through cookies, pixels, tags, or similar technologies.

You can give, refuse, or withdraw your consent at any time via our cookie settings. Refusing or withdrawing consent does not affect the lawfulness of processing carried out before withdrawal and does not impair the availability of the website’s essential functions.

22. Amendments

This Privacy Policy may be updated from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.