Last updated: April 5, 2026
AIPMO ("we," "us," or "our") operates the websites aipmo.co and app.aipmo.co. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our websites and services.
We take privacy seriously — particularly as a platform focused on responsible AI governance. We aim to collect only the data we need, be transparent about how we use it, and give you meaningful control over your information, including the ability to delete your account and all associated data at any time.
Information We Collect
Information You Provide
When you create a membership account or subscribe to our services, we collect:
- Name — To personalize your experience and pre-fill documents you generate
- Email address — For account authentication, membership management, and newsletter delivery ("The AI Governance Brief")
When you use the AIPMO Advisor application, we may also collect:
- Organization details — Information you provide about your organization (or, for Consultant members, your client organizations) for AI governance document generation, such as organization name, industry, size, AI maturity level, regulatory environment, and PM methodology
- Project details — Information about specific AI projects within your organizations, including project type, objectives, deployment stage, risk level, and stakeholders
- Conversation messages — Messages you send and responses generated through the AI Governance Advisor chat, stored per project to maintain continuity within your sessions
- Generated documents — Documents created through our AI-powered Document Customizer
- Uploaded documents — Documents you upload to a project (Professional and Consultant members only) to provide additional context for AI-generated guidance. Accepted formats are PDF, DOCX, TXT, and MD. Uploaded documents are processed to extract text, classify document type, and generate search embeddings; see "How We Process Your Data with AI" below for details
- Feedback — Optional thumbs-up or thumbs-down ratings, and any written comments you submit on generated documents or Advisor chat responses
Information Collected Automatically
When you visit our websites, we automatically collect:
- Session data — Authentication tokens to keep you signed in
- Server logs — Standard web server logs maintained by our hosting providers (Vercel and Ghost), which may include IP addresses, browser type, and pages visited
- Usage events — Server-side logs of platform activity including document types generated, Advisor messages sent, framework families queried, upgrade trigger points, and low-confidence retrieval events. These events record your user ID, membership tier, organization and project identifiers, and event-specific metadata. We do not log the content of your chat messages for analytics purposes.
Information We Do Not Collect
We do not collect or process:
- Payment card numbers (handled entirely by Stripe)
- Browsing behavior through third-party analytics or tracking tools
- Location data beyond what is present in standard server logs
- The content of your Advisor chat messages for analytics or improvement purposes (usage event logging records metadata only, never message content)
- Data from third-party sources about you
How We Use Your Information
We use the information we collect to:
- Provide our services — Authenticate your account, deliver content based on your membership tier (Essential, Professional, or Consultant), and generate customized AI governance documents
- Communicate with you — Send membership-related emails, newsletter editions of "The AI Governance Brief," and important service updates
- Process payments — Facilitate paid membership subscriptions through Stripe
- Improve our services — Understand how our platform is used through aggregated, anonymized usage event data so we can prioritize features and expand our knowledge base
- Improve document generation quality — When you submit feedback on a generated document, including any written comment, that feedback signal and associated document context may be used to improve generation quality for that document type. You may submit a rating without a comment if you prefer not to share additional context. We do not use documents or conversations where no feedback was submitted for any improvement purpose.
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
How We Process Your Data with AI
AIPMO uses AI at several points in the service. Here is a transparent account of each:
Advisor chat and document generation uses Anthropic's Claude API. When you send a message or generate a document, the content of your message and your organization and project context are sent to Anthropic's API to generate a response. Anthropic processes this data in accordance with their usage policy and does not use API inputs to train their models.
Document classification uses Anthropic's Claude API (Haiku model). When you upload a document to a project, the first portion of the document text is sent to Anthropic's API to classify the document type, identify governance frameworks referenced, and generate a summary. This classification is stored with your document record to improve retrieval relevance.
Search embeddings use OpenAI's embedding API (text-embedding-3-small model). When you send a message in the Advisor, the text of your message is sent to OpenAI's API to generate a search vector used to retrieve relevant guidance from our knowledge base. When you upload a document, the full text of the document is chunked and sent to OpenAI's API to generate embeddings stored for retrieval. OpenAI processes this data in accordance with their usage policy.
What we do not send to AI APIs: Your name, email address, payment information, and membership credentials are never sent to any AI API.
Document ownership: You retain full ownership of all documents generated through the platform. AIPMO does not use your generated documents for any purpose other than delivering the service to you, except where you have affirmatively submitted feedback on a generated document as described above.
Third-Party Service Providers
We work with the following service providers who may process your data on our behalf:
| Provider | Purpose | Data Processed | Privacy Policy |
|---|---|---|---|
| Ghost | Content management and membership | Name, email, membership status | https://ghost.org/privacy/ |
| Stripe | Payment processing | Email, payment information | https://stripe.com/privacy |
| Vercel | Application hosting | Server logs, IP addresses | https://vercel.com/legal/privacy-policy |
| Supabase | Database and file storage | Account data, organization and project profiles, conversations and messages, generated documents, uploaded document files and embeddings, usage events, feedback | https://supabase.com/privacy |
| Anthropic | AI chat, document generation, and document classification | Organization and project context, chat messages, uploaded document text samples | https://www.anthropic.com/policies/privacy-policy |
| OpenAI | Search embedding generation | Chat message text (query-time only), uploaded document text (chunked for embedding) | https://openai.com/policies/privacy-policy |
| HostGator | Email hosting | Inbound and outbound email content sent to info@aipmo.co | https://www.hostgator.com/privacy-policy |
Namecheap provides DNS services only and does not process personal data on our behalf.
Each provider processes data in accordance with their own privacy policies and our data processing agreements with them.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with our services. Specifically:
- Account data (name, email, membership status) — Retained while your account exists
- Organization and project profiles — Retained while your account exists or until you delete them
- Conversation messages — Retained while your account is active or until you delete the associated conversation or project
- Generated documents — Retained while your account exists or until you delete them
- Uploaded documents and embeddings — Retained while your account exists or until you delete them from your project
- Usage event logs — Retained for 12 months from the date of the event, then permanently deleted
- Feedback ratings — Retained for 24 months from the date of submission
- Feedback comments — Retained for 12 months from the date of submission, after which the comment text is deleted and only the rating is retained
- Payment records — Retained as required by applicable tax and financial regulations
- Server logs — Retained according to our hosting providers' standard retention policies
Account Deletion and Backup Residuals
When you delete your account — either through the self-service deletion option in Account Settings or by contacting us at info@aipmo.co — we delete your personal data from our active systems immediately. Uploaded document files stored in Supabase Storage are deleted at the same time and are not retained in any backup.
Database records (account data, conversations, documents, and related data) may persist in automated database backup snapshots for up to 7 days following deletion, after which they are permanently purged as part of our standard backup rotation. During this period, backup data is not accessed or used for any purpose.
For Consultant members, deleting an organization cascades to remove all linked projects, conversations, and documents associated with that organization.
Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encrypted connections (HTTPS/TLS) for all data transmission
- Encrypted session tokens for authentication
- Database access restricted by role-based controls
- Payment processing handled entirely by PCI-compliant Stripe infrastructure
- User-uploaded files stored in access-controlled Supabase Storage
- Server-side only usage event logging — no client-side tracking scripts
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.
Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access — Request a copy of the personal data we hold about you
- Correction — Request that we correct inaccurate or incomplete data
- Deletion — Delete your account and all associated data directly through Account Settings in the app, or contact us at info@aipmo.co. We will process deletion requests within 30 days.
- Data portability — Request a copy of your data in a portable format
- Opt out of communications — Unsubscribe from newsletters and non-essential emails at any time using the unsubscribe link in any email
To exercise any of these rights, you may use the self-service tools available in Account Settings at app.aipmo.co/account, or contact us at info@aipmo.co.
For California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to request deletion, and the right to non-discrimination for exercising your rights. We do not sell personal information.
For European Economic Area Residents (GDPR)
If you are located in the EEA, our legal basis for processing your personal data is:
- Contract performance — Processing necessary to provide the services you signed up for
- Legitimate interest — Processing necessary for our legitimate business interests, such as aggregated usage analytics to improve the service, where those interests are not overridden by your rights
- Consent — Where you have given us specific consent, such as subscribing to our newsletter or submitting feedback with a written comment
You also have the right to lodge a complaint with your local data protection authority.
Children's Privacy
Our services are intended for users 18 years of age and older. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected personal data from a minor without parental consent, we will take steps to delete that information promptly.
International Data Transfers
Our services are hosted in the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting paid members, we will also provide notice by email. A history of material changes to this policy is maintained at aipmo.co/policy-changelog/.
Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Email: info@aipmo.co
Website: aipmo.co