Aisimilate LegalLast updated: April 14, 2026

Privacy Policy

This policy explains how Aisimilate collects, uses, stores, shares, and protects personal data across its account, learning, AI-assisted, and support workflows.

TermsPrivacyDelete accountCookies

This Privacy Policy covers the Aisimilate public web app, account creation, sign-in, password recovery, adaptive lessons, vocabulary tools, learner reports, support communications, and related security operations.

1. Controller and scope

Aisimilate is operated by s4p OÜ (Reg: 17415128, VAT: EE102945199), registered at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145. For privacy requests, complaints, or formal data-protection inquiries, contact support@aisimilate.app.

For ordinary direct-use accounts, Aisimilate acts as the data controller because it determines the purposes and means of processing for account administration, learning delivery, support, and security. If Aisimilate is later offered through a separately negotiated institutional or enterprise arrangement, a specific contract or data-processing agreement may define a different role for certain processing activities.

2. Categories of personal data

  • Identity and account data, such as email address, hashed password, verification status, user role, and account lifecycle metadata.
  • Sign-in and device-security data, such as session identifiers, refresh-session records, sign-in timestamps, IP and user-agent metadata, abuse indicators, audit timestamps, and browser-side session-persistence choices such as whether you asked Aisimilate to remember the device.
  • Profile and learning-preference data, such as declared level, native language, target language, daily goals, feedback settings, and exercise preferences.
  • Learning activity data, such as lesson answers, quiz responses, timing, bookmarks, flashcard states, translations, progress scores, readiness metrics, and learner reports.
  • AI-related content and metadata, such as prompts, lesson-generation input, coaching requests, generated content, token usage, latency, and failure or abuse signals needed to operate the feature.
  • Support and communications data, such as emails, help requests, and related troubleshooting notes.
  • If you choose Google sign-in, Google account identity claims needed to authenticate you, such as your email address, Google subject identifier, and email-verification status.

3. Sources of personal data

  • Directly from you when you create an account, sign in, edit your profile, submit learning answers, or contact support.
  • Automatically from your browser and device when sessions are created, requests are sent, abuse controls run, or preferences are stored.
  • From Google, if you choose Google sign-in and Google returns authentication claims needed to identify your account.
  • From Aisimilate service activity and internal inferences generated from your learning interactions, progress, and settings.

4. Purposes and GDPR legal bases

  • Contract performance, GDPR Article 6(1)(b): account creation, authentication, lesson delivery, vocabulary practice, progress tracking, and service support.
  • Legitimate interests, GDPR Article 6(1)(f): platform security, fraud and abuse prevention, debugging, service resilience, rate limiting, and defending legal claims.
  • Legal obligations, GDPR Article 6(1)(c): statutory retention, lawful requests from authorities, and compliance obligations that apply to the operator.
  • Consent, GDPR Article 6(1)(a): optional analytics or similar tracking only if such processing is introduced later and fresh consent is requested in the relevant browser context.

Aisimilate does not rely on consent for technologies that are strictly necessary to keep your session active, protect the platform, or store your cookie-notice acknowledgement.

5. AI features and human review

Aisimilate uses AI-assisted generation for certain learning and coaching features. To deliver those features, requests may be processed through Aisimilate-managed infrastructure and external AI model or API providers selected by the operator. Operational records can include provider, model, token usage, latency, and failure state where that information is generated and needed to operate, secure, and improve the service.

Aisimilate processes learner prompts and outputs to deliver the requested feature. Where reasonably necessary, related records may also be reviewed for quality assurance, service reliability, safety checks, abuse prevention, and legal compliance. Human review remains necessary before using outputs in high-impact contexts.

6. Processors, recipients, and international transfers

We do not sell personal data. We disclose personal data only where reasonably necessary to run Aisimilate, provide requested features, comply with law, or protect rights and safety.

  • Hosting, infrastructure, database, and security providers.
  • Transactional email providers used for verification and password recovery.
  • AI model or API providers needed for lesson and coaching features.
  • Google, if you choose Google sign-in.
  • Professional advisers, insurers, auditors, or authorities where legally required.

Some providers may process data outside the EEA, including in the United States. Where that happens, Aisimilate relies on applicable GDPR Chapter V safeguards such as adequacy decisions, Standard Contractual Clauses, or comparable supplementary measures where required.

7. Retention and deletion

  • Account and profile data: retained while the account is active and for a limited post-closure period needed for restoration requests, fraud review, disputes, and limitation periods.
  • Authentication and security records: typically retained for short to medium operational windows, often between 30 and 180 days, unless a longer period is required for active incidents, abuse review, or legal defense.
  • Learning history and generated lesson records: retained while your account is active and for a limited period afterward where needed for continuity, recovery, or dispute handling.
  • Support records: typically retained for up to 24 months after the issue is resolved unless a longer period is justified.
  • Cookie-notice acknowledgement and other browser-side preference records: stored in your browser until you clear or replace them.

Deletion may be delayed where data is subject to legal hold, unresolved security review, fraud investigation, or backup-cycle constraints. When retention is no longer justified, data is deleted or anonymized where reasonably feasible.

You can request deletion from inside the Android app under Settings or from the public deletion page at /delete-account. A successful deletion request removes the active account, learner profile, lessons, progress, vocabulary state, and active sessions from the live service.

8. Your rights

Subject to GDPR conditions and applicable exemptions, you may request access, rectification, erasure, restriction, objection, portability, and withdrawal of consent for consent-based processing.

We may request reasonable identity verification before disclosing or deleting data. Requests should be sent to support@aisimilate.app. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). Requests are handled within applicable legal time limits, subject to identity verification and any lawful exemption.

9. Security and confidentiality

  • Transport encryption in deployed environments, together with authentication controls.
  • Server-side session records, refresh-token rotation, and access controls.
  • Logging, monitoring, rate limiting, and abuse-detection workflows.
  • Role-based access and need-to-know restrictions for operational access.
  • Backups and recovery procedures intended to reduce integrity and availability risks.

The current web client keeps sign-in continuity in browser session storage by default. If you explicitly choose to keep the device signed in, Aisimilate will additionally store sign-in data in browser local storage until sign-out, expiry, or manual clearing. You should avoid enabling remembered-device sign-in on shared or untrusted devices.

10. Children, sensitive data, and high-risk use

Aisimilate is not intended for unlawful use by children who cannot validly use the service under applicable law. Do not submit special-category data, medical data, legal files, government identifiers, passwords belonging to others, payment card data, or other highly sensitive third-party data unless you have a documented lawful basis and a workflow explicitly intended for it.

AI outputs may be incomplete or inaccurate. Human review remains required before relying on the service in legal, HR, medical, financial, credit, safety, or similarly high-stakes contexts.

11. Automated decision-making

Aisimilate personalizes lessons, sequencing, support depth, and related learning flows using account settings, activity history, and progress signals. In the ordinary course of the public web app, Aisimilate does not use solely automated decision-making that produces legal effects or similarly significant effects on you within the meaning of GDPR Article 22.

12. Contact and changes

Privacy contact: support@aisimilate.app

We may update this policy when Aisimilate, its subprocessors, legal requirements, or security controls change. Material changes are reflected on this page with a revised date.

Legal entity: s4p OÜ | Reg: 17415128 | VAT: EE102945199

This policy is written to explain Aisimilate data practices transparently. It is not legal advice for third parties or their independent compliance obligations.