Privacy policy
The fine print
Important information about what data we collect, how and why we do it and how we process it.
Last update January 9th, 2026: Updated company information and legal references.
This privacy policy explains how we process your data if you:
- are our client, business partner or a representative of either,
- are not (yet) our client but receive marketing communication from us, or
- visit our website.
We are always committed to protecting your privacy as described in this document.
Who are we and how can you contact us?
Your personal data is controlled by Episto Oy. If you have any questions in relation to your personal data, please contact us: Episto Oy, Putouskuja 6 a 2, 01600 Vantaa, Finland
If you have any questions about matters related to privacy, you can always email us at support@aito.ai.
What data do we process and why?
The following outlines the various types of personal data we process, the sources for each type of personal data, as well as the purpose and legal basis for processing said personal data.
If you are our client, business partner or a representative of either:
| Data type | Source | Purpose | Legal basis |
|---|---|---|---|
| Name | You or your organisation | Provision of services, management of client relationship | Business contract or relationship |
| Contact details | You or your organisation | Provision of services, management of client relationship | Business contract or relationship |
| Employer or other organization | You or your organisation | Provision of services, management of client relationship | Business contract or relationship |
| Role | You or your organisation | Provision of services, management of client relationship | Business contract or relationship |
| Information about communication | Communication between you and us | Provision of services, management of client relationship | Business contract or relationship |
| Event sign-ups | You | Event organisation, management of client relationship | Contract (event sign-up) |
If you are not (yet) an Aito client but receive marketing communication from us:
| Data type | Source | Purpose | Legal basis |
|---|---|---|---|
| Name | You or a personal contact at Aito | Marketing | Your consent or our legitimate interest (marketing) |
| Contact details | You or a personal contact at Aito | Marketing | Your consent or our legitimate interest (marketing) |
| Employer or other organization | You or a personal contact at Aito | Marketing | Your consent or our legitimate interest (marketing) |
| Information about communication | Communication between you and us | Marketing | Your consent or our legitimate interest (marketing) |
| Event sign-ups | You | Event organisation | Your consent or our legitimate interest (marketing) |
If you are a website visitor:
| Data type | Source | Purpose | Legal basis |
|---|---|---|---|
| IP address | Your browsing activities | Provision of a smooth user experience on our website | Legitimate interest |
Who processes your data? Is data processed by third parties outside the European Economic Area?
We may also use the following service providers for processing your data:
| Service provider | Purpose | Location | Read more |
|---|---|---|---|
| Google Workspace | Email accounts and document management | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Google Cloud & the General Data Protection Regulation |
| Google Analytics | Website usage analytics | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Google Cloud & the General Data Protection Regulation |
| Google Cloud Platform | Marketing and client communications, Data warehousing and reporting | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Google Cloud & the General Data Protection Regulation |
| Segment | Website and service analytics | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Segment Privacy Policy |
| Encharge | Marketing communications | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Encharge GDPR |
| Stripe | Payment details and processing | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Stripe Privacy Policy |
| Mailchimp | Marketing communications | EU and US (EU-US Data Privacy Framework, Standard Contractual Clauses) | Mailchimp Privacy Policy |
How long do we keep your data?
If you or your company is a client of Aito, we may process your data as long as the client relationship is in force and for a maximum of 5 years thereafter.
If you receive marketing communication from us, we may process your data until you inform us that you do not want to be in our marketing list anymore.
If you visit our website, we may process your data for a maximum of 2 years after your visit.
How do we use cookies?
Cookies are strings of information that may be stored on your computer to recognise and track visitors of our website. Information collected based on cookies can be connected to individual website visitors only based on the IP address, which we as such do not use to identify any specific persons.
We only use cookies necessary to run and improve our website experience. For this purpose we use Google Analytics - you can read more on this here.
You can always disable cookies by changing your web browser settings, and this should not affect your use of our website.
Free-tier Docker image telemetry
If you run the Aito Docker image distributed at ghcr.io/aitohq/aito or public.ecr.aws/aitoai/aito, the software transmits operational metadata to us on startup and periodically thereafter ("Free-tier Telemetry"). The categories of data collected, and the legal basis for collecting them, are defined in §5 of the License.
This section is the canonical registry of the specific fields currently transmitted in each category. §5.2 of the License commits us to keeping this list current.
Currently transmitted fields (as of 2026-05-25):
| Field | Category | Description |
|---|---|---|
instanceId | Software identification | Random UUID generated on first start, persisted on the /io/state volume |
version, buildSha | Software identification | Image build identifiers |
licenseKeyPresent | License status | Boolean — whether AITO_LICENSE_KEY is set |
licensed | License status | Boolean — whether the row-quota enforcer is disabled (i.e. a valid key is active) |
rowsTotal, tableCount | Aggregate usage | Sums across all your databases — not individual rows |
rowLimitPerTable, rowLimitTotal | Aggregate usage | The configured caps (so we can tell free-tier from licensed instances) |
javaVersion, osName | Host environment | JVM and OS strings |
uptimeMillis | Host environment | Process uptime in milliseconds |
startedAt | Host environment | Wall-clock time the process started (epoch ms) |
cpuCount | Host environment | Number of CPU cores visible to the JVM |
jvmMaxMemoryMb | Host environment | JVM -Xmx (max heap), MB |
hostMemoryMb | Host environment | Total physical RAM of the host, MB (0 if unavailable) |
stateDiskTotalGb | Host environment | Total disk size of the /io/state filesystem, GB |
containerOrchestrator | Host environment | One of kubernetes, ecs, nomad, docker, podman, none |
| Source IP | Connectivity | Observed by our servers from the request; not transmitted by the image itself |
This is distinct from analytics on the cloud service at console.aito.ai, which is covered by other sections of this policy.
What we do not collect, under any category: row contents, query text or parameters, schema names, user-provided table or column names, usernames, API keys, or any data you have stored in the Aito instance. This is a hard commitment regardless of which fields appear above; see License §5.4.
Legal basis (GDPR Article 6(1)(f)): legitimate interest in (a) license enforcement and pricing determination, (b) detecting Production Use of unlicensed Software, (c) contacting you about licensing or support, and (d) aggregate product improvement.
Retention: records are retained for thirteen (13) months from collection. Older records are deleted automatically.
Your rights: you may request deletion of records associated with a particular IP address or instance UUID by emailing support@aito.ai. We respond within 30 days as required by GDPR.
Note: License §5.6 prohibits disabling, intercepting, or modifying telemetry collection. Requesting deletion of past records is permitted; preventing future collection is not. (We may also offer separate opt-in diagnostics in future — error reports, stack traces, slow-query samples — which would be off by default and not covered by §5; that's a separate consent under Article 6(1)(a).)
What are your rights?
You can at any time ask us to:
- confirm if we process any personal data related to you and to deliver an electronic copy of such data,
- correct any inaccurate personal data related to you,
- erase any personal data related to you,
- restrict our processing of any personal data related to you, and
- stop processing any personal data related to you due to personal reasons.
You can always deny us from using any personal data related to you for direct marketing purposes. You can also at any time withdraw your consent for processing your personal data. Requests can be made to your Aito contact person if you have one, or by emailing support@aito.ai
What if I want to file a complaint?
If you disagree with our decision in relation to your request or you think your rights have not been respected, you can always contact us. You can also file a complaint with your local data protection authority. In Finland, this would be:
- Finland: Tietosuojavaltuutettu (Data Protection Ombudsman): P.O. Box 800, 00521 Helsinki, +358 29 56 66700, tietosuoja@om.fi
Address
Episto Oy
Putouskuja 6 a 2
01600 Vantaa
Finland
VAT ID FI34337429
