1. Scope and controller
This Privacy Policy (the “Policy”) applies when Addis AI (“Addis AI,” “we,” “us,” or “our”) processes personal data through the Services described in our Terms of Use.
Addis AI is the controller responsible for account, website, billing, security, analytics, support, and other personal data that we determine how and why to process. Our contact details are in Section 20.
We provide the Services through operations in Ethiopia and Europe, including Switzerland. The location of processing may also depend on the infrastructure and service providers used for a particular feature.
This Policy does not cover independent third-party websites, applications, or services, even if linked from or interoperable with our Services. It also does not replace a separate employee, applicant, enterprise, or project-specific privacy notice where one is provided.
2. Our data-protection roles
Our role depends on the processing context. We act as a controller when we decide the purposes and means of processing, such as for accounts, payments, product analytics, security, abuse prevention, model and product improvement, legal compliance, and direct support.
When a business customer sends personal data through an API solely for us to process on its documented instructions, the customer may be the controller and we may act as its processor. A processor relationship, security commitments, restricted data use, retention terms, or cross-border safeguards must be set out in an applicable data processing addendum or signed enterprise agreement. In the absence of such an agreement, this Policy and the Terms govern our processing.
3. Personal data we collect
| Category | Examples |
|---|---|
| Account and identity data | Name, email address, user ID, password or authentication records, sign-in method, account status, organization, phone number, profile image, preferred language, and notification preferences. |
| Customer Content | Prompts, system instructions, messages, conversation history, text, uploaded images, PDFs and other files, knowledge-base material, audio recordings and streams, voice samples, transcripts, translations, generated text or audio, clip metadata, and feedback. |
| Voice and audio data | Microphone audio, uploaded recordings, spoken words, voice characteristics, language, accent, timing, duration, transcription, generated voice clips, and realtime interaction data. Depending on how it is processed and applicable law, some voice data may be biometric or sensitive personal data. |
| API and usage data | API-key name, hashed key and prefix, model and endpoint used, token counts, audio duration, request time, response time, status and error codes, request ID, rate-limit events, wallet balance, budgets, and usage history. |
| Transaction and billing data | Amount, currency, billing email, payment method, payment-processor identifiers, transaction reference, card brand and last four digits where provided by a processor, CBE/FT reference, payment receipt or screenshot, verification result, refunds, credits, and transaction history. We do not directly store complete card numbers entered into Stripe Elements. |
| Device, network, and log data | IP address, approximate country or region, browser, device and operating-system information, user agent, pages and routes requested, timestamps, referral URL, cookies, session identifiers, authentication logs, diagnostic events, and security signals. |
| Analytics and attribution data | Page views, clicks and interactions, feature events, session and anonymous identifiers, referring domain, landing page, UTM source/medium/campaign/content/term, advertising click IDs, signup method, preferred language, and conversion or payment events. |
| Communications | Support requests, emails, attachments, complaints, survey responses, sales and demo requests, legal notices, and records of our responses. |
| Inferences and safety data | Potential abuse, fraud, account-linkage, disposable-email, policy-violation, payment-risk, content-safety, and service-integrity signals, as well as actions taken in response. |
Content can contain any personal data that you or an End User chooses to include. We cannot know in advance what Content will contain. Please minimize personal data and do not submit information that is unnecessary for your purpose.
4. Sources of personal data
We collect personal data:
- directly from you, such as when you create an account, update a profile, enter a prompt, upload a file, speak into a microphone, create a voice clip, make a payment, or contact us;
- from your organization or another user, such as an administrator, developer, or customer who gives you access or sends your data through an integration;
- automatically from devices and use, through server logs, cookies, local storage, analytics, error monitoring, rate limiting, and security systems;
- from service providers, including authentication, infrastructure, analytics, fraud-prevention, and payment providers; and
- from public or permitted sources, such as public websites, sanctions or fraud-prevention information, or material lawfully licensed for research, model development, or safety.
5. How and why we use personal data
| Purpose | Typical data | Legal basis where required |
|---|---|---|
| Provide and operate the Services | Account, Content, voice/audio, API usage, device, and transaction data | Performing our contract; steps at your request; legitimate interests |
| Authenticate users and secure accounts | Identity, credentials, sessions, IP address, device and security signals | Contract; legitimate interests; legal obligations |
| Process payments, credits, refunds, and accounting | Billing, transaction, wallet, receipt, and contact data | Contract; legal obligations; legitimate interests |
| Measure usage, enforce limits, and improve performance | API usage, device, logs, diagnostics, and analytics | Contract; legitimate interests; consent where required |
| Develop, evaluate, train, and improve models and products | Content, feedback, usage, diagnostics, and lawfully sourced data | Legitimate interests; consent where required; contract where applicable |
| Detect and prevent abuse, fraud, and harm | Content, account-linkage, IP, device, payment, safety, and enforcement data | Legitimate interests; legal obligations; protection of rights and safety |
| Provide support and communicate | Account, Content relevant to the request, diagnostics, and communications | Contract; legitimate interests; consent for optional marketing where required |
| Comply with law and resolve disputes | Any data reasonably relevant to a legal duty, claim, investigation, or request | Legal obligations; legitimate interests; establishment or defense of legal claims |
| Market and understand adoption | Contact preferences, attribution, analytics, feature and conversion events | Legitimate interests; consent where required |
Where we rely on legitimate interests, they include operating and improving a secure AI service, understanding product use, preventing fraud and abuse, protecting users and the public, enforcing our Terms, and developing our business. We balance those interests against the nature of the data, your reasonable expectations, and potential effects on your rights.
Where consent is the legal basis, you may withdraw it for future processing, but withdrawal does not make earlier processing unlawful and may prevent us from providing the relevant feature. We may process data for another compatible or legally permitted purpose after providing any notice required by law.
6. Content review and model improvement
Content submitted to the standard Services is not automatically private or confidential. We may use prompts, messages, files, audio, transcripts, Outputs, ratings, and related metadata to operate, protect, evaluate, develop, train, fine-tune, and improve our models, voices, safety systems, and products, subject to applicable law and any controlling enterprise agreement.
Automated systems may inspect Content for quality, security, abuse, fraud, safety, policy enforcement, debugging, and model evaluation. A limited number of authorized employees, contractors, and service providers may review Content when needed to:
- investigate abuse, fraud, safety concerns, or security incidents;
- provide support or diagnose a technical problem;
- handle legal matters and enforce our Terms;
- label, assess, test, and improve model or system performance; or
- comply with a valid legal obligation.
Access is intended to be limited to people with a work-related need and may be logged and controlled. Do not submit Content that you would not want processed or reviewed for these purposes. If you require restricted data use, no-training commitments, special retention, or private deployment, contact us before submitting data and enter into an appropriate written enterprise agreement.
We may create aggregated or de-identified information and use it for lawful business, research, safety, benchmarking, and product development purposes. We will not attempt to re-identify information that we maintain as de-identified except to test our de-identification controls or where permitted by law.
7. Voice, audio, and realtime processing
Our speech-to-text, text-to-speech, dubbing, voice, and realtime services may process microphone audio, uploaded recordings, spoken content, transcripts, generated audio, voice settings, timing, language, accent, and other acoustic or interaction information. Realtime services transmit audio to our relay and model infrastructure while a session is active and may create operational, safety, usage, and diagnostic records.
Voice recordings can reveal identity and sensitive characteristics, even when we do not intend to infer them. If a feature technically processes voice characteristics to uniquely identify or verify a person, applicable law may treat that information as biometric or sensitive personal data. We process such data only for the feature, security, consented development, or other purposes described at collection and as permitted by law.
The developer or customer who records or submits another person's voice is responsible for providing clear notice, obtaining legally sufficient consent, respecting withdrawal and deletion rights, and complying with recording, wiretap, biometric, employment, publicity, telecommunications, and data-protection laws. We may request evidence of consent or authority.
8. Payment information
Card payments are processed by Stripe. Payment-card fields presented through Stripe Elements are sent to Stripe rather than stored in full by us. We receive information needed to reconcile and support the transaction, which can include a payment-intent identifier, billing email, status, amount, currency, payment method type, card brand and last four digits, or bank descriptor.
Ethiopian payment verification may be processed through CanyoPay and relevant banking or payment systems. If you submit an FT reference or a receipt screenshot, that information and the payment amount are sent to the verification provider. A receipt may contain your name, account information, transaction reference, amount, date, or other personal data. Redact unrelated information before upload.
Payment providers act under their own privacy notices for activities where they independently determine processing. We also retain transaction and accounting records as described in Section 13.
9. Cookies, local storage, analytics, and monitoring
We and our providers use cookies, browser storage, pixels, scripts, and similar technologies. These technologies can be first-party or third-party and may persist after a browser session.
| Type | What it does | Examples in the Services |
|---|---|---|
| Strictly necessary | Authenticates sessions, preserves security, routes requests, prevents abuse, and remembers essential choices. | Supabase authentication, Cloudflare security/Turnstile, currency and session storage. |
| Analytics and product measurement | Measures page views, interactions, journeys, feature use, attribution, and conversions. | PostHog analytics, including anonymous and identified events after authentication. |
| Error and performance monitoring | Diagnoses crashes, slow requests, browser and server errors, and affected sessions. | Sentry diagnostics and error-related session context where configured. |
| Fraud and payment security | Detects automated abuse, suspicious payments, duplicate transactions, and account misuse. | Cloudflare Turnstile, Stripe, CanyoPay, server logs, and rate-limit records. |
Analytics may associate activity with an account ID and email after sign-in. Attribution data can include referring pages, campaign parameters, and advertising click identifiers. We use PostHog's European ingestion infrastructure in the current portal configuration, but provider processing locations may change.
Where consent is required, we will seek it before using non-essential technologies. You can also control cookies through browser settings, although blocking necessary storage can prevent authentication or other features from working. Browser “Do Not Track” signals do not have a uniform legal or technical standard; we respond where required by applicable law.
11. Legal requests, preservation, and authorities
Your account history and Content are not immune from legal process. We may preserve, access, or disclose personal data—including prompts, files, recordings, transcripts, generated Content, usage records, account identifiers, IP addresses, and payment records—when we reasonably believe disclosure is necessary or appropriate to:
- comply with applicable law, regulation, court order, subpoena, warrant, or other valid legal process;
- respond to lawful requests from courts, regulators, law enforcement, national-security, or other public authorities;
- enforce our Terms or investigate fraud, abuse, security incidents, policy violations, or unlawful activity;
- protect the rights, safety, privacy, security, or property of Addis AI, our users, or the public; or
- establish, exercise, or defend legal claims.
Where permitted, we may challenge overbroad requests, seek protective measures, and provide notice before disclosure. We may be legally prohibited from notifying you. We may also preserve data in response to a legally valid preservation request even if you seek deletion.
12. International data transfers
Personal data may be processed in Ethiopia, Switzerland, the European Economic Area, and countries where our service providers or infrastructure are located. This can include processing outside the country where you live. Those countries may have different data-protection rules, and their public authorities may have lawful access powers.
Where required, we use recognized safeguards for international transfers, such as adequacy decisions, contractual protections, approved standard contractual clauses, access and security controls, or a legally permitted exception. Transfers of sensitive personal data are subject to additional requirements where applicable, including requirements under applicable data-protection law.
Contact us for information about safeguards relevant to your data. Enterprise customers that require specific data locations or transfer terms must agree them with us in writing before use.
13. Data retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, including to provide the Services, maintain legitimate business and safety records, resolve disputes, enforce agreements, and comply with legal, tax, accounting, and regulatory obligations. Retention depends on the data and context:
| Data | General retention approach |
|---|---|
| Account and profile data | For the life of the account and afterward as needed to complete deletion, maintain required records, resolve disputes, prevent re-registration abuse, and comply with law. |
| Prompts, conversation history, files, transcripts, and generated clips | For as long as stored in your account or needed to provide the feature, unless deleted sooner; longer where needed for safety, abuse investigation, support, legal process, or an applicable enterprise agreement. |
| Realtime and transient request data | For the time needed to transmit and process the interaction, with operational, safety, usage, or diagnostic records retained separately where necessary. |
| API usage, security, and audit logs | For a period proportionate to billing, service integrity, fraud prevention, security investigation, enforcement, and legal requirements. |
| Payment, credit, refund, and accounting records | For the statutory accounting, tax, anti-fraud, chargeback, and dispute period that applies to the transaction. |
| Analytics and diagnostics | According to our configured provider retention periods and for as long as reasonably useful for product measurement, debugging, security, and trend analysis, after which data may be deleted or aggregated. |
| Closed, banned, or abusive-account records | As long as reasonably necessary to enforce restrictions, prevent fraud and repeated abuse, protect the Services, and establish or defend claims. |
| Support and legal records | For as long as needed to address the request, document the response, comply with law, and establish or defend claims. |
When you request deletion, we take steps to delete or de-identify data covered by the request unless retention is permitted or required. Deletion from active systems may not be immediate. Data can remain temporarily in backups, security records, provider systems, and deletion logs until those systems are overwritten or the applicable retention period ends. We may retain an audit record showing that a deletion request was handled.
Information already lawfully de-identified and disassociated from your account, aggregated statistics, and model or system improvements that do not identify you may not be capable of being reversed or removed. We consider purpose, amount, nature, sensitivity, potential harm, technical constraints, and legal requirements when setting retention periods.
14. Security
We use administrative, technical, and organizational measures designed to protect personal data, which may include access controls, authentication, encryption in transit, credential hashing, logging, rate limits, provider reviews, separation of duties, and incident response. No internet transmission, storage system, or AI service is completely secure, and we cannot guarantee that unauthorized access, loss, alteration, or disclosure will never occur.
You are responsible for securing your devices, accounts, API keys, integrations, and End User data. Notify us immediately at support@addisassistant.comif you suspect an account or data incident. Where required by law, we will notify the competent authority and affected individuals of a qualifying personal-data breach.
15. Your privacy rights
Depending on where you live and subject to legal exceptions, you may have rights to:
- know whether and how we process your personal data;
- access and receive a copy of personal data;
- correct inaccurate, incomplete, misleading, or outdated data;
- delete personal data;
- restrict or object to processing, including certain direct marketing;
- receive portable data in a structured, commonly used format;
- withdraw consent for future processing where consent is the basis;
- object to or request human review of certain solely automated decisions with legal or similarly significant effects;
- lodge a complaint with a competent data-protection authority; and
- not be discriminated against for exercising a privacy right.
You can update some profile data and request account deletion in account settings. For other requests, email support@addisassistant.comwith the subject “Privacy Request.” Describe the right you wish to exercise and the account or service involved. We may verify your identity and authority, ask for information needed to locate data, and retain a record of the request. Authorized agents must provide proof of authority where required.
Rights are not absolute. We may deny or limit a request where permitted by law, including to protect another person's rights, preserve security or fraud records, comply with a legal duty, protect legal privilege, or establish or defend claims. We will provide a reason where required. You may appeal a refusal by replying to our decision.
16. Children
The Services are intended for people aged 18 or older and are not directed to children. You may not create an account for a child or submit a child's voice, recording, biometric data, or other personal data unless we have expressly authorized the use in writing and you have verified parental or guardian authorization and every other safeguard required by law.
If you believe a child's personal data was submitted without proper authorization, contact us immediately. We may delete the data, restrict the account, and request proof of age or authority.
17. Automated processing and profiling
We use automated systems to provide AI Output, transcribe and generate audio, meter usage, recommend defaults, detect abuse and fraud, apply rate limits, identify duplicate or suspicious payments, protect accounts, and prioritize review. These systems may produce safety or risk signals that lead to a request being blocked or an account being reviewed, limited, or suspended.
Addis AI does not use account-level automated processing described in this Policy as the sole basis for decisions that produce legal or similarly significant effects on individuals. Where applicable law grants a right to human review, explanation, or contest, contact us using Section 20. Customers are prohibited by the Terms from using Output as the sole basis for high-impact decisions about their End Users.
18. Third-party services and links
The Services may link to or interoperate with third-party websites, app stores, documentation, social platforms, open-source services, or customer integrations. If you choose to use them or direct data to them, their privacy policies and terms apply. We are not responsible for independent third parties' practices.
Public sharing or publication of Output is at your direction and can make personal data available to anyone. Search engines, recipients, and downstream services may copy or retain published material even after you delete it from your own account.
19. Changes to this Policy
We may update this Policy to reflect changes in law, technology, providers, risks, or the Services. The version and effective date appear above. If a change materially affects how we use personal data already collected, we will provide additional notice or obtain consent where required. We encourage you to review the current Policy periodically.
20. Contact and complaints
To ask a privacy question, exercise a right, report a concern, or contact the data controller, use:
Addis AIHauptstrasse, 2552 Orpund, Switzerland
support@addisassistant.com
contact@addisai.ch
Please contact us first so we can try to resolve your concern. You may also lodge a complaint with the data-protection authority competent for your location or the relevant processing where applicable.