Legal
Last updated: June 2, 2026
At EquilAI, we value privacy. That is why we have established and implemented policies and practices governing personal data.
This document describes how EquilAI ("EquilAI" or "us" or "we"), a company registered in Finland under business ID (Y-tunnus) 3546344-3, with its registered office at Saturnuksenkuja 2 B 45, 01480 Vantaa, Finland, collects, uses, shares, stores and otherwise processes certain personal data about users of the EquilAI Service (the "Service") and personal data processed through our website, which includes our products and services (the "Website").
Depending on the context, the use of the second person ("you" or "your") refers to a Customer, User, Visitor and/or End-User.
In this Privacy Statement:
"Conversation Data" means content inputted by an End-User into a Customer Bot in a production environment and data generated by the Customer Bot in a conversation with an End-User.
"Customer" means any person or business who purchased a subscription to the Service or is using the free version of the Service.
"Customer Bot" means a program designed to automate interactions with End-Users of a service or website, including any configuration data or other supporting data that is developed using EquilAI software compatible with the Service by Customers, or third parties on behalf of a Customer or by EquilAI for the benefit of the Customer and that is hosted through the Service.
"End-User" means an individual interacting with a Customer Bot served through our Services.
"Personal data" refers to any information that identifies or could be reasonably associated with an individual.
"Visitor" means an individual browsing our Website.
"Usage Data" means data about the Users' use of the Service, which may contain personal data where identifying information is necessary but excluding any Conversation Data. Usage Data may include personal data about the employees and contractors of the Customer but not about End-Users interacting with Customer Bots.
"User" means an individual using the Service on behalf of the Customer, such as an employee of the Customer.
The contact details of the person responsible for data protection is the following: [email protected]
We collect analytics data, which includes:
We collect this data when an End-User interacts with a Customer Bot for the sole purpose of providing the Service to our Customers. This data is not personally linked to a specific End-User and is transmitted to us in aggregate form.
We process personal data about End-Users on behalf of our Customers pursuant to their instructions.
To generate Customer Bot responses, Conversation Data (the messages exchanged with the Customer Bot, together with the relevant Customer Bot configuration and knowledge base content) is transmitted to our AI provider, OpenAI, which processes it solely to return a response. OpenAI processes this data as our sub-processor through its API and does not use data submitted through its API to train or improve its models.
We do not use Conversation Data or other End-User personal data for any other purpose, which includes analytics, algorithms, model improvements or training.
We collect the following personal data:
We use the content updated to the Customer Bot for the sole purpose of providing the Service to our Customers.
We do not use this content for any other purpose, including to perform analytics and model improvements, create algorithms or for training purposes.
When a Visitor fills out a form on our Website, we collect the following personal data:
If, and only if, a Visitor consents to analytics cookies through our cookie banner, we use Microsoft Clarity, a product analytics tool provided by Microsoft, to understand how our Website is used. Where this tool is active, we automatically collect:
Microsoft Clarity may record anonymised session interactions (such as mouse movement, scrolling and clicks) to produce heatmaps and aggregate usage insights. We do not use Microsoft Clarity to identify individual Visitors. Microsoft acts as our sub-processor for this purpose and processes the data in accordance with its own privacy terms.
Because Microsoft Clarity loads only after a Visitor selects “Allow all” in our cookie banner, you can prevent this collection at any time by declining analytics cookies, or by clearing your stored cookie preference and choosing “Necessary only”.
We process the personal data collected through the use of the Service or the Website for the following purposes:
We process the personal data collected through the Service to provide services to our Customers, including customer service and technical support, in accordance with their instructions. Conversation Data is processed only for this purpose.
As part of the Service, we will process the personal data of Users and Visitors to respond to their requests, including requests for assistance, account processing, etc.
We process personal data about Users and Customers to communicate with them about their use of the Service or the Website. We may also send marketing communications about us, our products and promotions, but only to Customers and Users that agreed to receive marketing communications from us. We comply with all applicable regulations regarding unsolicited commercial messages. If you no longer wish to receive marketing communications from us, you may unsubscribe at any time by writing to us at [email protected]
If a Visitor has provided personal data, we use it for communication purposes.
To render the Service, we process personal data to identify and authenticate Users and Customers.
We process aggregated Usage Data to improve our products and services, identify trends in product use and develop new products and offerings.
We also use browser cookies and other tracking technologies to improve our Website.
We process the data collected through the Website to offer Visitors content that corresponds to their situation or interests. For example, the home page of the Website may be displayed according to language preferences, and the products and services displayed may be different depending on geographic location.
We may also use personal data to customize our Customers' and Users' experience of the Service.
We process the data collected through the Website and the Service and data from analytics tools to monitor Users' and Customers' use of the Website and the Service, to prevent misuse of the Website or the Service, to identify problems or bugs with the Website or the Service, and to determine what features need to be improved.
We may use data collected automatically to ensure the security of the Website, the Service and our computer systems (e.g. to prevent hacking or to deter, monitor and prevent fraud).
We do not currently engage in behavioral advertising, retargeting, or the building of advertising audiences, and we do not sell personal data. We do not use third-party advertising cookies on our Website.
Where you have provided your details (for example, through our contact form) or otherwise consented, we may send you marketing communications about our products and services. You can opt out at any time as described in the “Communication” section above.
Data collected through the Service, including Conversation Data, is never used for marketing purposes.
Where applicable, we process personal data to comply with laws and regulations that apply to our activities, including for dispute resolution, responding to legal requests and cooperating with regulatory entities or courts.
We retain your personal data only as long as it's necessary for our intended processing purposes or, as the case may be, until you or our Customer request that we delete it. The retention duration is determined by our reasons for collecting personal data and using our services and/or as mandated by relevant laws.
EquilAI operates primarily within the European Union. Some data relating to the use of the Service and the Website, system automation, support services and billing are processed by our service providers through facilities that may be located in other jurisdictions. Therefore, your personal data may be accessed by jurisdictions outside your country of residence.
Personal data about End-Users collected through the Service (such as Conversation Data) is stored electronically by our service providers on servers located within the European Economic Area or other locations determined by the specific Customer, subject to appropriate safeguards.
We ensure that the transfer of your Personal Data is made in a secure manner, with appropriate safeguards concerning the nature of the personal data being transferred.
Certain of our sub-processors — including OpenAI, Stripe, Google, Microsoft and Resend — are established in or process data in the United States. In case of transfers of personal data outside the European Economic Area, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses approved by the European Commission and other safeguards in compliance with the GDPR.
Analytics data generated through Microsoft Clarity is stored on servers controlled by Microsoft.
EquilAI has put in place organizational, physical and technical measures to secure the personal data entrusted to us. You can ask for a complete description of the security measures in effect to protect personal data at any time by writing to us at [email protected]
Your personal data is hosted on servers operated by our service providers and is protected against unauthorized access or use by security measures proportionate to the sensitivity of the data. Any financial data is subject to additional security measures that comply with the standards established by payment card networks.
Our employees and suppliers are informed of the confidential nature of personal data collected through the Website and the Service. They are also aware of the appropriate security measures to prevent unauthorized access to personal data through an enterprise-wide cybersecurity policy and training.
We only share personal data in the manner described in this statement. Your personal data may be disclosed to the categories of recipients below for the following purposes:
Personal data is accessible to our officers and employees, who must have access to it as part of their duties. Each employee is bound by a confidentiality agreement.
We share personal data collected through the Service about End-Users with the Customer controlling the Customer Bot with which the End-User interacts. The Customer is the controller with respect to such personal data.
We share personal data with service providers (acting as our sub-processors) that enable us to deliver our services more efficiently. We only share personal data with service providers that agree to keep personal data confidential and which implement security and personal data protection measures comparable to our own. The sub-processors we currently rely on are:
An up-to-date list of our sub-processors is available on request by writing to [email protected].
We may share your personal data with our business family for the purposes outlined in this statement.
If required by law: We may also disclose personal data to third parties as otherwise permitted or required to do so by law or if we are compelled to do so by a competent authority. We may disclose personal data in connection with legal proceedings if necessary to protect our rights or those of others or to meet national security or law enforcement requirements.
Transfer of business: If the sale or restructuring of all or part of our business is contemplated, we may disclose personal data to the persons or organizations involved before and during the transaction, whether or not the transaction ultimately takes place. In such a case, these persons or organizations commit to us to maintain the confidentiality of personal data so disclosed and to use the same exclusively to evaluate the contemplated transaction and in accordance with this statement if the transaction is completed.
We may verify the identity of individuals asking to exercise their rights with respect to their personal data. Any information collected to perform such verification will not be used for any other purpose.
When we process your personal data on behalf of our Customers (e.g. if you are an End-User and you interact with a Customer Bot), you must directly contact our Customer to exercise your rights in connection with your personal data. When this scenario applies, we will forward your requests to the relevant Customer and will cooperate with the Customer to respond to your request. We are not authorized by our Customers to provide information to End-Users. Conversation Data and personal data about users are typically processed on behalf of our Customers.
Your browser allows you to withdraw your consent to certain processing of your personal data, in particular by preventing the placement of browser cookies.
If you wish to withdraw your consent to the processing of your personal data beyond what is permitted by the browser, please contact us by writing to us at [email protected]. Using the Website or the Service entails some processing of your personal data. The only way to stop the processing of your personal data is to stop using the Website and the Service.
Subject to what is stated in the 'Data controlled by Customers' section, if you would like to access personal data we have about you or have inaccurate personal data corrected in our files, you may make a request at [email protected]. We will respond to your request promptly and no later than required under applicable law. If required by law, we will provide personal data in a structured, commonly used and machine-readable format.
Subject to what is stated in the 'Data controlled by Customers' section, you may, in certain circumstances, request the deletion of personal data that we hold about you. To make such a request, please write to us at [email protected]. We will respond to your request promptly and no later than required under applicable law. If you continue to use the Website or the Service, we will again collect certain personal data about you.
Subject to what is stated in the 'Data controlled by Customers' section, End-Users may request the restriction of the processing of their personal data where such processing is unlawful, if End-Users contest the accuracy of such personal data or where deletion of personal data is not permitted under applicable law. You may make a request at [email protected].
Subject to what is stated in the 'Data controlled by Customers', you may have the right to limit the use and disclosure of your personal data. Although EquilAI currently does not share personal data with third parties, we remain committed to ensuring you can exercise this right should that practice change in the future. Specifically, you will have the option to opt-out before your personal data is disclosed to a third party or used for a purpose materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.
Moreover, for sensitive personal data processing, EquilAI will always require your affirmative express consent (opt-in) before such information is disclosed to a third party or used for a purpose other than those originally stated or subsequently authorized by you.
You can make a request at [email protected].
If you wish to lodge a complaint in relation to the processing of your personal data by EquilAI, you may do so by writing to [email protected]. You may also lodge a complaint about our processing of personal data to the supervisory authority of your place of residence, which for Finnish residents is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu).
We use the following categories of cookies and similar technologies:
We do not use advertising or third-party tracking cookies. Analytics cookies are not placed unless you select “Allow all” in our cookie banner; if you select “Necessary only”, no analytics cookies are set. You can also control the storage of cookies through your browser settings.
If you want to understand how we use Microsoft Clarity, refer to the ‘What Personal Data is Collected through the Website’ section.
EquilAI Service and Website do not knowingly collect personal data from children under the age of 16, as the Service and Website do not target children. Children under 16 years of age should not use our Service or Website or provide EquilAI with any personal data without the consent of a parent or legal guardian. Should we become aware of the collection of personal data from a child under 16 years of age, we may promptly remove this information without prior notice. If you discover such an incident, please contact [email protected]
As a Finnish company, EquilAI complies with the EU General Data Protection Regulation (GDPR). We only process personal data based on the following legal basis:
Your personal data might undergo processing, transfer, or disclosure in other countries where our affiliates and service providers operate or have servers. We ensure that the recipient of your personal data maintains an adequate level of protection. This is achieved through arrangements such as Standard Contractual Clauses or other approved transfer mechanisms, as determined by the European Commission or the relevant data protection authority.
If you are a Customer, we strongly advise entering into a Data Processing Agreement (DPA) with us. This document constitutes a formal agreement that acknowledges EquilAI's GDPR compliance and assists you in upholding GDPR standards in your utilization of EquilAI as a data processor. A signed copy of our DPA can be obtained by contacting [email protected]
EquilAI is committed to implementing appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. This includes protecting data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
EquilAI has appointed a Data Protection Officer (DPO) who is responsible for ensuring compliance with data protection laws and regulations, including GDPR. You can reach out to our DPO by email at [email protected]
For any additional information with respect to our processing of personal data, you may contact us at [email protected].
We may modify this Privacy Statement from time to time to reflect changes in our personal data processing practices or any requirement under applicable law. If a modification is made, the new statement will be available through the Service and on this Website.
The statement posted via this website shall be deemed to be the statement then in effect and the date at the top of the statement will be updated to reflect the date of effectiveness. We recommend that you check this website from time to time to remain informed of any changes in this statement.