Privacy Policy

Last updated: June 2026

Aidvocate OÜ(“Aidvocate”, “we”, “us”) is committed to protecting your personal data and respecting your privacy. This policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR).

Data controller: Aidvocate OÜ (Registry code: 17486573), Ahtri tn 12, 15551 Tallinn, Estonia — contact@aidvocate.one

1. What data we collect

Account and registration data

When you submit a registration request, we collect your name, organisation, and email address. Once approved, this forms your account profile. Passwords are stored using strong one-way encryption and are never accessible in plain text to anyone, including the Aidvocate team.

Session data

When you are logged in, a strictly necessary cookie is set in your browser to maintain your session. It contains a signed token and no personal information. Sessions expire after a period of inactivity.

Tool-specific data

Some platform tools process additional data as part of their function. See the Tool-specific data practices section below for details.

2. How we use your data

We use your data to:

  • Review registration requests and manage your account
  • Authenticate you and maintain your session
  • Provide access to platform features
  • Respond to your requests and enquiries
  • Comply with our legal obligations

We do not sell your data. We do not use your data for advertising.

3. Legal basis for processing

PurposeLegal basis
Registration and account managementContract (Art. 6(1)(b) GDPR)
Authentication and session managementContract (Art. 6(1)(b) GDPR)
Tool-specific processingContract (Art. 6(1)(b) GDPR)
Legal obligationsLegal obligation (Art. 6(1)(c) GDPR)

4. Where your data is stored and processed

All data is stored on our own server hosted in Helsinki, Finland (EU), provided by Hetzner Cloud, a German cloud infrastructure company operating under EU law.

Where specific tools require external AI processing, this is described in the Tool-specific data practices section below. Third-party providers that receive personal data are subject to GDPR. Some backend processes use third-party providers that receive no personal data — only anonymised inputs. These are described in the Tool-specific data practices section below.

5. Data retention

Data typeRetention period
Account dataUntil you delete your account
Registration data (rejected requests)Deleted after review
Session cookiesExpires after a period of inactivity
Tool-specific dataSee section 10

6. Cookies

We use only strictly necessary cookies to keep you logged in. These are not used for tracking or advertising, and no personal information is stored in them. Because they are essential to the platform's function, they do not require your prior consent under GDPR. We display a notice on your first visit so you are aware of their use.

7. Your rights

Under GDPR, you have the right to access, correct, erase, restrict, or port your personal data, and to object to its processing. To exercise any of these rights, contact us at contact@aidvocate.one. You can also delete your account and all associated data directly from your profile page.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.

8. Security

We take reasonable technical and organisational measures to protect your personal data, including encrypted connections, strong password hashing, and access controls on our self-hosted infrastructure.

9. Changes to this policy

We may update this policy from time to time. When we do, we will update the “last updated” date at the top of this page.

10. Tool-specific data practices

Policy Aide active

Policy Aide is an AI-powered research assistant. When you use it, your questions and the AI's responses are temporarily stored to maintain context within your session.

Retention: Conversation data is automatically and permanently deleted after 24 hours. You can also delete your history at any time using the Delete history button in the chat interface. During the beta period, your messages may also be retained in operational logs on our EU server for up to 14 days to help us debug and improve the service.

AI processing: Your messages are sent to Mistral AI, a French AI company subject to EU law and GDPR. We chose Mistral specifically because — unlike US-based providers — it is not subject to the US Cloud Act, which can compel American companies to share data with US authorities. Only the content of your message and an anonymous session identifier are transmitted — no name, email, or account information is sent to Mistral. Mistral processes your messages solely to generate a response and does not use them to train its models.

Talking Points Builder active

The Talking Points Builder offers two AI-assisted tools: the Thematic Advocacy Brief, which generates a sourced one-pager based on your selected thematic focus, and the Advocacy Assistant, a conversational assistant grounded in the country wiki.

Thematic Advocacy Brief — AI processing: When you generate a brief, the country and thematic selections are sent to DeepSeek. No personal data is included in this request — no name, email, account information, or session identifier is transmitted. DeepSeek receives only the thematic selections and curated reference content. Because DeepSeek receives no personal data — only anonymised thematic selections or keywords — this does not constitute a personal data transfer under GDPR.

Advocacy Assistant — retention: Conversation data is automatically and permanently deleted after 24 hours. You can also delete your history at any time using the Delete history button in the assistant panel. During the beta period, your messages may also be retained in operational logs on our EU server for up to 14 days to help us debug and improve the service.

Advocacy Assistant — AI processing: Your messages are sent to Mistral AI, a French AI company subject to EU law and GDPR. We chose Mistral specifically because — unlike US-based providers — it is not subject to the US Cloud Act, which can compel American companies to share data with US authorities. Only the content of your message and an anonymous session identifier are transmitted — no name, email, or account information is sent to Mistral. Mistral processes your messages solely to generate a response and does not use them to train its models.

Crisis Coordination Rooms coming soon

Messages and posts submitted in Crisis Coordination Rooms will be stored on our server. A retention policy will be defined and published here before this feature goes live.

11. Contact

Aidvocate OÜ

Ahtri tn 12, 15551 Tallinn, Estonia

contact@aidvocate.one