Privacy Policy
Last updated: June 2026
Aidvocate OÜ (“Aidvocate”, “we”, “us”) is committed to protecting your personal data and respecting your privacy. This policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR).
Data controller: Aidvocate OÜ (Registry code: 17486573), Ahtri tn 12, 15551 Tallinn, Estonia — contact@aidvocate.one
1. What data we collect
Account and registration data
When you submit a registration request, we collect your name, organisation, and email address. Once approved, this forms your account profile. Passwords are stored using strong one-way hashing and are never accessible in plain text to anyone, including the Aidvocate team.
Session data
When you are logged in, a strictly necessary cookie is set in your browser to maintain your session. It contains a signed token and no personal information. Sessions expire after a period of inactivity.
Tool-specific data
Some platform tools process additional data as part of their function. See the Tool-specific data practices section below for details.
2. How we use your data
We use your data to:
- Review registration requests and manage your account
- Authenticate you and maintain your session
- Provide access to platform features
- Respond to your requests and enquiries
- Comply with our legal obligations
We do not sell your data. We do not use your data for advertising.
3. Legal basis for processing
| Purpose | Legal basis |
|---|---|
| Registration and account management | Contract (Art. 6(1)(b) GDPR) |
| Authentication and session management | Contract (Art. 6(1)(b) GDPR) |
| Tool-specific processing | Contract (Art. 6(1)(b) GDPR) |
| Legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
4. Where your data is stored and processed
All data is stored on our own server hosted in Helsinki, Finland (EU), provided by Hetzner Cloud, a German cloud infrastructure company operating under EU law.
Where specific tools require external AI processing, this is described in the Tool-specific data practices section below. Third-party providers that receive personal data are subject to GDPR. Some backend processes use third-party providers that receive no personal data — only anonymised inputs. These are described in the Tool-specific data practices section below.
5. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Registration data (rejected requests) | Deleted after review |
| Session cookies | Expire after a period of inactivity |
| Tool-specific data | See section 10 |
6. Cookies
We use only strictly necessary cookies to keep you logged in. These are not used for tracking or advertising, and no personal information is stored in them. Because they are essential to the platform's function, they do not require your prior consent under GDPR. We display a notice on your first visit so you are aware of their use.
7. Your rights
Under GDPR, you have the right to access, correct, erase, restrict, or port your personal data, and to object to its processing. To exercise any of these rights, contact us at contact@aidvocate.one. You can also delete your account and all associated data directly from your profile page.
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.
8. Security
We take reasonable technical and organisational measures to protect your personal data, including encrypted connections, strong password hashing, and access controls on our self-hosted infrastructure.
9. Changes to this policy
We may update this policy from time to time. When we do, we will update the “last updated” date at the top of this page.
10. Tool-specific data practices
Policy Aide (active)
Policy Aide is an AI-powered research assistant. When you use it, your questions and the AI's responses are temporarily stored to maintain context within your session.
Retention: Conversation data is automatically and permanently deleted after 24 hours. You can also delete your history at any time using the Delete history button in the chat interface. During the beta period, your messages may also be retained in operational logs on our EU server for up to 14 days to help us debug and improve the service.
AI processing: Your messages are sent to Mistral AI, a French AI company subject to EU law and GDPR. We chose Mistral specifically because — unlike US-based providers — it is not subject to the US Cloud Act, which can compel American companies to share data with US authorities. Only the content of your message and an anonymous session identifier are transmitted — no name, email, or account information is sent to Mistral. Mistral processes your messages solely to generate a response and does not use them to train its models.
Talking Points Builder (active)
The Talking Points Builder offers two AI-assisted tools: the Thematic Advocacy Brief, which generates a sourced one-pager based on your selected thematic focus, and the Advocacy Assistant, a conversational assistant grounded in the country wiki.
Thematic Advocacy Brief — AI processing: When you generate a brief, the country and thematic selections are sent to DeepSeek. No personal data is included in this request — no name, email, account information, or session identifier is transmitted. DeepSeek receives only the thematic selections and curated reference content. Because DeepSeek receives no personal data — only anonymised thematic selections or keywords — this does not constitute a personal data transfer under GDPR.
Advocacy Assistant — retention: Conversation data is automatically and permanently deleted after 24 hours. You can also delete your history at any time using the Delete history button in the assistant panel. During the beta period, your messages may also be retained in operational logs on our EU server for up to 14 days to help us debug and improve the service.
Advocacy Assistant — AI processing: Your messages are sent to Mistral AI, a French AI company subject to EU law and GDPR. We chose Mistral specifically because — unlike US-based providers — it is not subject to the US Cloud Act, which can compel American companies to share data with US authorities. Only the content of your message and an anonymous session identifier are transmitted — no name, email, or account information is sent to Mistral. Mistral processes your messages solely to generate a response and does not use them to train its models.
Crisis Coordination Rooms (coming soon)
Messages and posts submitted in Crisis Coordination Rooms will be stored on our server. A retention policy will be defined and published here before this feature goes live.