Privacy Policy

Effective: March 23, 2026 | Last updated: March 23, 2026

1. Who We Are

Aelara is an AI-powered chatbot platform operated by:

Evonord OÜ
Registry code: [your registry code]
Address: Simuna, Lääne-Virumaa, Estonia
Email: info@evonord.eu

In this policy, "we", "us", and "our" refer to Evonord OÜ. "Platform" refers to the Aelara service at aelara.evonord.eu. "Tenant" refers to a business that uses our platform to create chatbots. "End-user" refers to a visitor who interacts with a tenant's chatbot.

2. Scope

This Privacy Policy applies to:

Tenants — businesses that register on our platform, create chatbots, upload knowledge base content, and manage conversations.
End-users — visitors who interact with chatbot widgets embedded on tenant websites.
Website visitors — anyone who visits aelara.evonord.eu.

3. Data We Collect

3.1 From Tenants (Account Holders)

Data	Purpose	Legal Basis
Email address, name	Account creation, authentication	Contract performance
Payment information	Subscription billing via Stripe	Contract performance
Knowledge base documents	Training the AI chatbot	Contract performance
Chatbot configuration	Customizing chatbot behavior	Contract performance

3.2 From End-Users (Chat Visitors)

Data	Purpose	Legal Basis
Chat messages	Generating AI responses, conversation history	Legitimate interest of the tenant
Form submissions (name, email, phone — if provided via chatbot flow)	Lead collection as configured by tenant	Legitimate interest of the tenant / consent
Session ID (anonymous)	Maintaining conversation continuity	Legitimate interest
Browser information (via widget)	Widget rendering, language detection	Legitimate interest

            Important: We do not collect IP addresses, do not use tracking cookies in the chat widget, and do not track end-users across websites. The chat widget does not set any cookies. Each conversation is identified only by a random session ID stored in the browser's local storage.
        

4. How We Use Your Data

To provide the service — generating AI chatbot responses using the tenant's knowledge base and configuration.
To process payments — subscription management via Stripe.
To improve the service — aggregated, anonymized usage metrics (e.g., total conversations per day, average response time).
To communicate with tenants — service notifications, billing updates.

5. AI Processing

When an end-user sends a message through a chatbot, the following happens:

The message is sent to our backend server hosted in the EU (Zone.ee, Estonia).
We search the tenant's knowledge base (stored in our EU database) for relevant content.
The message, relevant knowledge base excerpts, and conversation history are sent to Google Gemini API (model: gemini-2.5-flash-lite) to generate a response.
The response is returned to the end-user and stored in our database.

Google Gemini API: Google processes the data to generate the AI response. Google's API does not store the data or use it for training. See Google Gemini API Terms for details. Data may be processed in Google's data centers which may be located outside the EU — appropriate safeguards (Standard Contractual Clauses) are in place.

6. Data Controller and Processor Roles

Role	Who	Responsibility
Data Controller (for tenant data)	Evonord OÜ	We determine how and why tenant account data is processed.
Data Processor (for end-user data)	Evonord OÜ	We process end-user chat data on behalf of the tenant. The tenant is the data controller for their end-users.
Sub-processor	Google (Gemini API)	AI response generation.
Sub-processor	Stripe	Payment processing.
Sub-processor	Firebase (Google)	Authentication services.

            For tenants: As the data controller for your end-users' chat data, you are responsible for providing your own privacy policy to your end-users. Aelara provides a configurable privacy policy link in the chat widget footer — set this to point to your own privacy policy.
        

7. Data Storage and Security

Location: All data is stored on servers in Estonia (EU) operated by Zone.ee.
Database: MariaDB with encrypted connections.
Knowledge base vectors: ChromaDB stored on the same EU server.
Authentication: Firebase Auth (Google) with industry-standard security.
Transport: All data in transit is encrypted via TLS/SSL (HTTPS).
Access: Only Evonord OÜ administrators have access to the production database.

8. Data Retention

Data Type	Retention Period
Tenant account data	Until account is deleted
Chat conversations	Per subscription tier: Free = 7 days, Starter = 30 days, Professional = 90 days
Knowledge base documents	Until deleted by tenant
Payment data	Managed by Stripe per their retention policy

9. Data Sharing

We do not sell personal data. We share data only with:

Google (Gemini API) — for AI response generation (processed, not stored)
Google (Firebase) — for authentication
Stripe — for payment processing

We do not share data with advertising companies, data brokers, or any other third parties.

10. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the right to:

Access — request a copy of your personal data.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your data ("right to be forgotten").
Restriction — request that we limit how we use your data.
Portability — request your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent.

To exercise any of these rights, contact us at info@evonord.eu.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

11. Cookies

The Aelara chat widget does not use cookies. It uses browser localStorage to store a random session ID for conversation continuity. This session ID cannot be used to identify a person.

The Aelara platform (tenant dashboard) uses:

Firebase authentication token — stored in localStorage, required for login functionality.
Language preference — stored in localStorage.

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@evonord.eu.

13. International Data Transfers

Your data is stored in the EU (Estonia). When data is transferred to Google's services (Gemini API, Firebase) for processing, it may be processed outside the EU. These transfers are protected by:

Standard Contractual Clauses (SCCs) as approved by the European Commission
Google's data processing agreements

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes, we will notify tenants via email.

15. Contact Us

For any privacy-related questions or requests:

Evonord OÜ
Email: info@evonord.eu
Address: Simuna, Lääne-Virumaa, Estonia