Version 2026-07-07 · Effective 2026-07-07

Privacy Policy

Aimée LLC 30 N Gould St, Ste R, Sheridan, WY 82801, USA Email: founder@tryaimee.com EIN: 36-5184363

Effective Date: July 7, 2026 Version: 2026-07-07

This Privacy Policy explains how Aimée LLC ("Aimée," "we," "us," or "our") collects, uses, stores, and shares personal information in connection with the Aimée AI voice agent platform (the "Service"). Please read this Policy carefully before using the Service.


1. Who We Are

Aimée LLC is a Wyoming limited liability company registered at 30 N Gould St, Ste R, Sheridan, WY 82801, USA. We operate the Aimée AI voice agent platform, which provides AI-powered telephone answering and appointment scheduling services to private medical and healthcare clinics.

Data Protection Contact: founder@tryaimee.com (Subject: "Privacy Request"). This contact serves the equivalent function of a data protection contact for all privacy-related inquiries, rights requests, and regulatory correspondence.

EU Representative: Aimée has not yet formally appointed an EU representative under GDPR Article 27, as our current processing scale does not trigger that requirement. We monitor our EU customer base and will appoint a representative when required. Until then, EU/EEA data subjects may contact us directly at founder@tryaimee.com.


2. Scope of This Policy

This Policy applies to the following categories of individuals whose personal data we process:

Customers — clinics, medical practices, dental practices, beauty salons, and other businesses that register for and use the Service, and the Authorized Users (owners, managers, receptionists, and other staff) who access the Service on behalf of a Customer.

Callers — patients and other individuals who call a clinic that uses the Service. Callers are data subjects whose personal information is incidentally processed when they telephone a clinic deploying the Aimée voice agent.

Website visitors — individuals who visit aimee.ai or related web properties. Website visitors are subject to standard server-side logging (IP address, user agent, page visited, referrer, timestamp). We do not currently use third-party analytics tracking cookies on our website beyond strictly necessary session cookies.


3. Categories of Personal Data Collected

Notice at Collection (CCPA): The following table describes the categories of personal information we collect, the sources from which we collect it, and our purposes for collection. This notice is provided at or before the point of collection as required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

CategoryExamplesSourceLawful Basis (GDPR Art. 6)
Account dataEmail address, full name, password hash, organization name, country, role, UI language preferenceCustomer registrationContract performance (Art. 6(1)(b))
Billing dataLast 4 digits of payment card, billing address, invoice history, subscription planStripe, Inc. (tokenized — we never receive full card data)Contract performance (Art. 6(1)(b))
Call audioReal-time audio stream during a callCaller's telephone callNot stored — processed in real time only; legitimate interest of Customer in operating the Service (Art. 6(1)(f))
Call transcriptsText transcription of the conversation generated from call audioGenerated via Deepgram STT serviceLegitimate interest of Customer in reviewing and acting on call content (Art. 6(1)(f))
Caller phone numberCaller ID (CLI/ANI) transmitted with the incoming callTelnyx telephony providerLegitimate interest in call routing and caller identification (Art. 6(1)(f))
Appointment dataCaller name, requested appointment date/time, stated reason for visit, may include health-related information disclosed voluntarily by callerDisclosed during callLegitimate interest; for health data disclosed in a healthcare context — Art. 9(2)(h) (provision of healthcare or social care)
Usage analyticsLogin timestamps, feature usage patterns, dashboard interactions, IP address, browser user agent, session dataCustomer dashboard activityLegitimate interest in service security, performance optimization, and fraud prevention (Art. 6(1)(f))
Communication preferencesMarketing opt-in/opt-out flag and historyUser selection during registration or in account settingsConsent (Art. 6(1)(a)) — marketing communications are sent only to those who have affirmatively opted in
Consent audit recordsTruncated IP address, browser user agent, timestamp, document version hash, language shown at acceptanceAutomatically recorded at time of legal document acceptanceLegal obligation (Art. 6(1)(c)) — GDPR Art. 5(2) accountability; Art. 7(1) demonstrating consent; Legitimate interest (Art. 6(1)(f)) — audit integrity (see Section 16)

For special category data (Art. 9 GDPR): health-related information may be incidentally disclosed by callers during the course of scheduling appointments (e.g., stating the reason for a visit or a medical condition). We process such data under Art. 9(2)(h) — processing necessary for the provision of health care or treatment — and only to the extent necessary to fulfill the caller's request. We do not actively solicit health information beyond what is necessary for the scheduling function. Customer is responsible for ensuring appropriate notice and transparency to callers regarding such processing.


4. How We Use Your Data

We use the personal data described in Section 3 for the following purposes:

Account data — to create and manage Customer accounts; to authenticate Authorized Users; to communicate service-related information (billing, security alerts, product updates where opted in); to enforce this Policy and our Terms of Service.

Billing data — to process subscription payments via Stripe; to generate and maintain invoice records; to comply with tax and financial record-keeping obligations.

Call audio — to power the real-time AI voice agent response. Audio is streamed to our speech-to-text provider (Deepgram) for transcription and is not stored or retained by Aimée.

Call transcripts — to display call history and summaries in the Customer dashboard; to enable Customer staff to review calls and follow up on appointments; to generate analytics reports for the Customer.

Caller phone number — to route incoming calls; to display caller identification in the dashboard; to enable the AI agent to reference prior interactions where applicable.

Appointment data — to populate the Customer's appointment and task management workflows; to enable follow-up actions by clinic staff.

Usage analytics — to monitor Service security and detect fraudulent activity; to improve Service performance and reliability; to generate aggregated, non-identifiable usage statistics.

Communication preferences — to determine whether to send marketing communications, product announcements, or usage tips. We do not send marketing communications to users who have not affirmatively opted in.

Consent audit records — as described in Section 16.


5. Retention Periods

We retain personal data for the periods set out below. When data is no longer needed, we delete it, anonymize it, or reduce it to a form that can no longer be associated with an individual.

Data CategoryDefault RetentionConfigurable by Customer?
Call transcripts and call summary90 days from call date, then automatically NULLed by our GDPR serviceYes — Customer may reduce auto_delete_days in clinic settings
Caller phone numberSame as call transcriptsYes — deleted or NULLed on the same schedule
Call metadata (timestamp, duration, agent ID)90 days (linked to transcript); anonymized metadata may be retained longer for aggregate analyticsNo
Account and profile dataDuration of subscription + 7 years (required by US tax and financial record-keeping law)No
Billing records and invoices7 years from invoice dateNo
Audit logs of administrative actions7 yearsNo
Consent audit log entries7 years from date of consent (see Section 16)No
Marketing communication preference historyUntil opt-out, then archived; opt-out record retained indefinitelyNo

Where Customer exercises a right to erasure (Section 9.2), we anonymize identifying fields in personal records rather than deleting rows that are required for compliance or audit purposes. Specifically, consent log entries survive account deletion with the user reference set to null (see Section 16).


6. Legal Bases for Processing (EU/UK)

This Section is addressed specifically to Customers and data subjects located in the European Union, European Economic Area, or United Kingdom. For each processing activity, we rely on the following legal bases under GDPR Article 6 (and Article 9 for special category data):

  • Contract performance (Art. 6(1)(b)): account management, billing, authentication, and core service delivery to Customers who have entered into a contract with us.
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, call processing (transcripts, caller ID), analytics, and audit log integrity. In each case, Aimée's legitimate interests are balanced against the rights and interests of the data subjects concerned. Callers have a legitimate interest in having their calls answered efficiently; Customers have a legitimate interest in reviewing call records.
  • Legal obligation (Art. 6(1)(c)): retention of financial records, tax compliance, and maintenance of consent audit logs for regulatory accountability purposes.
  • Consent (Art. 6(1)(a)): marketing communications. Consent may be withdrawn at any time via account settings without affecting the lawfulness of processing prior to withdrawal.
  • Art. 9(2)(h): processing of health-related information incidentally disclosed during healthcare appointment scheduling.

7. Subprocessors

We use the following third-party service providers ("subprocessors") to deliver the Service. Each subprocessor processes personal data only as directed by Aimée, under written data processing agreements that impose obligations equivalent to those in our DPA with Customers. Customers receive 30 days' advance email notice before we add or replace any subprocessor.

A complete, always-current subprocessor list with additional detail is maintained at aimee.ai/legal/subprocessors.

ProviderPurposeData LocationSafeguards for Non-EU Transfers
Supabase, Inc.Database and authenticationEU (Frankfurt, Germany)DPA signed; data stored in EU — no international transfer required
Deepgram, Inc.Speech-to-text transcriptionUSADPA signed; EU SCCs Module 2 (Commission Decision 2021/914) + UK IDTA (ICO, Version B1.0)
ElevenLabs, Inc.Text-to-speech voice synthesisUSADPA signed; EU SCCs Module 2 (2021/914) + UK IDTA
Groq, Inc.Large language model (LLM) inference — primaryUSADPA accepted; EU SCCs Module 2 (2021/914) + UK IDTA
xAI Corp.LLM inference — fallbackUSADPA accepted; EU SCCs Module 2 (2021/914) + UK IDTA
Vercel, Inc.Frontend hosting and edge deliveryUSA (with EU edge nodes)DPA signed (Pro plan); EU SCCs (2021/914)
Railway Corp.Backend hostingUSADPA signed; EU SCCs Module 2 (2021/914) + UK IDTA
Telnyx LLCTelephony servicesEU + USADPA signed; EU SCCs for US-routed traffic (2021/914) + UK IDTA
Stripe, Inc.Payment processingUSADPA signed; EU SCCs Module 2 (2021/914) + UK IDTA; PCI-DSS Level 1 certified

8. International Data Transfers

Where we transfer personal data of EU/EEA or UK data subjects to subprocessors located in the United States, those transfers are governed by:

  • For EU/EEA data: the Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission in Decision (EU) 2021/914, incorporated by reference into our agreements with each US subprocessor.
  • For UK data: the UK International Data Transfer Addendum to the EU SCCs (issued by the UK ICO), incorporated by reference.
  • Supplementary measures: TLS 1.2+ encryption in transit, encryption at rest, role-based access controls, audit logging, and contractual prohibitions on government access without legal challenge.

A full list of subprocessors with their applicable safeguards is available at aimee.ai/legal/subprocessors. Customers receive 30 days advance email notice before any subprocessor change.


9. Your Rights

9.1 All Users

Regardless of your location, you have the following rights in relation to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that we correct inaccurate or incomplete personal data.
  • Deletion: request that we delete your personal data, subject to applicable legal retention requirements (see Section 16 for consent audit records).
  • Portability: receive a copy of your data in a structured, commonly used, machine-readable format.

To exercise these rights, contact us at founder@tryaimee.com with subject "Privacy Request" and sufficient detail to verify your identity.

9.2 EU/EEA and UK Residents (GDPR / UK GDPR)

If you are located in the EU/EEA or UK, you have additional rights under GDPR Articles 15–22:

  • Right of access (Art. 15): obtain confirmation of whether we process your personal data and receive a copy.
  • Right to rectification (Art. 16): have inaccurate personal data corrected without undue delay.
  • Right to erasure (Art. 17): have personal data deleted ("right to be forgotten") where it is no longer necessary, consent is withdrawn, or processing is unlawful — subject to the limitations described in Section 16 for consent audit records.
  • Right to restriction of processing (Art. 18): restrict our processing of your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured format and transmit it to another controller.
  • Right to object (Art. 21): object to processing based on legitimate interests; we will cease processing unless we can demonstrate compelling legitimate grounds.
  • Rights related to automated decision-making (Art. 22): the Service does not make solely automated decisions that produce legal or similarly significant effects on individuals.

Supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority. For EU/EEA residents, the relevant authority is the supervisory authority of the EU member state where you reside, work, or where the alleged infringement occurred. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. For UK residents, the relevant authority is the UK Information Commissioner's Office (ICO) at ico.org.uk.

9.3 California Residents (CCPA / CPRA)

Notice at Collection: personal information is collected at the categories and for the purposes described in Section 3 above.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: know what categories of personal information we collect, use, disclose, or sell, and to access the specific personal information we hold about you.
  • Right to delete: request deletion of your personal information, subject to certain exceptions.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: Aimée does not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not sell personal data to third parties, and we do not share personal data with third parties for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information: we do not use or disclose sensitive personal information beyond the purposes permitted by the CPRA without your explicit consent.
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a CCPA/CPRA request, contact us at founder@tryaimee.com or via your account dashboard. We will respond within 45 days.

9.4 Other US State Residents

We honor privacy rights under applicable state privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other US states that have enacted comprehensive privacy legislation, to the extent those laws apply to our processing activities. The rights available are substantially equivalent to those described in Section 9.3. Submit requests to founder@tryaimee.com.


10. How to Exercise Your Rights

To exercise any privacy right described in Section 9:

  1. Email founder@tryaimee.com with the subject line "Privacy Request".
  2. Include your full name, the email address associated with your account (or used when contacting a clinic), the specific right you wish to exercise, and sufficient detail for us to identify you and locate your data.
  3. We may ask for additional verification to confirm your identity before processing your request.

Response times:

  • EU/EEA and UK requests (GDPR/UK GDPR): response within 30 days of receiving a complete request. Complex requests may be extended by a further 60 days with notice.
  • US requests (CCPA/CPRA and other states): response within 45 days of receiving a verifiable consumer request.

For callers (patients who called a clinic using the Service): direct your request to the clinic you contacted. Clinics are the data controller for caller data processed in connection with their use of the Service. Aimée acts as a data processor on behalf of the clinic for that data. We will assist clinics in fulfilling data subject requests as required by our DPA.


11. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration:

  • Encryption in transit: all data is transmitted using TLS 1.2 or higher.
  • Encryption at rest: database contents and backups are encrypted using AES-256.
  • Access control: role-based access control (RBAC) ensures that employees and contractors access only the data necessary for their role. Multi-factor authentication is required for administrative access.
  • Audit logging: administrative actions affecting personal data are recorded in an immutable audit log.
  • Data minimization: call audio is processed in real time and is not stored or retained. Only the resulting transcript is saved, subject to the retention periods in Section 5.
  • Monitoring and incident response: we use uptime monitoring and error tracking to detect security incidents. In the event of a Personal Data Breach affecting EU/EEA or UK data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33), and will notify affected Customers without undue delay.
  • Third-party security: all subprocessors listed in Section 7 are subject to security due diligence and contractual security obligations.

12. Cookies and Tracking

Aimée uses cookies and similar technologies on the Service and on our marketing website. Non-essential cookies are only set after you make a choice in our cookie banner ("Accept all", "Reject all", or "Customize") — until then, Analytics and Marketing cookies default to denied.

We use three cookie categories:

  • Necessary — always on, cannot be disabled. Required for login sessions, security, and remembering your saved preferences.
  • Analytics — Google Analytics 4. Loaded only if you accept the Analytics category.
  • Marketing — reserved category, visible in the cookie banner, but no marketing or advertising cookies are currently loaded (no Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or similar). We will not load any marketing cookie without first updating this Policy and requesting your consent.
CookieCategorySet byPurposeLifetime
sb-*-auth-tokenNecessaryAimée (Supabase Auth)Keeps you signed inSession, up to 7 days
NEXT_LOCALENecessaryAiméeRemembers your interface language1 year
CSRF/session cookieNecessaryAiméeProtects form submissions from forgerySession
_gaAnalyticsGoogle AnalyticsDistinguishes visitors2 years
_ga_*AnalyticsGoogle AnalyticsPersists session state2 years

Changing or withdrawing your choice: you can review or change your cookie preferences at any time via the "Cookie settings" link in the footer of the Service and of our website. Withdrawing consent is as easy as giving it, and does not affect the lawfulness of any processing carried out before withdrawal.

Consent record: each time you accept, reject, or customize your cookie preferences, we log the action (timestamp, a salted one-way hash of your IP address, a hash of your user agent, the categories chosen, and which control you used) as a record of consent for compliance purposes. We never store your raw IP address. This consent log is retained for up to 24 months.

EU/EEA and UK users are not required to accept any cookies beyond strictly necessary cookies to use the Service. If you have questions about specific cookies used by the Service, contact founder@tryaimee.com.


13. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from individuals under 16. If we learn that we have inadvertently collected personal information from a child under 16, we will take prompt steps to delete that information. If you believe that a child's personal information has been submitted to the Service, please contact us immediately at founder@tryaimee.com.


14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes as follows:

  • Material changes (such as new categories of data collected, new subprocessors, or changes to your rights): we will provide at least 30 days' advance written notice to the email address on file in your account before the updated Policy takes effect.
  • Minor or cosmetic changes (such as clarifications or formatting updates that do not affect your rights or our practices): we may update the Policy without prior notice, but we will always update the version date at the top.

Your continued use of the Service after a material change takes effect constitutes acceptance of the updated Policy. For changes that require your active re-acceptance under our three-tier re-acceptance system, you will be prompted to review and accept the updated Policy in the Service dashboard.


15. Contact Us

For privacy-related questions, rights requests, and data protection inquiries:

Aimée LLC 30 N Gould St, Ste R, Sheridan, WY 82801, USA Email: founder@tryaimee.com Subject line: "Privacy Request" or "Legal Notice"

Data Protection Officer: Aimée LLC has not formally appointed a Data Protection Officer, as our current processing activities and scale do not trigger the mandatory DPO requirement under GDPR Article 37 (we are not a public authority, we do not engage in large-scale systematic monitoring of individuals, and our processing of special category data is limited and incidental to our primary business function). The contact email above serves the equivalent function for all data protection inquiries.

For complaints that cannot be resolved directly, EU/EEA residents may contact their national supervisory authority and UK residents may contact the Information Commissioner's Office (ico.org.uk).


16. Special Notice — Consent Audit Logs

When you accept our Terms, Privacy Policy, DPA, or change your marketing preferences, we record a consent event including a truncated IP address (first 3 octets for IPv4 / first 48 bits for IPv6), browser user-agent, timestamp, and a cryptographic hash of the document version you saw, together with the language in which it was presented.

Lawful basis for this retention: these records are processed and retained under:

  • GDPR Art. 6(1)(c) — compliance with a legal obligation, specifically Aimée's accountability obligation under GDPR Art. 5(2) and the obligation under Art. 7(1) to be able to demonstrate that consent was obtained; and
  • GDPR Art. 6(1)(f) — legitimate interest in maintaining the integrity of audit logs for fraud prevention, contractual evidence, and regulatory compliance.

Important: because these records exist to satisfy a legal obligation, and because they have been minimized (truncated IP, no full identifier), we may decline requests to erase them under GDPR Art. 17(3)(b) and (e). They are retained for seven (7) years from the date of consent, which matches the longest applicable statute of limitations for contractual claims in the jurisdictions we operate in.

If you delete your account, the user account record is anonymized but the consent log entries remain with the user reference set to null. This ensures we can prove consent was lawfully obtained without continuing to process you as an identifiable individual.


This Privacy Policy is effective as of July 1, 2026. Version 2026-07-01.