Version 2026-07-07 · Effective 2026-07-07
Privacy Policy
Aimée LLC 30 N Gould St, Ste R, Sheridan, WY 82801, USA Email: founder@tryaimee.com EIN: 36-5184363
Effective Date: July 7, 2026 Version: 2026-07-07
This Privacy Policy explains how Aimée LLC ("Aimée," "we," "us," or "our") collects, uses, stores, and shares personal information in connection with the Aimée AI voice agent platform (the "Service"). Please read this Policy carefully before using the Service.
1. Who We Are
Aimée LLC is a Wyoming limited liability company registered at 30 N Gould St, Ste R, Sheridan, WY 82801, USA. We operate the Aimée AI voice agent platform, which provides AI-powered telephone answering and appointment scheduling services to private medical and healthcare clinics.
Data Protection Contact: founder@tryaimee.com (Subject: "Privacy Request"). This contact serves the equivalent function of a data protection contact for all privacy-related inquiries, rights requests, and regulatory correspondence.
EU Representative: Aimée has not yet formally appointed an EU representative under GDPR Article 27, as our current processing scale does not trigger that requirement. We monitor our EU customer base and will appoint a representative when required. Until then, EU/EEA data subjects may contact us directly at founder@tryaimee.com.
2. Scope of This Policy
This Policy applies to the following categories of individuals whose personal data we process:
Customers — clinics, medical practices, dental practices, beauty salons, and other businesses that register for and use the Service, and the Authorized Users (owners, managers, receptionists, and other staff) who access the Service on behalf of a Customer.
Callers — patients and other individuals who call a clinic that uses the Service. Callers are data subjects whose personal information is incidentally processed when they telephone a clinic deploying the Aimée voice agent.
Website visitors — individuals who visit aimee.ai or related web properties. Website visitors are subject to standard server-side logging (IP address, user agent, page visited, referrer, timestamp). We do not currently use third-party analytics tracking cookies on our website beyond strictly necessary session cookies.
3. Categories of Personal Data Collected
Notice at Collection (CCPA): The following table describes the categories of personal information we collect, the sources from which we collect it, and our purposes for collection. This notice is provided at or before the point of collection as required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
| Category | Examples | Source | Lawful Basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Email address, full name, password hash, organization name, country, role, UI language preference | Customer registration | Contract performance (Art. 6(1)(b)) |
| Billing data | Last 4 digits of payment card, billing address, invoice history, subscription plan | Stripe, Inc. (tokenized — we never receive full card data) | Contract performance (Art. 6(1)(b)) |
| Call audio | Real-time audio stream during a call | Caller's telephone call | Not stored — processed in real time only; legitimate interest of Customer in operating the Service (Art. 6(1)(f)) |
| Call transcripts | Text transcription of the conversation generated from call audio | Generated via Deepgram STT service | Legitimate interest of Customer in reviewing and acting on call content (Art. 6(1)(f)) |
| Caller phone number | Caller ID (CLI/ANI) transmitted with the incoming call | Telnyx telephony provider | Legitimate interest in call routing and caller identification (Art. 6(1)(f)) |
| Appointment data | Caller name, requested appointment date/time, stated reason for visit, may include health-related information disclosed voluntarily by caller | Disclosed during call | Legitimate interest; for health data disclosed in a healthcare context — Art. 9(2)(h) (provision of healthcare or social care) |
| Usage analytics | Login timestamps, feature usage patterns, dashboard interactions, IP address, browser user agent, session data | Customer dashboard activity | Legitimate interest in service security, performance optimization, and fraud prevention (Art. 6(1)(f)) |
| Communication preferences | Marketing opt-in/opt-out flag and history | User selection during registration or in account settings | Consent (Art. 6(1)(a)) — marketing communications are sent only to those who have affirmatively opted in |
| Consent audit records | Truncated IP address, browser user agent, timestamp, document version hash, language shown at acceptance | Automatically recorded at time of legal document acceptance | Legal obligation (Art. 6(1)(c)) — GDPR Art. 5(2) accountability; Art. 7(1) demonstrating consent; Legitimate interest (Art. 6(1)(f)) — audit integrity (see Section 16) |
For special category data (Art. 9 GDPR): health-related information may be incidentally disclosed by callers during the course of scheduling appointments (e.g., stating the reason for a visit or a medical condition). We process such data under Art. 9(2)(h) — processing necessary for the provision of health care or treatment — and only to the extent necessary to fulfill the caller's request. We do not actively solicit health information beyond what is necessary for the scheduling function. Customer is responsible for ensuring appropriate notice and transparency to callers regarding such processing.
4. How We Use Your Data
We use the personal data described in Section 3 for the following purposes:
Account data — to create and manage Customer accounts; to authenticate Authorized Users; to communicate service-related information (billing, security alerts, product updates where opted in); to enforce this Policy and our Terms of Service.
Billing data — to process subscription payments via Stripe; to generate and maintain invoice records; to comply with tax and financial record-keeping obligations.
Call audio — to power the real-time AI voice agent response. Audio is streamed to our speech-to-text provider (Deepgram) for transcription and is not stored or retained by Aimée.
Call transcripts — to display call history and summaries in the Customer dashboard; to enable Customer staff to review calls and follow up on appointments; to generate analytics reports for the Customer.
Caller phone number — to route incoming calls; to display caller identification in the dashboard; to enable the AI agent to reference prior interactions where applicable.
Appointment data — to populate the Customer's appointment and task management workflows; to enable follow-up actions by clinic staff.
Usage analytics — to monitor Service security and detect fraudulent activity; to improve Service performance and reliability; to generate aggregated, non-identifiable usage statistics.
Communication preferences — to determine whether to send marketing communications, product announcements, or usage tips. We do not send marketing communications to users who have not affirmatively opted in.
Consent audit records — as described in Section 16.
5. Retention Periods
We retain personal data for the periods set out below. When data is no longer needed, we delete it, anonymize it, or reduce it to a form that can no longer be associated with an individual.
| Data Category | Default Retention | Configurable by Customer? |
|---|---|---|
| Call transcripts and call summary | 90 days from call date, then automatically NULLed by our GDPR service | Yes — Customer may reduce auto_delete_days in clinic settings |
| Caller phone number | Same as call transcripts | Yes — deleted or NULLed on the same schedule |
| Call metadata (timestamp, duration, agent ID) | 90 days (linked to transcript); anonymized metadata may be retained longer for aggregate analytics | No |
| Account and profile data | Duration of subscription + 7 years (required by US tax and financial record-keeping law) | No |
| Billing records and invoices | 7 years from invoice date | No |
| Audit logs of administrative actions | 7 years | No |
| Consent audit log entries | 7 years from date of consent (see Section 16) | No |
| Marketing communication preference history | Until opt-out, then archived; opt-out record retained indefinitely | No |
Where Customer exercises a right to erasure (Section 9.2), we anonymize identifying fields in personal records rather than deleting rows that are required for compliance or audit purposes. Specifically, consent log entries survive account deletion with the user reference set to null (see Section 16).
6. Legal Bases for Processing (EU/UK)
This Section is addressed specifically to Customers and data subjects located in the European Union, European Economic Area, or United Kingdom. For each processing activity, we rely on the following legal bases under GDPR Article 6 (and Article 9 for special category data):
- Contract performance (Art. 6(1)(b)): account management, billing, authentication, and core service delivery to Customers who have entered into a contract with us.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, call processing (transcripts, caller ID), analytics, and audit log integrity. In each case, Aimée's legitimate interests are balanced against the rights and interests of the data subjects concerned. Callers have a legitimate interest in having their calls answered efficiently; Customers have a legitimate interest in reviewing call records.
- Legal obligation (Art. 6(1)(c)): retention of financial records, tax compliance, and maintenance of consent audit logs for regulatory accountability purposes.
- Consent (Art. 6(1)(a)): marketing communications. Consent may be withdrawn at any time via account settings without affecting the lawfulness of processing prior to withdrawal.
- Art. 9(2)(h): processing of health-related information incidentally disclosed during healthcare appointment scheduling.
7. Subprocessors
We use the following third-party service providers ("subprocessors") to deliver the Service. Each subprocessor processes personal data only as directed by Aimée, under written data processing agreements that impose obligations equivalent to those in our DPA with Customers. Customers receive 30 days' advance email notice before we add or replace any subprocessor.
A complete, always-current subprocessor list with additional detail is maintained at aimee.ai/legal/subprocessors.
| Provider | Purpose | Data Location | Safeguards for Non-EU Transfers |
|---|---|---|---|
| Supabase, Inc. | Database and authentication | EU (Frankfurt, Germany) | DPA signed; data stored in EU — no international transfer required |
| Deepgram, Inc. | Speech-to-text transcription | USA | DPA signed; EU SCCs Module 2 (Commission Decision 2021/914) + UK IDTA (ICO, Version B1.0) |
| ElevenLabs, Inc. | Text-to-speech voice synthesis | USA | DPA signed; EU SCCs Module 2 (2021/914) + UK IDTA |
| Groq, Inc. | Large language model (LLM) inference — primary | USA | DPA accepted; EU SCCs Module 2 (2021/914) + UK IDTA |
| xAI Corp. | LLM inference — fallback | USA | DPA accepted; EU SCCs Module 2 (2021/914) + UK IDTA |
| Vercel, Inc. | Frontend hosting and edge delivery | USA (with EU edge nodes) | DPA signed (Pro plan); EU SCCs (2021/914) |
| Railway Corp. | Backend hosting | USA | DPA signed; EU SCCs Module 2 (2021/914) + UK IDTA |
| Telnyx LLC | Telephony services | EU + USA | DPA signed; EU SCCs for US-routed traffic (2021/914) + UK IDTA |
| Stripe, Inc. | Payment processing | USA | DPA signed; EU SCCs Module 2 (2021/914) + UK IDTA; PCI-DSS Level 1 certified |
8. International Data Transfers
Where we transfer personal data of EU/EEA or UK data subjects to subprocessors located in the United States, those transfers are governed by:
- For EU/EEA data: the Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission in Decision (EU) 2021/914, incorporated by reference into our agreements with each US subprocessor.
- For UK data: the UK International Data Transfer Addendum to the EU SCCs (issued by the UK ICO), incorporated by reference.
- Supplementary measures: TLS 1.2+ encryption in transit, encryption at rest, role-based access controls, audit logging, and contractual prohibitions on government access without legal challenge.
A full list of subprocessors with their applicable safeguards is available at aimee.ai/legal/subprocessors. Customers receive 30 days advance email notice before any subprocessor change.
9. Your Rights
9.1 All Users
Regardless of your location, you have the following rights in relation to your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request that we correct inaccurate or incomplete personal data.
- Deletion: request that we delete your personal data, subject to applicable legal retention requirements (see Section 16 for consent audit records).
- Portability: receive a copy of your data in a structured, commonly used, machine-readable format.
To exercise these rights, contact us at founder@tryaimee.com with subject "Privacy Request" and sufficient detail to verify your identity.
9.2 EU/EEA and UK Residents (GDPR / UK GDPR)
If you are located in the EU/EEA or UK, you have additional rights under GDPR Articles 15–22:
- Right of access (Art. 15): obtain confirmation of whether we process your personal data and receive a copy.
- Right to rectification (Art. 16): have inaccurate personal data corrected without undue delay.
- Right to erasure (Art. 17): have personal data deleted ("right to be forgotten") where it is no longer necessary, consent is withdrawn, or processing is unlawful — subject to the limitations described in Section 16 for consent audit records.
- Right to restriction of processing (Art. 18): restrict our processing of your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured format and transmit it to another controller.
- Right to object (Art. 21): object to processing based on legitimate interests; we will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Art. 22): the Service does not make solely automated decisions that produce legal or similarly significant effects on individuals.
Supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority. For EU/EEA residents, the relevant authority is the supervisory authority of the EU member state where you reside, work, or where the alleged infringement occurred. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. For UK residents, the relevant authority is the UK Information Commissioner's Office (ICO) at ico.org.uk.
9.3 California Residents (CCPA / CPRA)
Notice at Collection: personal information is collected at the categories and for the purposes described in Section 3 above.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: know what categories of personal information we collect, use, disclose, or sell, and to access the specific personal information we hold about you.
- Right to delete: request deletion of your personal information, subject to certain exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: Aimée does not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not sell personal data to third parties, and we do not share personal data with third parties for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: we do not use or disclose sensitive personal information beyond the purposes permitted by the CPRA without your explicit consent.
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a CCPA/CPRA request, contact us at founder@tryaimee.com or via your account dashboard. We will respond within 45 days.
9.4 Other US State Residents
We honor privacy rights under applicable state privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other US states that have enacted comprehensive privacy legislation, to the extent those laws apply to our processing activities. The rights available are substantially equivalent to those described in Section 9.3. Submit requests to founder@tryaimee.com.
10. How to Exercise Your Rights
To exercise any privacy right described in Section 9:
- Email founder@tryaimee.com with the subject line "Privacy Request".
- Include your full name, the email address associated with your account (or used when contacting a clinic), the specific right you wish to exercise, and sufficient detail for us to identify you and locate your data.
- We may ask for additional verification to confirm your identity before processing your request.
Response times:
- EU/EEA and UK requests (GDPR/UK GDPR): response within 30 days of receiving a complete request. Complex requests may be extended by a further 60 days with notice.
- US requests (CCPA/CPRA and other states): response within 45 days of receiving a verifiable consumer request.
For callers (patients who called a clinic using the Service): direct your request to the clinic you contacted. Clinics are the data controller for caller data processed in connection with their use of the Service. Aimée acts as a data processor on behalf of the clinic for that data. We will assist clinics in fulfilling data subject requests as required by our DPA.
11. Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration:
- Encryption in transit: all data is transmitted using TLS 1.2 or higher.
- Encryption at rest: database contents and backups are encrypted using AES-256.
- Access control: role-based access control (RBAC) ensures that employees and contractors access only the data necessary for their role. Multi-factor authentication is required for administrative access.
- Audit logging: administrative actions affecting personal data are recorded in an immutable audit log.
- Data minimization: call audio is processed in real time and is not stored or retained. Only the resulting transcript is saved, subject to the retention periods in Section 5.
- Monitoring and incident response: we use uptime monitoring and error tracking to detect security incidents. In the event of a Personal Data Breach affecting EU/EEA or UK data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33), and will notify affected Customers without undue delay.
- Third-party security: all subprocessors listed in Section 7 are subject to security due diligence and contractual security obligations.
12. Cookies and Tracking
Aimée uses cookies and similar technologies on the Service and on our marketing website. Non-essential cookies are only set after you make a choice in our cookie banner ("Accept all", "Reject all", or "Customize") — until then, Analytics and Marketing cookies default to denied.
We use three cookie categories:
- Necessary — always on, cannot be disabled. Required for login sessions, security, and remembering your saved preferences.
- Analytics — Google Analytics 4. Loaded only if you accept the Analytics category.
- Marketing — reserved category, visible in the cookie banner, but no marketing or advertising cookies are currently loaded (no Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or similar). We will not load any marketing cookie without first updating this Policy and requesting your consent.
| Cookie | Category | Set by | Purpose | Lifetime |
|---|---|---|---|---|
sb-*-auth-token | Necessary | Aimée (Supabase Auth) | Keeps you signed in | Session, up to 7 days |
NEXT_LOCALE | Necessary | Aimée | Remembers your interface language | 1 year |
| CSRF/session cookie | Necessary | Aimée | Protects form submissions from forgery | Session |
_ga | Analytics | Google Analytics | Distinguishes visitors | 2 years |
_ga_* | Analytics | Google Analytics | Persists session state | 2 years |
Changing or withdrawing your choice: you can review or change your cookie preferences at any time via the "Cookie settings" link in the footer of the Service and of our website. Withdrawing consent is as easy as giving it, and does not affect the lawfulness of any processing carried out before withdrawal.
Consent record: each time you accept, reject, or customize your cookie preferences, we log the action (timestamp, a salted one-way hash of your IP address, a hash of your user agent, the categories chosen, and which control you used) as a record of consent for compliance purposes. We never store your raw IP address. This consent log is retained for up to 24 months.
EU/EEA and UK users are not required to accept any cookies beyond strictly necessary cookies to use the Service. If you have questions about specific cookies used by the Service, contact founder@tryaimee.com.
13. Children's Privacy
The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from individuals under 16. If we learn that we have inadvertently collected personal information from a child under 16, we will take prompt steps to delete that information. If you believe that a child's personal information has been submitted to the Service, please contact us immediately at founder@tryaimee.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of changes as follows:
- Material changes (such as new categories of data collected, new subprocessors, or changes to your rights): we will provide at least 30 days' advance written notice to the email address on file in your account before the updated Policy takes effect.
- Minor or cosmetic changes (such as clarifications or formatting updates that do not affect your rights or our practices): we may update the Policy without prior notice, but we will always update the version date at the top.
Your continued use of the Service after a material change takes effect constitutes acceptance of the updated Policy. For changes that require your active re-acceptance under our three-tier re-acceptance system, you will be prompted to review and accept the updated Policy in the Service dashboard.
15. Contact Us
For privacy-related questions, rights requests, and data protection inquiries:
Aimée LLC 30 N Gould St, Ste R, Sheridan, WY 82801, USA Email: founder@tryaimee.com Subject line: "Privacy Request" or "Legal Notice"
Data Protection Officer: Aimée LLC has not formally appointed a Data Protection Officer, as our current processing activities and scale do not trigger the mandatory DPO requirement under GDPR Article 37 (we are not a public authority, we do not engage in large-scale systematic monitoring of individuals, and our processing of special category data is limited and incidental to our primary business function). The contact email above serves the equivalent function for all data protection inquiries.
For complaints that cannot be resolved directly, EU/EEA residents may contact their national supervisory authority and UK residents may contact the Information Commissioner's Office (ico.org.uk).
16. Special Notice — Consent Audit Logs
When you accept our Terms, Privacy Policy, DPA, or change your marketing preferences, we record a consent event including a truncated IP address (first 3 octets for IPv4 / first 48 bits for IPv6), browser user-agent, timestamp, and a cryptographic hash of the document version you saw, together with the language in which it was presented.
Lawful basis for this retention: these records are processed and retained under:
- GDPR Art. 6(1)(c) — compliance with a legal obligation, specifically Aimée's accountability obligation under GDPR Art. 5(2) and the obligation under Art. 7(1) to be able to demonstrate that consent was obtained; and
- GDPR Art. 6(1)(f) — legitimate interest in maintaining the integrity of audit logs for fraud prevention, contractual evidence, and regulatory compliance.
Important: because these records exist to satisfy a legal obligation, and because they have been minimized (truncated IP, no full identifier), we may decline requests to erase them under GDPR Art. 17(3)(b) and (e). They are retained for seven (7) years from the date of consent, which matches the longest applicable statute of limitations for contractual claims in the jurisdictions we operate in.
If you delete your account, the user account record is anonymized but the consent log entries remain with the user reference set to null. This ensures we can prove consent was lawfully obtained without continuing to process you as an identifiable individual.
This Privacy Policy is effective as of July 1, 2026. Version 2026-07-01.