Privacy Policy
This Privacy Policy explains how Adeimantos Ltd handles your data across our entire suite of products. Our model is deliberately narrow: we collect what we need to deliver the service to you, and we treat public‑signal data transiently — never as a long‑term identity store.
i. Who we are
The data controller for personal data processed across the Adeimantos AI suite is:
A company registered in England and Wales (company number: 17201404)
Registered office: Prime Apartments, 483 Green Lanes, London, N13 4FG
ICO registration: 00014014474
Contact: contact@adeimantos.com
A single ICO registration covers the entire studio. Each product in the suite operates under this same registration and under this Privacy Policy.
ii. Scope of this policy
This policy applies to all websites, products, and services operated by Adeimantos Ltd, including adeimantos.com and the individual product domains in our suite. Where a product has product‑specific processing notes, those are set out in the relevant Product Schedule, which sits alongside this policy.
iii. The two data streams
Our processing falls into two clearly separated streams, each with its own legal basis and lifecycle.
Stream 1 — Contractual. The data you give us so we can deliver the service: account details, voice profiles, brand documents, prompts, payment records.
Stream 2 — Public signal. Public posts, titles, and engagement signals from third‑party platforms, processed transiently to surface niche demand. Identity markers are discarded within 24 hours.
iv. Stream 1 — Contractual basis
What we collect. The personal data you provide directly:
- Account information (name, email, password hash, time zone);
- Inputs you submit (voice profiles built from your own material, brand documents, newsletter brain‑dumps, prompts, reference URLs);
- Output history and account settings;
- Billing records (where the product has paid plans, handled by our Merchant of Record — see section vii);
- Support correspondence;
- Technical logs necessary to operate the Service (IP address, user agent, error logs, request timestamps).
Why we collect it. To deliver the Service you have signed up for, to bill you, to support you, to keep the Service secure and operational, and (where you have chosen to receive them) to send you marketing communications about our products.
Legal basis. Performance of a contract for the core service (UK GDPR Article 6(1)(b)). Where we process security or fraud‑prevention logs beyond what is strictly necessary for the contract, we rely on our legitimate interest in keeping the Service safe (Article 6(1)(f)). For marketing emails, we rely on either your consent (Article 6(1)(a)) or, where applicable, the ‘soft opt‑in’ under regulation 22 of the Privacy and Electronic Communications Regulations 2003 — see “Email communications” below.
Email communications
We send two distinct kinds of email, and we treat them differently.
- Service emails — sign‑in magic links, billing confirmations, security alerts, support replies, material change notices, and similar communications that are necessary to deliver the Service or to comply with our legal obligations. These are sent on the basis of contract performance (Article 6(1)(b)) or legal obligation (Article 6(1)(c)) and cannot be opted out of while you have an active account.
- Marketing emails — product news, feature launches, occasional tips on getting more out of the Service, and information about other Adeimantos AI products that may be useful to you. We send these only where (a) you have given us explicit consent, or (b) you are an existing customer of an Adeimantos AI product and the marketing is for similar products from our suite, in which case we rely on the ‘soft opt‑in’ in regulation 22 of the Privacy and Electronic Communications Regulations 2003.
Whichever basis applies, you can opt in or out of marketing emails at any time from the marketing preferences in your product settings, and every marketing email contains a clear unsubscribe link. Your marketing preference is shown to you on first sign‑up and remains visible in your account settings, so you always know what you have agreed to and can change it without contacting us. Opting out of marketing emails does not affect service emails or your access to the Service.
v. Stream 2 — Public‑signal intelligence (legitimate interests)
To produce niche‑aware, on‑target output, our pipelines analyse public signals from third‑party platforms — for example, public posts, public titles, public engagement counts, and public comments. This is what allows the Service to surface live demand patterns and ground each Output in real signal rather than generic prompting.
Legal basis. Legitimate interests (UK GDPR Article 6(1)(f)). We have carried out a Legitimate Interests Assessment ("LIA") that records: (i) our specific commercial interest in producing niche‑aware analysis as a transient curation layer (we do not use Stream 2 data as model training data); (ii) why this processing is necessary and why less intrusive alternatives have been considered and rejected; and (iii) the balancing of that interest against the rights and freedoms of the creators whose public content is transiently processed. The LIA documents the compelling grounds on which we would continue processing in the face of an objection under Article 21, and is reviewed alongside the DPIA. A summary of the LIA is available on request, and the full LIA is available to the Information Commissioner's Office on request.
Data Protection Impact Assessment (DPIA)
Because Stream 2 involves the systematic, large‑scale processing of personal data drawn from public sources, we treat it as triggering the requirement for a Data Protection Impact Assessment under UK GDPR Article 35. The DPIA was completed, dated, and signed off before Stream 2 processing commenced, in line with our obligations under Article 35(1) to assess the impact of envisaged processing operations prior to the processing. The DPIA documents the purposes of the processing, the necessity and proportionality of the operations, the safeguards set out below, the residual risk to data subjects, and the rationale for relying on Article 14(5)(b) (see further below). We review and update the DPIA on a defined cadence and whenever the pipeline materially changes, with each version dated and signed off by the controller. A summary of the DPIA is available on request to data subjects, and the full DPIA, with version history, will be provided to the Information Commissioner's Office on request.
How we minimise impact on data subjects
- Public‑only. We process only data made publicly available by the data subject through their chosen platform.
- Transient processing. Identity markers (handles, names, profile URLs, profile images) are stripped from the analytical pipeline within 24 hours of ingestion. What remains is content‑level signal — themes, structure, demand patterns — not a persistent profile of any individual.
- No model training. We do not use Stream 2 data to train or fine‑tune foundation AI models. Stream 2 is a transient curation layer, not a training corpus.
- No re‑identification attempts. Once identity markers are stripped, we make no attempt to re‑identify any individual whose public content was processed.
- Platform compliance. Where a third‑party platform's terms of service govern access to public signal (for example, X, YouTube), the relevant Product Schedule sets out how the product complies with those terms.
Article 14(5)(b) — disproportionate effort
UK GDPR Article 14 normally requires a controller to inform a data subject when their personal data has been obtained from a source other than the data subject. Article 14(5)(b) provides an exemption where giving that information would prove impossible, would require disproportionate effort, or is likely to render impossible or seriously impair the achievement of the objectives of the processing.
We rely principally on the third limb: providing individual notice would seriously impair the achievement of the objective of the processing. That objective is transient analysis with identifier stripping within 24 hours. Building an individual notification channel would require us to retain the very identity markers we are committing to discard, materially increasing privacy impact rather than reducing it. We also note the practical impossibility of contacting every data subject whose public comment is transiently sampled at internet scale.
Appropriate measures. Article 14(5)(b) is conditional on the controller taking appropriate measures to protect data subjects’ rights, freedoms, and legitimate interests. The measures we take are:
- Publishing this Privacy Policy at a stable canonical URL and making the Stream 2 description specific (sources, purpose, lawful basis, processor relationships) rather than generic;
- Stripping identifiers (handles, names, profile URLs, profile images) from the analytical pipeline within 24 hours of ingestion;
- Operating a hard‑stop content filter to exclude posts whose primary subject matter is special category data, before they are passed to the analytical layer (see below);
- Not using Stream 2 data to train, fine‑tune, or otherwise build foundation AI models;
- Making no attempt to re‑identify any individual whose public content was processed;
- Providing a working rights mechanism (see section xi) by which data subjects can exercise the rights that remain meaningfully exercisable after identifier stripping, in particular the Article 21 right to object to future processing.
The Article 14(5)(b) reliance, including the appropriate measures listed above, is documented in the DPIA referenced earlier in this section.
Special category data — Article 9 considerations
Stream 2 is designed to surface niche demand and content patterns. It is not designed to draw inferences about sensitive personal attributes. Our pipeline does not target health information, political opinions, religious or philosophical beliefs, racial or ethnic origin, sexual orientation, trade union membership, or biometric or genetic data — categories of personal data treated as "special category data" under UK GDPR Article 9.
We acknowledge that public posts on third‑party platforms can incidentally contain special category data — for example, a creator posting publicly about their political views, religious beliefs, or health journey. To handle this risk:
- Article 9(2)(e) reliance. Where special category data appears in content that has been manifestly made public by the data subject on a public platform, we rely on the condition in UK GDPR Article 9(2)(e). Article 6(1)(f) (legitimate interests) alone is not sufficient for special category data, and we do not rely on it in isolation;
- Auditable hard‑stop filter. Our pipeline applies a hard‑stop content filter designed to detect and exclude posts whose primary subject matter is special category data, before they are passed to the analytical layer. The filter is logged: each ingestion run produces an auditable record of how many posts were dropped at the special‑category gate and the confidence threshold applied. The filter logic is versioned and reviewed alongside the DPIA, and the operative version can be produced for regulatory inspection. We treat detection of likely special category content as a signal to drop the post from the pipeline rather than to retain it for analysis;
- Identity stripping still applies. Identity markers attached to any post are stripped within 24 hours, as set out above, and we make no attempt to derive a profile of any individual's special category attributes;
- No special‑category modelling. We do not use Stream 2 data to train, fine‑tune, or otherwise build models intended to infer special category attributes about identifiable individuals.
The DPIA covers our analysis of residual special‑category risk and the operational controls used to mitigate it.
vi. Cookies & analytics
We use the minimum number of cookies necessary to operate the Service. The categories of cookies we use, our overall approach to non‑essential cookies, and the consent mechanism are set out in our Cookie Policy. The specific cookies set on each product’s own domain are listed in the relevant Product Schedule, because cookies are scoped to the domain that sets them and each product in the suite operates from its own domain. We do not use third‑party advertising cookies on any product domain.
vii. Sharing & processors
We share personal data only with carefully selected processors who help us run the Service, each under a written data processing agreement. Categories of processor include:
- Merchant of Record — for products with paid plans, billing is handled by a Merchant of Record (currently Paddle and/or Lemon Squeezy) who acts as the legal seller of record for the transaction and handles VAT and sales tax compliance and refund handling. Where a product is currently offered free of charge (for example during a private beta), no Merchant of Record processes data for that product;
- Hosting and infrastructure providers — for application hosting, databases, and content delivery;
- Email and transactional messaging providers — for account, billing, and support emails, and for delivering marketing emails to those who have opted in;
- AI model providers — for inference. Where we send prompts to third‑party model providers, we use enterprise/no‑training endpoints where available so that your inputs are not used to train their models;
- Analytics providers — privacy‑respecting analytics only, with IP truncation enabled where applicable;
- Customer support tooling — for ticket handling and conversation history.
The current list of named processors used by each product is maintained in the relevant Product Schedule. As the suite grows we may consolidate this into a single studio‑wide processor list at adeimantos.com/processors; until then, refer to the Schedule for the product you are using. We will not sell your personal data. We will only disclose data to law enforcement or other public authorities where legally compelled to do so.
Business transfers, mergers, and product spin‑outs
Adeimantos Ltd operates as a product studio and may, in the ordinary course of running the business, sell, spin out, or otherwise transfer individual products within the suite. If Adeimantos Ltd, or an individual product within the Adeimantos AI suite, is involved in a merger, acquisition, corporate reorganisation, spin‑out, sale of assets, or similar transaction, the personal data we hold that is relevant to the affected entity or product may be transferred to the acquiring or successor entity. After such a transfer, the acquiring entity may become the data controller for that data, and your personal data may become subject to a different privacy policy maintained by that entity.
Where such a transfer is planned, we will:
- Notify affected account holders by email or in‑product notice before the transfer takes effect, where reasonably practicable;
- Identify the acquiring entity and link to its privacy policy so you can review it before the transfer;
- Provide a reasonable opportunity for you to close your account and request deletion of your data prior to transfer if you do not wish your data to be transferred to the acquiring entity.
This clause operates alongside, and is consistent with, the Assignment provision in our Terms of Service.
viii. International transfers
Some of our processors are based outside the UK. Where personal data is transferred to a country that is not the subject of a UK adequacy decision, we put in place the safeguards required by Articles 44–49 of UK GDPR. The instrument we typically rely on is:
- The UK International Data Transfer Agreement (IDTA), in its current form; or
- The UK Addendum to the EU Standard Contractual Clauses, where a processor's group standard is the EU SCCs.
We carry out a transfer risk assessment for each onward transfer, and we apply supplementary measures (such as encryption in transit, encryption at rest, key management controls, and access minimisation) where the assessment indicates they are appropriate. Where a Merchant of Record is engaged to handle billing for a paid product, the Data Processing Agreement we hold with that Merchant of Record is maintained in line with current UK standards and incorporates the IDTA or the UK Addendum as applicable. We review our transfer documentation when the underlying instruments are updated by the ICO.
ix. Retention
We keep personal data only for as long as necessary for the purposes described in this policy:
- Account data — for the life of your account, plus a limited period after closure for legal, tax, and dispute‑handling purposes (typically up to 6 years for tax records);
- Inputs and Output history — for the life of your account, unless you delete them sooner from within the Service;
- Billing records — where applicable, retained by the Merchant of Record under their own retention policy and applicable tax law;
- Stream 2 identity markers — discarded within 24 hours of ingestion;
- Security and operational logs — typically 30–90 days, longer where required for security investigation.
Where you exercise your right to erasure under Article 17, or where you close your account, we delete your personal data within one month of the verified request, unless we are required by law to retain specific records (for example, tax records under HMRC requirements). Backups are overwritten in line with our backup rotation, typically within a further 30 days of the deletion. Where verification of your identity is required before we can act on the request, the one‑month period runs from the date of completed verification (see section xi).
x. Security
We use technical and organisational measures appropriate to the risk: encryption in transit, encryption at rest for sensitive stores, principle‑of‑least‑privilege access, multi‑factor authentication on administrative access, structured logging, and routine review of access controls. No system is perfectly secure.
If a personal data breach occurs and is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner’s Office without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in line with Article 33 of UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in line with Article 34, including the nature of the breach, the likely consequences, and the measures we have taken or propose to take. We document all personal data breaches internally, including those that do not meet either notification threshold.
Vulnerability disclosure
Security researchers and members of the public can report suspected vulnerabilities to security@adeimantos.com. We acknowledge receipt within 72 hours and treat reports confidentially in line with responsible disclosure principles. A machine‑readable disclosure record is published at /.well-known/security.txt on each of our domains.
xi. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you;
- Have inaccurate data rectified;
- Have your data erased, in the circumstances set out in Article 17;
- Restrict our processing of your data;
- Receive your data in a portable format;
- Object to processing carried out on the basis of our legitimate interests, including Stream 2 processing of your public content where you can identify it;
- Withdraw consent at any time, where consent is the legal basis;
- Lodge a complaint with the Information Commissioner's Office.
To exercise any of these rights, contact us at contact@adeimantos.com. We respond to rights requests without undue delay and in any event within one calendar month of receipt. We may require you to verify your identity before we can act on a request, particularly where there are reasonable doubts about the requester. Where verification is required, we will tell you what is needed and the one calendar month period runs from the date verification is complete. The response period may be extended by a further two months for particularly complex or numerous requests, in which case we will tell you within the first month and explain the reason for the extension.
This position is supported by UK GDPR Article 11, which provides that where the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject, the controller is not obliged to maintain, acquire, or process additional information solely to identify the data subject for the purposes of complying with the Regulation. Where we can demonstrate that we are not in a position to identify the data subject from the information remaining in our pipeline after identifier stripping, the rights set out in Articles 15 to 20 do not apply in respect of that data, save where the data subject provides additional information enabling identification (for example, a specific public post they can identify as their own).
xii. Children
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
xiii. Changes
We may update this policy from time to time. The current version is always available at adeimantos.com/privacy. If a change is material, we will notify account holders by email or in‑product notice before it takes effect.
xiv. Contact & complaints
For privacy questions, rights requests, or complaints, contact us at contact@adeimantos.com.
You have the right to complain to the UK Information Commissioner's Office:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Adeimantos Ltd, a company registered in England and Wales (company number 17201404). Registered office: Prime Apartments, 483 Green Lanes, London, N13 4FG.