Privacy Policy
1. Who We Are
AI Central Tools (AICT) operates aicentraltools.com, providing 330+ AI-powered tools in 19 languages. Contact: [email protected].
2. Data We Collect
- Registration: email address, display name, registration date.
- Subscription: Stripe processes billing; we store only Stripe Customer ID and subscription status.
- Tool usage: text inputs sent to our AI backend to generate outputs. Inputs and outputs are stored in your account history for 90 days (so you can re-open past results) and then automatically deleted. Guest / logged-out runs are not associated with an account and persist only for the length of your browser session.
- Usage counters: daily tool use counts per user (WordPress user meta) to enforce free-tier limits.
- Affiliate referrals: if you visit via a ?ref=CODE link we store the code server-side in a PHP session (no persistent tracking cookie is set; the standard PHPSESSID session cookie expires when you close the browser) and in your user meta after signup, for commission attribution.
- Analytics: Google Analytics 4 with anonymised IP addresses.
3. Cookies We Use
For the full inventory with retention and purpose, see our Cookie Policy. Summary:
- wordpress_* / wp-settings-* — Essential. WordPress session and login cookies.
- aict_consent / aict_consent_v1 — Essential. Records your cookie banner choice (accept / reject / partial).
- aict_persona — Functional. Stores your onboarding persona so we tailor tool recommendations.
- aict_subscribed, aict_exit_seen — Functional. Suppress newsletter / exit-intent popups after dismissal.
- _ga, _ga_* — Analytics. Google Analytics 4 with anonymised IP addresses. Only set when you accept analytics in the cookie banner.
- stripe_* — Functional. Stripe payment session cookies, set only during checkout.
- PHPSESSID — Functional. Only set when you arrive via a referral link (?ref=CODE) to store the affiliate code server-side.
- We do not set advertising or cross-site tracking cookies.
4. How We Use Your Data
- To operate and personalise the service (usage limits, account features).
- To process payments and manage subscriptions via Stripe.
- To send transactional emails (receipts, account confirmation) via Brevo.
- To send our newsletter if you have opted in (unsubscribe any time).
- To measure and improve site performance via GA4 analytics.
- To attribute affiliate commissions via server-side PHP session and user meta.
5. Legal Basis (GDPR)
- Contract: processing necessary to provide the service.
- Legitimate interests: analytics, fraud prevention, security.
- Consent: newsletter emails (withdraw at any time).
- Legal obligation: accounting records for paid subscribers.
6. Data Retention
Account data: retained while active, deleted 90 days after account deletion. Stripe records: 7 years (accounting compliance). Affiliate referral logs: 36 months. Analytics: per Google retention policy.
7. Data Sharing
We share data with the following sub-processors (GDPR Art. 28). All are EU-region where available. Updated 2026-05-25 to disclose all 18 active sub-processors per the Wave 3 trust audit.
- Stripe (US/EU) - payment processing for subscriptions; we store only your Stripe Customer ID, never card data.
- Brevo / Sendinblue (EU - France) - transactional and newsletter email delivery.
- OpenAI (US) - AI text + audio generation (gpt-4o-mini fallback, Whisper for transcription, TTS for voice); inputs processed transiently and not retained for training (per OpenAI API data policy).
- Anthropic Claude (US) - premium AI text generation for Business + Agency tiers; inputs processed transiently per Anthropic API data policy.
- Google Gemini (US/EU) - AI text + image generation (Imagen 3, Gemini 2.5); inputs processed per Google API terms.
- Cerebras (US) - high-throughput inference for selected fast-mode text-generation tools; inputs processed transiently per Cerebras API data policy, not retained for training.
- Groq (US) - low-latency inference for selected fast-mode text-generation tools; inputs processed transiently per Groq API data policy, not retained for training.
- Mistral (EU - France) - OCR + document intelligence for the OCR Document Scanner, Batch OCR, PDF Summarizer, PDF-to-Slides and Contract Analyzer tools. Uploaded PDFs and images are sent to Mistral for text extraction; not retained for training.
- ElevenLabs (US) - premium voice synthesis (TTS) for Creator+ tier voice tools; text inputs processed per ElevenLabs API data policy, not retained for training.
- Modal (US) - serverless AI infrastructure for our embedding model (bge-m3) used by the RAG chatbot and tool-search. Queries are processed transiently.
- Supabase (EU - Frankfurt) - Postgres + pgvector storage for the RAG chatbot knowledge base and tool-search index. Stores anonymised query embeddings, not the original prompts.
- PostHog (EU Cloud - Frankfurt) - product analytics for behavioural events (page views, tool clicks, error rates). EU data residency; respects DNT and consent banner.
- Langfuse (EU - Frankfurt) - LLM observability and prompt-quality tracing for engineering. Stores per-request metadata (token counts, latency, model name) and may include redacted prompt/response samples for evaluation. EU data residency.
- Sentry (EU - Frankfurt) - application error monitoring. Captures stack traces, browser/user-agent metadata, and the URL where an error occurred. IP addresses are scrubbed; we do not forward tool inputs to Sentry.
- Google Analytics 4 (US/EU) - aggregate site analytics with anonymised IP addresses.
- Cloudflare (Global) - CDN, DDoS and WAF protection; HTTP request metadata cached.
- Hetzner (EU - Germany / Finland) - underlying VPS hosting provider.
- AWIN (UK/EU) - affiliate-network tracking when you click out to partner-tool sponsored links (only after explicit consent).
Additional Data Processors (as of 2026-05-20):
- Cerebras Systems (US) - LLM inference provider used for the majority of text-generation tools (qwen-3-235b model). Prompts and generated outputs are processed transiently and are not retained for training. Cross-border transfer to the United States relies on Standard Contractual Clauses (SCCs). Retention: per provider policy (typically <30 days for operational logs).
- Sentry (US) - application error tracking and performance monitoring. Receives stack traces, browser/runtime metadata and request URLs; personally identifying values are scrubbed before transmission. Cross-border transfer to the United States relies on SCCs. Retention: 90 days by default.
- MailerLite (EU/US) - email-delivery infrastructure for newsletters and lifecycle messages (complements Brevo). Receives subscriber email address and subscription-lifecycle events (subscribe, unsubscribe, open, click). Retention: while subscribed plus 12 months after unsubscribe for suppression-list compliance.
- Cloudflare R2 (Global / encrypted at rest) - object-storage backups of database snapshots and user-generated media. Stored objects are server-side encrypted (AES-256). Access is restricted to operations personnel for disaster recovery. Retention: rolling 30-day window for snapshots; 90 days for media archives.
- For Data Subject Access Requests (DSAR) covering any processor above, contact [email protected].
- We do not sell your personal data. Cross-border transfers to US-based processors rely on Standard Contractual Clauses (SCCs) and supplementary technical measures.
8. Your Rights (GDPR)
- Access a copy of your personal data.
- Correct inaccurate data.
- Request deletion of your account and data.
- Withdraw consent for newsletter communications.
- Lodge a complaint with your local data protection authority.
- To exercise these rights: email [email protected].
9. Security
We implement HTTPS/TLS, Cloudflare DDoS and WAF protection, and access-controlled hosting. No internet transmission is 100% secure.
10. Children
AICT is not directed at children under 16. We do not knowingly collect their personal data.
11. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via email or site notice.
12. Contact
Privacy questions: [email protected]