Back to Aira

Privacy Policy

Last updated: March 17, 2026

1. Controller

Softure UG (haftungsbeschränkt)
Scharfenberger Str. 28, 13505 Berlin, Germany
Email: customers@softure-ug.de

For data protection inquiries, contact our Data Protection Officer at customers@softure-ug.de.

2. What We Collect

We process the following categories of personal data:

  • Account data — email address, name, and organization name provided during registration.
  • Usage data — API calls, timestamps, endpoints accessed, and request metadata for service operation and billing.
  • AI evaluation data — the decisions, prompts, and model responses you submit through the Aira API. These are processed to deliver the service and generate audit proofs.
  • Technical data — IP address, browser type, and device information collected automatically via server logs.

3. Legal Basis

We process your data based on:

  • Contract performance (Art. 6(1)(b) GDPR) — to provide the Aira service.
  • Legitimate interests (Art. 6(1)(f) GDPR) — for security, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c) GDPR) — for tax and accounting compliance.

4. Sub-Processors

To deliver multi-model AI evaluations, we transmit evaluation data to the following AI providers acting as sub-processors:

  • OpenAI, Inc. — San Francisco, USA (Standard Contractual Clauses in place)
  • Anthropic, PBC — San Francisco, USA (Standard Contractual Clauses in place)
  • Google LLC — Mountain View, USA (Standard Contractual Clauses in place)

All sub-processors are contractually bound not to use your data for training or purposes beyond providing the service.

5. Data Retention

  • Account data is retained while your account is active and for 30 days after organization deletion.
  • When a team member leaves an organization, their personal data (email, password) is immediately anonymized. Audit log entries are preserved with the actor shown as "Deleted user" to maintain compliance records.
  • When an organization owner deletes the organization, all data (users, cases, receipts, API keys, audit logs) is permanently and irreversibly removed.
  • Evaluation data and audit proofs are retained for 7 years to meet regulatory requirements, or as configured in your plan.
  • Server logs are retained for 90 days.

6. Cookies

Aira does not use tracking cookies or third-party analytics. We use only strictly necessary session cookies to maintain your authenticated session. No consent banner is required.

7. Your Rights

Under the GDPR, you have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Restriction — restrict processing in certain circumstances.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, email customers@softure-ug.de. We will respond within 30 days.

8. Data Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Audit proofs are signed with Ed25519 keys and timestamped via RFC 3161. Access to production systems is restricted by role-based access control.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence. Our lead supervisory authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

10. Changes

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect.