Privacy policy
Last updated 26 May 2026 · Effective immediately · Controller: Kodeværk Danmark, Denmark (CVR 46346084)
Controller
The controller responsible for processing your personal data is Kodeværk Danmark, Tunnelvej 8, 6392 Bolderslev, Denmark (CVR 46346084). Contact: hello@aiterm.io.
What we collect
Account data
When you create an account, we store your email address, a salted PBKDF2 hash of your password, and the name you provide. We never store your password in plain text.
Session cookie
On login we set a single HttpOnly, SameSite=Lax, Secure cookie (aiterm_session) holding a random session identifier. It expires after 24 hours of inactivity.
Pairing data
When you install the connector, a short-lived pairing code is generated together with your machine's hostname and a scan result (which AI binaries are present). Pairing data is deleted automatically after one hour or when claimed.
Connector state
For each connector token we store the most recent scan result and connector version, so the dashboard can show them. We do not store directory listings, file contents, command history, or AI prompts.
Server logs
Our nginx server records the IP address, timestamp, request URL and user agent for every request. Logs rotate after 14 days and are used only for abuse defence and debugging.
AI conversations
AI prompts and outputs are streamed live between your browser and your machine. We buffer the last 200 KB per session on the hub to support reconnects, but we do not persist conversations to disk.
Why we process it
- Operating the service (authentication, terminal routing, presence).
- Securing the service (rate-limiting, abuse detection, cert pinning).
- Sending essential service emails (email verification, account changes).
- Complying with our legal obligations (tax, bookkeeping, court orders).
Legal basis
Performance of contract (Art. 6(1)(b) GDPR) for everything we need to deliver the service you signed up for; legitimate interests (Art. 6(1)(f) GDPR) for security logs and abuse defence; legal obligation (Art. 6(1)(c) GDPR) for tax and accounting records; consent (Art. 6(1)(a) GDPR) only where we explicitly ask, e.g. before storing voice input in a transcript.
How long we keep it
Account data: until you delete your account. Session cookies: 24 hours. Pairing data: 1 hour. Connector state: while the token exists. Server logs: 14 days. Email-verification tokens: 24 hours after issue.
Third parties
We don't sell personal data and we don't use third-party analytics, advertising, or tracking pixels. We use Let's Encrypt for TLS certificates, but Let's Encrypt does not receive your personal data. Outbound email is delivered by our own SMTP server — no third-party email provider.
International transfers
All servers are in the European Economic Area (Germany and Denmark). We do not transfer your personal data to third countries.
Your rights
Under the GDPR you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (subject to legal retention).
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, withdraw it at any time.
To exercise any of these rights, write to hello@aiterm.io. We respond within 30 days.
Complaints
If you believe we are mishandling your data, you may lodge a complaint with the Danish Data Protection Agency (Datatilsynet) — datatilsynet.dk — or your local supervisory authority in the EU member state where you reside.
California residents (CCPA/CPRA)
If you reside in California, you have the right to know what personal data we collect about you, to request deletion, to correct inaccuracies, and to opt out of any sale or sharing of your data. We do not sell personal data. Submit requests to hello@aiterm.io.
Children
AITerm is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, please contact us and we will delete it.
Changes
When we change this policy in a material way, we notify active account holders by email at least 30 days before the change takes effect. The current version is always available at this URL.