Privacy Policy
CAPX Holding, Oberallmendstrasse 18, 6300 Zug, Switzerland ("we", "us", "our"), represented by Maximilian Carl Friede, is the data controller responsible for the Aiffinity mobile application and all related services (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we process it, and what rights you have in relation to your data.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Swiss Federal Act on Data Protection ("FADP" / "nDSG"), the ePrivacy Directive 2002/58/EC, and all applicable data protection legislation.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
1. Data Controller
The data controller for your personal data is:
- Entity: CAPX Holding
- Represented by: Maximilian Carl Friede
- Address: Oberallmendstrasse 18, 6300 Zug, Switzerland
- Email: privacy@aiffinity.me
- Website: aiffinity.me
1a. Data Protection Officer
We have designated a Data Protection Officer (DPO) who can be contacted for any questions regarding the processing of your personal data or the exercise of your rights:
- DPO: Maximilian Carl Friede
- Email: dpo@aiffinity.me
- Address: Oberallmendstrasse 18, 6300 Zug, Switzerland
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, phone number, email address, date of birth, profile photo, and other details you provide during registration or profile setup.
- Messages and Content: Text messages, voice messages, media files, and other content you create or share through the Service. All user-to-user messages are protected by end-to-end encryption — we cannot access the plaintext content of these messages.
- AI Soul Data: Personality traits, communication style preferences, values, behavioural patterns, and other profile attributes generated from your interactions with the Service. This data is owned by you.
- Contact Information: Names and identifiers of people you add as contacts within the Service.
- Agent Instructions: Requests, prompts, and instructions you give to AI agents acting on your behalf.
- Support Communications: Information you provide when contacting us for customer support, including the content of your messages and any attachments.
- Payment Information: Subscription status and transaction identifiers when you make in-app purchases. We do not collect or store payment card details — all payment processing is handled by Apple (App Store) or Google (Play Store).
- Location Data: If you choose to use location features (such as sharing your location or viewing location cards), we collect your location data. Location sharing is always opt-in and can be disabled at any time.
- Waitlist Information: Name and email address if you sign up for our waitlist prior to account creation.
2.2 Information Collected Automatically
- Device Information: Device model, operating system and version, unique device identifiers (e.g. IDFV), screen resolution, and mobile network information.
- Usage Data: Features accessed, interaction patterns, session duration, timestamps, and in-app navigation paths.
- Log Data: IP address, browser or app version, referring URL, access times, and error/crash reports.
- Performance Data: App launch time, frame rates, memory usage, and network latency — used exclusively for performance optimisation and stability monitoring.
2.3 Information We Do Not Collect
- We do not access your device contacts (address book), photo library, or other on-device data unless you explicitly grant permission for a specific feature.
- We do not collect location data unless you explicitly enable location features. Last known location is retained for a maximum of 24 hours; location history retention is user-configurable.
- We do not collect payment card details or bank information.
- We do not use tracking technologies for advertising purposes.
3. Lawful Basis for Processing
Under Article 6 of the GDPR, we process your personal data on the following legal bases:
| Purpose | Lawful Basis |
|---|---|
| Providing and maintaining the Service, including your account and AI Soul | Performance of contract (Art. 6(1)(b)) |
| Processing messages and enabling communication features | Performance of contract (Art. 6(1)(b)) |
| Executing AI agent actions you request | Performance of contract (Art. 6(1)(b)) |
| Sending service-related communications (e.g. security alerts, updates) | Legitimate interest (Art. 6(1)(f)) |
| Error tracking, crash reporting, and performance monitoring | Legitimate interest (Art. 6(1)(f)) |
| Improving and developing new features based on aggregate usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Processing location data for location-sharing features | Explicit consent (Art. 6(1)(a)) |
| Processing payment and subscription data | Performance of contract (Art. 6(1)(b)) / Legal obligation (Art. 6(1)(c)) |
| Processing conversations via external AI providers (when enabled by you) | Explicit consent (Art. 6(1)(a)) |
| Sharing your AI Soul with third-party services you authorise | Explicit consent (Art. 6(1)(a)) |
| Marketing communications (if applicable) | Explicit consent (Art. 6(1)(a)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may contact us to request details of these assessments.
4. How We Use Your Information
We use the personal data we collect to:
- Provide, operate, and maintain the Aiffinity Service
- Authenticate your identity and secure your account
- Power your AI companion (Aiven) and personalise your experience
- Build, maintain, and update your AI Soul profile based on your interactions
- Execute AI agent actions on your behalf (e.g. drafting emails, managing schedules, making reservations)
- Enable messaging, voice calls, and video calls between users
- Send you service-related communications such as security alerts, feature updates, and account notifications
- Monitor Service performance, diagnose errors, and resolve technical issues
- Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service
- Comply with applicable legal obligations, regulatory requirements, and law enforcement requests
- Improve the Service based on aggregated, non-identifiable usage data
5. AI Soul and Data Portability
Your AI Soul is your data. You retain full ownership of all AI Soul data at all times. You may:
- View your AI Soul data at any time within the app under Settings > AI Soul.
- Export your AI Soul in a structured, machine-readable format (JSON) for use with other services.
- Share your AI Soul with third-party applications and services you explicitly authorise. When you do so, the receiving service is governed by its own privacy policy — we recommend reviewing it before sharing.
- Delete your AI Soul entirely, permanently removing all personality and preference data from our systems. Deletion is irreversible.
6. Data Storage, Security, and Retention
6.1 Infrastructure and Storage
All data is stored within the European Union, specifically in the AWS EU-West-1 (Ireland) region. We use Amazon Web Services (AWS) as our cloud infrastructure provider. No personal data is stored outside the EU unless explicitly stated in this policy.
6.2 Security Measures
We implement industry-standard and state-of-the-art security measures, including:
- End-to-end encryption (E2EE) for all user-to-user messages — we cannot read or access the plaintext content of your messages at any point.
- Encryption at rest using AES-256 for all stored data.
- Encryption in transit using TLS 1.2 or higher for all network communications.
- PII encryption with dedicated per-field encryption keys managed through AWS Key Management Service (KMS).
- Access controls based on the principle of least privilege across all internal systems.
- Regular security assessments and infrastructure monitoring.
While we take extensive measures to protect your data, no system is completely immune to security threats. We encourage you to protect your account credentials and report any suspected security issues to security@aiffinity.me.
6.3 Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account plus 30 days after deletion |
| AI Soul data | Until you delete it or delete your account |
| End-to-end encrypted messages | Until deleted by participants; server-side ciphertext purged 90 days after account deletion |
| Agent action logs | 90 days |
| Usage and analytics data | 12 months (aggregated and anonymised thereafter) |
| Location data (last known) | 24 hours |
| Location history | User-configurable; deleted when you disable location features |
| Payment and subscription data | 7 years (legal/tax obligation) |
| Behavioural signals (HPI) | 90 days |
| Error and crash reports | 90 days |
| Waitlist information | Until you create an account or request deletion |
| Support communications | 24 months after resolution |
When a retention period expires, we delete or irreversibly anonymise the data within 30 days. Certain data may be retained longer where required by law (e.g. tax or accounting obligations).
7. Third-Party Services and Sub-Processors
We use the following third-party services to operate and improve the Service. Each operates under a data processing agreement (DPA) with us:
| Service | Purpose | Data Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, encryption key management | EU (Ireland) |
| Firebase Authentication (Google) | User authentication and identity management | EU |
| PostHog | Product analytics (anonymised usage patterns) | EU |
| Sentry | Error tracking and crash reporting | EU |
| OpenAI / Anthropic | AI language model processing (only when you enable "External AI processing" in Settings) | US (with SCCs) |
| LiveKit | Voice and video call infrastructure | EU |
| Google Maps Platform | Map rendering and geocoding for location features | Global |
| Apple Push Notification service (APNs) / Google FCM | Push notification delivery | Per provider policy |
| Cloudflare | Content delivery, DNS, and DDoS protection | Global (edge nodes) |
| Telegram / WhatsApp | Optional messaging integration (only if you connect these platforms) | Per provider policy |
We maintain an up-to-date list of sub-processors. If we add a new sub-processor that processes personal data, we will notify you in advance and provide an opportunity to object.
8. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). Where data must be transferred outside the EEA (for example, through Cloudflare's global content delivery network), we ensure adequate safeguards are in place, including:
- European Commission adequacy decisions (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary technical measures such as encryption
You may request a copy of the relevant transfer safeguards by contacting privacy@aiffinity.me.
9. Data Sharing
We do not sell, rent, or trade your personal data. We do not share your data with third parties for advertising purposes. We may share personal data only in the following circumstances:
- With your explicit consent — for example, when you export or share your AI Soul with a third-party service.
- With service providers (sub-processors) — who assist in operating the Service, under strict data processing agreements that limit their use of your data to performing services on our behalf.
- For legal compliance — to comply with applicable laws, regulations, legal proceedings, or enforceable government requests.
- To protect rights and safety — to enforce our Terms of Service, protect the security and integrity of the Service, and protect the rights, property, or safety of CAPX Holding, our users, or others.
- In connection with a business transfer — if CAPX Holding is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
10. Automated Decision-Making and Profiling
The Service uses automated processing to build and maintain your AI Soul profile and to personalise your experience. This profiling is essential to the Service and is based on our contractual relationship with you (Art. 22(2)(a) GDPR).
Automated processing is used to:
- Generate and refine your AI Soul personality profile from your interactions
- Personalise AI companion (Aiven) responses to match your communication style
- Suggest actions, replies, and follow-ups based on your preferences
These processes do not produce legal effects or similarly significant effects on you. No automated decisions are made regarding access to the Service, account status, or any matter with legal consequences. You have the right to request human review of any automated processing by contacting us.
11. Your Rights Under GDPR
Under the GDPR, the Swiss FADP, and applicable data protection legislation, you have the following rights:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — Request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a structured, commonly used, and machine-readable format (JSON), and transmit it to another controller. The AI Soul export feature directly supports this right.
- Right to object (Art. 21) — Object to processing based on legitimate interests, including profiling. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22) — Request human intervention in any automated decision that significantly affects you.
- Right to lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact us at privacy@aiffinity.me. We will respond within 30 days. In complex cases, we may extend the response period by an additional 60 days, and we will inform you of the extension and the reasons for it.
12. Cookies, Tracking, and Analytics Consent
The Aiffinity mobile application does not use cookies. Our documentation website (docs.aiffinity.me) and marketing website (aiffinity.me) do not use cookies or third-party tracking technologies.
We use PostHog for anonymised product analytics within the app. This does not involve cross-site tracking, advertising identifiers, or cookie-based tracking. You can control analytics and personalisation via Settings > Analytics & Personalization in the app:
- Product Analytics — share anonymous usage data to help improve Aiffinity. Default: off in EU/EEA (opt-in required under GDPR).
- Personalisation — allow Aiven to learn from your interactions. Default: off in EU/EEA (opt-in required under GDPR).
- External AI Processing — allow conversations to be processed by external AI providers (OpenAI/Anthropic) to generate responses. Default: off (explicit consent required).
When you opt out, analytics tracking ceases at both the client and server level. No events are collected or stored after you disable these settings.
13. Children's Privacy
Aiffinity is intended exclusively for users aged 18 and older. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a person under 18, we will take immediate steps to delete that data and terminate the associated account. If you believe a minor has provided us with personal data, please contact us at privacy@aiffinity.me.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email or in-app notification at least 30 days before the changes take effect
- Where required by law, request your renewed consent before applying changes
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should stop using the Service and delete your account.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
- Email: privacy@aiffinity.me
- General inquiries: hello@aiffinity.me
- Security issues: security@aiffinity.me
- Website: aiffinity.me
CAPX Holding
Oberallmendstrasse 18
6300 Zug
Switzerland
If you are not satisfied with our response, you have the right to lodge a complaint with:
- In Switzerland: The Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- In the EU: The data protection supervisory authority in the EU member state of your habitual residence, place of work, or where the alleged infringement occurred.