Data & Privacy
How AIM collects, uses, and retains your information
Last updated: April 25, 2026
The short version
- AIM only collects data that is necessary to deliver the service to you.
- Your assessment content and generated documents belong to you. We do not use them to train AI models, and we do not pool data across organizations to train a shared model.
- AIM accumulates a private, per-organization record of decisions and outputs inside the platform (your assessments, project tracking events, and change-board votes) so AIM gets more useful for your team over time. This record stays inside your organization's database — it is never combined with another organization's data.
- AI analysis runs server-side. Your data is sent to our AI provider (Anthropic) to generate responses and is not retained by them beyond the API call.
- Security and activity logs are kept for up to 3 years for compliance and incident investigation, then permanently deleted.
- You can request deletion of your account or organization at any time. Deletion is permanent after a 30-day window.
- AIM Eagle (the chat assistant) logs only anonymized, hashed interaction metadata for routine turns — never your raw message text. Messages routed by our safety layer (for example, self-harm or crisis patterns) are not written to that analytics or improvement metadata. If you voluntarily submit a support request through Eagle, your email and question are stored solely to respond to you.
What data AIM collects
AIM collects the minimum data necessary to operate the platform and deliver its services. Data collection falls into three categories: information you provide directly, information generated by using the platform, and security and operational data collected automatically.
Information you provide
- Account information — your name and email address used to create and manage your account.
- Organization details — your organization name, sector, and team member information when you set up a workspace.
- Assessment inputs — system descriptions, technical architecture details, constraints, budget parameters, and other information you enter when conducting an assessment.
- Collaboration invitations — email addresses of guest collaborators you invite to specific assessments.
Information generated by the platform
- Generated documents — modernization plans, RFP drafts, IGCE estimates, and other outputs created from your assessment inputs.
- Review workflow records — document review status, approvals, flags, and reviewer comments.
- Project health data — Modernization Pulse snapshots and project health scores derived from your assessment data.
Security and operational data
- Authentication events — login activity, session information, and multi-factor authentication records.
- Activity and access logs — records of who accessed which resources, when, and what actions were taken. These are maintained for security, compliance, and incident investigation purposes consistent with NIST SP 800-53 AU-2 and AU-3.
- Device and connection information — technical information about the device and connection used to access the platform, collected for security monitoring and abuse prevention.
- AIM Eagle chat interaction metadata — for routine chat turns, AIM may log a cryptographic hash (SHA-256) of your question — not the question text itself — along with which knowledge sources were used, whether the response required a support escalation, and whether you rated the response. Your raw message is not stored in that analytics record. If our safety routing classifies a message as crisis-related self-harm or severe distress, we do not add that turn to hashed chat analytics or product-improvement learning loops. If you voluntarily submit a support request through Eagle by providing your email address, that email and a copy of your question are retained to respond to your inquiry.
How AIM uses your data
AIM uses your data exclusively to operate and improve the platform for you. Specifically:
- To deliver the service — your assessment inputs are used to generate recommendations, reports, cost estimates, and other deliverables.
- To power AI analysis — your inputs are sent to Anthropic's API to generate AI-driven outputs. Anthropic does not retain your data beyond the API call under our agreement. Your data is never used to train AI models.
- To operate your workspace — account and organization data is used to manage access, billing, and team collaboration.
- For security and compliance — activity and audit logs are retained to detect and investigate security incidents, meet compliance obligations, and maintain platform integrity.
- To maintain platform reliability — diagnostic and operational data is used to monitor service health and resolve incidents.
AIM does not: sell your data, share it with advertisers, use it to train AI models, pool customer data across organizations to train a shared model, provide it to technology vendors for competitive intelligence, or receive compensation from vendors based on your assessment outcomes.
Data retention schedule
AIM retains different categories of data for different periods based on operational need, legal requirements, and compliance obligations. The table below describes what we retain and for how long.
| Data category | Examples | Purpose | Retention period |
|---|---|---|---|
| Account identity | Name, email address, authentication credentials | Login, notifications, collaboration invitations | Duration of account + 30-day deletion window |
| Organization profile | Organization name, sector, billing plan tier | Workspace management, feature access, billing | Duration of org subscription + 30-day window; billing records kept 7 years (regulatory) |
| Assessment content | System descriptions, architecture inputs, modernization requirements, constraints | Generating recommendations, reports, and cost estimates | Duration of active subscription; content anonymized on org deletion |
| Generated documents | Modernization plans, RFP drafts, IGCE reports, whitepapers | Delivering your work product and supporting review workflows | Duration of active subscription; anonymized on org deletion |
| Collaboration records | Guest invitations, collaborator access events, review comments | Per-assessment collaboration and audit trail | Tied to parent assessment; anonymized on org deletion |
| Security and activity audit log | Login events, admin actions, document access, permission changes | Security monitoring, compliance, and incident investigation (NIST AU-2/AU-3) | Active for 90 days; archived for up to 3 years; permanently deleted thereafter |
| Platform health and diagnostics | API error rates, job completion status, pricing refresh outcomes | Reliability monitoring and platform operations | Up to 90 days; aggregated summaries may be retained longer |
| AIM Eagle chat interactions | Hashed question fingerprints for eligible turns (not raw text), source page attribution, support escalation flags, thumbs up/down ratings | Identifying knowledge gaps, improving response quality, monitoring for support escalations | Interaction metadata up to 90 days; explicit support request emails retained until resolved (90-day recommended review) |
Audit log archival follows a two-tier schedule: records are actively queryable for 90 days, then moved to a compliance archive for the remainder of the 3-year period, after which they are permanently and irrecoverably deleted. This schedule is aligned with NIST SP 800-53 AU-11.
Per-organization context
AIM accumulates a private record of decisions and outputs your team makes inside the platform: assessments, RAO recommendations, project tracking events, change-board votes, configuration drift, and procurement actions.
This record is scoped to your organization through row-level security in our database. It is never blended with any other organization's data, and it is never used to improve service for any other organization.
Why it exists
AIM gets more useful to your team the longer you use it. The next time your team runs a modernization assessment, AIM seeds it from your own historical record — not from anyone else's.
Forward-looking note on AIM's roadmap
AIM's roadmap includes future capabilities that operate on this accumulated context — for example, agentic operations that take action on your organization's behalf across the systems you have already documented in AIM. Any such capability will be opt-in, will be scoped to your organization's data only, and will be governed by a separate agreement and pricing tier — never silently activated. Other AIM customers' data will never inform what AIM does for you, and your data will never inform what AIM does for them.
Retention
Per-organization context is retained for the lifetime of your active subscription. On organization deletion, it is cleared as part of the standard 30-day deletion window alongside your assessment content.
Organization and account deletion
You can request deletion of your account or your entire organization at any time from the platform settings. Deletion follows a defined process:
Deletion request submitted
Your request is logged and a 30-day cancellation window begins. You can cancel the deletion during this period.
Access suspended at window close
After 30 days, your workspace is locked and access is disabled while permanent deletion is processed.
Permanent data purge
Assessment content, generated documents, and personally identifiable information are permanently deleted. User accounts are removed. The organization record is anonymized — identifiers are cleared, but anonymized billing records are retained for 7 years to meet financial recordkeeping requirements.
Audit log aging
Security and activity logs associated with the deleted organization age out of the live audit table within 90 days and are permanently purged at the end of the 3-year retention window. These cannot be recovered after purge.
Guest collaborators
Guest collaborators are external stakeholders (architects, vendors, agency partners) invited to a specific assessment via a time-limited email link. Guests operate under a minimal data model:
- No permanent platform account is created. Guests authenticate via one-time email verification.
- The inviting organization's assessment owner controls what the guest can see and do. Guests cannot generate AI outputs, trigger pipelines, or export reports.
- Guest sessions expire automatically. Expired sessions are cleaned up by an automated process.
- Guest access events (who accessed, when) are logged in the assessment audit trail for the assessment owner's review.
- Guest email addresses are retained only for the duration of the invitation and are not used for any marketing or outreach.
Third-party services
AIM uses a small number of third-party services to operate the platform:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication and database hosting | Account data, assessment content, audit logs |
| Anthropic | AI analysis, document generation, and AIM Eagle chat responses | Assessment inputs and chat messages during active generation only; not retained by Anthropic beyond the API call |
| Stripe | Billing and subscription management | Billing contact, payment method (Stripe-managed) |
| Vercel | Platform hosting and edge delivery | Request traffic for routing and delivery |
AIM does not use advertising networks, data brokers, or analytics platforms that share data with third parties. Analytics are limited to aggregate platform performance metrics and anonymized, hashed AIM Eagle chat interaction metadata for eligible turns, used solely for product improvement. No raw message content is included in any such analytics record; safety-routed crisis-classified turns are omitted.
Your rights
As an AIM user or organization administrator, you have the following rights with respect to your data:
- Access: You can view your account information, organization settings, and assessment content within the platform at any time.
- Correction: You can update your account information, organization details, and assessment content directly from the platform.
- Deletion: Organization owners can submit a deletion request from the organization settings. Deletion is permanent after the 30-day cancellation window.
- Portability: Generated documents and reports can be exported in PDF and structured formats from within the platform.
Security posture
AIM is designed with security as a foundational requirement, not an afterthought. Key controls include:
- Multi-factor authentication (MFA) enforced for all protected routes when enrolled
- End-to-end HTTPS with HTTP Strict Transport Security (HSTS) including subdomains
- Role-based access control with six distinct organization roles (Owner, Admin, Engineer, Program Analyst, Reviewer, Viewer), enforced server-side
- Tamper-evident audit logs with cryptographic hash chaining aligned to NIST SP 800-53 AU-9
- All AI analysis performed server-side — assessment data does not traverse the client
- Append-only audit records that cannot be modified or deleted outside of the authorized archival process
- Content Security Policy, CORS controls, and browser security headers on all application routes
Questions about your data?
If you have questions about how AIM handles your data, want to request information, or need assistance with a deletion request, contact us directly.
[email protected]