Privacy Policy

1. Introduction

Welcome to anmly.ai ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered data analytics platform.

By using anmly.ai, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

Contact us: For any privacy-related questions or concerns, please contact us at info@delta-ai.nl

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (required for authentication and communication)
• Password (encrypted and securely stored)
• Account creation date and user ID

2.2 Profile Information

During onboarding and profile setup, you may provide:

• First name and last name
• Company name and website URL (for business users)
• User type (business or personal)
• Industry or background information
• Data sources and tools you use
• Project goals and suggested project ideas

2.3 Dataset and File Information

When you upload datasets for analysis, we collect and store:

• Original filenames and file metadata
• File size, type, and format (CSV, Excel)
• Complete file contents including all data rows and columns
• Column names, data types, and sample preview data
• Dataset statistics (row count, column distributions, correlations)
• Data quality metrics (duplicates, outliers, quality scores)
• Upload and modification timestamps

2.4 Machine Learning Analysis Data

When you run ML analyses on your datasets, we store:

• Target column selections and problem types (classification, regression)
• Training configurations (quality presets, time limits, excluded columns)
• Trained machine learning model files
• Model performance metrics (accuracy, precision, recall, F1 score, R², MAE, MSE, RMSE)
• Feature importance rankings and correlations
• Confusion matrices and sample predictions with confidence scores
• Training status, duration, and error logs
• Analysis results in JSON format

2.5 AI-Generated Content

Our platform uses AI to provide insights. We store:

• AI-generated explanations of model performance and results
• Target column interpretations and accuracy analyses
• Data health summaries and suggestions
• Actionable insights with feature-specific recommendations
• Chat conversation history (your questions and AI responses)
• Custom chat instructions and response length preferences
• Context data used to generate AI responses

2.6 Predictions

When you use trained models to make predictions, we record:

• Input data (feature values you provide)
• Output predictions and probability scores
• Number of predictions made
• Prediction timestamps and processing time

2.7 Projects and Organization

To help you organize your work, we store:

• Project names, descriptions, and goals
• Project icons and visual customizations
• Additional context and notes
• Associations between datasets, analyses, and projects
• Creation and modification timestamps

2.8 Plan and Billing Information

For paid subscriptions, we collect:

• Stripe customer ID and subscription ID
• Plan type (Free, Starter, Professional)
• Subscription status and billing period dates
• Cancellation information (if applicable)
• Payment information is processed and stored by Stripe (see Section 4.3)

2.9 AI Credits and Usage

We track your AI credit usage:

• Current credit balance and monthly limits
• Credit transaction history (analyses, AI explanations, predictions, chats)
• Transaction amounts, timestamps, and metadata
• Credit resets, purchases, refunds, and adjustments

2.10 Authentication and Security

For account security, we maintain:

• Session tokens and authentication cookies
• Multi-factor authentication (MFA) settings if enabled
• TOTP (Time-based One-Time Password) factors and authenticator device names
• Login history and session information
• Password reset requests and email verification records

2.11 Usage and Analytics Data

We automatically collect:

• Page views and navigation patterns
• Feature usage statistics (uploads, analyses, predictions)
• Performance metrics and load times
• Device type, browser information, and IP address
• Error logs and diagnostic information

3. Cookies and Tracking Technologies

3.1 Essential Cookies

We use essential cookies that are necessary for the platform to function:

• Authentication Cookies: Session tokens managed by Supabase Auth to keep you logged in. These cookies contain JWT (JSON Web Tokens) and are HttpOnly and Secure in production environments.
• Cookie Names: Supabase session cookies (names can vary by configuration and environment)
• Expiration: Session-based or configurable expiration
• Purpose: Authenticate users, maintain secure sessions, enable MFA verification

3.2 Analytics (Optional)

With your consent, we use privacy-friendly analytics to improve our service:

• Vercel Web Analytics: Collects anonymized page view and usage data. Vercel's Web Analytics is designed to be cookie-less.
• Vercel Speed Insights: Collects real-user performance metrics (Core Web Vitals) to help us improve speed and reliability.
• Purpose: Understand how users interact with our platform, identify performance issues, improve user experience
• Data Shared: Page URLs, referrer information, device type, approximate location (country-level)
• Opt-Out: You can decline analytics via our cookie banner. Essential authentication cookies will still be used.

3.3 Local Storage

We use browser local storage for:

• Theme Preferences: Remember your dark/light mode selection
• Tutorial State: Track onboarding tutorial progress
• Cookie Consent: Remember your cookie preferences

3.4 Managing Cookies

You can control cookies through our cookie consent banner and your browser settings. Note that blocking essential cookies will prevent you from using key features of the platform. For more details, see our Cookie Policy.

4. Third-Party Services and Data Processors

4.1 Supabase (Infrastructure Provider)

Purpose: Authentication, database, and file storage infrastructure

Data Shared: All user account data, datasets, analyses, and uploaded files

Location: Data stored in Supabase cloud infrastructure

Security: Industry-standard encryption, Row Level Security (RLS) policies, secure JWT authentication

Privacy Policy: https://supabase.com/privacy

4.2 OpenAI (AI Chat and Insights)

Purpose: Generate AI explanations, insights, and chat responses

Models Used: OpenAI GPT models via the OpenAI API (for example gpt-5-mini and, when enabled, gpt-5.2). We may update models over time for quality, safety, or cost reasons.

Data Shared: Your chat messages, analysis context (model performance metrics, feature importance), dataset metadata (column names, data types), system prompts

Data Not Shared: Full dataset contents are not sent to OpenAI

Retention & Training: OpenAI may retain data according to their policies. OpenAI states that API data is not used to train their models by default; see their documentation for current details and options.

Privacy Policy: https://openai.com/privacy

4.3 Stripe (Payment Processing)

Purpose: Process subscription payments and manage billing

Data Shared: Email address, Supabase user ID (as metadata), plan selection

Payment Data: Credit card and payment information is collected and processed directly by Stripe. We never store or have access to your complete payment details.

Location: Global infrastructure with data centers in multiple regions

Privacy Policy: https://stripe.com/privacy

4.4 Railway.app (ML Training Backend)

Purpose: Execute machine learning model training and predictions

Data Shared: Complete dataset files (via temporary signed URLs), analysis configurations, target columns, training parameters

Location: Railway.app servers in Amsterdam, Netherlands (EU)

Data Processing: Datasets are downloaded temporarily for processing, trained models are generated and returned, no permanent storage of your data on the ML backend

Security: JWT token authentication, temporary file access via expiring signed URLs (2-hour expiration)

Privacy Policy: https://railway.app/legal/privacy

4.5 Vercel (Hosting and Analytics)

Purpose: Host the Next.js application, provide analytics and performance monitoring

Data Collected: Page views, user interactions, performance metrics, IP addresses, device information

Analytics: Anonymized usage data to improve platform performance

Location: Global CDN with data centers worldwide

Privacy Policy: https://vercel.com/legal/privacy-policy

5. How We Use Your Information

5.1 Service Delivery

We use your information to:

• Authenticate you and maintain your account
• Process and store your uploaded datasets
• Train machine learning models on your data
• Generate predictions and insights
• Provide AI-powered explanations and chat assistance
• Organize your projects and analyses
• Track and manage your AI credit usage

5.2 Platform Improvement

We analyze usage data to:

• Understand how features are used
• Identify and fix technical issues
• Improve ML model performance and accuracy
• Optimize platform speed and reliability
• Develop new features based on user needs

5.3 Communication

We may use your email address to:

• Send account verification and security notifications
• Notify you of analysis completion
• Provide important service updates
• Send billing and subscription information
• Respond to your support requests
• Share product updates and new features (you can opt out)

5.4 Legal and Security

We may process your data to:

• Comply with legal obligations
• Enforce our Terms of Service
• Protect against fraud and abuse
• Ensure platform security and stability

6. Data Storage and Security

6.1 Storage Infrastructure

Your data is stored using:

• Supabase PostgreSQL: Structured data (accounts, analyses, metadata)
• Supabase Storage: File uploads in separate buckets (datasets, models, results, predictions)
• Location: Supabase cloud infrastructure with servers in various regions

6.2 Security Measures

We implement industry-standard security practices:

• Encryption in Transit: All data transmitted over HTTPS/TLS
• Encryption at Rest: Database and file storage encryption
• Row Level Security (RLS): Database policies ensure you can only access your own data
• Authentication: Secure JWT tokens with session management
• Multi-Factor Authentication: Optional TOTP-based MFA for enhanced account protection
• Signed URLs: Temporary file access links with 1-2 hour expiration
• Password Security: Passwords are hashed using industry-standard algorithms (managed by Supabase)
• API Security: Authentication required for all API endpoints, user ownership verification

6.3 Access Controls

We maintain strict access controls:

• User data is isolated using Row Level Security policies
• All database queries automatically filter by user ID
• File storage uses private buckets with user-specific paths
• No public access to uploaded files or results
• Middleware validates authentication on every request

6.4 Data Isolation

Your data is protected from other users:

• Each user has a unique UUID identifier
• Database policies prevent cross-user data access
• File paths are prefixed with user IDs
• API endpoints verify ownership before returning data

7. Data Retention

7.1 Active Account Data

While your account is active, we retain all your data (datasets, analyses, predictions, projects) until you choose to delete it manually. There is no automatic expiration of uploaded data or analysis results.

7.2 Manual Deletion

You can delete your data at any time:

• Datasets: Delete individual datasets from the project page
• Analyses: Deleting a dataset automatically deletes all associated analyses
• Projects: Delete entire projects with all contained datasets and analyses
• Account: Request full account deletion via your settings page (see Section 8)

7.3 Subscription Cancellation

If you cancel your plan, your account remains active and all your data is retained. You can continue using the free tier features. To delete your data, you must manually request account deletion.

7.4 Inactive Accounts

We may delete accounts that have been inactive for extended periods (typically 2+ years) after providing notice to your email address. You will have at least 30 days to log in and prevent deletion.

7.5 Legal Requirements

We may retain certain data when required by law, to resolve disputes, enforce our agreements, or for legitimate business purposes even after account deletion (e.g., financial records for tax purposes).

8. Your Rights and Choices

8.1 Access Your Data

You can access all your data directly through the platform dashboard. This includes viewing your datasets, analyses, predictions, projects, and account information.

8.2 Export Your Data

You have the right to receive a copy of your personal data in a structured, commonly used format. To export your data:

• Go to Settings → Privacy & Security
• Click "Download Your Data"
• Select the data categories you want to export (Account Info, Datasets, Analyses, Predictions, etc.)
• Choose your preferred format (JSON, CSV, or Excel)
• We'll prepare a download package and notify you when it's ready (typically within 24 hours)

8.3 Modify Your Information

You can update your information at any time:

• Profile: Edit your name, company, and preferences in Settings
• Password: Change your password in the Privacy & Security section
• MFA: Enable or disable multi-factor authentication
• Chat Settings: Customize AI chat behavior and response preferences

8.4 Delete Your Data

You can delete specific data or your entire account:

• Datasets: Delete individual datasets and their associated analyses
• Projects: Delete entire projects with all contained data
• Full Account Deletion: Go to Settings → Privacy & Security → Delete Account

When you delete your account, we will permanently delete:

• All your datasets and uploaded files
• All trained machine learning models
• All analyses, predictions, and results
• All projects and organization data
• Your profile and account information
• All AI chat conversations and explanations

Note: Account deletion is permanent and cannot be undone. Some data may be retained for legal or legitimate business purposes (e.g., transaction records for tax compliance).

8.5 Cookie Preferences

You can manage analytics preferences through the cookie banner when you first visit the site. If you want to change your choice later, you can clear the cookie-consent item from your browser local storage and revisit the site. You can opt out of analytics while keeping essential authentication cookies.

8.6 Marketing Communications

If we send promotional emails (product updates, new features), you can opt out by:

• Clicking "Unsubscribe" in any marketing email
• Adjusting notification preferences in your Settings
• Contacting us at info@delta-ai.nl

Note: You will still receive essential service communications (security alerts, billing notifications) even if you opt out of marketing.

9. International Data Transfers

anmly.ai operates globally and may process your data in multiple countries. Our primary infrastructure partners are located in:

• Supabase: Multiple global regions
• Railway.app (ML Backend): Amsterdam, Netherlands (EU)
• Vercel: Global CDN with data centers worldwide
• Stripe: United States and global infrastructure
• OpenAI: United States

When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with third-party providers
• Compliance with GDPR, CCPA, and other applicable privacy laws
• Encryption in transit and at rest

For EU users: Your machine learning processing occurs in Amsterdam (EU region), minimizing international data transfers for core ML functionality.

10. Children's Privacy

anmly.ai is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at info@delta-ai.nl and we will delete such information promptly.

11. GDPR Compliance (EU Users)

11.1 Legal Basis for Processing

Under GDPR, we process your personal data based on:

• Contract: Processing necessary to provide our service (account management, ML training, predictions)
• Consent: Analytics and marketing communications (you can withdraw consent at any time)
• Legitimate Interests: Platform improvement, security, fraud prevention
• Legal Obligation: Compliance with tax, accounting, and legal requirements

11.2 Your GDPR Rights

If you are in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (with some exceptions)
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Restrict Processing: Limit how we use your data
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for cookies or marketing
• Right to Lodge a Complaint: File a complaint with your data protection authority

11.3 Data Protection Officer

For GDPR-related inquiries, contact our data protection team at info@delta-ai.nl

11.4 EU Representative

If required under GDPR, we will appoint an EU representative. Contact information will be provided here when applicable.

12. CCPA Compliance (California Residents)

12.1 Information for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

12.2 Categories of Personal Information Collected

We collect the following categories of personal information:

• Identifiers: Email address, user ID, IP address
• Personal Information: Name, company information
• Commercial Information: Subscription records, credit transactions
• Internet Activity: Page views, interactions, browsing behavior
• Professional Information: Industry, data sources, business goals
• User-Generated Content: Uploaded datasets, analysis configurations, chat messages

12.3 Your CCPA Rights

• Right to Know: Request what personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We do not sell your personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

12.4 How to Exercise Your Rights

To exercise your CCPA rights, contact us at info@delta-ai.nl or use the data export/deletion features in your account settings. We will verify your identity before processing requests.

12.5 Do Not Sell My Personal Information

We do not sell your personal information. We do not and will not sell your data to third parties for monetary or other valuable consideration.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email or through a prominent notice on the platform
• We encourage you to review this policy periodically
• Continued use of anmly.ai after changes constitutes acceptance of the updated policy

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days. For urgent security matters, please mark your email as "URGENT: Security Issue."

15. Additional Resources

For more information about our policies and practices:

• Terms of Service
• Cookie Policy
• GDPR Information