Privacy Policy
AI Visionary is committed to protecting the privacy of its users. This policy describes the personal data we collect, how we use it, and the rights you have.
1. Data Controller
AI Visionary
Founded and directed by Cyril Leger
Geneva, Switzerland
Email: hello@ai-visionary.com
Website: ai-visionary.xyz
AI Visionary acts as data controller within the meaning of the Swiss Federal Act on Data Protection (nFADP, effective September 1, 2023) and, for users residing in the European Economic Area, within the meaning of the General Data Protection Regulation (GDPR — Regulation EU 2016/679).
2. Personal Data Collected
In connection with our services, we collect the following categories of data:
2.1 AYO Diagnostic (AI chatbot)
- Website URL: web address provided by the user for the diagnostic.
- Questionnaire responses: declarative information about the company (services, certifications, target audience, indicators, etc.).
- Data extracted from the site: publicly accessible content (title, meta description, JSON-LD, sitemap).
- Computed AIO score: AI readability diagnostic result (score from 0 to 100).
2.2 Identification and Contact
- Email address: used for sending results, authentication (OTP), and service-related communications.
- Company name: as declared by the user or automatically detected on the analyzed website.
2.3 Payment
- Transaction information: processed exclusively by Stripe (PCI-DSS Level 1 certified). We do not store any credit card data.
- Only the Stripe customer ID, amount, currency, and transaction status are retained on our side.
2.4 AYA Registry
- Company name, business sector, country, URL, AIO score, generated ASR files, keywords.
- This data is publicly accessible in the AYA registry, which is the very purpose of the service.
2.5 Technical Data
- IP address: used temporarily for security (rate limiting, abuse prevention). Not retained beyond the session.
- Server logs: managed by Vercel, retained for a maximum of 30 days.
3. Legal Bases for Processing
We process your data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Performing the AIO diagnostic | Performance of contract (Art. 6.1.b GDPR / Art. 31 nFADP) |
| Registration in the AYA Registry | Performance of contract |
| Generation and delivery of ASR files | Performance of contract |
| Payment processing | Performance of contract / Legal obligation |
| Service security (rate limiting, logs) | Legitimate interest (Art. 6.1.f GDPR) |
| Service improvement | Legitimate interest |
| Automatic indexing in the AYA Registry (AYA Bot) | Legitimate interest (publicly accessible data on the internet) |
4. Sub-processors and Data Transfers
We use the following sub-processors to provide our services:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | PostgreSQL database (analyses, AYA registry, sessions) | United States | DPA, SOC 2 Type II, encryption at rest and in transit |
| Stripe Inc. | Credit card payment processing | United States / Ireland | PCI-DSS Level 1, Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional email delivery (results, confirmations, OTP) | United States | DPA, TLS encryption |
| Vercel Inc. | Website and serverless API hosting | United States (global CDN) | DPA, SOC 2 Type II, HTTPS encryption |
| Google LLC (Gemini) | Semantic content generation (FAQ, glossary, AI-enriched descriptions) | United States | Google Cloud DPA, data anonymized before transmission |
Some sub-processors are located outside Switzerland and the European Economic Area (EEA). Data transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission and/or adequacy decisions, in accordance with Articles 16-17 of the nFADP and Chapter V of the GDPR.
Your data is never sold to third parties. It is only shared with sub-processors to the extent strictly necessary for the provision of the service.
5. Cookies and Tracking Technologies
AI Visionary takes a minimalist approach to cookies:
- Strictly necessary cookies: technical cookies set by Vercel for application operation (routing, session). They do not require consent pursuant to Art. 45c(2) TCA and Art. 5(3) of the ePrivacy Directive.
- Payment cookies: Stripe may set technical cookies during the payment process for fraud prevention.
We do not use any tracking, advertising, or analytics cookies. No Google Analytics, Facebook Pixel, or third-party trackers are present on this site.
6. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| AYO analyses and diagnostics | 2 years after the last interaction |
| AYA Registry (Platform Pack — subscription) | Duration of active subscription + 30 days after cancellation |
| AYA Registry (PRO Pack) | 3 years + 30 days after expiration |
| AYA Registry (bot-indexed entities) | Indefinite (public data). Deletion upon request within 72 hours. |
| System and security logs | 90 days |
| OTP codes (authentication) | 10 minutes (automatic expiration) |
| Billing data | 10 years (Swiss accounting legal obligations) |
Upon expiry of these periods, data is permanently deleted or irreversibly anonymized.
7. Data Security
We implement the following technical and organizational measures:
- HTTPS encryption (TLS 1.3) for all communications.
- Encryption at rest for database data (Supabase / PostgreSQL).
- Ed25519 cryptographic signatures for ASR files to ensure authenticity and integrity.
- One-time password (OTP) authentication sent by email.
- Protection against SSRF attacks, injections, and brute force (rate limiting).
- Data access restricted to the strict minimum (principle of least privilege).
- No password storage (passwordless OTP authentication).
8. Your Rights
Under the Swiss nFADP and the GDPR (for EEA residents), you have the following rights:
- Right of access (Art. 25 nFADP / Art. 15 GDPR): obtain a copy of your personal data and information about its processing.
- Right to rectification (Art. 32 nFADP / Art. 16 GDPR): have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17 GDPR): request deletion of your data when it is no longer necessary for processing.
- Right to data portability (Art. 28 nFADP / Art. 20 GDPR): receive your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest.
- Right to restriction of processing (Art. 18 GDPR): request restriction of processing in certain circumstances.
- Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.
How to Exercise Your Rights
Send your request by email to hello@ai-visionary.com specifying your identity and the nature of your request. We will respond within 30 days (extendable to 60 days for complex requests, with prior notification).
Complaint to a Supervisory Authority
If you believe your rights are not being respected, you may file a complaint with:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- European Union / EEA: the competent supervisory authority in your country of residence.
9. Automatic Indexing (AYA Bot)
The AYA registry may automatically index companies from publicly accessible data on the internet (website content, JSON-LD data, sitemaps). This processing is based on our legitimate interest in building a reference registry for AI agents (Art. 6.1.f GDPR).
If your company is indexed in the AYA registry and you wish to have it removed, send an email to hello@ai-visionary.com indicating the URL concerned. Removal will be completed within 72 hours.
10. Protection of Minors
Our services are intended exclusively for professionals and businesses. We do not knowingly collect data about individuals under 16 years of age. If you discover that a minor has provided personal data, please contact us for immediate deletion.
11. Changes to This Policy
We reserve the right to modify this privacy policy at any time. Changes take effect upon publication on this page. In the event of substantial changes, we will inform affected users by email.
12. Applicable Law and Jurisdiction
This privacy policy is governed by Swiss law, in particular the Federal Act on Data Protection (nFADP).
For users residing in the European Union or the European Economic Area, the provisions of the GDPR apply in addition.
Any dispute relating to data protection shall be submitted to the competent courts of the Canton of Geneva, Switzerland, subject to the mandatory jurisdiction rules applicable to consumers residing in the EU/EEA.
13. Contact
For any questions regarding the protection of your personal data or to exercise your rights:
AI Visionary — Data Protection
Cyril Leger
Geneva, Switzerland
Email: hello@ai-visionary.com
Last updated: March 25, 2026