Privacy Policy

Last updated · June 1, 2026

This Privacy Policy describes what personal data OurAI ApS (“OurAI”, “we”, “us”) collects, why, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

Who this policy applies to

This policy applies to:

  • this marketing website;
  • the OurAI product when you are signed in — whether you use it as an individual for your own personal use, or as part of an organization that has signed up for OurAI;
  • our business communications (sales, support, recruiting).

Who is the controller

The data controller is always:

OurAI ApS
Hiort Lorenzens Gade 29, 2. tv
2200 København N, Denmark
CVR: 46472659
Privacy contact: support@ourai.dk

What changes is the scopeof OurAI’s controller role:

  • Individual accounts (consumers). If you signed up for OurAI yourself for personal use, OurAI is the controller for everything we process about you, including the prompts and conversations you submit. This Privacy Policy describes all the processing that applies to you.
  • Organization accounts (business customers). If you use OurAI through an account created by your employer or another organization, OurAI is the controller only for the limited “own purposes” data described under What we collect, and why (e.g. billing the organization, administrator contact details). For the prompts, conversations, and workspace activity of users in that organization, the organization is the controller and OurAI acts as their processor under the Data Processing Agreement (DPA). If you have questions about that data, contact your organization first.

What we collect, and why

When you visit the marketing website

We collect nothing. This marketing website is a static site and loads no analytics or trackers. Standard server access logs are kept by our edge provider for short periods for security and abuse prevention; they are not used for profiling.

When you contact us

If you write to support@ourai.dk, or any other OurAI inbox, we store the email and any attachments in our business email system so we can reply and keep a record.

When you sign up for an account

To create and operate your account, we process:

  • your name and email address;
  • for organization accounts: your organization and role;
  • your password hash (we never store the password itself);
  • billing information — for individuals: name, address, payment method; for organizations: company name, address, VAT number, payment method (all handled by our payment processor, see Who we share it with);
  • technical metadata — IP address, browser/device, sign-in times — kept in audit logs for security.

Legal basis: performance of a contract with you and legitimate interest in keeping the service secure.

When you use the product

When you are signed in and using the product, we process:

  • the prompts and conversations you send to AI models through OurAI;
  • the model responses;
  • usage metadata — model, token counts, timestamps, conversation ID — for billing and, for organization accounts, aggregated workspace insights.

For individual (consumer) accounts, OurAI is the controller of all of this. The legal basis is performance of the contract between you and OurAI. Workspace policies (such as which models you allow to be reached) apply to your individual account too. The organization-governance features — multi-user audit logs with identity escalation and aggregated workspace insights — are organization-only and do not apply to individual accounts.

For organization accounts, your employer is the controller and OurAI acts as their processor — see the DPA. By default, identity is decoupled from conversationsin the organization’s audit log: conversations are stored against a conversation ID, and identity can only be revealed through a formal escalation that is itself audited.

Sales and demo requests

If you book a demo or request information, we keep your contact details and the notes from our conversation so we can follow up. Legal basis: legitimate interest in pursuing sales relationships, or consent if you opted in to marketing communications.

How we use the data

We use the data above to:

  • provide, operate, and secure the service;
  • bill you and meet our accounting obligations;
  • respond to support and other inquiries;
  • detect, investigate, and prevent abuse, fraud, and security incidents;
  • comply with legal obligations (e.g. Danish bookkeeping law).

We do not use any of the data above to train AI models — neither ours nor anyone else’s. Our agreements with AI providers prohibit them from training on your data, and we extend that prohibition to our own processing.

How long we keep it

We keep personal data only as long as we need it for the purpose we collected it, and then we delete it or fully anonymize it. The standard retention periods are:

  • Account data (name, email, organization) — for as long as your account is active, plus 90 days after closure to handle wind-down.
  • Billing records and invoices — 5 years after the calendar year they relate to. This is required by Danish bookkeeping law (bogføringsloven).
  • Prompts, conversations, and usage metadata (individual accounts) — kept while your account is active. You can delete individual conversations at any time. On account closure, the data is deleted within 30 days, subject to the bookkeeping retention above.
  • Prompts, conversations, and audit logs (organization accounts) — per the organization’s retention policy, set inside the product. Default: 12 months. See the DPA for details.
  • Support emails — 24 months from the last interaction.
  • Marketing and CRM data — until you unsubscribe or ask us to delete it, whichever comes first.
  • Job application data — 6 months after the hiring decision, unless you have consented to longer storage in our talent pool.

Who we share it with

We share personal data only with vendors who help us operate the service, under written contracts that require them to protect it.

We do not sell personal data and we do not share it with anyone for advertising purposes.

International transfers

Most of the data we process stays inside the EU/EEA:

  • Infrastructure for the managed deployment runs in Helsinki, Finland.
  • Backups stay inside the EU and are never replicated outside.

When your workspace settings permit AI inference on US-hosted models (OpenAI, Anthropic, Google) the prompt and response are transferred to the US for the duration of that inference call.

Security

We protect personal data with measures appropriate to the risk, including: encryption in transit and at rest, role-based access, audit logging of administrative actions, regular backups inside the EU, and a documented incident-response process.

Children

OurAI is for users aged 18 and over. We do not knowingly process personal data of anyone under 18.

Contact

Questions about this policy or your data: support@ourai.dk.