Aestim Privacy Policy

Aestim Inc. (“Aestim,” “we,” “us,” or “our”) provides software and related services for property tax workflows. This Privacy Policy describes how we collect, use, share, and protect personal information in connection with our websites, products, and services (collectively, the “Services”).

This Privacy Policy applies to information we collect through:

• our websites, including aestim.ai and any other site that links to this Privacy Policy;
• our software platform and applications;
• our communications with you (email, support tickets, sales conversations); and
• offline interactions related to the Services.

Capitalized terms not defined here have the meanings given to them in our Terms of Service.

1. Our Role; Scope

The Services are intended solely for users located in the United States. We do not offer or direct the Services to individuals in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions outside the United States. See Section 12 for more information.

Aestim acts in two different capacities depending on the information involved:

Controller — for your information as an account holder, visitor, or prospect. When you create an account, browse our websites, or otherwise interact with us, we generally act as the controller (or “business” under California law) of the personal information we collect about you. This Privacy Policy applies to that information.

Processor — for User Data submitted through the Services. When our business customers upload data to the Services in the course of using our platform (for example, taxpayer records, asset lists, or financial spreadsheets imported from accounting systems), that data may include personal information about third parties (such as our customer's clients or employees). With respect to that User Data, Aestim acts as a processor (or “service provider” under California law) on behalf of our business customer, who acts as the controller. Our handling of User Data is governed by our Terms of Service and any applicable Data Processing Addendum. If you are an individual whose personal information appears in User Data, please contact the business that uploaded the data — they are the controller and are responsible for responding to your rights requests in the first instance. We will assist our customers in responding to such requests as required by law.

This Privacy Policy does not apply to the practices of third parties we do not own or control, including the websites, products, or services of any Third-Party Integration.

2. Information We Collect

We collect the following categories of personal information.

(a) Information you provide directly.

• Account and registration information — name, business email address, employer name, role, password, and account preferences when you sign up for the Services.
• Profile and contact information — title, phone number, business address, and other details you choose to add to your profile.
• Billing information — billing address and the last four digits of the payment card or other limited payment identifiers. Full payment card numbers are handled by our payment processor; we do not store full payment card numbers on our systems.
• Communications — the contents of emails, support tickets, chat messages, sales-call notes, survey responses, and other communications you send us, including any attachments.
• Content you submit — files, documents, spreadsheets, and other content you upload to the Services for processing.

(b) Information we collect automatically.

• Usage data — pages and features visited, actions taken in the Services, timestamps, referring URLs, search terms entered in the Services, and similar interaction data.
• Device and connection data — IP address, browser type and version, operating system, device identifiers, language settings, and time zone.
• Log data — server logs, error logs, audit logs (including records of who accessed or modified content within the Services for security and compliance purposes), and similar diagnostic information.
• Cookies and similar technologies — see Section 7 below.

(c) Information from third parties.

• Single sign-on (SSO) and identity providers — if you sign in using a third-party SSO provider (for example, Microsoft Entra ID / Azure AD or Google Workspace), we receive basic profile information such as your name, email address, and a unique identifier.
• Integrations — if you connect a Third-Party Integration to your account (for example, an accounting system, document store, or communication platform), we receive data from that integration as authorized by you.
• Service providers and business partners — we may receive information about you from vendors that help us operate, market, or improve the Services, including analytics, payment, fraud-prevention, and customer-relationship-management providers.
• Publicly available sources — we may collect information about you and your organization from public sources (for example, public regulatory filings, business directories, and professional networks) for sales and marketing purposes.

We do not knowingly collect or process special categories of personal data (such as health, biometric, or genetic data, or data revealing racial or ethnic origin) about account holders or website visitors. If you upload User Data to the Services, you are responsible for ensuring that you have a lawful basis to do so, and that any special-category data is handled in accordance with applicable law.

3. How We Use Information

We use personal information for the following purposes:

• Providing the Services — to authenticate you, deliver requested features, process your User Data, generate AI Outputs, and otherwise operate the Services.
• Account management and billing — to create and maintain your account, process payments, send invoices, and resolve billing issues.
• Customer support — to respond to your inquiries, troubleshoot problems, and provide technical assistance.
• Service improvement and product development — to understand how the Services are used, fix bugs, develop new features, evaluate model performance, and otherwise improve the Services.
• Security and fraud prevention — to detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service; to maintain audit logs; and to protect the rights, property, and safety of Aestim, our customers, and others.
• Communications — to send you operational and transactional messages (for example, service notifications, security alerts, billing notices, and policy updates) and, where permitted, marketing messages about Aestim products and offerings.
• Sales and marketing — to identify and reach out to prospective customers and to measure the effectiveness of our marketing.
• Compliance and legal — to comply with applicable laws, respond to lawful requests and legal process, enforce our Terms of Service, and exercise or defend legal claims.
• De-identification and aggregation — to generate De-Identified Data, which we may use and disclose for any lawful purpose as described in our Terms of Service.

4. How We Share Information

We do not sell personal information for money. We share personal information in the following circumstances:

• Service providers and processors — with vendors who perform services on our behalf, such as cloud hosting and storage, database and infrastructure providers, payment processing, communications and email delivery, analytics, customer-support tooling, error monitoring, customer-relationship-management, security, and the third-party AI service providers described in Section 5 below. These providers are bound by contractual obligations to use the information only to provide services to us.
• Third-Party Integrations you authorize — when you connect a Third-Party Integration, we share information with that integration as needed to operate the integration and as you direct.
• Affiliates — with our corporate affiliates, in which case the sharing will be governed by this Privacy Policy.
• Business transfers — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our business or assets, in which case personal information may be transferred to the successor or acquirer subject to standard confidentiality protections.
• Legal and safety — when we believe in good faith that disclosure is necessary to comply with applicable law, respond to lawful requests (including from law enforcement and government authorities), enforce our Terms of Service, protect our rights, property, or safety, or the rights, property, or safety of our users or others, or detect or prevent fraud, security, or technical issues.
• With your consent or at your direction — for any other purpose disclosed to you at the time we collect the information or with your consent.
• De-Identified Data — we may use and disclose De-Identified Data for any lawful purpose. We do not attempt to re-identify De-Identified Data and contractually prohibit our recipients from doing so.

5. Artificial Intelligence and Automated Processing

The Services use artificial intelligence and machine-learning models, including large language models developed and operated by third-party AI service providers, to process documents, extract structured data, generate suggestions, and produce other AI Outputs.

• What we send. To generate AI Outputs, we may send your User Data and certain prompt and context information to our AI service providers for processing.
• Provider commitments. We contract with our AI service providers to limit their use of data we send for processing. In particular, we do not authorize our AI service providers to use customer prompts, inputs, or outputs to train their general-purpose foundation models, except where you have opted in or where required by law.
• Model training by Aestim. We do not use the contents of your User Data to train third-party foundation models. We may use User Data internally to fine-tune, evaluate, or improve our own model configurations, prompts, and orchestration, including by generating De-Identified Data, as described in our Terms of Service.
• No solely automated decisions with legal effect. The Services are decision-support tools. We do not use the Services to make decisions about you that produce legal or similarly significant effects on you solely on the basis of automated processing. Our customers are responsible for reviewing AI Outputs and making the final determinations relating to their filings and clients.

6. Cookies and Similar Technologies

We and our service providers use cookies, pixels, local storage, and similar technologies (collectively, “cookies”) to operate and improve the Services. The types of cookies we use include:

• Strictly necessary cookies — required for the Services to function, including authentication and security.
• Functional cookies — to remember your preferences and settings.
• Analytics cookies — to understand how the Services are used, identify performance issues, and improve user experience.
• Marketing cookies — to measure the effectiveness of our marketing campaigns and to deliver relevant content; used only where permitted by applicable law and, where required, with your consent.

You can control cookies through your browser settings or, where available, through an in-product cookie preferences tool. Some cookies are necessary for the Services to work and cannot be disabled without affecting functionality. You can manage your choices for our marketing website at Your Privacy Choices.

We currently do not respond to “Do Not Track” browser signals. We honor recognized opt-out signals (such as the Global Privacy Control) where required by applicable law. When your browser sends the Global Privacy Control signal, we treat it as a request to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising and disable analytics and marketing cookies on our marketing website accordingly.

7. Data Retention

We retain personal information for as long as needed to provide the Services and for the purposes described in this Privacy Policy, including to maintain your account, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods vary depending on the type of information, the purpose for which it is processed, and our legal and contractual obligations.

If you close your account or your account is terminated, we will delete or de-identify personal information associated with your account within a reasonable period, except where we are required or permitted to retain it (for example, to comply with tax, accounting, or other legal obligations; to resolve disputes; to prevent fraud; or to enforce our agreements). Backup copies may persist for a limited period after deletion until they are overwritten in the ordinary course.

If your account becomes ninety (90) or more days delinquent, your User Data may be irretrievably deleted, as described in our Terms of Service.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption in transit and at rest, access controls, network segmentation, audit logging, and regular security reviews.

No system is perfectly secure. We cannot guarantee the absolute security of personal information, and you provide information at your own risk. You are responsible for keeping your account credentials confidential and for notifying us promptly of any actual or suspected unauthorized access.

9. International Data Transfers

Aestim is based in the United States, and we process personal information in the United States and in other countries where our service providers operate. As described in Section 12, the Services are intended solely for users located in the United States and are not offered or directed to individuals in jurisdictions outside the United States. If you are located outside the United States, you should not use the Services or provide personal information to us.

10. Children's Privacy

The Services are intended for use by businesses and professionals. They are not directed to children, and we do not knowingly collect personal information from anyone under the age of 18. If you believe that a child under 18 has provided us with personal information, please contact us at legal@aestim.ai and we will take appropriate steps to delete it.

11. Your Choices and Rights

You have the following choices regarding your personal information:

• Access and updates. You can access and update your account information through the in-product settings.
• Marketing communications. You can opt out of marketing emails by clicking the “unsubscribe” link in any marketing message or by contacting us. We may still send you transactional and operational messages relating to your account.
• Cookies. You can control cookies through your browser and through our Your Privacy Choices page.
• Account closure. You can request closure of your account through the in-product settings or by contacting us.

In addition, you may have specific rights under applicable data protection laws, as described in Sections 12, 13, and 14 below.

12. Users Outside the United States

The Services are intended solely for users located in the United States. We do not offer or direct the Services to individuals in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions outside the United States, and we do not knowingly collect personal information from individuals in those jurisdictions.

If you are located outside the United States, please do not use the Services or submit personal information to us. If you believe that you, or someone whose information you control, have provided personal information to us from outside the United States, please contact us at legal@aestim.ai and we will take appropriate steps to delete the information.

13. California Residents (CCPA/CPRA)

This section provides additional information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”), for California residents.

Categories of personal information. In the last twelve (12) months, we have collected the following categories of personal information, as defined by the CCPA:

We do not knowingly collect sensitive personal information from our account holders or visitors beyond what is necessary to authenticate them and operate the Services (for example, account credentials). User Data uploaded by business customers may contain additional information; the business customer is the controller of that data.

Sale or sharing. We do not “sell” personal information for monetary consideration. Depending on how cookies are characterized, certain analytics or advertising cookies may constitute “sharing” or “cross-context behavioral advertising” under the CCPA. Where required, we honor recognized opt-out preference signals, such as the Global Privacy Control. You may also submit an opt-out request through the methods described below or by visiting Your Privacy Choices. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Your California rights. Subject to verification, California residents have the right to:

• know the categories and specific pieces of personal information we have collected about them;
• request deletion of personal information;
• request correction of inaccurate personal information;
• opt out of “sale” or “sharing” of personal information;
• limit the use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right); and
• not be subject to discrimination for exercising these rights.

How to exercise your rights. You or your authorized agent may submit a request by emailing legal@aestim.ai. We will verify your identity using account information or other reasonable means. Authorized agents must provide proof of authorization.

Shine the Light. California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. To make such a request, email legal@aestim.ai.

Retention. We retain each category of personal information for as long as needed to fulfill the purposes described in Section 7 above.

14. Other U.S. State Privacy Rights

If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive consumer privacy law, you may have rights similar to those described above, including rights to access, correct, delete, and port your personal information, and to opt out of certain processing such as targeted advertising and profiling that produces legal or similarly significant effects. To exercise your rights, contact us at legal@aestim.ai. If we deny your request, you may appeal by replying to our denial and we will respond as required by applicable law.

15. Where Aestim Acts as a Processor

When Aestim processes User Data on behalf of a business customer, we act as a processor or service provider, and our processing is governed by our agreement with that business customer (and any applicable Data Processing Addendum). If you are an individual whose personal information appears in User Data uploaded by one of our business customers, please direct your privacy requests to that business customer in the first instance. We will assist our customers in responding to verified requests as required by applicable law.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services, by email, or by posting the updated Privacy Policy with a new “Last Updated” date. Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the updated terms.

17. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at: