Privacy Policy
How Dimora AI collects, uses, and protects your information
Last Updated: April 20, 2026 — Effective: April 20, 2026
Version 2.0 — Supersedes all prior versions
Introduction
Welcome to Dimora AI. This Privacy Policy explains how GT1 Partners LLC, a California limited liability company, doing business as Dimora AI ("Dimora AI," "we," "us," or "our") collects, uses, discloses, and protects personal information when you interact with our AI operations services for property managers.
This policy applies to: (a) visitors to dimora.ai; (b) property management companies that subscribe to our platform ("Customers"); and (c) the guests of those property managers whose data we process on the Customer's behalf.
B2B2C Service Model — Controller vs. Processor
Dimora AI acts as a data processor on behalf of our business clients (property management companies). The property manager is the data controller for their guests' personal data. When a guest calls a property using our Voice AI or receives an Inbox AI draft reply, both Dimora AI and the property manager have responsibilities regarding that data. We process data only on the Controller's documented instructions, as set out in our Data Processing Agreement (DPA).
For our direct business relationships (website visitors, Customer account contacts), Dimora AI acts as an independent data controller and this policy governs those processing activities in full.
Information We Collect
A. From Website Visitors
- Contact Information: Name and email address when you submit contact forms, request a demo, or sign up for the 14-day free trial.
- Analytics & Tracking: This website uses Google Analytics 4 (GA4 — property G-1845HX1SQM), Microsoft Clarity (vdj4sps9l2), Ahrefs Analytics, and Meta Pixel. These tools collect browsing behaviour, page views, session duration, device type, referring URL, and similar data. They are loaded only after you provide consent via our cookie banner. See Section 14 for the full cookie disclosure.
- Technical Data: IP address, browser type, operating system, and page interaction data collected automatically for security and performance monitoring.
B. From Service Clients (Property Managers)
- Business Information: Company name, property portfolio details, team member names and email addresses, billing contact information.
- PMS Integration Data: We connect to your Guesty account via API to access property listings, reservation details, guest messages, and saved reply templates. We do not write to your PMS except to send AI-drafted message replies when approved.
- Configuration Data: AI training preferences, feedback on draft quality, approved and rejected message examples, and custom reply templates — used to improve AI performance for your specific portfolio.
C. From Guests (Processed on Behalf of Property Manager Clients)
- Call Data: Voice audio (processed in real-time by Deepgram for transcription — raw audio is not retained in Dimora's databases), call transcripts, call duration, date and time, and caller phone number.
- Guest Identity: First and last name, phone number, email address (where available from the PMS), and reservation details — read from the property manager's PMS or captured during calls.
- Inquiry Content: The substance of guest requests, complaints, and inquiries — captured as call transcripts or inbox message content.
- Preferences & History: Past interaction summaries stored in our guest memory system to enable personalised, context-aware responses across future calls.
What We Do Not Collect — Data Minimization
We believe collecting less data is a competitive advantage, not just a compliance obligation. The following categories of sensitive data are never collected or stored by Dimora AI:
Dimora does not collect or store:
Guest personal data held in Dimora's own systems is limited to: name, phone number, email address (when available from the PMS), and call transcripts. Voice audio is processed by our sub-processors for real-time transcription only and is not persisted in Dimora's databases.
Financial transaction data stays in your PMS. We read reservation balances only to flag outstanding amounts for the Payment Audit module. We never hold or process payment credentials on your guests' behalf.
Call Recordings & Transcripts
Recording Notice
Calls with our AI assistant are recorded and transcribed.
At the start of each call, the AI assistant announces that the call may be recorded. This satisfies the EU AI Act Article 50 transparency requirement for AI-generated content and interactions. Property managers using our service are responsible for any additional jurisdiction-specific consent obligations (e.g., California two-party consent under CIPA, Florida, Illinois, and similar all-party consent statutes).
Audio Processing Pipeline
Step 1 — Real-Time Transcription (Deepgram)
Raw voice audio is streamed to Deepgram for real-time speech-to-text conversion. Deepgram processes the audio stream and returns a text transcript. Raw audio is not stored in Dimora's databases. Deepgram's retention of audio in its own systems is governed by Deepgram's DPA and privacy policy. Per Deepgram's standard terms, audio is not retained beyond the transcription session buffer.
Step 2 — LLM Inference (OpenAI)
The live transcript text is passed to OpenAI's API (GPT models) for AI response generation. OpenAI processes transcripts under its API Data Processing Addendum. Per OpenAI's standard API terms (zero data retention agreement in effect), content submitted via the API is not used to train OpenAI models and is retained for a maximum of 30 days for abuse monitoring purposes.
Step 3 — Transcript Storage (Dimora / Supabase)
The completed call transcript, duration, caller phone number, and call outcome are stored in Dimora's Supabase database (AWS us-east-1). Transcripts are retained for 90 days post-call, then permanently deleted. Post-termination of a Customer account, all transcripts are deleted within 90 days.
GDPR Articles 13 & 14 — Full Processing Disclosure
Under GDPR Articles 13 and 14, we are required to disclose the following information for each category of personal data we process. This table covers all data categories processed by Dimora AI as both controller and processor.
| Data Category | Source | Legal Basis (Art. 6) | Purpose | Retention | Recipients | Transfer |
|---|---|---|---|---|---|---|
| Guest Name, Phone, Email | PMS (Guesty) — Art. 14 indirect | Art. 6(1)(b) — Contract | Call handling, inbox drafts, upsell offers, memory enrichment | 90 days post-call / post-termination | VAPI, OpenAI, Supabase, Guesty | EU → US (SCCs Module 2) |
| Call Transcripts | Deepgram real-time — Art. 14 indirect | Art. 6(1)(b) — Contract; Art. 6(1)(f) — Legitimate Interest (quality assurance) | Service delivery, AI learning, QA, dispute resolution | 90 days post-call | OpenAI (inference), Supabase (storage), Google (summaries) | EU → US (SCCs Module 2) |
| Guest Preferences & History | Aggregated from prior calls | Art. 6(1)(b) — Contract; Art. 6(1)(f) — Legitimate Interest | Personalised AI responses, memory injection | Duration of Customer contract + 90 days | Supabase, VAPI (runtime injection) | EU → US (SCCs Module 2) |
| Guest Inbox Messages | PMS (Guesty) — Art. 14 indirect | Art. 6(1)(b) — Contract | AI draft generation, inbox AI training | 90 days post-termination | OpenRouter, Google Gemini, Supabase | EU → US (SCCs Module 2) |
| Customer Contact Info | Direct — Art. 13 | Art. 6(1)(b) — Contract | Account management, billing, support | Term + 7 years (billing records) | Stripe, DocuSign, Supabase | EU → US (SCCs Module 2 / DPF) |
| Website Visitor Data (analytics) | Direct — Art. 13 | Art. 6(1)(a) — Consent | Product analytics, ad performance measurement | Per tracker policy (GA4: 14 months default) | Google (GA4), Microsoft (Clarity), Meta (Pixel), Ahrefs | EU → US (DPF / SCCs) |
| Website Visitor Data (essential) | Direct — Art. 13 | Art. 6(1)(f) — Legitimate Interest (security, fraud prevention) | Site security, bot detection, load balancing | Session / 30 days | Hosting infrastructure only | EU → US |
| Billing & Payment Records | Direct — Art. 13 | Art. 6(1)(c) — Legal Obligation (US tax law) | Tax compliance, revenue recognition, dispute resolution | 7 years | Stripe, Supabase | EU → US (DPF) |
| Support Correspondence | Direct — Art. 13 | Art. 6(1)(f) — Legitimate Interest | Issue resolution, service improvement | 2 years | Supabase (internal logs) | EU → US (SCCs Module 2) |
| Anonymized Transcript Data | Derived from call transcripts | Art. 6(1)(f) — Legitimate Interest (AI improvement) | AI model improvement (no identifiable data) | Indefinite (no personal data present) | Internal only | N/A (no personal data) |
Your Rights Under This Table
For every data category above, you may exercise your rights to access, rectify, erase, restrict, or object to processing by contacting privacy@dimora.ai. Where the legal basis is legitimate interest, you have an unconditional right to object under Art. 21 GDPR. Where the basis is consent, you may withdraw at any time without affecting the lawfulness of prior processing.
Legal Bases for Processing (GDPR Article 6)
For customers and guests in the European Union and European Economic Area, we rely on the following lawful bases:
Article 6(1)(b) — Contract Performance
Applies to: Call handling, inbox reply drafting, revenue upsells, payment auditing, PMS integration
Processing is necessary to deliver the contracted AI operations services to the property manager (Controller). As processor, we act on the Controller's documented instructions.
Article 6(1)(f) — Legitimate Interests
Applies to: AI model improvement using anonymized transcripts; security monitoring; fraud prevention; guest memory enrichment; support logs
Legitimate interest assessment (LIA) documented internally. Data subjects retain the right to object under Art. 21. Our LIA is available on request at privacy@dimora.ai.
Article 6(1)(a) — Consent
Applies to: Website analytics (GA4, Microsoft Clarity, Meta Pixel, Ahrefs); marketing communications
Collected via our LocalStorage-based cookie consent banner. Withdrawable at any time via the footer cookie preferences link or by contacting privacy@dimora.ai.
Article 6(1)(c) — Legal Obligation
Applies to: Billing records, tax records, mandatory disclosures to regulatory authorities
Retention periods are set by applicable US tax law (7 years) and any mandatory reporting obligations.
How We Use Information
- Service Delivery: Operate the Voice AI receptionist, Inbox AI drafting, Revenue Engine upsells, Payment Audit, and all other platform modules.
- AI Improvement: Improve AI performance using anonymized, aggregated interaction data. Individually identifiable guest data is not used for model training without appropriate safeguards and, where required, explicit permission.
- Memory Enrichment: Persist guest interaction history across calls so the AI can reference prior preferences, prior issues, and prior conversations — creating more helpful and personalised guest experiences.
- Security: Detect and prevent fraudulent activity, unauthorized access, and abuse of our platform.
- Billing: Process Customer subscription payments and maintain billing records as required by applicable law.
- Service Communications: Send billing receipts, security alerts, policy updates, and other service-essential communications. These are not opt-out-able while you are a Customer.
Automated Decision-Making (GDPR Article 22)
GDPR Article 22 gives data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The following disclosures cover Dimora's automated processing activities:
Voice AI — Fully Automated Call Handling
Our Voice AI (Maggie) handles inbound guest calls fully automatically, without a human operator on the line. The AI makes real-time decisions about how to respond to guest inquiries, including: providing property information, discussing reservation changes, routing emergencies, and generating upsell offers.
Nature of effects: In most cases, the AI's responses are informational or facilitative. We do not believe standard call-handling constitutes "legal or similarly significant effects" within the meaning of Art. 22(1). However, in an abundance of caution, we provide the following human review mechanisms.
Right to Human Review
Any guest who believes an automated call outcome has produced a significant effect on them may email privacy@dimora.ai to: (1) obtain human review of the AI's decision by the property manager, (2) express their viewpoint, and (3) contest the outcome. We will escalate the request to the relevant Customer within 2 business days.
Inbox AI — Draft Generation (Not Fully Automated)
Inbox AI drafts are generated automatically but reviewed and approved by a human property manager before being sent to the guest. This "human-in-the-loop" design means Inbox AI does not constitute solely automated decision-making under Art. 22.
Revenue Engine — Upsell Offer Generation
Revenue Engine automatically identifies upsell opportunities (late checkout, early check-in, gap night extensions) and sends offers to guests. Guest acceptance is required — no charges are made automatically. Guests may decline any offer without consequence.
Payment Audit — Balance Flagging
Payment Audit automatically flags outstanding reservation balances. This is a notification to the property manager only — no automated action is taken against the guest. The property manager decides whether and how to follow up.
AI Training Data Processing
Dimora AI uses interaction data to improve our AI systems. The following disclosures govern how this is done:
What We Do — Dimora's Own AI Improvement
We use anonymized and pseudonymized call transcript excerpts and inbox drafts to identify patterns, improve response quality, and retrain our internal AI learning systems. Before use for this purpose, personal identifiers (names, phone numbers, email addresses, specific property details) are removed or replaced with generalized equivalents.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in improving service quality. We do not use identifiable personal data for AI model training. EU data subjects have the right to object to this processing by emailing privacy@dimora.ai.
Sub-Processor AI Training Policies
- OpenAI: We operate under OpenAI's API Data Processing Addendum with zero data retention settings enabled. Content submitted via the API is not used to train OpenAI models. OpenAI retains API inputs/outputs for up to 30 days solely for abuse monitoring, then deletes them.
- Anthropic (Claude / via OpenRouter): Per Anthropic's published API policy, content submitted via the API is not used to train Anthropic models. No retention beyond inference.
- Google (Gemini API): Content submitted via the Gemini API is not used to train Google's models, per Google's Cloud Data Processing Addendum. Google Workspace (Gmail for post-call summaries) is governed by the Google Workspace DPA.
- Deepgram: Voice audio submitted for transcription is not used to train Deepgram models under our enterprise agreement. Audio data is not retained beyond the transcription buffer.
- xAI (Grok) / OpenRouter: No retention beyond inference per OpenRouter's and xAI's published policies.
Right to Object to AI Training Use
EU data subjects and California residents may object to the use of their interaction data for AI training improvement purposes by emailing privacy@dimora.ai with subject line "AI Training Objection." We will exclude your data from any further AI improvement processing within 14 days of a verified request.
Data Sharing & Sub-Processors
We share personal data only with trusted sub-processors necessary to deliver our service. We do not sell personal data to third parties. We do not share personal data for cross-context behavioral advertising.
A full public list of all sub-processors with DPA links is maintained at dimora.ai/sub-processors. Current sub-processors as of the last updated date of this policy:
| Sub-Processor | Purpose | Data Accessed | Location | DPF |
|---|---|---|---|---|
| VAPI | Voice AI platform for guest calls | Call audio, transcripts, phone numbers, duration | United States (GCP) | No |
| OpenAI | LLM inference for Voice AI (Maggie) | Live call transcript content | United States | Yes |
| OpenRouter | LLM routing for Inbox AI sub-workflows | Guest message content for AI drafting | United States | No |
| Deepgram | Real-time speech-to-text transcription | Voice audio stream | United States | Yes |
| ElevenLabs | Voice synthesis for AI responses (via VAPI) | AI-generated response text | United States | No |
| Google (Gemini + Workspace) | Inbox AI classification + call summary emails + VAPI post-call analysis | Guest messages, call transcripts, call summaries | United States | Yes |
| Guesty | Property management system (PMS) integration | Guest names, reservations, messages, lock codes — read-only via API on Customer's Guesty tenant | United States / European Union (depending on Customer's tenant region) | No |
| Supabase | Database for operational data storage | Guest names, phone, email, call metadata, AI drafts, transcripts | United States (AWS us-east-1) | Yes |
| Stripe | Payment processing for customer subscriptions | Customer billing information, VAT ID, payment method | United States | Yes |
| DocuSign | Electronic signature for Service Agreement and DPA | Customer contact info, signed document | United States | Yes |
| Railway | Infrastructure hosting for workflow platform (n8n) | Infrastructure logs, workflow execution data (transient) | United States | No |
Sub-Processor Change Notice
We notify Customers at least 30 days before adding or materially changing any sub-processor. Customers who have executed a DPA have the right to object to new sub-processors within that 30-day window. To subscribe to change notifications, email privacy@dimora.ai.
Data Retention Schedule
We retain personal information only as long as necessary for the stated purpose, and then delete or anonymize it. The schedule below represents our maximum retention periods.
| Data Type | Retention Period | Reason | Deletion Method |
|---|---|---|---|
| Call Recordings (Guesty-side) | 30–90 days | Per Guesty's retention policy; PM-controlled | Guesty platform deletion |
| Call Transcripts (Dimora / Supabase) | 90 days post-call | QA, dispute resolution, service improvement | Automated permanent deletion |
| Inbox AI Drafts | 90 days post-termination | AI learning, quality review | Automated permanent deletion |
| Guest Memory Data | Duration of Customer contract + 90 days | Personalized service delivery | Automated permanent deletion |
| Reservation Metadata | Contract term + 3 years | Dispute resolution, revenue auditing | Automated anonymization |
| Billing Records | 7 years | US tax law (IRS requirements) | Secure deletion per retention schedule |
| Support Logs | 2 years | Dispute resolution, service improvement | Automated permanent deletion |
| Marketing / Lead Data | Until consent withdrawn | Consent-based (Art. 6(1)(a)) | Immediate on withdrawal |
| Website Analytics (GA4) | 14 months (GA4 default) | Traffic analysis; consent-based | Per Google's automatic rolling window |
| Security / Access Logs | 90 days | Fraud prevention, incident response | Automated rolling deletion |
Post-Termination Data Deletion
Upon termination of a Customer account, all personal data held in Dimora's systems is deleted within 90 days, except billing records retained for the 7-year statutory period. Customers may request expedited deletion by submitting a written request to privacy@dimora.ai. Confirmation of deletion is provided within 30 days.
Data Security
We implement multiple layers of security controls to protect personal data against unauthorized access, alteration, disclosure, or destruction:
Encryption in Transit
HTTPS and TLS 1.3 for all data transmission between clients, our platform, and sub-processors.
Encryption at Rest
AES-256 encryption for all data stored in Supabase (AWS us-east-1, with AWS-managed KMS keys).
Access Control
Role-based access control (RBAC) with Row-Level Security (RLS) policies. Multi-factor authentication required for all production systems.
Audit Logging
Production access logged via Supabase audit logs. Access events reviewed quarterly; anomalies investigated within 24 hours.
Minimal Production Access
Only two personnel (founders) have production database access. Sub-processor access is strictly scoped to the minimum necessary.
Breach Notification
In the event of a data breach affecting EU residents, we will notify relevant supervisory authorities within 72 hours and affected individuals without undue delay, as required by GDPR Art. 33-34.
To report a security vulnerability, contact security@dimora.ai. We operate a responsible disclosure policy and respond to security reports within 48 hours.
California Privacy Rights (CCPA / CPRA)
California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights apply to personal information about California residents that we hold as a controller. The following seven enumerated rights apply:
1. Right to Know
You may request: (a) the categories and specific pieces of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) the business or commercial purpose for collecting it; (d) the categories of third parties to whom we disclosed it; and (e) the specific pieces of personal information collected (a "data portability request"). We will respond within 45 days, extendable once by an additional 45 days with notice.
2. Right to Delete
You may request deletion of personal information we have collected about you. We will delete and direct our service providers to delete your information, subject to exceptions: (a) completing a transaction; (b) detecting security incidents; (c) complying with legal obligations; (d) making solely internal uses consistent with your expectations. We will confirm deletion in writing within 45 days.
3. Right to Correct
You may request correction of inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct the information, considering the nature of the information and the purposes of processing, within 45 days.
4. Right to Opt-Out of Sale / Sharing
Dimora AI does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioral advertising. No opt-out is required. We recognize and honor Global Privacy Control (GPC) signals as opt-out signals where technically feasible.
5. Right to Limit Use of Sensitive Personal Information
Where we process sensitive personal information (as defined by CPRA), you may direct us to limit its use to the purposes permitted by CPRA. Given our data minimization approach, Dimora collects no CPRA-defined sensitive personal information in the ordinary course of business (we do not collect government IDs, financial account details, precise geolocation, racial/ethnic origin, religious beliefs, biometric data, or health information).
6. Right to Non-Discrimination
We will not discriminate against you for exercising any CCPA/CPRA right. We will not deny goods or services, charge different prices, provide a different level or quality of service, or suggest you will receive different treatment for exercising your privacy rights.
7. Authorized Agent
You may designate an authorized agent (a natural person or registered business entity) to submit CCPA requests on your behalf. We require: (a) written proof of the agent's authorization signed by you; and (b) verification of your identity directly (we may contact you to confirm). We will respond to authorized agent requests with the same SLA as direct requests. Agent misrepresentation is a violation of California law.
How to Submit a CCPA Request
Email privacy@dimora.ai with subject line "CCPA Request — [Right Type]". We will acknowledge receipt within 5 business days, verify your identity (for requests involving specific personal information), and fulfill the request within 45 days. There is no charge for CCPA requests, unless manifestly unfounded or excessive (in which case we may charge a reasonable fee or decline and explain why).
We Do Not Sell Personal Information
Dimora AI does not sell or share personal information for monetary or other valuable consideration. We have not sold personal information in the past 12 months. We do not have actual knowledge that we sell or share personal information of consumers under the age of 16.
EU & UK Data Subject Rights (GDPR / UK GDPR)
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under GDPR (or UK GDPR, as applicable). These rights may be exercised by submitting a request to privacy@dimora.ai.
Right of Access (Art. 15)
Obtain a copy of the personal data we hold about you, and information about how it is used.
Right to Rectification (Art. 16)
Have inaccurate personal data corrected without undue delay.
Right to Erasure / Right to be Forgotten (Art. 17)
Have personal data deleted where it is no longer necessary, or where consent is withdrawn and no other basis applies.
Right to Restriction of Processing (Art. 18)
Have processing restricted while accuracy is contested, or where processing is unlawful but you prefer restriction over erasure.
Right to Data Portability (Art. 20)
Receive personal data you provided to us in a structured, machine-readable format, and have it transmitted to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests (Art. 6(1)(f)). We must cease processing unless we demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Rights Related to Automated Decision-Making (Art. 22)
Not be subject to solely automated decisions producing significant effects. Request human review, express your viewpoint, and contest automated decisions.
Response Timeline & Process
- Acknowledgment within 5 business days of receipt.
- Fulfillment within 30 calendar days (GDPR) or 45 calendar days (CCPA).
- One-time extension of 2 additional months (GDPR) / 45 days (CCPA) permitted for complex or numerous requests, with prior written notice.
- All rights requests fulfilled free of charge, unless manifestly unfounded or excessive.
- Identity verification required for requests involving access to specific personal data. We may ask you to confirm information we hold on file. We will not require disproportionate verification for simple requests.
Children's Privacy (GDPR Art. 8 / COPPA)
Our platform is a B2B service directed at property management businesses. It is not intended for, nor directed to, individuals under the age of 18 (or under 16 in EU/EEA jurisdictions where the lower age of digital consent applies).
GDPR Article 8 — Conditions Applicable to Children's Consent
Under GDPR Article 8, consent for information society services offered to children requires parental or guardian authorisation for children below the age of digital consent. The EU member state thresholds vary: 16 years by default (GDPR), 13 years in Spain under LOPDGDD (Organic Law 3/2018 on Data Protection and Digital Rights Guarantee), 13 years in the UK, and 13 years in the US under COPPA.
Dimora's services are not directed to minors. If a guest call is made by a minor, the property manager (as data controller) is responsible for ensuring appropriate parental consent where required by applicable law. We do not knowingly collect personal data from children under 13 without verifiable parental consent.
If We Discover Child Data Has Been Collected
If we become aware that we have inadvertently collected personal data from an individual under the applicable age of consent without proper parental authorisation, we will: (1) notify the relevant Customer within 24 hours; (2) delete the personal data from our systems within 5 business days; and (3) notify the relevant supervisory authority if required by law. Parents or guardians who believe their child's data has been processed may contact us at privacy@dimora.ai.
International Data Transfers
Dimora AI is incorporated and headquartered at 72-811 HWY 111, Suite 1030, Palm Desert, CA 92260, USA. All primary data storage occurs in AWS us-east-1 (N. Virginia, USA). When personal data from the European Union or United Kingdom is transferred to the United States, we rely on the following transfer mechanisms:
| Data Category | Source Country | Destination | Transfer Mechanism | Safeguards |
|---|---|---|---|---|
| Guest call/inbox data | EU/EEA/UK | US (AWS us-east-1) | Standard Contractual Clauses (2021 SCCs, Module 2 — Controller to Processor) | SCCs incorporated into DPA; TIA documented; encryption in transit and at rest |
| Guest call transcripts (LLM inference) | EU/EEA/UK | US (OpenAI, Google, Deepgram) | DPF (OpenAI, Google, Deepgram certified) + SCCs as supplementary safeguard | Sub-processor DPAs executed; zero data retention settings applied |
| Customer billing data | EU/EEA/UK | US (Stripe) | EU-US Data Privacy Framework (Stripe certified) | Stripe DPA executed; PCI-DSS compliance |
| Electronic signatures | EU/EEA/UK | US (DocuSign) | EU-US Data Privacy Framework (DocuSign certified) | DocuSign DPA executed; eIDAS-compliant |
| Website analytics | EU/EEA/UK | US (Google, Microsoft, Meta) | Consent (Art. 6(1)(a)) + DPF certification (Google, Microsoft, Meta) | Consent obtained before tracking; DPF-certified processors |
| Infrastructure logs (n8n) | EU/EEA/UK | US (Railway) | Standard Contractual Clauses (2021 SCCs) | Railway DPA executed; transient data only |
EU-US Data Privacy Framework (DPF)
GT1 Partners LLC, dba Dimora AI, has initiated the process of self-certifying to the EU-US Data Privacy Framework (DPF) operated by the US Department of Commerce. Certification is pending as of the last updated date of this policy. Until certification is complete, transfers involving Dimora as controller are covered by the 2021 Standard Contractual Clauses (Module 1 — Controller to Controller, for website visitor data; Module 2 — Controller to Processor, for Customer and guest data). Our DPF self-certification will be listed under "GT1 Partners LLC" in the DPF registry at dataprivacyframework.gov.
EU Representative (GDPR Article 27)
Formal appointment of an EU representative under GDPR Article 27 is in progress. In the interim, EU data subjects may contact us directly at privacy@dimora.ai. We respond to all EU data subject inquiries within 30 days.
Marketing Communications
We send marketing communications (product updates, feature announcements, case studies, educational content) only where we have a lawful basis:
Opt-In Basis (EU / UK)
For contacts in the EU and UK, marketing emails are sent only where we have obtained prior explicit consent (GDPR Art. 6(1)(a)) or where the soft opt-in applies (an existing customer relationship with a relevant product or service, under ePrivacy Directive Art. 13(2)). You may withdraw consent at any time via the unsubscribe link in every marketing email, or by emailing privacy@dimora.ai.
CAN-SPAM / CASL Compliance
All commercial emails include: a physical mailing address, a clear identification of the sender, a functional one-click unsubscribe mechanism, and are processed within 10 business days. We comply with CAN-SPAM Act (US) and CASL (Canada) requirements.
Non-Marketing (Service) Communications — Not Opt-Out-Able
Transactional and service-related communications — including billing receipts, subscription renewal notices, security alerts, and legally required disclosures — are sent based on contractual necessity (Art. 6(1)(b)) and are not subject to unsubscribe, as they are integral to the service relationship.
How to Exercise Your Rights
To exercise any right described in this policy (GDPR, CCPA, or other applicable law), follow this process:
Step 1 — Submit Your Request
Email privacy@dimora.ai with:
- Subject line: "[GDPR/CCPA] [Right Type] Request — [Your Name]"
- Your full name and the email address / phone number associated with your data
- Whether you are submitting as a data subject or as an authorized agent
- A description of the specific right you are exercising
Step 2 — Identity Verification
For requests involving access to specific personal data, we verify your identity by asking you to confirm information we already hold on file (e.g., email address, last 4 digits of a phone number). We do not require government-issued ID unless strictly necessary to prevent fraud. Verification protects you against unauthorized third-party access to your data.
Step 3 — Response
We acknowledge receipt within 5 business days. We fulfill the request within 30 days (GDPR) or 45 days (CCPA), with one possible extension (plus written notice). All responses are free of charge. If we are unable to fulfill a request (e.g., due to a legal exception), we explain why in writing and inform you of your right to complain to a supervisory authority.
Privacy Contact & Data Protection
Dimora AI has not formally appointed a Data Protection Officer (DPO) under GDPR Article 37, as we do not meet the threshold criteria for mandatory DPO appointment: we are not a public authority or body; our core activities do not consist of large-scale systematic monitoring of individuals; and we do not process special categories of data on a large scale.
All privacy-related inquiries, rights requests, data breach notifications, and complaints should be directed to our Privacy Contact:
Privacy Contact & Data Protection Inquiries
privacy@dimora.ai
Acknowledgment within 5 business days — Fulfillment within 30 days (GDPR) / 45 days (CCPA)
Legal Entity
GT1 Partners LLC, dba Dimora AI
Riverside County, California
EIN: 41-2621031
General Inquiries
admin@dimora.ai
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, sub-processors, applicable law, or regulatory guidance. When we make material changes:
- We will update the "Last Updated" date at the top of this policy.
- For material changes affecting EU data subjects' rights, we will provide at least 30 days' advance notice by email to active Customers.
- For sub-processor additions or replacements, we follow our 30-day sub-processor change notice process described in Section 10.
- Continued use of our services after the effective date of updated terms constitutes acceptance of the revised policy.
Prior versions of this policy are available upon request by emailing privacy@dimora.ai.