Privacy Policy

Last updated: 24 June 2026

Aware Index is operated by SmartSec Academy OÜ. This Privacy Policy explains how we collect, use, share and retain personal data when you visit awareindex.com, contact us, request a Free AI Trust Snapshot, purchase or receive a paid report, or otherwise interact with Aware Index.

In this policy, "Aware Index", "we", "us" and "our" refer to SmartSec Academy OÜ.

1. Who is responsible for your data

The data controller is:

2. Who this policy applies to

This policy applies to website visitors, business representatives, prospective clients, clients, form respondents and other people who communicate with Aware Index. Our services are intended for business and professional use and are not directed at children.

3. Personal data we collect

3.1 Information you provide

• Contact information, such as your name, work email address, role, organisation and country or region.
• Business information, such as your business name, website, sector, public profiles, target customers and the information you want your business to be known for.
• Information included in enquiries, form responses, correspondence, feedback and support requests.
• Order and transaction information, such as the service purchased, payment status, invoice details and refund status. We do not receive or store your full payment card details.

3.2 Information collected through the website

• Technical and security information processed by our hosting and security infrastructure, which may include IP address, browser type, device information, request time, requested pages, security events and similar server log data.
• Strictly necessary information used to deliver and protect the website. We do not use analytics, advertising pixels or behavioural tracking on the website at launch.

3.3 Publicly available business information

When carrying out a review, we may examine information that a business or its representatives have made publicly available, including website content, business directories, search results, public social media or professional profiles, public reviews and other visible trust signals. This may incidentally include personal data such as names, job titles, professional contact details, photographs or public statements.

We use only the information reasonably necessary for the requested business review. We do not build personal profiles, assess private individuals, or intentionally collect special category data.

4. Why we use personal data and our legal bases

We process personal data only where we have a lawful basis. Depending on the context, we use it for the following purposes:

• To respond to enquiries and take steps requested before a service is purchased. Legal basis: steps before entering into a contract and our legitimate interest in responding to business enquiries.
• To assess, select and deliver Free AI Trust Snapshots. Legal basis: our legitimate interest in operating and improving the service requested by the business contact.
• To accept orders, deliver paid reports, provide support and manage refunds or disputes. Legal basis: performance of a contract.
• To review public business information and selected AI/search outputs. Legal basis: our legitimate interest in providing a human-reviewed business clarity service, balanced against the limited nature of the public information used.
• To protect the website, prevent abuse, investigate incidents and maintain service security. Legal basis: our legitimate interest in protecting our systems, users and business.
• To maintain accounting, tax and legally required business records. Legal basis: compliance with legal obligations.
• To send optional updates or marketing communications where you have actively requested them. Legal basis: consent. You can withdraw consent at any time.

5. How AI and search tools are used

Aware Index uses selected third-party AI assistants, search engines and related services to test how public business information may be interpreted or presented. These checks are evidence inputs, not final decisions. Findings are reviewed by a person before they are included in a snapshot or report.

We may submit a business name, website address, public description or neutral test prompt to these services. We do not intentionally submit confidential customer information, private personal data, payment information or special category data to AI/search tools.

AI and search outputs can vary by platform, location, timing, wording, settings and system updates. We do not use solely automated decision-making that produces legal or similarly significant effects on individuals.

6. Who we share personal data with

We share personal data only where reasonably necessary. Recipients may include:

• Cloudflare, for website hosting, DNS, content delivery, security and email routing.
• Google Workspace, for receiving, storing and managing service email and correspondence.
• Tally, when used for external intake forms and form submissions.
• Stripe, when paid services are enabled, for payment processing, fraud prevention and transaction administration.
• Selected AI and search service providers, but only for limited public-business-information checks as described above.
• Accountants, professional advisers, insurers, contractors or service providers where necessary and subject to appropriate confidentiality or data protection obligations.
• Courts, regulators, law enforcement or public authorities where disclosure is required by law or necessary to establish, exercise or defend legal claims.

We do not sell personal data.

7. International data transfers

Some service providers may process data outside Estonia or the European Economic Area. Where personal data is transferred internationally, we use or rely on appropriate safeguards made available under applicable data protection law, such as an adequacy decision, standard contractual clauses or another lawful transfer mechanism.

8. How long we keep personal data

We use short retention periods wherever practical:

• General enquiries and unselected Free AI Trust Snapshot requests: normally deleted within 90 days after the last meaningful contact or selection decision.
• Selected free snapshot intake data, working notes and evidence: normally deleted within 90 days after delivery.
• Paid-report working files, research notes and evidence screenshots: normally deleted within six months after delivery.
• Final paid reports and core service correspondence: normally retained for up to 12 months after delivery for support, factual queries and service records, then deleted.
• Payment, invoice and accounting records: retained for the period required by applicable accounting and tax law. Estonian accounting source documents are generally retained for seven years from the end of the financial year in which the transaction was recorded.
• Marketing consent and opt-out records: retained only as long as needed to manage your preference and demonstrate compliance. A minimal suppression record may be kept to ensure that an opt-out is respected.

We may retain limited information for longer where required by law, where a dispute or legal claim is active or reasonably anticipated, or where temporary backup copies remain until they are securely overwritten.

9. Security

We use reasonable technical and organisational measures appropriate to the nature of the service, including access controls, secure service providers and restricted access to working materials. No online service can guarantee absolute security, but we aim to minimise the amount of personal data collected and the time it is retained.

10. Your data protection rights

Subject to the conditions and limits in applicable law, you may have the right to:

• Request access to your personal data.
• Ask us to correct inaccurate or incomplete data.
• Ask us to delete personal data.
• Ask us to restrict processing.
• Object to processing based on legitimate interests or to direct marketing.
• Receive certain data in a portable format.
• Withdraw consent at any time where processing is based on consent. Withdrawal does not affect processing carried out before withdrawal.

To exercise a right, email hello@awareindex.com. We may need to verify your identity and may ask for information needed to locate the relevant records.

11. Complaints

Please contact us first at hello@awareindex.com so we can try to resolve the issue. You also have the right to complain to the Estonian Data Protection Inspectorate, Andmekaitse Inspektsioon, at www.aki.ee, or to the data protection authority in the EEA country where you live or work.

12. Third-party websites

The website may link to external services, including Tally, Stripe, SmartSec Academy, AI/search platforms or other third-party websites. Those services operate under their own privacy and cookie notices. We are not responsible for their independent practices.

13. Changes to this policy

We may update this Privacy Policy when the service, providers or legal requirements change. The current version and date will be published on this page. Material changes will be highlighted where reasonably appropriate.

14. Contact

Questions about privacy or this policy can be sent to hello@awareindex.com.