Terms of Service

Effective Date: September 10, 2025

Definitions

As used in these Terms: “Agreement” means these Terms of Service and all documents referenced in them; “Applicable Law” means all laws and regulations that apply to a party’s activities under the Agreement; “Customer Data” means any data or content that you or your end users submit to or through the Services; “Outputs” means any content generated by the Services; “Personal Data” has the meaning given in the DPA; and “Subprocessor” has the meaning given in the DPA.

Terminology. For clarity, “Customer Data” in these Terms includes “User Content”, and “Customer Personal Data” (as defined in the DPA) is the subset of Customer Data that constitutes Personal Data.

1. Acceptance of Terms

Welcome to Askpilot (“Service”), operated by AI Number, Inc. ("Askpilot," “AI Number,” “we,” “us,” or “our”). By accessing or using our websites (including https://askpilot.com) or any related services (together, the “Services”), you agree to be bound by these Terms of Service (“Terms”). If you do not agree with any part of these Terms, you must not use or access the Services.

2. Eligibility

• You must be at least 18 years of age (or the age of majority in your jurisdiction) to register for or use the Services.
• By using the Services on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to these Terms.
• Business Use Only: You represent and warrant that you are using the Services for business purposes only and not as a consumer. The Services are intended solely for professional or organizational use.

Business Verification; Right to Refuse

We provide the Services solely for business and professional use. We may require you to provide proof that you are a business or acting on behalf of a business (e.g., company name, business email domain, VAT/EIN or equivalent, corporate registration, or other documentation) and you agree to promptly provide such information. We may decline, suspend, or limit accounts that do not meet these requirements or until verification is completed, in our reasonable business discretion and to the extent permitted by Applicable Law.

No Consumer Use

For the avoidance of doubt, if you are a consumer located in the EEA, UK, or another jurisdiction with non‑waivable consumer rights, you may not use the Services. If you nevertheless do so, nothing in these Terms purports to exclude rights that cannot lawfully be excluded; in that case, the provisions on governing law, venue, and limitations of liability apply only to the extent permitted by Applicable Law.

For the avoidance of doubt, if you are a consumer located in the EEA, UK, or another jurisdiction with non‑waivable consumer rights, you may not use the Services. If you nevertheless do so, nothing in these Terms purports to exclude rights that cannot lawfully be excluded; in that case, the provisions on governing law, venue, and limitations of liability apply only to the extent permitted by Applicable Law.

You represent and warrant that you are not using the Services as a consumer and that no consumer protection laws apply to your use. If we reasonably determine that you are a consumer or otherwise ineligible, we may suspend or terminate access without liability, subject to any non-waivable rights under Applicable Law.

Misrepresentation

You are responsible for any losses arising from false, misleading, or incomplete information about your eligibility or business status and agree to indemnify us for third-party claims resulting from such misrepresentation, to the fullest extent permitted by Applicable Law.

3. Changes to Terms

We may revise these Terms from time to time. The most current version will always be posted on our website. If a revision materially impacts your rights or obligations, we will notify you, for example by posting a notice or sending an email. By continuing to use or access the Services after the revisions come into effect, you agree to be bound by the revised Terms.

4. Accounts and Registration

Account Creation

To access certain features of the Services, you may be required to create an account. You agree to provide accurate and complete information and promptly update it if it changes.

Account Security

You are responsible for maintaining the confidentiality of your account credentials (username/password). You agree to immediately notify us of any unauthorized use of your account. We are not liable for any loss or damage arising from your failure to safeguard your credentials.

Restrictions

• Use the Services for any illegal, fraudulent, or unauthorized purpose.
• Interfere with or disrupt the Services or attempt to gain unauthorized access to any systems or networks.
• Reverse-engineer, decompile, disassemble, or attempt to discover source code or underlying ideas or algorithms of the Services.

Acceptable Use

• No unlawful, infringing, deceptive, or harmful content or activity (including spam, phishing, malware, or denial‑of‑service attacks).
• No attempts to bypass, probe, or test the security or availability of the Services or related systems without our prior written consent.
• No processing of special categories of data or children’s data unless expressly agreed in writing and subject to additional controls.
• No automated scraping, rate‑limit evasion, or use outside documented APIs, permitted scopes, or rate limits.

5. Use of the Services

License

Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Services for your internal business purposes.

Modifications

We reserve the right to modify or discontinue, temporarily or permanently, any part of the Services with or without notice. We will not be liable if all or any part of the Services are unavailable at any time for any reason.

Customer Responsibilities

• Account & Access Controls: You are responsible for configuring and maintaining appropriate role-based access controls, safeguarding credentials, enabling MFA where available, and promptly revoking access for departed users.
• Configuration & Use: You are responsible for your configurations, content, and use of the Services, including any settings that impact data retention, sharing, or integrations.
• Third‑Party Services: If you enable third‑party integrations, you authorize transmission of relevant data to those third parties and agree that their terms and privacy policies govern their processing.
• Compliance: You are responsible for complying with applicable laws in your use of the Services, including obtaining any required notices/consents from end users.
• Integrations Configuration: You are responsible for selecting integrations, scopes, and any third-party terms, and for ensuring that your use of integrations and any Customer-hosted MCP endpoints complies with Applicable Law and provider policies. You must promptly revoke access you no longer require.

Third‑Party Services & Integrations

The Services may interoperate with third‑party products or services. We do not control and are not responsible or liable for third‑party services, and we do not endorse or assume any obligations with respect to such services. Your use of third‑party services is governed by their terms.

App Store Integrations; OAuth Permissions & Tokens

The Services may offer an integrations marketplace (“App Store”) enabling you to authorize or connect your accounts with third-party tools via OAuth or similar mechanisms. You control which integrations are enabled and which scopes/permissions are granted. We Process data from an integration only to provide the requested features, to maintain the security and availability of the Services, to fulfil legal obligations, or as otherwise permitted in these Terms and the DPA.

You may revoke an integration at any time via the integration settings or the third-party provider’s console. Upon revocation, we will cease future access and invalidate stored access tokens as soon as practicable, and delete or de-identify cached integration data that is no longer required to provide the Services, comply with law, or meet documented retention policies (see the Privacy Policy and the DPA).

Provider Policies

Some providers impose additional requirements (e.g., API usage restrictions, “limited-use” rules, or end-user disclosures). Where applicable, you agree that your use of those integrations will comply with such provider policies. We may reasonably limit features or disable an integration if required by a provider, by law, or for security.

Model Context Protocol (MCP) Connectors

Certain integrations may be implemented via Model Context Protocol (“MCP”). Unless expressly stated otherwise, MCP connectors you enable to access your systems or third-party systems are treated as Customer-directed integrations. We do not persist MCP content beyond what is necessary to provide the requested feature, to debug at your documented request, for security monitoring, or as required by law. You remain responsible for securing any MCP endpoints you control.

AI/ML Outputs; No Professional Advice; No Reliance

The Services may generate content, recommendations, or outputs using machine learning models (“Outputs”). Outputs are probabilistic and may be inaccurate, incomplete, or out of date, and are provided for informational purposes only. You are solely responsible for evaluating, verifying, and using Outputs, including by maintaining appropriate human review and safeguards.

• No professional-client relationship. We are not a law firm, medical provider, accounting firm, or investment adviser, and no attorney–client, doctor–patient, accountant–client, or advisory relationship is created by your use of the Services or any Outputs.
• No reliance; assumption of risk. You must not rely on the Services or Outputs as a substitute for professional advice. Any use or reliance is at your sole risk, and you remain solely responsible for your compliance decisions.
• No regulatory or emergency use. The Services are not intended for emergency, life-critical, or regulated uses, and do not constitute regulated advice or services.
• No duty to update. We have no obligation to monitor changes in law or regulation or to update any Outputs.

The Services do not constitute legal, medical, financial, or other professional advice, and you should obtain advice from a qualified professional where appropriate. Outputs may contain errors, hallucinations, or third-party content; we make no representations or warranties about the accuracy, completeness, or usefulness of any Output and disclaim any liability arising from reliance on Outputs, subject to applicable law.

No High‑Risk Use

You may not use the Services in any situation where failure or inaccuracy of the Services could lead to death or serious bodily injury, or to severe environmental or property damage (including but not limited to medical diagnosis or treatment, emergency services, autonomous vehicles, aviation, nuclear facilities, life‑support, or weapons systems).

Beta, Trial, and Free Services

We may offer alpha/beta features, trials, or free tiers (“Beta/Free Services”). Beta/Free Services are provided for evaluation, may be changed or discontinued at any time, may be less reliable than generally available services, and are provided “AS IS” without support or service‑level commitments.

Telecom/Carrier Dependencies

Certain features (e.g., SMS, voice, WhatsApp, or other messaging) depend on third-party carriers, networks, and platforms. Delivery, timeliness, and availability are not guaranteed and may be affected by congestion, filtering, or outages.

You are responsible for complying with applicable messaging policies of those channels. Unless expressly stated in your plan, pricing page, or order form, you will not be charged separately for carrier or platform transmission fees. If your plan expressly provides for pass-through or metered messaging fees, such fees will be charged as described in that plan/pricing.

6. Fees and Payment

• Subscription Fees: If the Services are offered on a subscription basis, you agree to pay the applicable subscription fees, which may be subject to automatic renewal unless you cancel in accordance with the terms presented at sign-up.
• Payment Methods: You authorize us (or our designated third-party payment processor) to charge your payment method for all applicable fees. All fees are exclusive of taxes, which you are responsible for paying.
• Refunds: All payments are non-refundable unless explicitly stated otherwise in a separate agreement or as required by applicable law.

Price Changes and Taxes

We may change fees upon at least thirty (30) days’ prior notice. Changes take effect at the start of your next renewal term. All fees are exclusive of taxes, duties, and similar governmental assessments; you are responsible for these except for taxes based on our net income. You authorize us and our payment processors to charge all due amounts, including applicable taxes, to your designated payment method.

Late amounts may accrue interest at one percent (1%) per month or the maximum permitted by law, whichever is lower, and you agree to reimburse reasonable costs of collection for undisputed past‑due amounts. Chargebacks are treated as non‑payment.

7. Intellectual Property

• Our IP: We (and our licensors) own and retain all rights, title, and interest in and to the Services, including all intellectual property rights. Except as expressly set forth in these Terms, no license or other rights in or to the Services are granted to you.
• User Content: You retain all rights to any data, content, or materials that you submit to the Services (“User Content”). You grant us a non-exclusive, worldwide, royalty-free, sublicensable license to use, store, transmit, process, and display your User Content solely as necessary to provide the Services and to maintain, secure, and improve the Services.
• Feedback: If you provide feedback or suggestions, you grant us a non‑exclusive, perpetual, irrevocable, royalty‑free license to use it without restriction or compensation.

No Training on Customer Data. We do not use Customer Data to train our or third‑party machine‑learning models unless you expressly opt in in writing. We may use de‑identified or aggregated information derived from Customer Data to maintain and improve core functionality and security.

8. Confidentiality

Both parties agree to take reasonable measures to protect the other party’s confidential information and use it only in connection with the Services. “Confidential Information” excludes information that is or becomes publicly available without breach of these Terms.

Security Practices; Policy Non-Contractual

Our Information Security Policy describes our current security program and is provided for informational purposes only. Except for the TOMs summarized in Annex II of the DPA, the Security Policy is not incorporated into these Terms and does not create a warranty or service level. We may update the Security Policy from time to time; any deviations from specific controls or configurations described therein do not, by themselves, constitute a breach of these Terms or the DPA, provided we maintain security appropriate under Applicable Law and the DPA and do not materially diminish the overall level of protection set out in Annex II.

9. Disclaimer of Warranties

THE SERVICES ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. TO THE FULLEST EXTENT PERMITTED BY LAW, AI NUMBER DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON‑INFRINGEMENT. WITHOUT LIMITING THE FOREGOING, WE DO NOT WARRANT THAT THE SERVICES WILL BE ERROR‑FREE, UNINTERRUPTED, SECURE, OR FREE OF MALICIOUS CODE, OR THAT DEFECTS WILL BE CORRECTED. YOU ACKNOWLEDGE THAT NO INTERNET‑FACING SERVICE CAN BE GUARANTEED TO BE 100% SECURE.

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, AI NUMBER AND ITS AFFILIATES, EMPLOYEES, AGENTS, OR LICENSORS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, REVENUE, GOODWILL, OR DATA, IN EACH CASE ARISING OUT OF OR RELATED TO THE SERVICES OR THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Overall Cap (Paid Services): IN NO EVENT WILL OUR AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE SERVICES, THESE TERMS, OR THE DPA EXCEED THE AMOUNTS YOU PAID FOR THE SERVICES IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

Free/Beta Services Cap: FOR BETA/FREE SERVICES (INCLUDING TRIALS), OUR AGGREGATE LIABILITY IS LIMITED TO ONE HUNDRED U.S. DOLLARS (US$100).

Carve‑outs; Mandatory Law: NOTHING IN THESE TERMS SEEKS TO EXCLUDE OR LIMIT LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW (E.G., FOR FRAUD, WILLFUL MISCONDUCT, OR DEATH/PERSONAL INJURY CAUSED BY NEGLIGENCE). UNLESS OTHERWISE REQUIRED BY APPLICABLE LAW, ALL CLAIMS (INCLUDING FOR CONFIDENTIALITY OR DATA‑PROTECTION OBLIGATIONS) ARE SUBJECT TO THE APPLICABLE CAP ABOVE. THE FOREGOING LIMITATIONS APPLY REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

Exclusive Remedies for Security/Privacy Incidents. To the maximum extent permitted by law, Customer’s sole and exclusive remedies for any Security Incident, privacy incident, or data breach affecting the Services are: (i) our notice without undue delay; (ii) our reasonable cooperation as required by Applicable Law; and (iii) restoration of availability or access to Customer Data from available backups where feasible. No other remedies (including credit monitoring, third‑party forensic costs, notifications, fines, or customer credits) are available unless expressly required by Applicable Law or expressly agreed in a signed order form.

No Strict Liability; No Data Reconstruction Liability. The Services are not designed as a backup or archival system. We have no liability for lost, corrupted, or unrecoverable data, or for costs of recreating or re‑ inputting data, except to the extent caused by our willful misconduct.

Notice and Time Limit to Bring Claims. To the extent permitted by Applicable Law, you must provide written notice of any claim within ninety (90) days after you first become aware of the facts giving rise to the claim. Any claim must be filed within one (1) year after accrual. These limits do not apply to claims for non‑payment, confidentiality, data protection, or intellectual property infringement.

No Third‑Party Beneficiaries. There are no third‑party beneficiaries to these Terms, the DPA, or any incorporated documents.

11. Indemnification

You will indemnify, defend, and hold harmless AI Number, its officers, directors, employees, and agents from and against any third‑party claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to:

• your User Content or your use of the Services in violation of law or these Terms;
• your configurations, misuse, or failure to implement appropriate access controls or data protections;
• your use of third‑party services or integrations (including claims by such third parties); and
• claims by your end users, employees, or customers relating to your products or services.

We will promptly notify you of any claim and reasonably cooperate at your expense. You may not settle any claim without our prior written consent if it imposes an admission of liability or obligations on us.

12. Term and Termination

12.1 Term

These Terms will remain in effect until terminated by either party in accordance with the provisions below. We offer monthly, annual, and enterprise subscriptions. The specific start date, term length, and renewal provisions may be set forth in the ordering process, your subscription plan details, or a separate agreement (for Enterprise accounts).

12.2 Termination by You

Monthly Subscriptions: If you have a monthly subscription, you may cancel at any time. Your cancellation will become effective at the end of the current monthly billing cycle, and no pro-rated refunds will be issued for any fees already paid.

Annual Subscriptions: If you have an annual subscription, you may request cancellation at any time, but your cancellation will become effective at the end of your current annual term. If you do not cancel before the annual renewal date, your subscription will automatically renew.

Enterprise Subscriptions: If your subscription is governed by a separate enterprise agreement, the term and any termination rights will be defined in that agreement. Please refer to your contract or contact our support team for further details.

Cancellation Process: If self-service cancellation is available (e.g., from your account settings), you may cancel directly within your account. Otherwise, or if you encounter any issues, you must contact support@askpilot.com to request cancellation.

12.3 Termination by Us

AI Number may suspend or terminate your access to the Services (including cancellation of your account) at any time, for any or no reason, including if you breach these Terms, fail to pay required fees when due, or if continued provision of the Services to you becomes impractical or unlawful under applicable law. Where reasonably practicable, we will endeavor to provide you with prior notice (e.g., email) of such termination or suspension.

12.4 Effect of Termination

Upon termination or expiration of your subscription:

• Your right to access and use the Services (including any data or content submitted by you) immediately ceases, unless otherwise stated in a separate agreement.
• You remain responsible for all charges accrued up to the date of termination, including fees for the billing cycle in which termination occurs for monthly plans, or the full annual subscription fee for annual plans (unless otherwise specified in your plan or agreement).
• Any provisions in these Terms that by their nature should survive termination or expiration will remain in effect, including but not limited to intellectual property protections, confidentiality obligations, warranty disclaimers, indemnity, and limitations of liability.
• Export Window. For thirty (30) days after termination (the “Export Window”), we will provide reasonable, read‑only access to export Customer Data in a commonly used format, unless prohibited by law or you request earlier deletion. After the Export Window, we will delete or de‑identify Customer Data per the Privacy Policy and DPA.

If you have any questions regarding termination or need assistance canceling your subscription, please contact us at: support@askpilot.com.

13. Governing Law and Dispute Resolution

These Terms and any action related to them will be governed by the laws of the State of Delaware, USA, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with these Terms shall be resolved in the state or federal courts located in the State of Delaware.

Class Action & Jury Trial Waiver. To the fullest extent permitted by law, each party agrees that any dispute will be brought only in that party’s individual capacity and not as a plaintiff or class member in any purported class, consolidated, representative, or private attorney general action, and each party waives any right to a jury trial.

14. General Provisions

• Entire Agreement: These Terms, along with our Privacy Policy, DPA, and any other referenced documents, constitute the entire agreement between you and AI Number regarding the Services.
• Severability: If any provision is held invalid, the remaining provisions will remain enforceable.
• No Waiver: Our failure to enforce any right or provision of these Terms shall not be deemed a waiver.
• Assignment: You may not assign or transfer these Terms without our prior written consent. We may freely assign or transfer these Terms at our discretion.
• Force Majeure: Neither party will be liable for any delay or failure to perform due to events beyond its reasonable control, including acts of God, natural disasters, war, terrorism, labor disputes, failures of telecommunications, utilities, or third‑party hosting providers, or widespread Internet or service provider outages. The affected party will use commercially reasonable efforts to mitigate the effects and resume performance.
• Export Control & Sanctions: You represent that you are not located in, and will not use the Services from, any embargoed country or restricted party list and will comply with applicable export, re‑export, and sanctions laws.
• Publicity: We may reference you as a customer (name and logo) in accordance with your brand guidelines unless you opt out by notifying support@askpilot.com.
• Order of Precedence: If there is any conflict between these Terms and the DPA solely regarding the Processing of Personal Data, the DPA will control.

If you have any questions about these Terms of Service, please contact us at:

Email: support@askpilot.com
Mailing address:
AI Number, Inc.
9450 SW Gemini Dr PMB 96629 Beaverton
Oregon 97008-7105
US

---

Privacy Policy

Effective Date: September 10, 2025

Introduction

AI Number, Inc. ("Askpilot," “AI Number,” “we,” “us,” or “our”) respects your privacy and is committed to protecting the personal information you share with us when you use the Askpilot services (“Services”) or visit our website at https://askpilot.com. This Privacy Policy describes how we collect, use, disclose, and protect your information, as well as your rights concerning your personal data.

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

Controller; DPO and Representatives

For the purposes of this Privacy Policy, AI Number, Inc. is the controller of Personal Data it collects about you when you visit our websites and interact with us, and the processor of Customer Personal Data submitted to the Services, as described in the DPA.
DPO: If appointed, insert DPO contact details here (or delete this line if not required).
EU/UK Representatives (Art. 27): If required, we appoint an EU and/or UK representative; their contact details will be provided upon request or published here.

1. Information We Collect

Information You Provide

We collect information you provide directly to us, including when you create an account, contact support, or submit any data. Such information may include your name, email address, billing information, and any other data you choose to share.

Information We Collect Automatically

When you use our website or Services, we automatically collect certain information such as your IP address, browser type, device identifiers, operating system, and usage data through cookies and similar technologies. See our Cookie Policy for more details.

Information from Third Parties

We may receive information about you from third parties that helps us enhance, improve, or personalize our Services.

Information via Integrations

When you connect third-party integrations (e.g., email, storage, CRM) through our App Store, we receive the data and metadata made available under the scopes you authorize. We use this data only to provide the integration features, maintain the security and availability of the Services, fulfil legal obligations, and improve core functionality in de-identified or aggregate form. We do not sell this data.

You can revoke an integration at any time. Upon revocation, we cease future access and invalidate tokens as soon as practicable, and delete or de-identify cached data that is no longer needed for the purposes above, subject to legal holds or mandatory retention.

Where provider policies impose additional rules (e.g., limited-use restrictions), we apply them to the extent applicable to our role.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Services.
• Process transactions and send related information (e.g., invoices, payment confirmations).
• Personalize your experience and deliver relevant content.
• Respond to your questions, provide customer support, and communicate with you about our Services.
• Monitor and analyze usage, trends, and activities in connection with the Services.
• Detect, investigate, and prevent fraudulent transactions, unauthorized access, or other illegal activities.

3. How We Share Your Information

• With Service Providers: We share your information with trusted third-party vendors and service providers to perform functions on our behalf (e.g., payment processing, data hosting, analytics). They are contractually obligated to keep your information confidential and use it only for the services provided.
• Business Transfers: In the event of a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction.
• Legal Requirements: We may disclose your information if required by law, subpoena, or to protect our rights, users, or business.

Legal Bases for Processing (EEA/UK/Swiss users)

We process Personal Data only where we have a lawful basis, including: (i) contract necessity to provide the Services; (ii) our legitimate interests to operate, secure, and improve the Services (not overridden by your interests or fundamental rights); (iii) your consent (e.g., for certain cookies/marketing, where required); and (iv) compliance with legal obligations.

4. Your Rights

Access and Correction: You may request to access or correct the personal data we hold about you.
Deletion: You may request deletion of your personal data, subject to certain legal exceptions.
Opt-out of Marketing: You can opt out of receiving promotional emails or messages at any time by clicking the “unsubscribe” link. If the email or message does not provide an unsubscribe link, you may opt out by emailing our support team at support@askpilot.com.

Marketing Communications

Where required by law, we obtain your consent before sending marketing communications or setting non‑essential cookies. You can withdraw consent at any time via the mechanisms in the message or our cookie banner.

If we deny your privacy request, you may appeal by replying to our decision or emailing support@askpilot.com with the subject “Privacy Appeal.” If your appeal is denied, you may contact your state attorney general or data protection authority.

For details on exercising your data subject rights under GDPR or CCPA/CPRA, see the relevant sections below or contact us at support@askpilot.com.

5. Data Retention

We retain Personal Data for no longer than necessary for the purposes described in this Policy. Criteria we use include: the length of your account or contract; legal retention periods (e.g., tax/accounting records up to 7 years); the nature and sensitivity of the data; and the potential risk of harm from unauthorized use or disclosure.

6. International Data Transfers

Primary hosting in the EU/EEA. We store and process Customer Personal Data primarily in data centers located within the European Union (EU) / European Economic Area (EEA). Production databases, backups, and disaster‑recovery copies that host Customer Personal Data are kept in the EU/EEA.

Cross-Border Transfers (If Needed). Where Customer Personal Data must be accessed or transferred outside the EU/EEA, UK, or Switzerland in connection with transfers we control (e.g., limited, audited remote support or our Sub-processors), we rely on the EU Standard Contractual Clauses (and the UK Addendum/IDTA and Swiss equivalents, as applicable) and implement supplementary measures. Where an adequacy decision applies, we may rely on it.

Customer-directed transfers. Where you instruct us to connect or disclose Customer Personal Data to third-party services that are not our Sub-processors (e.g., your CRM, analytics, messaging, or other integrations under your control), you are responsible for ensuring that an appropriate transfer mechanism and contract with such third party are in place and for complying with applicable privacy and messaging rules. We are not responsible for the third party’s compliance. We may reasonably request evidence of a lawful transfer mechanism and may decline to transmit data where no such mechanism exists.

Remote support access. On a limited, audited basis, authorized personnel outside the EU/EEA may remotely access EU‑hosted systems to provide support, security, or development services. Any such access constitutes a restricted transfer and is subject to the safeguards described above.

More information. You may contact us at support@askpilot.com to request additional information about cross‑border transfers, including copies of relevant transfer safeguards (subject to appropriate redactions and confidentiality).

7. California Privacy Notice (CCPA/CPRA)

This section applies to California residents and describes your rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, “CCPA”). Hosting your data in the EU/EEA does not limit these rights if we are a covered business with respect to your information.

• Know/Access & Portability: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and the categories of third parties to whom we disclose it.
• Delete: request deletion of personal information we collected from you, subject to exceptions.
• Correct: request correction of inaccurate personal information.
• Opt‑out of Sale/Sharing: direct us not to sell or share your personal information (including for cross‑context behavioral advertising). We also honor browser‑ or device‑based opt‑out preference signals (e.g., Global Privacy Control).
• Limit Use/Disclosure of Sensitive Personal Information: where collected, request that we limit its use and disclosure to purposes allowed by law.
• Non‑Discrimination: exercise your rights free from unlawful discrimination.

How to exercise your rights. Email support@askpilot.com or use Your Privacy Choices. We will confirm receipt within 10 business days and respond within 45 days (we may extend once by an additional 45 days when reasonably necessary, with notice). We may need to verify your identity, and authorized agents must provide proof of authorization.

Sale/Sharing disclosures. We do not sell personal information for money. Depending on your settings and product usage, we may share identifiers and internet/electronic activity with advertising and analytics partners for cross-context behavioral advertising. You can opt out at any time using Your Privacy Choices, and we honor supported browser/device opt-out preference signals (e.g., Global Privacy Control) as valid opt-out requests for that browser/device, to the extent required by Applicable Law.

Minors. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Your Privacy Choices (California)

To opt out of cross-context behavioral advertising (“sharing”), or to request access, correction, or deletion, contact support@askpilot.com. We honor supported browser/device opt-out preference signals (e.g., Global Privacy Control) as valid “Do Not Sell or Share” requests for the specific browser or device sending the signal, to the extent required by Applicable Law.

Exclusive Remedy for Opt-Out Signal Errors. If we inadvertently fail to recognize a supported opt-out preference signal, your sole remedy (to the maximum extent permitted by law) is to notify us at support@askpilot.com; upon notice we will cease any sale/sharing for the affected browser/device and update your preferences as required. This paragraph does not limit any non-waivable rights under Applicable Law.

8. Security

We maintain security measures designed to protect your personal information. For more information, see our Information Security Policy.

9. Children’s Privacy

Our Services are not directed to children under 18 (or other age as required by local law), and we do not knowingly collect personal information from children.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and indicate the effective date. Your continued use of the Services after the updated Privacy Policy takes effect constitutes your acceptance.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: support@askpilot.com
Mailing address:
AI Number, Inc.
9450 SW Gemini Dr PMB 96629 Beaverton
Oregon 97008-7105
US

---

Data Processing Addendum

Effective Date: September 10, 2025

This Data Processing Addendum (“DPA”) is incorporated into the Terms of Service between AI Number, Inc. ("Askpilot," “AI Number,” “we,” “us,” or “our”) and the customer (“Customer” or “you”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data in connection with your use of the Services, including compliance with the EU General Data Protection Regulation (“GDPR”) and other applicable data protection laws.

1. Definitions

• “Applicable Data Protection Law” means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and any implementing or supplemental laws and regulations, in each case as amended or replaced.
• “Controller,” “Processor,” “Data Subject,” “Processing,” and “Personal Data” have the meanings given in Applicable Data Protection Law.
• “Customer Personal Data” means Personal Data Processed by Askpilot on behalf of Customer under the Agreement.
• “Sub‑processor” means any Processor engaged by Askpilot to process Personal Data on behalf of the Customer.
• “Services” means the Askpilot services provided by Askpilot to Customer under the Terms of Service.
• “EU Data Region” means data centers located within the European Union/European Economic Area (EU/EEA).

2. Roles and Scope

• Role of the Parties: For the purposes of the GDPR and similar laws, you are the Controller of your Personal Data, and we are the Processor that Processes such Personal Data on your behalf.
• Instructions: We will only Process your Personal Data on your documented instructions (as set out in the Terms of Service and this DPA) and only as necessary to provide our Services to you. We will not Process your Personal Data for any other purpose unless required by applicable law. If we are compelled by law to Process your Personal Data beyond your instructions, we will inform you of that requirement beforehand (unless prohibited from doing so). By using our Services, you hereby instruct us to Process Personal Data as needed to deliver the Services in accordance with the Agreement. If we believe an instruction violates any applicable data protection law, we will promptly inform you.
• Customer Responsibilities & Prohibited Data: Customer is responsible for (i) its configurations and use of the Services; (ii) implementing appropriate access controls and protecting credentials; and (iii) obtaining any required notices/consents. Customer shall not submit special categories of data, data relating to children, or other sensitive data (e.g., government IDs, financial account numbers, health data) unless expressly agreed in writing by Askpilot and subject to additional controls as required by Applicable Data Protection Law.
• App Store Instructions: By enabling an integration in the App Store or providing OAuth authorization, Customer instructs Askpilot to Process Personal Data as necessary to connect and operate that integration in accordance with Customer’s configuration and the Agreement.

3. Obligations of Askpilot

• Confidentiality: We ensure that all personnel authorized to Process Personal Data are subject to confidentiality obligations.
• Security Measures: We implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. A summary of TOMs appears in Annex II; TOMs may be updated without materially diminishing protection.
• Sub‑processors: We may engage Sub‑processors to Process Personal Data on your behalf. We will ensure Sub‑processors are bound by contractual obligations that are substantially the same as those set out in this DPA. A list of current Sub‑processors can be found in our Subprocessors List.
• Data Breach Notification: We will promptly notify you of a Personal Data Breach affecting your Personal Data of which we become aware and will assist you, at your request, with providing notices to regulatory authorities or affected Data Subjects, if legally required.
• Data Subject Requests: We will, to the extent legally permitted, promptly notify you if we receive a request from a Data Subject to exercise their rights of access, rectification, restriction, erasure, data portability, or objection. We will assist you, insofar as feasible, in responding to such requests.
• Security Policy Reference. The Information Security Policy is provided for reference; except for the TOMs summarized in Annex II, it is not incorporated as a contractual undertaking. A Personal Data Breach does not, by itself, establish that Askpilot failed to implement appropriate TOMs.
• Incident Notices; Costs; No Admission. Incident notifications and reports are provided for compliance purposes and do not constitute an admission of fault or liability. Unless required by Applicable Data Protection Law or expressly agreed in writing, each party bears its own costs related to the investigation, notification, and remediation of incidents impacting its systems or configurations.
• Integration Credentials and Tokens. Askpilot will protect integration credentials and access tokens using appropriate technical and organizational measures, restrict access to personnel with a need to know, and revoke or rotate tokens when an integration is disabled, credentials are compromised, or rotation is required by the provider or law.
• Limited Use; Data Minimization. Askpilot will Process Personal Data obtained via integrations only to provide the integration features, maintain the Services, fulfill legal obligations, or as otherwise instructed by Customer. Askpilot will not use such data for advertising or profiling unrelated to the Services.
• Exclusive Remedy for Incidents. To the maximum extent permitted by law, Customer’s exclusive remedies for a Personal Data Breach are those set out in this DPA (notification, cooperation, and remediation consistent with Annex II); no additional remedies or credits apply unless mandated by Applicable Data Protection Law or expressly agreed in a signed order form.
• No Third‑Party Beneficiaries. This DPA does not create third‑party beneficiary rights for Data Subjects or any other third party; remedies are between the parties only, without prejudice to mandatory statutory rights.

Sub-processor Updates and Objections

We will provide at least thirty (30) days’ prior notice of any new Sub-processor by updating the Subprocessors List and, where you subscribe to updates, by email. You may object on reasonable data protection grounds by notifying us within fifteen (15) days of the notice. If you object, we will work in good faith to provide a commercially reasonable alternative. If we cannot do so, you may terminate the affected Services and receive a pro-rata refund of prepaid fees for the terminated portion.

4. Data Residency and International Data Transfers

• EU/EEA Hosting by Default: Askpilot stores and Processes Customer Personal Data primarily in the EU/EEA. Production databases, backups, and disaster‑recovery copies that host Customer Personal Data are kept in the EU Data Region.
• Limited Remote Access: On a limited, audited basis, authorized personnel outside the EU/EEA may remotely access EU‑hosted systems solely to provide support, security, or maintenance. Such access constitutes a restricted transfer and will be protected as described below.
• Transfers Outside the EU/EEA, UK, or Switzerland: If Customer Personal Data is transferred to a country that does not provide an adequate level of protection, Askpilot will ensure an appropriate transfer mechanism is in place, which may include:
  - the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (“SCCs”);
  - the UK Addendum and/or UK IDTA for transfers subject to UK GDPR; and/or
  - reliance on an adequacy decision (e.g., for recipients certified under an approved framework) where applicable. Askpilot may implement supplementary measures (e.g., encryption in transit and at rest, access controls, pseudonymization where appropriate) to address the risks identified by transfer impact assessments.
• Customer-Directed Integrations. Where Customer enables or instructs integrations with third-party services that are not Askpilot’s Sub-processors (e.g., Customer’s own vendors acting as Customer’s processors or independent controllers), Customer is solely responsible for all required contracts, notices/consents, and cross-border transfer safeguards (e.g., SCCs/IDTA/adequacy) with such third parties. Askpilot transmits Personal Data only on Customer’s documented instructions, and is not responsible for those third parties’ compliance. Askpilot may reasonably request evidence of appropriate safeguards and may decline the transfer where none exists.

  For clarity, third-party services enabled by Customer under this section are not Askpilot Sub-processors unless Askpilot expressly engages them to Process Customer Personal Data on Askpilot’s behalf.

• Incorporation of SCCs: To the extent required for restricted transfers, the SCCs (including Annexes) are deemed executed between the parties and incorporated by reference. For the SCCs: (a) the governing law and forum shall be the law and courts of Ireland (unless Customer notifies us in writing to substitute another EU Member State that recognizes third‑party beneficiary rights); (b) the competent supervisory authority shall be the Irish Data Protection Commission (or the authority identified by Customer’s written notice); (c) the details of Processing and TOMs are as set out in Annex I and Annex II.
• SCC Modules and Roles. For the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the parties adopt: Module 2 (Controller → Processor) for Customer → Askpilot transfers, and Module 3 (Processor → Processor) for Askpilot → Sub‑processor transfers. Customer is the data exporter and Askpilot the data importer under Module 2; Askpilot is the exporter and each Sub‑processor is the importer under Module 3. Annex I (A–E) and Annex II of this DPA complete the SCC Appendices. For the UK, the parties adopt the UK International Data Transfer Addendum (or the IDTA where applicable); for Switzerland, the Swiss data transfer clauses as required. Clause 17 governing law and forum for the SCCs is Ireland (unless Customer designates another EU Member State that recognizes third‑party beneficiary rights).

5. Audit Rights

We will make available information necessary to demonstrate compliance with this DPA upon your reasonable request, subject to the confidentiality obligations herein. You may also request an audit or inspection of our Processing activities once per year, in accordance with the provisions set out in the Terms of Service and subject to reasonable scheduling and scope limitations. While we generally accommodate reasonable audit requests, we reserve the right to decline them at our discretion, except where contractually obligated.

6. Return or Deletion of Data

Upon termination or expiration of the Services, we will delete or return all Personal Data in our possession or control as set forth in the Terms of Service, unless applicable law requires retention.

7. Liability

Each party’s liability for any breach of this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service. To the extent permitted by Applicable Data Protection Law, each party is responsible for any administrative fines or penalties imposed directly on it by a supervisory authority or regulator, and neither party shall be required to indemnify the other for such fines or penalties. All claims between the parties arising from or relating to Personal Data Breaches are subject to the applicable liability cap and exclusions in the Terms of Service, unless prohibited by law.

8. Governing Law

Except for the EU Standard Contractual Clauses (“SCCs”), to which the governing law and forum specified in the Incorporation of SCCs clause above apply, (a) this DPA is governed by and construed in accordance with the laws of the State of Delaware, USA, without regard to its conflict-of-law rules; (b) the state and federal courts located in Delaware shall have exclusive jurisdiction over any dispute arising out of or relating to this DPA (other than disputes under the SCCs); and (c) to the extent required, the mandatory provisions of Applicable Data Protection Law shall prevail.

9. Exclusive Remedies; Claims Window

Except as prohibited by Applicable Data Protection Law, the remedies in this DPA (including notification, cooperation, and remediation consistent with Annex II) are the parties’ exclusive remedies for breaches of this DPA. Any time limits for bringing claims under the Agreement apply to claims under this DPA; where Applicable Data Protection Law prescribes a longer period, that period will control.

Annex I – Details of Processing

• A. Subject Matter & Duration. Processing of Customer Personal Data to provide, secure, support, and improve the Services for the term of the Agreement, plus any period necessary to return or delete Customer Personal Data and for standard backup rotation or as required by law.
• B. Nature & Purpose (addendum). Operation of Customer-enabled integrations (including App Store and MCP connectors), OAuth authorization and token management, and transmission of Customer-directed data flows as configured by Customer.
• C. Categories of Data Subjects. Customer’s end users, personnel, prospects, customers/contacts, and other Data Subjects whose Personal Data is submitted to the Services by or on behalf of Customer.
• D. Categories of Personal Data (addendum). Depending on Customer’s configuration and authorized scopes: contact information, communications content and metadata, files and file metadata, calendar/task records, CRM records, and other data exposed by the selected integration.
• E. Sensitive Data (if any). The Service is not intended to Process “special categories” of personal data or data relating to criminal convictions/offences. Customer shall not submit such data unless expressly agreed in writing by Askpilot and subject to additional controls required by Applicable Data Protection Law. If Customer submits such data without prior written agreement, Askpilot may suspend or delete the data and Customer remains solely responsible for all resulting compliance obligations.
• Processing Location. Customer Personal Data is primarily hosted and Processed in the EU/EEA (production, backups, and disaster recovery).
• Frequency of Transfers. Continuous and as needed to provide the Services.
• Competent Supervisory Authority. For SCCs, the Irish Data Protection Commission (unless Customer designates another competent authority in writing).

Annex II – Technical and Organizational Measures (TOMs) - Summary

• Scope; Changes; Compensating Controls. We implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, consistent with Article 32 GDPR and industry practice. The TOMs summarized below correspond to our Information Security Policy and may be updated from time to time without materially diminishing the overall level of protection. Where a specific control is not technically feasible or requires adjustment, we will maintain a functionally equivalent or compensating control providing a comparable level of protection. Immaterial deviations from named tools or configurations do not, by themselves, constitute a breach, provided that the overall protection remains appropriate under Applicable Law.
• Access Control & Authentication. Role‑based access and least privilege; AWS IAM with unique credentials (no shared accounts); MFA for privileged IAM and AWS console; application‑level controls including logical customer data isolation and limited, monitored, time‑bound support access (or equivalent mechanisms providing comparable protection).
• Database Security & Encryption. Non‑public production databases isolated in a dedicated Amazon VPC; not publicly addressable; app‑to‑database connections protected with TLS; encryption at rest for Customer Personal Data using AWS‑managed keys with key management in EU regions (or equivalent cryptographic safeguards meeting industry standards).
• Monitoring & Auditing. Restricted administrative access (authorized personnel only, MFA, full logging); centralized security logging (e.g., CloudTrail/GuardDuty) for admin actions, anomaly detection, alerts, and investigation support (or equivalent monitoring and alerting).
• Physical Security. AWS data centers with 24/7 surveillance, intrusion detection, and industry certifications (e.g., SOC 2, ISO 27001); strict multi-layer physical access controls.
• Office & Device Security. Company devices with strong authentication, and remote wipe; certified secure disposal at end-of-life; WPA3, secure Wi-Fi configuration, and network segmentation (guest vs. corporate); administrative access via VPN or equivalent secure channels.
• Intrusion Detection & Prevention. AWS GuardDuty monitoring (VPC Flow Logs, CloudTrail, DNS) and AWS WAF for common web exploits (e.g., SQLi, XSS), or equivalent threat detection and application‑layer protections.
• Incident Response. Documented IR Plan covering detection & analysis, containment & eradication, recovery from clean backups with testing and monitoring, and post-incident lessons learned.
• Breach Notification. For confirmed incidents affecting Customer Personal Data: notify without undue delay—goal within 72 hours (or sooner if required); provide incident summary, scope of impact, and steps taken; offer guidance on further protective measures.
• Audit Rights. Customers may request an audit once per year with prior written notice and scope limitations; relevant documentation (e.g., penetration test summaries) may be provided under NDA; while we generally accommodate reasonable audit requests, we reserve the right to decline them at our discretion, except where contractually obligated.

---

GDPR Compliance Statement

Effective Date: September 10, 2025

AI Number, Inc. ("Askpilot," “AI Number,” “we,” “us,” or “our”) is committed to compliance with the General Data Protection Regulation (“GDPR”). Below is an overview of how we comply:

• EU Data Residency. We host and Process Customer Personal Data primarily in the EU/EEA, including production databases, backups, and disaster‑recovery environments.
• Controller vs. Processor. We act as Controller for Personal Data relating to our own operations (e.g., billing, account administration) and as Processor for Customer Personal Data submitted to the Services.
• Lawful Bases. We Process Personal Data only where we have a lawful basis (e.g., contract necessity, legitimate interests, consent, legal obligation).
• Data Subject Rights. We honor Data Subject rights under the GDPR (e.g., access, rectification, erasure, restriction, portability, and objection). Contact us at support@askpilot.com to exercise your rights.
• Security Measures. We maintain administrative, technical, and physical safeguards consistent with industry standards (see our Information Security Policy and Annex II TOMs).
• Cross‑Border Transfers (If Needed). If Customer Personal Data must be accessed or transferred outside the EU/EEA, UK, or Switzerland (e.g., limited remote support or Customer‑enabled integrations), we rely on SCCs (and UK/Swiss equivalents) and implement supplementary measures. Where applicable, we also rely on adequacy decisions for eligible recipients.
• Cross-Border Transfers (If Needed). For transfers we control (e.g., our Sub-processors or limited, audited remote support), we rely on SCCs (and UK/Swiss equivalents) and implement supplementary measures; where available, we may rely on adequacy decisions. For Customer-directed transfers to third-party services that are not our Sub-processors, Customer is solely responsible for ensuring a lawful transfer mechanism and any required contracts/notices.
• Data Processing Addendum. Our DPA incorporates the SCCs and outlines our obligations as a Processor, including EU data residency, transfer mechanisms, and TOMs.

For questions about our GDPR practices, please contact support@askpilot.com.

---

List of Subprocessors

Effective Date: September 10, 2025

AI Number, Inc. engages certain third-party service providers (“Subprocessors”) to help deliver, secure, and support the Services. These Subprocessors may Process Customer Personal Data on our behalf as described in our DPA. Each Subprocessor is bound by a written agreement imposing confidentiality and data protection obligations no less protective than those in our DPA, including appropriate technical and organizational measures (TOMs). Where Subprocessor Processing involves a restricted transfer, we implement a lawful transfer mechanism (e.g., the EU Standard Contractual Clauses) and appropriate safeguards. This list may be updated from time to time in accordance with the notice provisions in our DPA. Links to each Subprocessor’s terms and privacy documentation are provided below for transparency.

Amazon Web Services, Inc. (AWS)

• Customer Agreement (Terms)
• Privacy Notice
• GDPR Center
• GDPR DPA (PDF)

Plus Five Five, Inc. (Resend)

• Terms of Service
• Privacy Policy
• Data Processing Addendum

OpenAI, LLC

• Terms of Use
• Privacy Policy
• Data Processing Addendum

Stripe, Inc.

• Services Agreement
• Privacy Policy
• Data Processing Agreement

Lemon Squeezy, Inc.

• Terms of Service
• Privacy Policy
• Data Processing Addendum

Google APIs

• Terms of Service
• Privacy Policy
• Data Processing Terms
• User Data Policy

Google Maps Platform

• Platform Terms
• Privacy Policy
• Data Processing Terms

Functional Software, Inc. (Sentry)

• Terms of Service
• Privacy Policy
• Data Processing Addendum

Google Analytics

• Google Analytics Terms of Service
• Privacy Policy
• Data Processing Terms

Zapier, Inc.

• Terms of Service
• Privacy Policy
• Data Processing Addendum

Attio Ltd.

• Attio Terms and Conditions
• Privacy Policy
• Cookie Policy

WorkOS, Inc.

• Terms of Service
• Privacy Policy
• Data Processing Addendum

PostHog, Inc.

• Terms of Service
• Privacy Policy
• Data Processing Addendum

Typeform S.L.

• Terms of Service
• Privacy Policy
• Data Processing Addendum

We may update this list from time to time. Continued use of the Services after any update constitutes your acceptance of the updated list of Subprocessors.

---

Information Security Policy

Effective Date: September 10, 2025

Overview

AI Number, Inc. ("Askpilot," “AI Number,” “we,” “us,” or “our”) is committed to protecting the confidentiality, integrity, and availability of our data and systems. This Information Security Policy sets out the technical and organizational measures (“TOMs”) we implement to defend against unauthorized access, data breaches, and other security threats. The TOMs described below apply globally and align with our EU/EEA data‑hosting posture. All employees, contractors, and partners must adhere to this Policy and the TOMs to ensure a secure environment for both company and customer information.

1. Access Control

Principle of Least Privilege

We enforce strict access controls to ensure only authorized individuals and services can access sensitive systems and data. Users and applications are assigned the minimum permissions required to perform their duties.

AWS Identity and Access Management (IAM)

We leverage AWS IAM for authentication and role-based authorization. Every engineer and service has unique IAM credentials; shared accounts are not allowed.

Multi-Factor Authentication (MFA)

MFA is mandatory for all privileged IAM accounts and AWS console access, adding an extra layer of security.

Application Access Control

• Customer Data Isolation: Each customer’s data is logically separated, so users can only access their own data.
• Limited Support Access: Support access to customer data is granted only as necessary, follows the principle of least privilege, and is monitored.

2. Database Security and Encryption

Non-Public, Isolated Databases

Production databases are isolated in a dedicated Amazon VPC. They are not publicly addressable and can only be reached by approved internal services.

Encrypted Connections (TLS)

All connections between application servers and databases use TLS to ensure data in transit is secure.

Encryption at Rest

Customer Personal Data is encrypted at rest using AWS‑managed keys, with key management in EU regions consistent with our EU/EEA hosting posture.

3. Monitoring and Auditing

Restricted Administrative Access

Administrative access to production systems is limited to authorized personnel. All actions are logged and require MFA.

Security Logging

We use AWS CloudTrail, AWS GuardDuty, and other logging services to track administrative actions, detect anomalies, and trigger alerts for unusual activities.

4. Physical Security

Our infrastructure is hosted in AWS data centers, which employ industry-leading physical security measures:

• AWS Data Center Controls: AWS data centers are protected by 24/7 surveillance, intrusion detection systems, and multiple compliance certifications (SOC 2, ISO 27001, etc.).
• Secure Access: Physical access is strictly controlled with multi-layer authentication and authorized personnel only.
• Compliance: For more details, visit https://aws.amazon.com/security/.

5. Office and Device Security

Device Management

All company-issued devices use strong authentication, and remote wipe capabilities.

Secure Disposal

End-of-life devices undergo secure data erasure and disposal by certified providers.

Network Security

Our office networks use WPA3 encryption, secure Wi-Fi configurations, and network segmentation to separate guest and corporate environments.

6. Intrusion Detection and Prevention

AWS GuardDuty

Continuously monitors AWS security logs (VPC Flow Logs, CloudTrail, DNS logs) to detect anomalies, malicious activity, or unauthorized access attempts.

Host-Based Security

Server instances have host intrusion detection agents monitoring system logs and file integrity.

AWS Web Application Firewall (WAF)

Protects against common web exploits, such as SQL injection and cross-site scripting (XSS).

7. Incident Response

We maintain a comprehensive Incident Response Plan (IRP):

• Detection and Analysis: Security alerts are monitored and investigated by our security team.
• Containment and Eradication: We isolate affected systems, remove threats, and patch vulnerabilities.
• Recovery: Systems are restored from clean backups, tested, and monitored for recurring threats.
• Lessons Learned: A post-incident review identifies process improvements and updates to security controls.

8. Breach Notification Policy

In the event of a confirmed data breach affecting customer data, we will:

• Notify affected customers without undue delay—our goal is within 72 hours in compliance with GDPR (or sooner if required by other regulations).
• Provide an incident summary, scope of impact, and immediate steps taken.
• Offer guidance to customers on further protective measures.

9. Audit Rights

Customers may request an audit of our security controls once per year, subject to prior written notice and scope limitations. We may provide relevant documentation (e.g., penetration test summaries) under a non-disclosure agreement. While we generally accommodate reasonable audit requests, we reserve the right to decline them at our discretion, except where contractually obligated.

---

Cookie Policy

Effective Date: September 10, 2025

This Cookie Policy explains how AI Number, Inc. ("Askpilot," “AI Number,” “we,” “us,” or “our”) uses cookies and similar technologies to recognize you when you visit our websites (including https://askpilot.com) and use our Services.

Consent Management (EEA/UK/Switzerland)

In the EEA/UK/Switzerland, we set non‑essential cookies (analytics/advertising) only with your consent via our cookie banner/consent management platform (CMP). You can change your preferences at any time via “Your Privacy Choices” in the site footer.

1. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites function more efficiently and provide reporting information.

2. Why Do We Use Cookies?

We use cookies to:

• Ensure the proper functioning of our website and Services.
• Enhance your user experience by remembering your preferences.
• Analyze website traffic and usage patterns.
• Deliver advertising and measure the effectiveness of our marketing campaigns.

3. Types of Cookies We Use

Essential Website Cookies

Purpose: These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Vendor:
PostHog, Inc. (https://posthog.com/)

How to Refuse: Because these cookies are strictly necessary, you cannot refuse them if you want to use our websites/Services.

Analytics and Customization Cookies

Purpose: Collect information used in aggregate form to help us understand how our websites are being used or to help us customize our websites for you.

Vendor:
Google Analytics (https://marketingplatform.google.com/about/analytics/)
PostHog, Inc. (https://posthog.com/)

How to Refuse: To refuse these cookies, follow the instructions below under “Managing Cookies.” Alternatively, click the relevant opt-out link below:

• Google Analytics Opt Out
• Posthog does not provide a direct opt-out link. For more information, see their documentation.

Advertising Cookies

Purpose: These cookies are used to make advertising more relevant to you and to measure the effectiveness of advertising campaigns.

Vendor:
Microsoft/Bing
Google Double Click and AdWords
Facebook Pixel
Google AdWords
Twitter/X
LinkedIn Ads

How to Refuse: To refuse these cookies, follow the instructions below under “Managing Cookies.” Alternatively, click on the relevant opt-out link below:

• Microsoft Opt Out
• Facebook Opt Out
• Google Opt Out
• Perfect Audience Opt Out
• Twitter/X Opt Out
• LinkedIn Ads Opt Out

4. Managing Cookies

Most internet browsers allow you to erase cookies from your computer’s hard drive, block all cookies (or just third-party cookies), or warn you before a cookie is stored on your device. If you choose to block all cookies, our Services may not function as intended, and some features may not be available. If you have blocked all cookies and wish to use our features fully, you will need to enable cookies in your browser settings. Rather than blocking all cookies, you can choose to block only third-party cookies.

5. How We Respond to Do Not Track (DNT) Signals

Some browsers offer a “Do Not Track” (“DNT”) setting. Currently, our websites do not respond to DNT signals. We will revisit this as the industry standards for online tracking evolve.

6. Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes to the cookies we use or for operational, legal, or regulatory reasons. The updated version will be posted on our website, and the “Effective Date” at the top will be revised accordingly.

7. Contact Us

If you have questions about our use of cookies or other technologies, please email us at support@askpilot.com.

AI Number, Inc.
9450 SW Gemini Dr PMB 96629 Beaverton Oregon 97008-7105, US.
https://askpilot.com | support@askpilot.com

---

Additional California Privacy Disclosures (CCPA/CPRA)

These disclosures supplement the California Privacy Notice above. You may submit requests by emailing support@askpilot.com. We will acknowledge within 10 business days and respond within 45 days (extendable by 45 days where reasonably necessary, with notice). We may request information to verify your identity; authorized agents must provide proof of authorization.

• Categories Collected. We collect identifiers (e.g., name, email, IP), commercial information (billing/transaction data), internet or electronic network activity (usage, logs), and inferences generated to improve Services. Sensitive personal information is not routinely collected.
• Sources. Directly from you (account, communications), automatically from your device/browser, and from service providers (e.g., analytics, payment processors).
• Purposes. To provide and secure the Services; enable customer support; process transactions; detect/prevent fraud; comply with law.
• Disclosures. We disclose personal information to service providers and Subprocessors for business purposes as described in our DPA and Subprocessors List.
• Sale/Sharing. We do not sell personal information for money. Depending on your settings and product usage, we may share personal information for cross‑context behavioral advertising; you may opt out via Your Privacy Choices or by enabling a supported opt‑out preference signal (e.g., GPC).
• Non‑Discrimination. We will not discriminate against you for exercising your rights under the CCPA.