Privacy Policy
How we handle your data.
Effective: April 2026 · Version 1.1 · Jurisdiction: France / EU (GDPR)
pilot5.ai is committed to protecting your personal data. This policy explains what information we collect when you use our platform, how we use it, and what rights you have over it.
1. Who we are
pilot5.ai is operated by ECOEMIT SOLUTIONS SARL, a French limited liability company (SARL), trading as pilot5.ai. When this policy refers to "pilot5", "we", "us", or "our", it refers to ECOEMIT SOLUTIONS SARL acting as data controller.
As a French entity offering services to users in the European Union, we operate in full compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").
For data protection inquiries, contact us at privacy@pilot5.ai. See our Legal Information page for full company details.
2. Data we collect
We collect only what is necessary to provide the pilot5 service.
| Category | What we collect | When |
|---|---|---|
| Account data | Email address, name, authentication credentials (managed via Clerk) | At registration |
| Deliberation content | Questions and context you submit; deliberation outputs (synthesis) | Each deliberation |
| Uploaded documents | Files you upload as deliberation context (PDF, text, structured data). Chunked embeddings are stored for semantic search. | When uploaded |
| Conversations | Chat messages with the AI assistant, conversation metadata | Each message |
| Deliberation profile | AI-extracted behavioral profile: expertise level, decision style, domains of expertise, recurring blind spots (see Section 6) | After each deliberation |
| Usage data | Mode used, credit consumption, deliberation timestamps, session metadata | Continuously |
| Billing data | Payment method tokens (not full card numbers — managed via Stripe). Invoices and transaction history. | At payment |
| MCP & connector data | MCP server URLs, connected source metadata (Google Drive, GitHub, Slack, Notion, OneDrive). Encrypted OAuth tokens. | When configured |
| Technical data | IP address, browser type, operating system, referring URL, error logs | Automatically |
We do not collect special categories of personal data (health, political opinions, biometric data) as part of our standard service. You remain responsible for any such data you choose to include in a deliberation question.
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the deliberation service | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing credits | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (credit low, deliberation complete) | Contract performance (Art. 6(1)(b)) |
| Personalizing AI responses based on your deliberation profile (see Section 6) | Legitimate interest (Art. 6(1)(f)) — you may object at any time (see Section 6) |
| Analyzing aggregate usage patterns to improve our service | Legitimate interest (Art. 6(1)(f)) — we do not use your data to train AI models |
| Security monitoring, PII detection, and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending product updates (optional, if you opt in) | Consent (Art. 6(1)(a)) |
We do not use your deliberation content to train AI models, and we do not sell your data to third parties.
4. AI model processing & provider eligibility
pilot5's deliberation engine routes your questions to one or more AI language model providers depending on the mode selected, the domain of your question, and your account's regional eligibility settings.
What happens to your content
When you submit a deliberation, your question and context are transmitted in full to each selected AI model provider as part of the inference request. Each provider processes this data under their own data processing terms. Your question and the provider outputs (synthesis) are stored in your account to display your deliberation history. The assembled prompts (system instructions sent to models) are not retained.
Current AI providers: All model requests are routed through OpenRouter (USA), which dispatches to the following upstream providers:
| Provider | Models | HQ |
|---|---|---|
| OpenAI | GPT-5.2, GPT-5, GPT-4o | USA |
| Anthropic | Claude Opus 4.6, Claude Sonnet 4.6 | USA |
| Google | Gemini 3.1 Pro, Gemini 3 Flash, Gemini 2.5 Pro | USA |
| Mistral AI | Mistral Large | France (EU) |
| xAI | Grok 4, Grok 3 | USA |
| Meta (open-weight) | Llama 3.1 | USA |
| Perplexity | Sonar (web search) | USA |
| DeepSeek | DeepSeek R1 | China |
| Qwen / Alibaba (open-weight) | Qwen3-235B | China (served via USA) |
| Inception | Mercury 2 | UAE |
Regional eligibility rules may exclude certain providers from your account (see below). Open-weight models are served via OpenRouter infrastructure in the USA, not directly by the originating company. This list is updated when new providers are added to the platform.
Web search providers: When research is enabled, your question may be sent to Perplexity (Sonar), Tavily, Brave Search, or Exa for web research.
Provider eligibility by region: pilot5 applies regional AI provider eligibility rules based on applicable law and internal compliance policy. Certain providers may be unavailable depending on your account's declared region. You can always see which providers were used in each deliberation result.
Content moderation: Your questions are screened by our content safety system, which includes OpenAI's Moderation API and heuristic pattern matching. A PII detection layer warns you if personal identifiers (credit card numbers, IBANs, national ID numbers, email addresses, and other government-issued identifiers) are detected in your input, though this does not block submission.
5. Data retention
We retain your data for as long as your account is active and for a period thereafter as required by law or legitimate business purposes.
- Deliberation history: retained for 2 years from creation, then anonymized
- Conversations: retained for 1 year from last message
- Account data: retained while active, plus 30 days after deletion request for hard-delete processing
- Billing records: retained for 10 years (French accounting law)
- Uploaded documents: retained while your account is active, deleted on account deletion or immediately upon your request
- User memories: retained while account is active, deleted on account deletion
- Server logs: retained for 90 days
- LLM cost logs: retained in anonymized form for 1 year (no deliberation content)
You may request complete deletion of your account and associated data at any time. See Section 9.
6. Automated profiling (GDPR Art. 22)
pilot5 builds a deliberation profile based on your usage patterns, including your expertise level, decision style, preferred analysis depth, domains of expertise, and recurring blind spots. This profile is extracted by AI after each deliberation and is used to personalize subsequent AI responses to your questions.
This profiling does not produce legal effects or similarly significantly affect you — the AI provides analysis and recommendations, but you always make the final decision.
You may object to profiling or disable profile personalization by contacting privacy@pilot5.ai.
7. Sharing & sub-processors
We share data only with the sub-processors required to operate the pilot5 platform. We do not sell data. We do not share data with advertisers.
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication and identity management | USA (SCCs/DPF) |
| Supabase | Database and storage | EU (AWS eu-west-1, Ireland) |
| Railway | Backend hosting and compute | USA (GCP us-west, SCCs) |
| Vercel | Frontend hosting and CDN | USA (iad1, SCCs) |
| Stripe | Payment processing | USA (SCCs/DPF) |
| Sentry | Error tracking and session replay on errors (text masked) | EU (Germany, ingest.de.sentry.io) |
| OpenRouter | AI model routing and inference gateway (see Section 4 for upstream providers) | USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
| Perplexity, Tavily, Brave Search, Exa | Web research for deliberations | USA (SCCs) |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914). DPF = EU-US Data Privacy Framework.
8. International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA). For these transfers, we rely on:
- The EU-US Data Privacy Framework (for certified sub-processors), and/or
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
Technical safeguards include:
- TLS 1.2+ encryption for all data in transit
- OpenRouter (our AI gateway) does not store prompts or responses — only metadata (token counts, latency) is retained
- Training endpoints are disabled at the account level — upstream providers cannot use your data for model training
You may request a copy of the relevant SCCs by contacting privacy@pilot5.ai.
9. Your rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations
- Right to restriction (Art. 18) — request that we restrict processing in certain circumstances
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON)
- Right to object (Art. 21) — object to processing based on legitimate interests, including profiling
- Right to withdraw consent — withdraw consent for product updates or analytics at any time
To exercise any of these rights, contact privacy@pilot5.ai. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or the supervisory authority in your country of residence.
10. Cookies
pilot5 uses a minimal set of cookies. We distinguish between strictly necessary cookies (which do not require consent) and optional analytics cookies (which require your explicit consent).
Strictly necessary cookies
| Cookie | Purpose | Duration |
|---|---|---|
| __session | Clerk authentication session token | Session |
| __client_uat | Clerk client-side auth state | 1 year |
Analytics cookies (optional — consent required)
If you accept analytics cookies via our consent banner, we load Google Tag Manager which may set the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| _ga | Google Analytics — distinguishes unique visitors | 2 years |
| _ga_* | Google Analytics — maintains session state | 2 years |
You can withdraw your consent at any time by clearing your browser cookies and declining when the consent banner reappears. Analytics cookies are never loaded without your prior consent.
Error monitoring
We use Sentry for error tracking. Sentry does not set cookies but may capture a session replay when an error occurs to help us diagnose issues. Text content and user input are masked in these replays to protect your privacy.
We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies.
11. Security
We implement appropriate technical and organizational measures to protect your data, including:
- TLS encryption for all data in transit
- Encryption at rest for database storage (Supabase managed encryption)
- Application-layer access controls ensuring users can only access their own data, backed by database-level row security policies as defense-in-depth
- API authentication via signed JWT tokens with audience verification
- Content safety guardrails with PII detection
- Encrypted storage of OAuth connector credentials (AES-128 + HMAC-SHA256)
- Regular dependency audits and security patching
12. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of the breach (GDPR Art. 33). If the risk is high, we will also notify you directly (Art. 34), including: the nature of the breach, the likely consequences, the measures we have taken, and recommendations for steps you can take to protect yourself.
13. Children
pilot5 is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered an account, please contact us at privacy@pilot5.ai and we will delete the account promptly.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The effective date at the top of this page reflects the most recent version. Previous versions are available upon request.
15. Contact
For any questions about this Privacy Policy or to exercise your data rights:
Data Controller: ECOEMIT SOLUTIONS SARL, trading as pilot5.ai
Privacy: privacy@pilot5.ai
General: contact@pilot5.ai