—— Legal
Privacy Policy
What we collect, why, and your rights. Last updated 1 July 2026.
Last updated: 1 July 2026
This policy explains how Hojt Communication AB, organisation number 559017-1459, registered in Sweden (“Adamiro“, “we“, “us“) processes personal data when you visit our website at adamiro.com, use the Adamiro service, contact us, or interact with our marketing.
1. Who is the controller
For personal data we collect about you as a website visitor, account holder, prospect, or contact person at a customer organisation, Hojt Communication AB is the data controller.
For personal data you submit through the Service about other people (your colleagues, contacts, prospects, or end users), you are the controller and we are the processor. That relationship is governed by the Data Processing Addendum, which forms part of these Terms.
| Item | Value |
|---|---|
| Controller | Hojt Communication AB |
| Organisation number | 559017-1459 |
| Postal address | Höjeågatan 243, 23433 Lomma, Sweden |
| Privacy contact | privacy@adamiro.com |
| General contact | hello@adamiro.com |
| Data Protection Officer | Not appointed — we are not required to appoint a DPO under GDPR Art. 37. Privacy enquiries are handled at the address above. |
2. Scope
This policy covers personal data we process as controller, including:
- Visitors to adamiro.com and adam.hojt.se (staging).
- People who fill in forms, sign up for a free trial, or subscribe.
- Account holders and seat-level users on customer accounts.
- Contact persons at prospects, suppliers, and partners.
- People who email or call us.
- Job applicants who contact us via the website.
Where customers process personal data of third parties through the Service (for example, contacts referenced in Mentor / The Tank conversations, or people named in content created with Voice and published with Reach), we act as a processor on the customer’s behalf and the DPA governs that processing.
3. What personal data we process, why, and on what lawful basis
The table below lists each processing activity. “Lawful basis” refers to GDPR Art. 6(1) letters (a) consent, (b) contract, (c) legal obligation, (d) vital interests, (e) public task, (f) legitimate interest. Where we rely on legitimate interest, we have carried out a documented Legitimate Interest Assessment (LIA) and the assessed interests are summarised in the Why column.
3.1 Visitors to our website
| Data | Examples | Source | Lawful basis | Why | Retention |
|---|---|---|---|---|---|
| Technical session data | IP address, browser type, OS, referrer, pages viewed | Browser | Art. 6(1)(f) legitimate interest in site operation, security, and abuse prevention | Operate and secure the site, detect attacks, debug | 12 months in security logs, then deletion |
| Cookie / analytics data | See section 8 below | Browser | Consent (Art. 6(1)(a)) for non-essential cookies; legitimate interest for strictly-necessary | Measure aggregate site traffic, improve UX | Up to 13 months from last visit (CNIL guidance) |
| Form submissions | Name, email, message, company | You | Art. 6(1)(b) (pre-contractual steps) for trial / sales enquiries; Art. 6(1)(f) for general enquiries | Respond to enquiries, set up a trial | 24 months from last contact, or until you object |
3.2 Account holders and customer users
| Data | Examples | Source | Lawful basis | Why | Retention |
|---|---|---|---|---|---|
| Account profile | Name, email, password hash, phone (optional), company, role, time zone, locale | You | Art. 6(1)(b) contract | Provide the Service, authenticate you | While account active + 90 days; then anonymised or deleted on request |
| Billing data | Card last 4 digits (held by Stripe), VAT ID, billing address, invoices, payment history, plan, Task balance | You via Stripe | Art. 6(1)(b) contract; Art. 6(1)(c) Swedish bokföringslagen (7 years for accounting records) | Charge you, fulfil tax/accounting duties | Accounting records: 7 years per Swedish law. Card data is held by Stripe, not us. |
| Usage and Service data | Run history, Task consumption, module activity, run inputs and outputs, file uploads, advisory session transcripts | You | Art. 6(1)(b) contract | Operate the Service, support, troubleshooting | While account active + 90 days unless you delete sooner; then deletion or anonymisation |
| Support correspondence | Tickets, chat transcripts, emails | You | Art. 6(1)(b) contract; Art. 6(1)(f) for record-keeping | Resolve your issues, audit trail | 36 months from ticket close |
| Security logs | Login times, IP, device fingerprint, abuse-detection incidents (see TODO §2) | System | Art. 6(1)(f) legitimate interest in account security and prevention of abuse | Detect compromised accounts, investigate abuse | 12 months; abuse incidents up to 24 months |
| Marketing communications | Email opens, clicks, preferences | System and you | Consent (Art. 6(1)(a)) for newsletters; Art. 6(1)(f) for B2B service updates to existing customers | Send relevant updates and offers | Until you unsubscribe; then suppression-list only |
| Privacy preferences | Your per-service decisions about including your personal details, your cross-service sharing opt-ins, and the consent record (timestamp, scope, IP, policy version) | You | Art. 6(1)(a) consent; Art. 6(1)(c) to evidence that consent | Honour your privacy choices and keep a lawful record of them | While account active + 90 days |
| Adam (assistant) interactions | The message you type to the in-dashboard Adam, the action it maps that to, and a short, redacted log of the steps it took (no full page contents, no secrets) | You | Art. 6(1)(b) contract to run the assistant; Art. 6(1)(f) for the redacted security log | Turn your request into a guided action in the dashboard and keep a short, redacted trail for security and troubleshooting | Redacted event log 60 days, then automatic deletion; anything you generate follows the usage-and-Service-data row above |
Confidential by default. Adamiro keeps your name, email, company, phone, and address out of anything a service generates or sends unless you opt that service in under Account → Privacy. Your Mentor and The Tank conversations are treated as confidential: they are not reused in other services, and not used to improve our models, unless you turn that on yourself. See section 3.4 for model training and the Terms of Service section 13 for conversation confidentiality.
You decide how long conversations are kept. Under Account → Privacy you can set a retention window for your Mentor and The Tank transcripts — keep them until you delete them, or have Adamiro remove them automatically after 30, 90, 180, or 365 days (a daily job enforces your choice). The default is 365 days. You can also delete every transcript immediately with one click. Anything you deliberately saved to Memories is kept until you remove it there; retention covers raw conversation logs, not the knowledge you chose to keep.
3.3 People you contact through the Service (third parties)
When you use any feature where you submit data about real people — for example, people referenced in Mentor documents, The Tank sessions, or content you publish — you are the controller. The DPA governs that processing. We do not use those individuals’ data for our own purposes beyond delivering the Service to you.
3.4 Service improvement and model training
We may use de-identified, anonymised Input and Output to evaluate, debug, and improve the Service, including to train and develop our own models, prompt libraries, and agentic workflows.
| Aspect | Detail |
|---|---|
| Lawful basis | Art. 6(1)(f) legitimate interest, balanced against the right to opt out at any time |
| What is collected | Anonymised Input/Output text only; no user, account, or session identifiers; PII surrogates replace names, emails, phone numbers, addresses, personnummer, organisation numbers, account numbers, IP addresses, and other re-identifying values |
| Where it lives | Separate corpus table with no foreign keys back to user identities |
| Retention | Up to 24 months from capture; then automatic deletion |
| Provider exclusions | Outputs we receive from upstream providers whose terms forbid downstream training are excluded at capture time |
| Opt-out | A toggle in your account settings; turning it off prevents future capture and triggers retroactive removal of already-captured rows within 7 days |
3.5 Connected social accounts (Reach publishing)
When you connect a social account to Reach so you can publish the content you create in Adamiro (for example, your own Instagram Business account connected via Facebook Login, or your LinkedIn account), we process the following:
| Data | Examples | Source | Lawful basis | Why | Retention |
|---|---|---|---|---|---|
| Connection credentials | An OAuth access token (encrypted at rest, never logged, never exposed through our API) and any refresh/expiry metadata | You, via the platform’s login | Art. 6(1)(b) contract | Publish to your own account on your behalf when you ask us to | Until you disconnect or the token is revoked; deleted on disconnect (see below) |
| Connected-account identity | The account or page id, username/handle, and — for Instagram — the linked Facebook Page id and your app-scoped Facebook user id | You, via the platform | Art. 6(1)(b) contract | Show “Connected as @handle”, let you pick which account to publish to, and target the right account | Same as the token |
| Published-post data | Ids of posts you published through Adamiro and their like/comment counts | The platform | Art. 6(1)(b) contract | Show you how the content you published performed | While the account is connected; deleted on disconnect |
We use these permissions only to (a) list the accounts you manage so you can choose where to publish, (b) publish the single image or multi-image carousel you composed, to your own account, when you click “Post now”, and (c) read engagement on the posts you published through Adamiro. We never post without an explicit action by you, never read other people’s content, never publish to a shared or Adamiro-owned account, and never use this data for advertising or model training.
Disconnecting and deleting this data. You can remove a connected account at any time, and there are three ways the stored data is deleted:
- In-app — click Disconnect in Reach → Connections. The access token and connected-account details are deleted immediately.
- From the platform — if you remove Adamiro from your Facebook or Instagram settings, the platform notifies us and we delete your stored token and account details automatically.
- By request — email privacy@adamiro.com, or use the platform’s data-deletion request flow; we delete the data and provide a confirmation you can check.
Meta Platforms Ireland Ltd. and LinkedIn Ireland Unlimited Company are the operators of the platforms you publish to; when you publish, your content is sent to your own account on their platform under their respective privacy policies. They act as independent controllers for the account you hold with them, not as our sub-processors.
4. Where we get personal data
We receive personal data from:
- You directly — when you sign up, fill in a form, send us an email, or use the Service.
- Your colleagues — when an account owner adds you as a seat or shares a workspace.
- Stripe — billing and payment data when you pay an invoice.
- Social platforms you connect — when you link an Instagram, LinkedIn, or other account to Reach, we receive the connection token and basic account details from that platform (see section 3.5).
- Public sources — when relevant for B2B prospecting on our side (LinkedIn profile pages, company websites, press releases).
- Cookies and similar technologies — see section 8.
5. Who we share personal data with
We share personal data only as needed to operate the Service:
- Sub-processors (see section 9 and the DPA Annex 2) — providers who process personal data on our behalf under written contracts that include GDPR Art. 28 obligations.
- Professional advisers — accountants, auditors, lawyers, under confidentiality obligations.
- Authorities — where required by Swedish or EU law, court order, or to defend our legal rights. We push back on overbroad requests.
- Acquirer or successor — in a corporate transaction (sale, merger, spin-out to a successor entity holding the Adamiro business); in that case the acquirer takes over as controller subject to this policy or a comparable one.
We do not sell personal data and do not share personal data with advertisers for cross-context behavioural advertising.
6. Children
The Service is intended for business users only. We do not knowingly collect personal data from anyone under 18. If you believe a minor has given us their data, contact privacy@adamiro.com and we will delete it.
7. Automated decisions and AI output
The Service uses generative AI to produce Output. We do not use the Service to make automated decisions producing legal or similarly significant effects on you within the meaning of GDPR Art. 22. Output is decision support — you remain responsible for any decision you make based on it.
We do run automated processes that may affect your account in operational ways (login throttling, fraud / abuse detection per TODO §2, billing-related suspensions). These are not Art. 22 decisions because a human can review them on request and they are necessary to perform the contract or to comply with law.
Assistant and agentic features (such as the in-dashboard Adam) are assistive and keep you in the loop: they prepare actions in the dashboard and carry them out only when you confirm them. They do not make automated decisions about you within the meaning of Art. 22.
8. Cookies and analytics
We use a small number of cookies and similar technologies, run by our own first-party consent manager (not a third-party plugin). They fall into two groups:
- Strictly necessary — required for sign-in, session security, and the basic functioning of the site/app. Set on the basis of legitimate interest; cannot be disabled without breaking the Service.
- Analytics — aggregate traffic measurement (Google Analytics, via Google Site Kit). Set only with your consent via the cookie banner, using Google Consent Mode: no analytics cookie is set, and no data reaches Google, until you choose “Accept all” or opt in under “Customize”.
The live, current cookie list — provider, purpose, and duration for every cookie in use — is:
You can change your choice at any time from the “Cookie settings” link in the site footer.
When you make a choice, we log it — a random identifier, the categories chosen, the action taken, and a hashed IP address (never the address itself) — so we can demonstrate consent under GDPR Art. 7. That log is kept for 24 months and then deleted automatically; it never contains your name, email, or any other directly identifying information.
9. Sub-processors
We use the following sub-processors. The current list with locations, roles, and transfer mechanism is also in DPA Annex 2; both lists must agree.
| Sub-processor | Role | Country of processing | Transfer mechanism |
|---|---|---|---|
| OpenAI Ireland Ltd. | Large-language-model inference for various modules | Ireland (with potential US transfer) | EU SCCs |
| Anthropic Ireland Ltd. | LLM inference (Claude) | Ireland (with potential US transfer) | EU SCCs |
| Google Ireland Ltd. | Gemini LLM inference; Google Workspace for our internal email/files; Google Analytics traffic measurement (Site Kit), only after you consent | Ireland / EU (with potential US transfer) | EU SCCs |
| Stripe Payments Europe Ltd. | Payment processing, invoicing | Ireland (with potential US transfer) | EU SCCs |
| n8n GmbH (n8n Cloud) | Workflow orchestration that ties module steps together | Germany | Within EU/EEA — no transfer required |
| Hojt Communication AB hosting (FTP / WordPress) | Hosting of adamiro.com and adam.hojt.se | Sweden | Within EU/EEA |
| Elestio Limited (managed Qdrant) | RAG and persona memory for Mentor and The Tank | Ireland (HQ); data hosted in Germany (Falkenstein) | Within EU/EEA — no transfer required |
| Hetzner Online GmbH | Underlying cloud infrastructure for the self-hosted vector store | Germany (Falkenstein) | Within EU/EEA — no transfer required |
| Mailjet SAS (a Sinch company) | Transactional email (account, billing, run notifications) | France (data centres in Belgium and Germany) | Within EU/EEA — no transfer required |
We will give you reasonable advance notice of new sub-processors in this list and offer you a right to object on documented data-protection grounds.
10. International transfers
The default position is to keep personal data inside the EU/EEA. Where a sub-processor processes data outside the EU/EEA (in particular for US- based AI providers and their parent companies), the transfer is covered by Standard Contractual Clauses (EU Commission decision 2021/914) and, where appropriate, supplementary measures (encryption in transit and at rest, access logging, contractual prohibitions on government access not strictly required by law).
You may request a copy of the relevant SCCs by writing to privacy@adamiro.com. Confidential commercial terms may be redacted.
11. Security
We apply technical and organisational measures appropriate to the risk of the processing, including:
- Transport encryption — TLS 1.2+ across all customer-facing endpoints.
- At-rest encryption — for databases, backups, file storage, and vector stores where supported by the provider.
- Access control — least-privilege role-based access; named-person admin accounts; multi-factor authentication required for production access.
- Secrets management — credentials and API keys are kept in a password manager / secrets store, not in source code.
- Logging and monitoring — application, security, and access logs with anomaly detection on the staging-to-production deploy pipeline.
- Backups — daily database backups retained for 30 days; recovery drills annually.
- Vulnerability management — dependency monitoring, patching on documented cadence; staging environment used for pre-production validation per DEVELOPMENT_PIPELINE.md.
- Personnel — confidentiality obligations for everyone with access; background checks for production access.
- Sub-processor diligence — contracts include GDPR Art. 28 and Art. 32 obligations.
A more detailed list of measures is in DPA Annex 3.
No system is perfectly secure. If you discover a vulnerability, please report it to security@adamiro.com — we operate good-faith vulnerability disclosure and won’t pursue researchers acting in good faith.
12. Your rights
Under GDPR Articles 15-22, you have the right to:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | A copy of personal data we hold about you and information about how we process it | Email privacy@adamiro.com |
| Rectification (Art. 16) | Correction of inaccurate or incomplete data | Account settings or email us |
| Erasure (Art. 17) | Deletion where there is no overriding lawful reason to keep it | Email us; note legal-retention exceptions (e.g. accounting records under Swedish law) |
| Restriction (Art. 18) | Processing limited while a dispute is resolved | Email us |
| Portability (Art. 20) | Your data in a structured, machine-readable format | Email us; we provide JSON exports for the data you submitted |
| Objection (Art. 21) | To processing based on legitimate interest, including direct marketing and the training-data use described in section 3.4 | Email us, or use the in-product opt-out for training |
| Withdraw consent (Art. 7(3)) | For processing based on consent: newsletters, optional cookies, letting Adamiro include your personal details in a given service, and reusing your Mentor or The Tank conversations in another service | Unsubscribe link, cookie-banner controls, or the per-service toggles under Account → Privacy |
| Not be subject to solely automated decisions (Art. 22) | We do not run such decisions; if you believe an automated process has affected you significantly, ask for human review | Email us |
We will respond within one month of receipt of a verifiable request, extendable by two further months for complex requests with notice. We may need to verify your identity before disclosing data — usually by asking you to confirm a recent account action or email from the address on file.
We do not charge a fee for the first request in a 12-month period and will not refuse a request unless it is manifestly unfounded or excessive (in which case we will explain).
13. Right to complain
If you believe we have processed your data unlawfully, you may complain to the Swedish data-protection authority:
Integritetsskyddsmyndigheten (IMY) Box 8114, 104 20 Stockholm, Sweden imy@imy.se · imy.se
You may also complain to the supervisory authority of the EU/EEA member state where you live or work.
14. Changes to this policy
We may update this policy. Material changes will be notified by email or in-app at least 30 days before they take effect. Non-material changes (typo fixes, sub-processor additions of the same type) take effect on posting.
A change log is maintained at the bottom of this document.
15. Contact
| Subject | Address |
|---|---|
| Privacy and data-subject requests | privacy@adamiro.com |
| Security disclosures | security@adamiro.com |
| Legal notices | legal@adamiro.com |
| General | hello@adamiro.com |
| Postal | Hojt Communication AB, Höjeågatan 243, 23433 Lomma, Sweden |
Change log
| Version | Date | Summary |
|---|---|---|
| 1.2 | 2026-07-01 | Added a section 3.2 processing row for the in-dashboard Adam (assistant): the message you type, the action it maps to, and a redacted 60-day event log, on Art. 6(1)(b)/(f); added a note in section 7 that assistant and agentic features are human-in-the-loop and make no Art. 22 decisions. |
| 1.1 | 2026-06-02 | Added section 3.5 (connected social accounts for Reach publishing): what we store on Instagram/LinkedIn connect, why, and the three deletion paths; added a matching source bullet in section 4. |
| 1.0 | 2026-04-29 | Initial draft (pending Swedish counsel review). |