Privacy Policy

Effective Date: 1st July 2024 • Last Updated: 18th August 2025

A.I. Machines Inc (“we,” “our,” or “us”) provides software-as-a-service (SaaS) solutions to automotive dealers (“Dealers”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal information—including nonpublic personal information (NPI)—in compliance with the Gramm-Leach-Bliley Act (GLBA) and other applicable privacy laws. This policy applies to our website and to our services offered to Dealers.

1) Information We Collect

We may collect the following categories of information from Dealers and their customers:

a) Dealer & Customer Data (Imported from Legacy Systems)

Customer contact information (e.g., name, phone number, email, address).
Vehicle information (e.g., VIN, make, model, year, service history).

b) Information You Provide

Dealer account details (dealer representative name, dealership name, email, phone, login credentials).
Billing and payment information.

c) Automatically Collected Information

Log data (IP address, browser type, operating system, access times).
Usage data (features accessed, pages visited, actions taken).
Cookies and similar technologies for functionality, security, and analytics.

2) How We Use Information

Provide, operate, and improve our SaaS product and related services.
Import, process, and maintain accurate dealership customer records.
Facilitate secure data migration from legacy systems.
Provide customer support and respond to inquiries.
Process payments and manage subscriptions.
Monitor usage, detect and prevent fraud, and ensure system security and integrity.
Comply with legal, regulatory, and contractual obligations (including GLBA).

3) GLBA Notice: Collection & Disclosure of Nonpublic Personal Information (NPI)

Under the Gramm-Leach-Bliley Act (GLBA), we are required to protect the confidentiality and security of nonpublic personal information (“NPI”) that we process as a service provider to financial institutions (which may include Dealers offering or arranging financing).

We do not sell NPI.
We disclose NPI only as permitted by law and as described in this policy.

Limited Sharing

With Dealers: Customer data imported into our system is accessible only to the Dealer that owns or controls that data.
For Legal Reasons: When required to comply with applicable law, regulation, or valid legal process, or to protect rights, safety, and security.
Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to continued protections consistent with this policy.

Dealer Responsibilities: Dealers remain responsible for providing any required GLBA consumer privacy notices and honoring applicable opt-out rights related to their own sharing practices. We support Dealers’ compliance by processing data solely as instructed, implementing safeguards, and assisting with consumer requests directed to the Dealer.

4) Data Retention

Dealer customer data is retained for as long as the Dealer maintains an active account or as required by law or contract.
Dealers may request deletion or export of customer data by contacting us at [contact email].
Website visitor and system usage data is retained for a limited period for analytics, security, and troubleshooting.

5) Data Security (GLBA Safeguards Rule)

We implement administrative, technical, and physical safeguards designed to protect information, including:

Encryption of Data, where appropriate.
Role-based access controls and multi-factor authentication.
Vendor due diligence and contractual confidentiality requirements.
Risk assessments, logging/monitoring, and incident response procedures.
Employee training on data security and confidentiality.

While we take reasonable steps to protect information, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

6) Your Privacy Rights

Depending on applicable laws, individuals may have rights to access, correct, or delete personal information, or to restrict/opt out of certain processing. Dealers are primarily responsible for handling their customers’ requests. We will support Dealers in fulfilling verified requests that relate to data we process on their behalf.

7) Cookies & Tracking

We use cookies and similar technologies to operate our site, enhance user experience, analyze traffic, and improve security. Most browsers allow you to manage cookies through settings. Disabling certain cookies may affect site functionality.

8) Children’s Privacy

Our services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children.

9) Data Protection Rights

Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request Our Company for copies of your personal data.

The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete information you believe is incomplete.

The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions.

DPO - If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact our Data Protection Officer or
Email us at: nayeem@aimachinesai.com
Call us: +1 (571) 998-4585
Data Protection Officer(DPO) and their responsibilities:
Name: Nayeem S
Email: nayeem@aimachinesai.com

DPO Roles and Responsibilities:

Oversee the implementation of data protection policies and procedures. Ensure the organization’s compliance with data protection regulations. Conduct risk assessments related to data processing activities.

Serve as a point of contact for data subjects and supervisory authorities.

Monitor data security measures, investigate breaches, and enforce staff training to uphold data security.

Data Breach Procedure and Reporting Time Period:

In the event of a data breach, we follow a stringent procedure to mitigate and address the incident promptly. Our response includes identifying the breach, containing its impact, assessing affected data, notifying relevant authorities, and communicating transparently with affected individuals. We conduct thorough investigations to understand the extent of the breach and implement corrective measures to prevent recurrence.

Any detected data breach will be reported to relevant authorities and affected individuals within 72 hours of its identification, in compliance with applicable data protection regulations.

10) International Data Transfer Policy

Our organization stores and processes customer and operational data within AWS infrastructure hosted in the United States (Virginia region).

Access to this data may be performed by authorized personnel located in other regions, including but not limited to India and Tunisia. All such access is governed by strict security and compliance controls.

Access to production systems is restricted based on role and business need, and is enforced through role-based access control (RBAC), multi-factor authentication (MFA), and least privilege principles.

All data transmitted across networks is encrypted using industry-standard protocols (TLS 1.2 or higher), and data at rest is encrypted using AWS-managed encryption mechanisms.

Remote access to production data is permitted only through secure channels. Unauthorized downloading, storage, or transfer of sensitive data to local systems is strictly prohibited unless explicitly approved.

All access to sensitive data is logged and monitored. Any anomalies or unauthorized access attempts are investigated in accordance with the organization’s incident response procedures.

The organization ensures that all subprocessors, including cloud service providers, are subject to appropriate data protection agreements and security assessments.

This policy supports compliance with SOC 2 requirements, particularly in the areas of access control, data protection, and monitoring.ate. Material changes will be communicated as required by law.

11) Updates to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised “Last Updated” date. Material changes will be communicated as required by law.

12) Contact Us

A.I. Machines
Email: support@aimachine.zendesk.com