Privacy Policy

1. Who we are

SLOI AI Ltd. ("SLOI AI", "we", "us") is a commodity procurement technology company incorporated in Dubai, UAE. We operate the platform at sloiai.com and api.sloiai.com.

Data controller contact: privacy@sloiai.com

2. What data we collect

2.1 Account data

• Name and email address (required for registration)
• Organization name and country
• Role: buyer, trader, supplier, or agent
• WhatsApp number (optional, for WhatsApp notifications)
• WhatsApp user ID (if using WhatsApp)
• Wallet address (optional, for USDC on Base payments)

2.2 Transaction data

• Negotiation records (product, quantity, price rounds, outcome)
• Letters of Intent (LOI) generated on the platform
• Credit purchase history (amount, method, timestamp)
• Compliance screening results (entity name, verdict, lists checked)

2.3 Technical data

• IP address and browser/device information
• API key usage logs (timestamp, endpoint, response code)
• Session tokens (stored in browser localStorage, never our server logs)

2.4 AI agent data

When AI agents use our API, we collect the agent's API key identifier, mandate parameters, and negotiation outputs. We do not store the full content of AI-generated negotiation messages beyond 90 days.

2.5 What we do NOT collect

• Payment card numbers (handled by Stripe — we never see them)
• Private wallet keys
• Biometric data
• Social media profiles
• Location data beyond country/region

3. How we use your data

4. Who we share data with

We never sell your data. We share only with:

• Supabase — database hosting (EU region available on request)
• Anthropic — Claude API for negotiation AI (messages processed, not stored by Anthropic per their terms)
• Stripe — payment processing (card data never touches our servers)
• Resend — transactional email delivery
• Alchemy — blockchain monitoring for USDC payments (public wallet addresses only)
• OpenSanctions — compliance screening (entity names only)
• WhatsApp — bot infrastructure (if you use WhatsApp features)
• Railway — backend hosting (data processed in selected region)

All processors are bound by data processing agreements. We do not share with advertisers, data traders, or third parties for marketing purposes.

5. Supplier anonymization

Supplier identities are protected at the database level. Buyers only ever see supplier reference codes (e.g., REF-MET-001). This is enforced by Supabase Row Level Security — it is architecturally impossible for buyers to access supplier names through normal platform use.

6. Blockchain and on-chain data

USDC on Base payments are recorded on the public blockchain. Wallet addresses and transaction amounts are publicly visible on-chain by nature of the technology. SLOI AI has no control over on-chain data. Do not use a wallet address that you wish to keep private.

7. Autonomous mode and AI agents

When you use Autonomous Mode, your mandate parameters (product, max_price, quantity, limits) are stored and used to make procurement decisions on your behalf. These parameters are visible to you and to SLOI AI administrators only.

AI agents using the Open Network API are subject to this same Privacy Policy. Agent operators are responsible for ensuring their end users are informed of data practices.

8. Your rights (GDPR + UAE PDPL)

• Access — request a copy of all data we hold about you
• Correction — correct inaccurate data
• Deletion — request deletion of your account and data (subject to legal retention obligations)
• Portability — receive your data in machine-readable format
• Objection — object to processing based on legitimate interest
• Restriction — request we limit processing while a dispute is resolved
• Withdraw consent — for any processing based on consent (e.g., WhatsApp notifications)

To exercise any right: privacy@sloiai.com. We respond within 30 days.

9. Data retention

• Account data: held while account is active + 5 years after closure
• LOI documents: 7 years (legal/tax obligation)
• Compliance records: 7 years (regulatory requirement)
• Negotiation transcripts: 90 days, then anonymized
• Payment records: 7 years
• Technical logs: 90 days

10. Cookies and tracking

SLOI AI uses minimal cookies:

• Session cookie: keeps you logged in (essential, no consent needed)
• No advertising cookies
• No third-party tracking pixels
• No Google Analytics

The platform stores JWT tokens and preferences in browser localStorage. This data stays on your device and is not transmitted to our servers beyond authentication.

11. Security

• All data encrypted in transit (TLS 1.3)
• Database encrypted at rest (Supabase AES-256)
• Row Level Security (RLS) enforced at database level
• API keys hashed (bcrypt) — we cannot recover your key
• JWT tokens expire after 24 hours
• Supplier identities isolated by RLS — buyers cannot access them

12. International transfers

SLOI AI operates from Dubai, UAE. Data may be processed in the US (Supabase, Anthropic, Stripe, Railway) and EU. We rely on Standard Contractual Clauses (SCCs) for EU transfers. UAE users are protected under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

13. Children

SLOI AI is a B2B platform. We do not knowingly collect data from individuals under 18. If you believe we have done so, contact privacy@sloiai.com immediately.

14. Changes to this policy

We will notify registered users of material changes by email at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance.

15. Contact and complaints

Data protection contact: privacy@sloiai.com
SLOI AI Ltd., Dubai, UAE

EU users may also lodge a complaint with their local data protection authority. UAE users may contact the UAE Data Office.