Privacy Policy

Last updated: 25 March 2026

1. Who we are

Imora (“we”, “us”, “our”) operates the Imora platform at imora.ai and related services. We are the data controller for personal data processed through our platform. For any privacy-related queries, contact us at privacy@imora.ai.

2. What data we collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed), and billing information when you create an account or subscribe to a plan.
  • Creator content: text, documents, and other materials you provide to build your AI twin. This may include professional experience, opinions, writing samples, and uploaded files.
  • Conversation data: messages exchanged between users and AI twins, including metadata such as timestamps and token counts.
  • Usage data: pages visited, features used, device information, IP address, browser type, and referring URLs.
  • Payment data: processed securely by Stripe. We do not store full card numbers. We retain transaction IDs, plan details, and billing history.
  • Cookies: functional cookies for authentication and preferences. We do not use third-party advertising cookies.

3. How we use your data

  • To provide, maintain, and improve the Imora platform and services.
  • To build and operate AI twins based on creator-provided content.
  • To process payments, manage subscriptions, and handle creator payouts.
  • To send transactional emails (account confirmations, billing receipts, security alerts).
  • To monitor platform health, prevent abuse, and enforce our Terms of Service.
  • To generate anonymised, aggregated analytics to improve our product.

4. How AI twins use your data

When a creator builds a twin, the content they provide is used to construct a structured identity model (system prompt). This model is sent to our AI provider (Anthropic) at runtime to generate responses.

  • Creator content is used solely to power the creator's own twin(s). It is not used to train any base AI model.
  • Conversation data between users and twins is logged for quality calibration and analytics. Creators can access conversations with their own twins.
  • We do not sell, share, or use creator content or conversation data for advertising purposes.
  • Our AI provider (Anthropic) processes data under a data processing agreement and does not use API inputs to train their models.

5. Legal basis for processing

We process personal data on the following grounds:

  • Contract: processing necessary to provide services you have requested (account management, twin operation, billing).
  • Legitimate interest: platform security, fraud prevention, analytics, and product improvement.
  • Consent: where required, such as for optional marketing communications. You may withdraw consent at any time.
  • Legal obligation: where we are required to retain or disclose data by law.

6. Data sharing

We do not sell your personal data. We share data only with:

  • Anthropic: our AI provider, to generate twin responses. Subject to their data processing agreement.
  • Stripe: our payment processor, to handle subscriptions and payouts.
  • AWS: our infrastructure provider, for hosting, storage, and database services.
  • Law enforcement: where required by law, court order, or to protect our legal rights.

7. Data retention

  • Account data is retained for the duration of your account and for up to 12 months after deletion, for legal and compliance purposes.
  • Creator content is deleted when a twin is permanently deleted by the creator, or within 30 days of account closure.
  • Conversation logs are retained for up to 24 months for calibration and analytics, then anonymised or deleted.
  • Payment records are retained as required by applicable tax and accounting regulations (typically 6 years).

8. Data security

We implement industry-standard security measures including encryption at rest and in transit, access controls, secure authentication, and regular security reviews. Database credentials are managed via secrets management services. All services run in private subnets with restricted network access.

9. Your rights

Under applicable data protection laws (including UK GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (right to be forgotten), subject to legal retention requirements.
  • Restrict processing in certain circumstances.
  • Port your data to another service in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@imora.ai. We will respond within 30 days.

10. International transfers

Your data may be processed in countries outside the UK, including the United States (where our AI provider and certain infrastructure services operate). Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or equivalent mechanisms.

11. Children

Imora is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user is under 18, we will promptly delete their account and data.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on our platform. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact

For privacy-related queries, requests, or complaints, contact us at:
privacy@imora.ai

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.