Skip to main content
Global
AIMenta
Legal Last updated: 2026-04-19

Privacy Policy

We are AIMenta, a mentor-led AI adoption firm working with mid-market enterprises across nine Asian markets. This page explains exactly what we collect when you visit aimenta.ai or talk to our team, and what we do not.

This is a baseline policy. We recommend consulting qualified legal counsel for your jurisdiction before relying on this for compliance. Statutory obligations vary by territory and by the nature of the data you exchange with us.

1. Data we collect

We collect three categories of data, all of them limited to what we genuinely need to run a B2B consulting business.

Contact form submissions

When you fill out a form on aimenta.ai — to book a discovery call, request a proposal, or download a report — we receive your name, work email, company name, role or job title, and the free-text message you provide. If the form is for a downloadable resource we also record which asset you requested. We do not ask for personal phone numbers, government identifiers, or financial information through web forms.

Analytics

We rely on Cloudflare Web Analytics for aggregate page-view counts and basic referrer data. Cloudflare Web Analytics is cookie-free and does not fingerprint individual visitors. We do not use Google Analytics, Meta Pixel, or any third-party advertising tracker.

Cookies

The site sets only operational cookies. A session cookie keeps your form input intact across pages. A CSRF token cookie protects form submissions from cross-site forgery. Both expire when you close the browser. We do not set marketing or advertising cookies.

2. Why we collect it

Each category of data has a single, declared purpose:

  • Contact form data is used to respond to your inquiry, qualify whether we are the right fit, and follow up with relevant material.
  • Analytics data is used in aggregate to understand which insights and pages provide value, so we can invest in the content that helps practitioners.
  • Operational cookies are used to keep the site secure and your form input intact. They are not analytics.

We do not sell, rent, or share personal data with third parties for their own marketing purposes — full stop.

3. Retention periods

We hold data only as long as we have a working reason to:

  • Contact form submissions are retained for 24 months from the last interaction, then archived or deleted on our regular review cycle.
  • Active client engagement records are retained for the duration of the engagement plus seven years, in line with standard professional services audit norms.
  • Analytics data is aggregated and retained indefinitely in non-identifying form. Raw event data, where it exists, is purged within 90 days.
  • Operational cookies expire at the end of the browser session.

4. Lawful basis for processing

Where applicable data protection law requires a lawful basis, ours are as follows:

  • Legitimate interest — for first-party analytics that help us improve the site and for follow-up communication about an active inquiry you initiated.
  • Consent — for any future marketing email program. We do not currently operate one. If we launch one, opt-in will be explicit and revocable in one click.
  • Contract — for processing related to the negotiation, performance, and administration of a paid engagement.
  • Legal obligation — for the limited records we are required to retain by tax, accounting, or sectoral regulation.

5. Your rights as a data subject

Subject to local law, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Request deletion where we no longer need the data and there is no overriding legal basis to retain it
  • Request portability of data you provided directly to us, in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent for any processing based on consent, at any time
  • Lodge a complaint with the supervisory authority in your jurisdiction

To exercise any of these rights, email [email protected] from the address tied to the inquiry. We respond within 30 days and verify identity before disclosing or modifying records.

6. Sub-processors

We keep our vendor footprint deliberately small. The current sub-processor list:

  • Cloudflare — content delivery, DDoS protection, and cookie-free analytics. Cloudflare processes the IP address and HTTP request metadata of every visitor as part of the network handshake.
  • Managed MySQL infrastructure — primary application database, hosted on managed cloud infrastructure in our primary HK/SG region.
  • Transactional email provider — for delivering inquiry confirmation and engagement-related correspondence. Limited to email address and the content of the message we send to you.

We do not currently use any third-party advertising network, customer data platform, session-replay tool, or behavioural targeting service. Material changes to this list will be reflected here with an updated date.

7. International data transfers

Our application data is stored on infrastructure in our primary Hong Kong / Singapore region. Cloudflare operates a global network and may serve cached static assets from edge locations near your visit; the underlying personal data we hold remains in our primary region.

Where personal data is transferred across borders, we rely on the cross-border transfer mechanisms permitted by the originating jurisdiction — Standard Contractual Clauses where the EU model applies, sector-specific safeguards under PIPL for Mainland China data, and contractual assurances under the relevant APAC frameworks.

8. APAC jurisdictional notes

The following are short, non-exhaustive notes on the data protection regimes most relevant to our client base. None of these notes constitute legal advice or a claim of full compliance with the regime described.

Hong Kong — PDPO

The Personal Data (Privacy) Ordinance applies to data we collect from individuals in Hong Kong. We honour PDPO Data Access Requests and Data Correction Requests; the contact for such requests is [email protected].

Singapore — PDPA

The Personal Data Protection Act applies to the personal data of individuals in Singapore. We respect the Do Not Call provisions and process data in line with the Consent, Purpose Limitation, Notification, and Accountability obligations.

Japan — APPI

The Act on the Protection of Personal Information applies to data of Japanese residents. We do not engage in the joint use of personal data with third parties for direct marketing purposes.

South Korea — PIPA

The Personal Information Protection Act applies to data of Korean residents. We minimise sensitive information collection and obtain separate consent where any sensitive category is unavoidable.

Mainland China — PIPL

The Personal Information Protection Law applies to personal information of individuals in Mainland China. For engagements involving Chinese personal information, we discuss data localisation and cross-border transfer requirements at the contracting stage and reflect them in the executed agreement.

9. Children

AIMenta operates a business-to-business service directed at enterprise practitioners and decision-makers. The site is not directed at minors, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has provided data, contact us and we will remove it.

10. Changes to this policy

When we make a material change to how we collect or use personal data, we update this page and revise the "Last updated" date at the top. We do not retroactively use data in ways the original notice did not permit. Where required, we will give individual notice and a meaningful opportunity to object.

11. Contact

Privacy questions, data subject requests, or concerns: [email protected]. Postal mail can be addressed to AIMenta, c/o the registered office in Hong Kong SAR — request the current address by email and we will provide it.

For broader trust, security, and compliance documentation, see our Trust & Security page.

Related governance reading

The rest of our governance posture.

Privacy is one slice of how we run the business. The full picture lives across these pages.

Trust & security posture

Data residency, encryption, incident SLAs, certifications.

Terms of service

The contract that governs your use of this site and our services.

About AIMenta

Who we are, where we operate, and how the firm is structured.

Infrastructure & cloud

How we architect for residency and compliance in client environments.

AI strategy & advisory

Where AI governance fits into the broader adoption roadmap.

AI encyclopedia

Definitions for the technical terms used in this policy.

Questions about how we handle data?

We respond to every inquiry from a real person on the team — usually within one business day.

Email [email protected] Read our trust posture