
Privacy

"Your data is yours. We protect it like it's our own. Transparency is not optional."

Privacy Policy

Last updated: April 3, 2026


Effective date: April 3, 2026

1. Introduction

This Privacy Policy describes how AI.BEST ("AI.BEST," "we," "us," or "our"), a French simplified joint-stock company (société par actions simplifiée) with a share capital of €1,000, registered with the Registre du Commerce et des Sociétés of Créteil under number 799 482 120 (SIRET: 799 482 120 00018, VAT: FR25799482120, NAF: 7022Z), collects, uses, stores, shares, and protects your personal data when you access or use the ai.best platform (the "Platform"), including the website located at https://ai.best and any associated applications, services, or tools (collectively, the "Services").

ai.best is a digital marketplace where users buy, sell, and discover AI prompts, agents, skills, and workflows (collectively, "Digital Products").

We are committed to protecting your privacy and processing your personal data in compliance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, as amended), and all applicable data protection laws.

Please read this Privacy Policy carefully. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Services.

2. Data Controller

The data controller responsible for the processing of your personal data is:

AI.BEST

RCS Créteil 799 482 120

SIRET: 799 482 120 00018

TVA: FR25799482120

Email: the contact form at https://ai.best/contact

3. Data Protection Officer

We have appointed a Data Protection Officer ("DPO") who can be contacted for any questions or requests relating to the processing of your personal data or the exercise of your rights:

AI.BEST

Email: the contact form at https://ai.best/contact

4. Categories of Personal Data We Collect

4.1 Data You Provide Directly

When you create an account, list Digital Products for sale, make purchases, or otherwise interact with the Services, we may collect the following categories of personal data:

Account and Identity Data: full name, username, email address, password (stored in hashed form), profile picture, biography, and any other information you include in your user profile.

Seller Verification Data: if you register as a seller, we may collect additional identity verification information, including government-issued identification documents, tax identification numbers (e.g., VAT number, SIRET/SIREN for French sellers), proof of address, and bank account or payment details (IBAN, BIC/SWIFT).

Transaction Data: details of purchases and sales you make on the Platform, including transaction amounts, dates, Digital Product descriptions, invoices, and payment confirmations.

Payment Data: credit/debit card information, bank account details, or third-party payment provider account information. Note that payment card data is processed directly by our PCI DSS-compliant payment service providers and is not stored on our servers.

Communication Data: the content of messages you exchange with other users through the Platform's messaging system, support requests, feedback, reviews, ratings, and any correspondence with us.

Content Data: Digital Products you upload, descriptions, tags, documentation, preview materials, and any associated metadata.

Tax and Invoicing Data: billing address, VAT number, tax residency information, and data necessary to comply with applicable tax reporting obligations.

4.2 Data Collected Automatically

When you access or use the Services, we automatically collect certain technical and usage data:

Device and Technical Data: IP address, browser type and version, operating system, device type, device identifiers, screen resolution, language preferences, and time zone.

Usage Data: pages visited, features used, links clicked, search queries, referring/exit URLs, session duration, frequency of visits, and interaction patterns with Digital Products.

Cookie and Tracking Data: cookies, pixel tags, web beacons, and similar tracking technologies as described in our Cookie Policy.

Log Data: server logs recording access times, error logs, and diagnostic data.

4.3 Data from Third Parties

We may receive personal data from third parties, including:

Payment Service Providers: transaction confirmation data, fraud screening results, and payment status information.

Identity Verification Providers: results of identity and fraud checks when you register as a seller.

Social Login Providers: if you choose to register or log in using a third-party service (e.g., Google, GitHub, LinkedIn), we receive your name, email address, and profile picture as authorized by you through that provider.

Analytics Providers: aggregated and individual-level analytics data about your use of the Services.

Public Sources: publicly available information relevant to compliance, fraud prevention, or identity verification.

5. Purposes and Legal Bases for Processing

We process your personal data for the following purposes, each associated with a legal basis under Article 6 of the GDPR:

5.1 Performance of Contract (Article 6(1)(b) GDPR)

Creating and managing your user account.

Facilitating transactions between buyers and sellers, including processing payments, issuing invoices, and managing refunds or disputes.

Providing, operating, and maintaining the Platform and its features.

Delivering purchased Digital Products and managing download access.

Enabling communication between buyers and sellers through the Platform.

Providing customer support and responding to your inquiries.

5.2 Legitimate Interests (Article 6(1)(f) GDPR)

Improving and optimizing the Platform's functionality, user experience, and performance.

Conducting analytics and research to understand usage patterns and market trends.

Detecting, preventing, and investigating fraud, security incidents, abuse, and violations of our Terms and Conditions.

Enforcing our Terms and Conditions and protecting our rights, property, and safety, and those of our users.

Sending you service-related communications (e.g., transaction confirmations, security alerts, policy updates).

Maintaining and improving the security of the Platform.

5.3 Legal Obligations (Article 6(1)(c) GDPR)

Complying with applicable tax, accounting, and financial reporting obligations (including French tax law, EU VAT directives, and DAC7 reporting requirements).

Responding to lawful requests from competent authorities, courts, and regulatory bodies.

Complying with anti-money laundering (AML) and know-your-customer (KYC) regulations where applicable.

Fulfilling record-keeping obligations under French commercial law (Code de commerce).

Complying with the EU Digital Services Act (Regulation (EU) 2022/2065) obligations, including content moderation, transparency reporting, and complaint handling.

5.4 Consent (Article 6(1)(a) GDPR)

Sending you marketing communications and newsletters (where you have opted in).

Placing non-essential cookies and similar tracking technologies on your device (see our Cookie Policy).

Processing special categories of data, if applicable and only where explicit consent is obtained.

You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, you may use the unsubscribe mechanism provided in marketing emails, adjust your cookie preferences, or contact us through the contact form at https://ai.best/contact.

6. Data Sharing and Recipients

We do not sell your personal data. We may share your personal data with the following categories of recipients, solely for the purposes described in this Privacy Policy:

6.1 Other Users of the Platform

When you engage in transactions, your username, profile information, and relevant transaction details are shared with the other party. Sellers' public profiles, including username, ratings, reviews, and Digital Product listings, are publicly visible.

6.2 Service Providers and Processors

We engage third-party service providers who process personal data on our behalf, including:

Payment processors (e.g., Stripe, PayPal) for transaction processing and fraud prevention.

Cloud hosting and infrastructure providers (e.g., AWS, OVHcloud) for data storage and platform hosting.

Email and communication service providers for transactional and marketing communications.

Analytics providers for usage analytics and performance monitoring.

Identity verification providers for seller onboarding and KYC compliance.

Customer support platforms for managing support tickets.

Content delivery networks (CDNs) for delivering Digital Products efficiently.

All service providers are bound by data processing agreements in compliance with Article 28 of the GDPR.

6.3 Legal and Regulatory Disclosures

We may disclose your personal data when required to do so by law, regulation, legal process, or enforceable governmental request, including to tax authorities (e.g., under DAC7 reporting obligations), law enforcement agencies, courts, and regulatory bodies.

6.4 Business Transfers

In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy proceeding, your personal data may be transferred to the acquiring entity, subject to the commitments made in this Privacy Policy.

6.5 With Your Consent

We may share your data with other third parties when you provide explicit consent.

7. International Data Transfers

Your personal data may be transferred to, and processed in, countries outside the European Economic Area ("EEA") that may not provide the same level of data protection as France or the EEA.

When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place, including:

Adequacy Decisions: transfers to countries that the European Commission has determined provide an adequate level of data protection (Article 45 GDPR).

Standard Contractual Clauses (SCCs): we use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a transfer mechanism, supplemented by a transfer impact assessment where required.

Binding Corporate Rules: where applicable, transfers within a corporate group subject to approved binding corporate rules.

Derogations: in limited circumstances, transfers based on explicit consent, the performance of a contract, or other derogations under Article 49 of the GDPR.

You may obtain a copy of the relevant transfer safeguards by contacting us through the contact form at https://ai.best/contact.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

Account Data: retained for the duration of your account and for a period of three (3) years following account closure or last activity, in accordance with French commercial prescription periods.

Transaction Data: retained for ten (10) years from the end of the financial year in which the transaction occurred, in compliance with French accounting and tax obligations (Article L. 123-22 of the Code de commerce and Article L. 102 B of the Livre des procédures fiscales).

Payment Data: payment card details are not stored by us. Transaction records with payment service providers are retained in accordance with their respective retention policies and applicable law.

Seller Verification Data (KYC): retained for five (5) years after the end of the business relationship, in compliance with AML regulations.

Communication Data: retained for three (3) years from the date of the communication, or longer if required for the resolution of disputes or legal proceedings.

Technical and Log Data: retained for a maximum of thirteen (13) months from collection, in accordance with CNIL recommendations.

Marketing Consent Records: retained for three (3) years from the date of last interaction, in compliance with CNIL guidelines.

Cookie Data: retention periods vary by cookie type and are detailed in our Cookie Policy.

When retention periods expire, personal data is securely deleted or anonymized so that it can no longer be associated with you.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, destruction, or accidental loss, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256).

Secure hashing and salting of passwords.

Access controls and authentication mechanisms, including role-based access and multi-factor authentication for administrative access.

Regular security audits, vulnerability assessments, and penetration testing.

Incident detection, monitoring, and response procedures.

Employee training on data protection and information security.

Physical security measures for data center facilities.

Data processing agreements with all service providers requiring equivalent security standards.

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

10. Your Rights Under the GDPR

Under the GDPR and applicable French data protection law, you have the following rights with respect to your personal data:

Right of Access (Article 15 GDPR): you have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive a copy.

Right to Rectification (Article 16 GDPR): you have the right to request the correction of inaccurate personal data and the completion of incomplete data.

Right to Erasure (Article 17 GDPR): you have the right to request the deletion of your personal data, subject to legal retention obligations and other exceptions.

Right to Restriction of Processing (Article 18 GDPR): you have the right to request the restriction of processing of your personal data in certain circumstances.

Right to Data Portability (Article 20 GDPR): you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

Right to Object (Article 21 GDPR): you have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Article 7(3) GDPR): where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR): you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, unless exceptions apply.

Right to Lodge a Complaint: you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French supervisory authority:

CNIL

3 Place de Fontenoy

TSA 80715

75334 Paris Cedex 07

France

Website: https://www.cnil.fr

How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: the contact form at https://ai.best/contact

Postal mail: AI.BEST — Privacy — contact details available at https://ai.best/contact

We will respond to your request within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.

We may request additional information to verify your identity before processing your request.

11. Children's Privacy

The Services are not directed at individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe that a child under 16 has provided us with personal data, please contact us through the contact form at https://ai.best/contact.

12. Automated Decision-Making and Profiling

We may use automated processing in the following contexts:

Fraud Detection: automated systems analyze transaction patterns and account behavior to detect potentially fraudulent activity. Transactions flagged by automated systems are subject to human review before any adverse action is taken against your account.

Content Moderation: automated tools may be used to screen Digital Products for compliance with our Terms and Conditions (e.g., malicious code detection, intellectual property screening). Decisions resulting in removal of content or account sanctions are subject to human review and appeal.

Personalization: we may use algorithmic recommendations to personalize the Digital Products displayed to you based on your browsing and purchase history. This profiling does not produce legal effects or similarly significantly affect you.

You have the right to object to profiling and to request human intervention in automated decision-making processes. Contact us through the contact form at https://ai.best/contact to exercise these rights.

13. Links to Third-Party Websites

The Services may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you visit. We are not responsible for the data practices of third parties.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. We will notify you of material changes by posting the updated Privacy Policy on the Platform with a new "Last updated" date and, where required by applicable law, by sending you a notification by email or through the Platform.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

15. Applicable Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with French law. Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts of Paris, France, without prejudice to your right to lodge a complaint with the CNIL or to bring proceedings before the courts of your habitual residence as permitted under applicable law.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

AI.BEST

Email: the contact form at https://ai.best/contact

DPO: the contact form at https://ai.best/contact

RCS Créteil 799 482 120