AIO Privacy Policy

Last updated: March 2026

1. About

Privacy and information protection are priorities for AIO. This document describes the core principles and practices we follow to ensure your privacy is protected when using our services.

Some of our services may be subject to separate privacy policies. We will publish individual privacy policies applicable to specific services.

2. Data Controller

This document applies to the processing of personal data by AIO. ALL IN ONE (hereinafter "AIO") is the property of AIO Group LLC, a company registered at: Gantiadis 44.

When processing personal data, AIO Group acts as the data controller of "User" personal data. This means the company determines the purposes and means by which personal data is processed.

AIO also provides delivery as a service to other companies. In such cases, AIO is the authorized processor for matters such as receiving, managing, and fulfilling delivery assignments, as well as communicating with the company and confirming delivery.

3. Personal Data Processed and Sources

We process personal data only for purposes relevant to the specific processing objective. Personal data can be divided into two main categories: "User Data" and "Usage Data."

User Data

User Data represents personal data we collect directly from you or from the organization through which you use AIO's services. We may collect User Data through various means, including after signing a service agreement or when you register for AIO services, subscribe to a newsletter, or complete a form.

Please note that we also collect details of any transactions and payments you make when using AIO services.

User Data Required for AIO Services

Collection and processing of personal data is necessary for proper performance of the agreement between you and us. When you register for AIO services and create a user account, you must provide:

• First and last name
• Phone number
• Email address
• Payment document information (card number, expiration date) — required for ordering through AIO; however, this data is not stored by AIO as we use a third-party payment service provider

Voluntarily Provided User Data

Your experience may be improved by providing the following additional information:

• Profile photo
• Delivery address
• Location data (if you consent to location data processing)
• Partner bonus card or loyalty program participation
• Age (when ordering age-restricted products)
• Other information provided during account creation or profile updates

We may also process other voluntarily provided information, such as:

• Order-related information (purchased items, special instructions, date/time, total cost, order history)
• Ratings, comments, or survey responses
• Favorite restaurants, suppliers, or manufacturers and other preferences
• Marketing notification opt-ins and opt-outs
• Information provided via phone, email, or chat correspondence, including call recordings with customer service

Third-Party Data

In addition to data provided by you and "Client Organizations," we also process data supplied by third-party service providers. For example, for corporate users, we may process the company's contact person data for communication and marketing purposes. Such data may initially be obtained from public sources such as local commercial registries, information service companies, or directly from the companies (corporate clients).

Sensitive Data

If your order includes products or services where health status or other sensitive personal data is important, AIO must process such data to provide you with the appropriate service. We take any additional protective measures required by applicable legislation for processing such personal data. If required by applicable laws, AIO will request separate consent for processing this type of data. You may withdraw such consent at any time through your profile settings or by emailing AIO support at contact@aiogroup.ge.

Social Media Data

If you connect to or log in to your account via Facebook, Facebook will share your personal information such as your profile photo, some Facebook friends, and your Facebook identification number. While AIO maintains its page on Facebook, AIO and Facebook are joint data controllers. Social media data processing will comply with the respective social network's privacy policy and Georgian legislation.

Usage Data

Usage Data is generated by your interaction with AIO services. When you visit or interact with AIO services, we may automatically collect:

• Device or web browser information, application versions, features, capabilities, and settings
• Carrier, internet service provider, and network connection type, including IP address
• Device identifiers, advertising identifiers, or identifiers we create ourselves
• Country, location, time zone, and IP geolocation information
• Referral sources and links followed from AIO services
• Interaction details and usage patterns — features used, ads seen, campaign participation, impressions, and order information
• Tracking and transaction data from our advertising partners, including timestamps and identifiers

4. Cookies and Other Technologies

When Users visit AIO services, we use various technologies to collect and store Usage Data and other information, including cookies, web storage, and application telemetry.

Cookies and other web data are stored on your device and allow us to identify visitors of AIO services, improve the experience, and compile aggregate visitor information. Cookies will not damage your device or files. We use cookies to personalize AIO services and information to individual user interests.

Users can configure their web browser to reject cookies. Please note that rejecting cookies may negatively affect the availability and proper functioning of certain AIO service components.

AIO uses pseudonymization to enable analysis and prediction of application and service usage and offerings.

AIO also uses session-only third-party tracking technologies for verifying and recording transactions initiated by our advertising partners.

You can manage your cookie preferences through the cookie banner on our website. You can also manage your communication and other privacy settings through the AIO application. The visitor identifier can be disabled on iOS and Android devices through your device settings.

AIO uses the following third-party analytics and technology partners:

Name	Partner	Purpose
Google Analytics	Google	Visitor and usage analytics
Google AdSense	Google	Ad targeting
Google Tag Manager	Google	Analytics and reporting
Facebook Graph API	Meta	Ad management
Facebook Pixel	Meta	Ad conversion tracking

5. Purposes and Legal Basis

We process personal data only within the scope necessary for specific processing purposes. One or more of the following purposes and legal bases may apply to a given case.

AIO primarily processes your personal data to fulfill contractual obligations to you or Client Organizations, for example:

• To offer you AIO services under the agreement between you and the Client Organization
• To fulfill the agreement between you and AIO — managing and delivering your order, and contacting you regarding terms, privacy policy, or other significant contractual changes
• To process your payments or refunds and provide our partners (restaurants, retailers, and couriers) with information necessary to prepare or deliver your order
• To respond to your inquiries or provide necessary support when you contact us

We may also process your personal data when we have an appropriate and justified legitimate interest to manage, maintain, and develop our business, as well as to build and maintain customer relationships. When we choose to use your data based on our legitimate interests, we prioritize your privacy rights over our interests and offer easy ways to opt out of marketing communications. We also use pseudonymized or depersonalized data wherever possible.

We process your personal data based on legitimate interest for purposes such as:

• Complaint handling, debt collection, and legal proceedings; fraud prevention, service abuse prevention, and ensuring information system and network security
• Communicating AIO service changes and requesting reviews or feedback
• Marketing AIO services, showing targeted or personalized advertisements, or otherwise providing targeted marketing of services and products that may interest you
• Improving AIO service quality and business development through usage trend analysis
• Customer satisfaction measurement using aggregated, depersonalized data whenever possible

During personal data processing, we may use automated means, which may also include automated decision-making.

We may process your personal data to administer and fulfill our legal obligations, including data for accounting purposes and providing information to relevant authorities such as tax or law enforcement authorities, in accordance with Georgian legislation.

At certain stages you may be asked to give consent for processing of your personal data. If data processing is based on your consent, you may withdraw consent at any time by contacting us or changing the relevant consent settings in the AIO application.

6. Data Recipients

We do not share your personal data with third parties outside AIO's organization except in the following cases:

• Service delivery: To the extent that third parties (restaurants, manufacturers, retailers preparing orders, our couriers delivering orders, and Client Organizations that may pay for your order) need access to your personal data to carry out AIO services or for other legitimate purposes. For example, we may share your phone number with a Partner preparing your order if necessary to ask about product substitutions, missing items, or special requirements.
• Partner data sharing: We provide Partners with personal data necessary for order fulfillment, which may include your name, delivery address, purchase details, order number, order and delivery times, delivery method, ordered products, comments, and feedback.
• Legal purposes: We may share your personal data with a third party if we believe in good faith that access is reasonably necessary to: (I) satisfy applicable laws, regulations, or court requirements; (II) detect, prevent, or address fraud, security, or technical issues; or (III) protect the property, interests, or safety of Users or the public in accordance with applicable law.
• Corporate transactions: If AIO is involved in a merger, acquisition, or asset sale, your personal data may be transferred to the third party involved. We will continue to ensure confidentiality and will notify all Users when their data is subject to a different privacy policy.

7. Retention Period

AIO does not retain your personal data longer than is permitted by law and necessary for the implementation of AIO services. The retention period depends on the nature of the information and processing purposes. The maximum retention period may vary depending on the usage.

After a User deletes their account, personal data may only be retained if required by law or reasonably necessary for our legal obligations or legitimate interests, such as complaint handling, accounting, internal reporting, and auditing.

We regularly assess personal data retention periods to ensure data is stored only for the necessary duration.

8. Your Rights

• Right of access: You have the right to access your personal data and be informed about our processing. Some data is available through your AIO account; you may also contact us to request a copy of your personal data.
• Right to withdraw consent: If data processing is based on your consent, you may withdraw it at any time free of charge. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to rectification: You have the right to correct or complete inaccurate or incomplete personal data held by us, either by contacting us or through your user account.
• Right to erasure: You may request deletion of your personal data from our systems. We will comply with your request unless we have a lawful basis for retaining such data.
• Right to object: You may object to personal data usage for purposes not necessary for AIO service delivery or legal compliance. Objection may affect access to AIO services.
• Right to restriction: You may request restriction of personal data processing when, for example, your request for erasure, rectification, or objection is being considered, or when we lack a lawful basis for processing. This may affect access to AIO services.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used format and to transfer it independently to a third party.

To exercise the above rights, contact the AIO support team or send a letter/email to the addresses provided above, including: first and last name, address, email address, and phone number. We recommend contacting us through AIO support for easier identification. We may request additional information for user identification and may refuse or charge a fee for requests that are unreasonably repetitive, excessive, or clearly unfounded.

9. Direct Marketing

Service Users may at any time prohibit the use of their personal data for direct marketing, market research, and profiling by notifying us at the addresses listed above, or by using the unsubscribe feature offered with any direct marketing communication.

10. Filing a Complaint

If a User believes that our personal data processing does not comply with applicable personal data protection legislation in Georgia, the User has the right to file a complaint in accordance with Georgian legislation.

11. Information Security

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Such measures include, for example, encryption, pseudonymization, firewalls, secure facilities, and access rights systems as necessary. Our security controls are designed to maintain appropriate levels of data confidentiality, integrity, availability, resilience, and data recovery. We regularly assess the security of AIO services, systems, and other assets. Furthermore, AIO employees' access to personal data is limited and availability is determined based on what is necessary for job performance.

12. Contact Information