Privacy Policy

Last updated: March 30, 2026

Aertous (“we,” “us,” or “our”) operates the website aertous.com and the Aertous platform at app.aertous.com. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our services.

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR), applicable EU member state laws, and other relevant data protection legislation.

1. Data Controller

The data controller for information collected through our services is:

Aertous
Email: [email protected]

If you have questions about how your data is processed, contact us at [email protected].

2. What Data We Collect

Account Information

  • Name, email address, job title
  • Organization name and industry
  • Password (stored as a cryptographic hash, never in plaintext)
  • Multi-factor authentication data (encrypted TOTP secret)

Usage Data

  • Pages visited, features used, actions taken within the platform
  • Login timestamps, IP addresses, browser type
  • Error logs and performance data

Organization Data

  • Risk assessments, compliance controls, policies, incidents, KPIs, and other data entered by your organization into the platform
  • Vendor assessments and questionnaire responses
  • Documents uploaded to the platform

Contact Form Data

  • Name, email, company, and message content submitted through our website contact form

Cookies and Analytics

We use essential cookies required for the platform to function (authentication, session management). We may use analytics tools to understand website usage. We do not use third-party advertising cookies.

3. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery: To provide, maintain, and improve the Aertous platform
  • Account management: To create and manage your account, authenticate access, and enforce security controls
  • Communication: To send transactional emails (invitations, password resets, incident notifications, policy distribution)
  • Security: To detect and prevent unauthorized access, fraud, and security incidents
  • Support: To respond to your inquiries and provide customer support
  • Legal compliance: To comply with applicable laws, regulations, and legal processes
  • Improvement: To analyze usage patterns and improve our services

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the services you have contracted for
  • Legitimate interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as security, fraud prevention, and service improvement, where these interests are not overridden by your rights
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with legal requirements
  • Consent (Art. 6(1)(a)): Where we rely on consent, you may withdraw it at any time

5. Data Sharing and Subprocessors

We do not sell your personal data. We share data only with the following categories of service providers who act as our subprocessors:

  • Cloud infrastructure: Google Cloud Platform (hosting, compute, storage)
  • Database: Supabase (PostgreSQL database, authentication)
  • Email delivery: Resend (transactional emails)
  • Payment processing: Stripe (billing and subscription management)
  • Error monitoring: Sentry (application error tracking)
  • AI services: Google Gemini API (AI Risk Coach, threat intelligence processing)

Each subprocessor is bound by data processing agreements that require them to protect your data in accordance with GDPR. A current list of subprocessors is available upon request.

6. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (for example, to subprocessors in the United States), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Data Retention

We retain personal data for as long as necessary to provide our services and fulfill the purposes described in this policy. Specifically:

  • Account data: Retained while your account is active. Deleted upon account termination, subject to any legal retention requirements.
  • Organization data: Retained while your organization's subscription is active. Upon termination, data is deleted within 30 days unless a data export is requested.
  • Audit logs: Retained for up to 24 months for security and compliance purposes.
  • Contact form submissions: Retained for up to 12 months.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Mandatory multi-factor authentication (TOTP) for all user accounts
  • Encryption of data in transit (TLS 1.2 or later) and at rest (AES-256)
  • Role-based access control with seven defined roles, applying the principle of least privilege
  • Row-level security (RLS) for multi-tenant data isolation
  • Comprehensive audit logging of all user actions
  • Rate limiting and brute-force protection on all endpoints
  • CSRF protection on all state-changing operations
  • Regular security reviews and vulnerability assessments

9. Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations
  • Right to restriction: Request limitation of processing in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority.

10. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website. Your continued use of the services after changes take effect constitutes acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy or your personal data, contact us at:

Aertous
Email: [email protected]