YOUR DATA SECURITY
AISEC is designed with security at its core. We understand that you're trusting us with
sensitive information about your systems, and we take that responsibility seriously.
Your scan data is encrypted, isolated, and never sold.
1. Information We Collect
When you use AISEC, we collect the following categories of information:
Account Information:
- Email address and company name (if provided)
- Billing and payment information (processed by Paddle.com as Merchant of Record)
- Authentication data (email-based OTP, no passwords stored)
- Communication records (support tickets, emails)
Technical Information:
- Domain verification records
- Scan configuration, parameters, and results
- Credit usage and billing metrics
- IP addresses used to access the Service
- Browser type, operating system, and device information
Usage Information:
- Pages visited, features used, actions taken
- Timestamps and session duration
- Error logs and performance data
2. Scan Data
When you run security scans, our AI engine collects and processes information
discovered during the scan, including but not limited to:
- URLs, endpoints, and API routes discovered
- Vulnerability findings, evidence, and proof-of-concept payloads
- HTTP request/response data exchanged during testing
- Technology stack and configuration information
- DNS records and subdomain enumeration results
- Screenshots and rendered page content (for browser-based testing)
- Custom exploit scripts generated by the AI engine during scanning
This data is essential for providing comprehensive security reports and is stored
securely with access limited to your account only. We do NOT access your scan data
for any purpose other than providing the Service unless required by law.
3. AI Model Data Processing
AISEC uses proprietary AI models to analyze targets and generate security findings.
During this process:
- Your target data is sent to our AI processing infrastructure for analysis
- AI-generated exploit scripts and analysis are created specifically for your scan
- Anonymized, aggregated vulnerability patterns may be used to improve our AI models
- We do NOT use your specific scan data, target URLs, or findings to train models for other customers
- AI model inputs and outputs are logged for quality assurance and debugging purposes
Our AI models are continuously retrained on publicly available vulnerability databases
(CVE, NVD, ExploitDB) and anonymized aggregate patterns — never on individual customer data.
4. How We Use Your Information
We use the collected information for the following purposes:
- Providing, operating, and improving the AISEC scanning service
- Generating vulnerability reports and security assessments
- Processing payments and managing subscriptions
- Sending service notifications, security alerts, and billing communications
- Providing customer support and responding to inquiries
- Analyzing usage patterns to improve our AI models and service quality
- Detecting and preventing fraud, abuse, and unauthorized use
- Complying with legal obligations and enforcing our Terms of Service
4a. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Ukraine,
we process your personal data on the following legal bases under GDPR / applicable data
protection law:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service — account creation, running scans, generating reports, billing, and support
- Legitimate interest (Art. 6(1)(f)): Improving our AI models using anonymized aggregate data, fraud prevention, service security, and analytics
- Legal obligation (Art. 6(1)(c)): Tax records, billing data retention, responding to lawful requests from authorities
- Consent (Art. 6(1)(a)): Marketing communications (if any) — you can withdraw consent at any time
You may object to processing based on legitimate interest at any time by contacting
[email protected].
We will cease processing unless we have compelling legitimate grounds that override your rights.
5. Data Security Measures
We implement industry-standard and above-standard security measures to protect your data:
- All data encrypted in transit (TLS 1.3) and at rest
- Scan results isolated per account with strict access controls
- Infrastructure hosted on trusted cloud providers (Railway, Neon)
- Passwordless authentication via email OTP — no passwords to steal
- Regular security testing of our own infrastructure
- Access to customer data limited to need-to-know basis
While we implement robust security measures, no system is 100% secure. We cannot
guarantee absolute security of your data and are not liable for breaches resulting
from sophisticated attacks beyond industry-standard defenses.
6. Data Retention
- Active account data: retained for the duration of your subscription
- Scan results and reports: retained for 12 months after generation, then auto-deleted
- Account deletion: all associated data permanently removed within 30 days of request
- Billing records: retained for 7 years as required by tax and financial regulations
- Server logs: retained for 90 days for security and debugging purposes
- Anonymized aggregate data: may be retained indefinitely for statistical purposes
You may request immediate deletion of specific scan data at any time through your
dashboard or by contacting us.
7. Data Sharing & Disclosure
We do NOT sell, rent, or trade your personal data or scan results. We only share
information in these limited circumstances:
- With your explicit consent (e.g., sharing reports with team members you invite)
- With certified pentesters who review findings (bound by NDAs and data processing agreements)
- With service providers necessary to operate the Service (see Section 8)
- To comply with valid legal requirements, subpoenas, or court orders
- To protect the rights, safety, or property of AISEC, our users, or the public
- In connection with a merger, acquisition, or sale of assets (with advance notice)
8. Third-Party Service Providers
AISEC uses the following categories of third-party services that may process data
on our behalf:
- Cloud infrastructure providers (Railway, Neon — for hosting and database)
- AI processing infrastructure (Anthropic — for vulnerability analysis)
- Payment processors (Paddle.com — Merchant of Record for subscriptions, credit purchases, and invoicing. Paddle processes your payment details directly; we do not store card numbers. See Paddle Privacy Policy)
- Email service providers (Resend — for transactional notifications)
- Analytics providers (Plausible — privacy-friendly, no personal data tracking)
- Proxy infrastructure providers (for stealth scanning via residential IPs)
All third-party providers are vetted for security, bound by data processing agreements,
and required to maintain confidentiality of processed data.
9. Your Rights (GDPR/CCPA)
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal data we hold
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Export your data in machine-readable format (JSON, PDF)
- Restriction: Restrict processing of your data in certain circumstances
- Objection: Object to processing of your data for certain purposes
- Withdraw consent: Withdraw consent at any time where processing is based on consent
- Non-discrimination: We will not discriminate against you for exercising your rights
To exercise any of these rights, contact us at
[email protected].
We will respond within 30 days (or as required by applicable law).
10. Cookies and Tracking
We use the following types of cookies and tracking technologies:
- Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
- Preference cookies: Store your language and display preferences.
- Analytics: We use Plausible Analytics, which is privacy-friendly and does not use cookies or track personal data. No data is shared with advertising networks.
We do NOT use advertising cookies, retargeting pixels, or share data with ad networks.
You can disable non-essential cookies through your browser settings.
11. International Data Transfers
Your data may be processed in countries outside your jurisdiction, including the
United States and European Union. When transferring data internationally, we ensure
appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) for transfers from the EEA/UK
- Data Processing Agreements (DPAs) with all service providers
- Adequacy decisions where applicable
12. Children's Privacy
AISEC is not intended for use by individuals under the age of 18. We do not knowingly
collect personal information from children. If we discover that we have collected data
from a minor, we will delete it promptly.
13. Data Breach Notification
In the event of a data breach that affects your personal data or scan results, we will:
- Notify affected users within 72 hours of discovery
- Notify relevant supervisory authorities within 72 hours of becoming aware of the breach, where required by law (GDPR Art. 33)
- Provide details of the breach, data affected, and remedial actions taken
- Take immediate steps to contain and remediate the breach
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be
communicated via email or through the Service with at least 14 days' notice.
Continued use of the Service after the effective date constitutes acceptance
of the updated policy. The "Last updated" date at the top indicates the most
recent revision.
15. Contact
Data controller: FOP Stepanenko Stanislav Ruslanovych (ФОП Степаненко Станіслав Русланович), Ukraine.
For privacy-related questions, data access requests, or to exercise your rights:
If you believe your privacy rights have been violated, you have the right to lodge
a complaint with your local data protection supervisory authority.