Privacy Policy
1 Introduction
This Privacy Policy explains how aictrl.dev ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform. aictrl.dev is operated by a company registered in England and Wales.
We act as the data controller for the personal data processed through our services. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using aictrl.dev, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2 Data We Collect
We collect and process the following categories of personal data:
Account Information
When you sign up via Google OAuth, we receive your name, email address, and profile picture from Google. We do not store your Google password.
Organisation and Team Data
Information about your organisation, team memberships, roles, and permissions within the platform.
Session and Workflow Data
Data generated through your use of the platform, including session configurations, workflow states, and activity logs.
Epics and Tasks
Content you create within the platform, including epic definitions, task descriptions, acceptance criteria, and status updates.
Evidence Files
Screenshots, videos, logs, and other files you upload as evidence of task completion or for review purposes.
Skills Data
Skill definitions, library usage data, and plugin configuration data.
Chat Data
Messages and interactions within the platform's chat and codebase chat features.
Usage Analytics
We use PostHog (EU-hosted) to collect anonymised usage analytics, including page views, feature usage patterns, and performance metrics. This data helps us improve the platform experience.
Technical Data
IP addresses, browser type and version, operating system, referring URLs, device information, and access timestamps collected automatically when you use the service.
3 Lawful Basis for Processing
We process your personal data under the following lawful bases as defined by UK GDPR:
| Data Category | Lawful Basis | Purpose |
|---|---|---|
| Account, organisation, session, epic, task, evidence, skills, and chat data | Contract Performance (Art. 6(1)(b)) | Necessary to provide and operate the aictrl.dev service as agreed in our Terms of Service |
| Usage analytics | Consent (Art. 6(1)(a)) | To analyse usage patterns and improve the platform. You can withdraw consent at any time via your profile settings or cookie preferences |
| Technical data, access logs | Legitimate Interest (Art. 6(1)(f)) | To ensure platform security, prevent abuse, and maintain service integrity |
4 Infrastructure
Your data is processed and stored using the following infrastructure:
- Google Cloud Run (us-central1) — Application hosting and compute
- Google Cloud Firestore — Primary database for structured data
- Google Cloud Storage (GCS) — Storage for evidence files, skills content, and other binary assets
- PostHog EU — Analytics processing within the European Union
Our production infrastructure is deployed in Google Cloud's us-central1 region. We maintain a separate sandbox environment for testing and user acceptance purposes.
5 Third-Party Processors
We share data with the following third-party processors, each operating under appropriate data processing agreements (DPAs):
| Processor | Purpose | Data Processed | DPA Reference |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting, compute, database, storage | All service data | Google Cloud Data Processing Addendum |
| Firebase (Google) | Authentication, real-time data | Account credentials, auth tokens | Firebase Data Processing Terms |
| PostHog | Product analytics | Usage analytics, feature flags | PostHog DPA (EU hosting) |
| SendGrid | Transactional email | Email addresses, notification content | Twilio/SendGrid DPA |
6 International Transfers
As our primary infrastructure is hosted in the United States (Google Cloud us-central1), personal data originating from the UK and EU is transferred to the US for processing.
These transfers are safeguarded through:
- Standard Contractual Clauses (SCCs) — as adopted by the European Commission and approved for UK transfers
- UK International Data Transfer Addendum — appended to the SCCs to ensure compliance with UK GDPR requirements
- Google's data processing commitments — including their compliance with the EU-US Data Privacy Framework
PostHog analytics data is processed within the EU and is not transferred outside the European Economic Area.
7 Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Session, epic, task, evidence, skills, and chat data | Duration of organisation membership + 90 days |
| Usage analytics | 24 months from collection |
| Access and security logs | 90 days |
After the applicable retention period, data is permanently deleted or anonymised. You may request earlier deletion of your data by exercising your rights under Section 8.
8 Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of Access — Request a copy of the personal data we hold about you
- Right to Rectification — Request correction of inaccurate or incomplete data
- Right to Erasure — Request deletion of your personal data ("right to be forgotten")
- Right to Restriction — Request that we limit how we process your data
- Right to Data Portability — Receive your data in a structured, machine-readable format
- Right to Object — Object to processing based on legitimate interest
- Right to Withdraw Consent — Withdraw consent for analytics processing at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@aictrl.dev. We will respond to your request within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
9 Children's Privacy
aictrl.dev is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will take steps to delete such data promptly.
If you believe that a child has provided us with personal data, please contact us at privacy@aictrl.dev so we can investigate and take appropriate action.
10 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email at least 14 days before changes take effect
- Display a prominent notice within the platform
We encourage you to review this page periodically. Your continued use of aictrl.dev after changes are posted constitutes your acceptance of the updated policy.
Questions about your privacy?
If you have any questions or concerns about this Privacy Policy or our data practices, contact our data protection team:
Email: privacy@aictrl.dev