Privacy Policy

1. Data controller

The controller responsible for your personal data is Aersynx OÜ, a company registered in Estonia (registry code [Estonian registry code]), with its registered address at Sepapaja tn 6, 15551 Tallinn, Estonia. We trade under the name AeroVigil.

For any privacy or data-protection question, or to exercise your rights, contact our privacy team at info@aerovigil.com.

Where this policy refers to a separate independent controller (for example our payments provider), that party determines its own purposes and means for the data it collects and is responsible for it under its own privacy notice.

2. Data we process

We process the following categories of personal data.

• Account data — name, work email address, password credentials (stored in hashed form), organisation or workspace name, role, and authentication metadata used to create and secure your account.
• Workspace content — the inputs, notes, queries, saved assessments and configuration you and your colleagues create inside the platform. This is content you control and may include the names or contact details of individuals you choose to enter.
• Usage and device data — log data, IP address, browser and device type, pages and features used, timestamps, and similar technical information generated when you interact with the service.
• Billing data — the subscription plan, transaction history and limited billing records associated with your account. Payment card processing is handled by Paddle as our Merchant of Record; AeroVigil never sees or stores full card numbers.
• Communications — the content of messages you send us by email or support channels, and your contact preferences, including whether you have subscribed to our monthly briefing.

3. Purposes and legal bases

We process personal data only where we have a lawful basis to do so under the GDPR and the KVKK.

• Providing the service (contract — Art. 6(1)(b)) — to create and administer your account, deliver the platform, process self-serve subscriptions, and provide support. This covers account data, workspace content, billing data and related communications.
• Legitimate interests (Art. 6(1)(f)) — to secure and improve the service, prevent fraud and abuse, understand product usage in aggregate, and maintain the integrity and reliability of our intelligence feeds. We balance these interests against your rights and you may object as described in Section 8.
• Consent (Art. 6(1)(a)) — to send you our monthly security briefing and other optional marketing email. You may withdraw consent at any time without affecting prior processing.
• Legal obligation (Art. 6(1)(c)) — to comply with applicable law, including tax, accounting and record-keeping requirements, and to respond to lawful requests from authorities.

Under the KVKK, the corresponding bases include performance of a contract, our legitimate interests where they do not override your fundamental rights and freedoms, compliance with a legal obligation, and your explicit consent for the monthly briefing.

4. Cookies and analytics

We use a small number of cookies and similar technologies that are strictly necessary to run the platform, and — subject to your choices — analytics technologies to understand how the service is used.

We use Google Analytics 4 for product and usage analytics. Non-essential analytics and similar technologies are used in line with your consent where required.

For the full list of cookies, their purposes and how to manage your preferences, see our Cookie Policy.

5. Processors and sharing

We do not sell your personal data. We share it only with the service providers we rely on to operate AeroVigil, and only as needed for the purposes above.

• Supabase — database, authentication and hosting infrastructure (processor).
• Vercel — application hosting and content delivery (processor).
• Resend — transactional and newsletter email delivery (processor).
• Google Analytics 4 — product and usage analytics (processor).
• Paddle (Paddle.com Market Ltd) — payments, billing and tax as our Merchant of Record.

Paddle as Merchant of Record — when you purchase a self-serve subscription, your purchase contract for the transaction is with Paddle as authorised reseller. Paddle handles checkout, payment processing, invoicing, billing and the collection and remittance of applicable sales tax, VAT or GST. For the payment, billing, tax and fraud-prevention data it collects at checkout, Paddle acts as an independent controller under its own privacy notice, not as our processor.

We may also disclose personal data where required by law, to enforce our agreements, or in connection with a corporate transaction such as a merger or acquisition, subject to appropriate safeguards.

6. International transfers

We aim to host and process personal data within the European Union or European Economic Area.

Where personal data is transferred outside the EEA or Türkiye — including by our processors — we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses and the equivalent transfer mechanisms of our providers, together with the providers' own transfer frameworks. You may request information about the safeguards in place by contacting info@aerovigil.com.

7. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected.

• Account and workspace data — retained while your account is active and for a reasonable period afterwards to allow reactivation and to handle disputes, then deleted or anonymised.
• Billing and transaction records — retained for the periods required by applicable tax and accounting law.
• Usage and analytics data — retained for limited periods in line with our analytics configuration, often in aggregated or de-identified form.
• Marketing data — retained until you withdraw consent or unsubscribe.

When a retention period ends, we delete or irreversibly anonymise the relevant data.

8. Your rights

Subject to the conditions in the GDPR and the KVKK, you have the following rights over your personal data.

• Access — to obtain confirmation of whether we process your data and a copy of it.
• Rectification — to have inaccurate or incomplete data corrected.
• Erasure — to have your data deleted where the legal conditions are met.
• Restriction — to ask us to limit processing in certain circumstances.
• Portability — to receive certain data in a structured, commonly used, machine-readable format.
• Objection — to object to processing based on our legitimate interests, and to object to direct marketing at any time.
• Withdraw consent — to withdraw any consent you have given, such as for the monthly briefing, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact info@aerovigil.com. We will respond within the timeframes required by applicable law. Where AeroVigil acts as a processor for workspace content on behalf of a customer organisation, we will direct your request to that organisation as controller.

If you are not satisfied, you have the right to lodge a complaint with a supervisory authority — the data protection authority in your EU country of residence, or, under the KVKK, the Turkish Personal Data Protection Authority (KVKK Kurumu).

9. Children

AeroVigil is a professional, business-to-business service. It is not directed to children and is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact info@aerovigil.com and we will take appropriate steps to delete it.

10. Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, authentication safeguards and tenant isolation between customer workspaces. No method of transmission or storage is completely secure, but we work to protect your data and to detect and respond to incidents in line with our legal obligations.

11. Changes

We may update this Privacy Policy from time to time to reflect changes in our service, our processors or applicable law. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you. Your continued use of the service after an update takes effect indicates your awareness of the revised policy.