Privacy Policy
Last updated: April 26, 2026
What we collect
- Account data — email address and a bcrypt-hashed password when you register.
- AI stack data — the AI services, use cases, and region you select in the scanner. This is stored to track your compliance obligations.
- Generated documents — compliance documents generated for your account are stored so you can access them later.
What we do not collect
- We do not show ads or use behavioral advertising cookies.
- We do not sell, share, or transfer your data to third parties beyond the processors listed under Analytics below.
- We do not store payment information (handled by Stripe when payment is enabled).
Analytics
PostHog (product analytics). We use PostHog hosted in the EU. Anonymous visitors are not tracked as individuals. When you create an account, we associate your user ID, email, company name, and signup date with your product usage to understand how the product is used, improve it, and provide support. We also record login-attempt outcomes (requested, rate-limited, failed) so we can detect abuse and spot delivery problems; these events include your email address (already associated with your account) and a hashed (SHA-256) representation of your IP address. We never store raw IPs in PostHog.
Google Analytics 4 (search-and-traffic measurement). We use GA4 to measure which search queries, referral sources, and pages lead to scans. GA4 sets cookies prefixed _ga to count repeat visits and approximates location at the country/region level. We have not enabled Google Signals or ad-personalization features. To opt out: use the toggle below, install Google's official browser opt-out add-on, or block cookies for aiactstack.com in your browser. A consent banner that lets you choose at first visit is in development.
Our legal basis for both processors is legitimate interest under GDPR (Art. 6(1)(f)). You can request deletion of your analytics data by emailing privacy@aiactstack.com.
The opt-out toggle applies only to this browser. For account-wide deletion, email us at the address above.
The toggle sets a per-browser flag that gtag.js honors before loading on the next pageview.
Session cookies
We use a single session cookie to keep you logged in. This cookie is essential for the application to function and is not used for tracking. It expires when you log out or after your session ends.
Data storage
Your data is stored on servers hosted by Fly.io with encrypted connections (TLS). Passwords are hashed using bcrypt and are never stored in plaintext.
Data retention
Your data is retained as long as your account is active. You can request deletion of your account and all associated data by contacting us.
Your rights
Under the GDPR, you have the right to access, correct, delete, or export your personal data. To exercise these rights, contact us at the address below.
Contact
For privacy-related questions: privacy@aiactstack.com