
Privacy Policy

Last updated: 13 April 2026

1. Controller

The controller responsible for the processing of personal data on this website and through the Aikraft platform is:

Tonoy Akanda, operating as Aikraft
Berlin, Germany
E-mail: privacy@aikraft.eu

When we refer to "Aikraft", "we", "us" or "our" in this policy, we mean Tonoy Akanda in his capacity as operator of the Aikraft service and, where applicable, data controller. For processing carried out in our capacity as a data processor on behalf of our customers, please refer to our Data Processing Agreement.

2. Data We Collect

We collect only the personal data necessary to provide and improve our service. The categories below describe what we collect, where it comes from, and why.

2.1 Account Data

When you create an account we collect your name, work email address, company name, job title, and the password you choose (stored as a salted bcrypt hash — we never see your plaintext password). If you sign up via SSO, we receive only the attributes your identity provider sends.

2.2 Usage Data

We record which features you use, page navigation within the application, session start and end times, browser type and version, and operating system. We do this to understand how the product is used and to detect performance or security issues. Individual-level usage logs are retained for 90 days and then deleted or anonymised.

2.3 AI System Data

The core purpose of Aikraft is to help you classify, document, and monitor your organisation's AI systems. To do this we store the descriptions, classification inputs and results, technical documentation, and compliance records that you enter or generate inside the platform. We never receive or store the underlying AI model weights, training datasets, or inference inputs of the systems you are documenting — you describe those systems to us in plain text; the underlying artefacts stay with you.

2.4 Billing Data

Payment card details are handled entirely by our payment processor, Stripe, Inc. We never see or store full card numbers. We do retain billing contact information (name, billing address, VAT number) and invoice history as required by German commercial and tax law.

2.5 Support Communications

If you contact us by email or through an in-product support form, we retain the content of your messages and our replies. These are used to resolve your query and, in anonymised form, to improve documentation and support quality.

2.6 Marketing Communications

If you subscribe to our newsletter or marketing updates, we store your email address and a record of your consent. You can unsubscribe at any time via the link in every marketing email.

3. Legal Basis for Processing (GDPR Art. 6)

Every processing activity we carry out rests on one of the following legal bases under the General Data Protection Regulation:

| Processing activity | Legal basis | Article |
|---|---|---|
| Creating and managing your account; delivering the platform | Performance of a contract to which you are party | Art. 6(1)(b) |
| Sending transactional emails (password reset, invoices, alerts) | Performance of a contract | Art. 6(1)(b) |
| Security monitoring, fraud prevention, abuse detection | Legitimate interests — protecting the integrity of our platform and our customers | Art. 6(1)(f) |
| Product analytics and service improvement | Legitimate interests — understanding usage to improve our product | Art. 6(1)(f) |
| Marketing emails and newsletters | Consent, freely given and withdrawable at any time | Art. 6(1)(a) |
| Retaining invoices and billing records | Legal obligation (§ 147 AO, § 257 HGB — German tax and commercial law) | Art. 6(1)(c) |

Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests are not overridden by your interests or fundamental rights. You may request a copy of that assessment by writing to privacy@aikraft.eu.

4. How We Use Your Data

  • Service delivery: Authenticate you, display your workspace, process your AI system records, and generate compliance documentation.
  • Transactional communications: Send account confirmations, password resets, billing receipts, and critical service notifications via email. These cannot be opted out of while you hold an active account.
  • Product improvement: Analyse aggregated, anonymised usage patterns to prioritise features, fix bugs, and improve the user interface. We do not build individual behavioural profiles.
  • Security: Detect and investigate suspicious activity, prevent unauthorised access, and respond to incidents.
  • Legal and regulatory compliance: Retain records required by applicable law and respond to lawful requests from public authorities.
  • Marketing (opt-in only): Send product updates, guides, and event invitations to subscribers who have given explicit consent.

5. Data Retention

| Data category | Retention period | Basis |
|---|---|---|
| Account and workspace data | 30 days after account cancellation, then deleted | Contract / customer expectation |
| Application and access logs | 90 days, then deleted | Security & debugging |
| Billing records and invoices | 7 years from date of invoice | § 147 AO (German tax law) |
| Support correspondence | 3 years after case closure | Legitimate interests |
| Marketing consent records | Until consent withdrawn + 3 years (proof of consent) | Legal obligation (GDPR accountability) |
| Anonymised analytics data | Indefinitely (no personal data once anonymised) | Not subject to GDPR retention limits |

When a retention period expires, data is securely deleted or irreversibly anonymised. We do not archive data "just in case".

6. Sub-Processors

We engage the following sub-processors who may process personal data on our behalf in order to provide the Aikraft platform. All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures.

| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, database, object storage | Frankfurt, Germany (eu-central-1) | EEA — no transfer |
| Hetzner Online GmbH | Encrypted backup storage | Nuremberg, Germany | EEA — no transfer |
| Postmark (Wildbit LLC / ActiveCampaign) | Transactional email delivery | USA (EU data centre available) | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing and billing | USA (European entity: Stripe Payments Europe, Ltd.) | SCCs; adequacy decision for UK |
| Plausible Analytics | Privacy-first website analytics (no cookies, no personal data) | Frankfurt, Germany (Hetzner) | EEA — no transfer |

We review our sub-processor list at least annually. If we add or replace a sub-processor, we will notify customers via our DPA update process with at least 30 days' notice.

7. International Transfers

All primary data processing takes place within the European Economic Area (EEA), specifically in Frankfurt, Germany. Where any sub-processor is located outside the EEA, we ensure that an appropriate transfer mechanism is in place before any personal data is transferred. Mechanisms we rely on include:

  • Standard Contractual Clauses (SCCs) — the European Commission's 2021 standard contractual clauses for controller-to-processor and processor-to-processor transfers.
  • Adequacy decisions — where the European Commission has determined that the destination country provides an adequate level of protection.

You may request copies of the relevant SCCs by emailing privacy@aikraft.eu.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of them, please contact privacy@aikraft.eu. We will respond within 30 days (extendable by two months for complex requests, with notice to you).

  • Right of access (Art. 15): Obtain confirmation of whether we process your personal data and a copy of that data.
  • Right to rectification (Art. 16): Have inaccurate personal data corrected or incomplete data completed.
  • Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data where there is no longer a lawful basis for processing, subject to retention obligations.
  • Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where technically feasible.
  • Right to restriction of processing (Art. 18): Restrict processing in certain circumstances, for example while a rectification request is under review.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77): Lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or alleged infringement. For Aikraft, the lead supervisory authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (www.datenschutz-berlin.de).

9. Cookies

We use only strictly necessary and functional cookies. We do not set advertising cookies, social media cookies, or any third-party tracking cookies. For a full list of the cookies we use and instructions on how to manage them, please see our Cookie Policy.

Our website analytics are provided by Plausible Analytics, which does not use cookies and does not process personal data in identifiable form. No consent banner is required for this tool.

10. Children's Data

Aikraft is a B2B SaaS platform intended for use by businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@aikraft.eu.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email at least 30 days before the changes take effect, and update the "Last updated" date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

12. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact:

Aikraft (Tonoy Akanda) — Privacy
Berlin, Germany
E-mail: privacy@aikraft.eu


© 2026 Aikraft. All rights reserved. Based in Berlin, Germany.