AICS Privacy Policy
Last updated: 2 May 2026
1. Who we are
AICS Ltd ("AICS", "we", "us", "our") operates the website and application at aics.solutions. We are registered in the United Kingdom. Our contact address is United Kingdom. For data enquiries, contact us at info@aics.solutions.
We are committed to protecting your personal data and complying with the UK GDPR and the Data Protection Act 2018. We act as the data controller in respect of the personal data we collect through the service.
2. What data we collect
- Account data: Email address and password (stored as a one-way hash; we never see your plaintext password) when you register.
- Profile data: Full name, phone number, and postal address if you choose to provide them to improve scan coverage.
- Scan data: Email addresses and usernames you submit for breach checks. These are hashed or anonymised before being sent to our data providers (see §5).
- Usage data: IP addresses, browser type, pages visited, and timestamps, collected automatically for security and service operation.
- Payment data: Billing transactions are handled entirely by our secure payment processor. We receive only a customer reference and subscription status; we never see or store full card numbers.
We do not knowingly collect data from persons under the age of 18. If you are under 18, please do not use the service. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly.
3. How we use your data
We use your data to:
- Provide and operate the AICS breach monitoring service
- Check your email addresses and usernames against breach and security intelligence databases
- Send you scan results, security alerts, and service-related emails
- Process your membership or one-time purchase via our secure payment processor
- Prevent fraud, abuse, and unauthorised access, and maintain the security of our systems
- Improve and develop the service based on aggregated, anonymised usage patterns
- Comply with our legal obligations
We do not sell, rent, or trade your personal data to third parties for any commercial purpose. We do not use your data for advertising or profiling.
4. Legal basis for processing
- Contract performance: Processing necessary to provide the service you have registered for or purchased.
- Legitimate interests: Security monitoring, fraud prevention, abuse detection, and service improvement, provided these interests are not overridden by your rights.
- Consent: Where you have opted in to optional communications. You may withdraw consent at any time by contacting us or using account settings.
- Legal obligation: Where processing is required by UK law (e.g., financial record-keeping).
We do not use solely automated decision-making that produces legal or similarly significant effects in relation to you.
5. Sub-processors and data sharing
We share the minimum necessary data with the sub-processors named below. Each is contractually bound to process data only as directed by AICS and to maintain appropriate technical and organisational security measures.
- Supabase, Inc. (USA) — authentication, database hosting, and data storage. Used for your account, profile, scan history, and entitlements. Transfers covered by the UK-US Data Bridge.
- Stripe Payments UK, Ltd. (UK / USA) — secure payment processing. Stripe's own privacy policy applies to your payment data; we receive only a customer reference, subscription status, and billing email.
- Have I Been Pwned (HIBP) — we send a privacy-preserving SHA-1 hash prefix of your email so the service can return a candidate list for matching, then we do the final check locally. Your full email address is never transmitted to HIBP.
- Microsoft Corporation (USA / EU) — Microsoft Graph for transactional email delivery (scan results, security alerts, account notifications, password resets).
- Meta Platforms, Inc. (USA) — Conversions API + Meta Pixel for ad-attribution measurement, only when you have accepted analytics cookies. Email addresses are SHA-256-hashed before transmission.
- Google LLC (USA) — Google Analytics 4 for traffic measurement, only when you have accepted analytics cookies. IP addresses are anonymised.
- VirusTotal (Google LLC, USA) — URL and file-hash safety lookups, only when you submit a URL or file to the scanner.
- Vercel, Inc. (USA) — application hosting, edge network, and runtime logs.
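An added illustration of the hash-prefix exchange described for HIBP in the list above (example code written for this page, not AICS's or HIBP's own code): only a SHA-1 prefix leaves the client, the provider returns the suffixes under that prefix, and the full match is done locally. The prefix length, the provider-side index and the email addresses are constructed assumptions.

```python
import hashlib

# Assumption: the policy does not state the prefix length; 6 hex characters is assumed here.
PREFIX_LEN = 6

def email_hash(email: str) -> str:
    """SHA-1 of the normalised email (trimmed, lower-cased), as upper-case hex."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()

def split_hash(full_hash: str) -> tuple[str, str]:
    """Prefix that is sent over the wire, suffix that stays on the client."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]

# Constructed stand-in for the provider's breach index (full hash -> breach names).
# Sample data only, not real HIBP data.
PROVIDER_INDEX = {
    email_hash("alice@example.com"): ["ExampleBreach2019"],
    email_hash("bob@example.org"): ["SampleLeak2021", "OtherDump2023"],
}

def provider_range_lookup(prefix: str) -> dict[str, list[str]]:
    """Simulated provider side: returns every suffix under the prefix, never learning the email."""
    return {
        full[PREFIX_LEN:]: breaches
        for full, breaches in PROVIDER_INDEX.items()
        if full.startswith(prefix)
    }

def check_email(email: str) -> tuple[str, list[str]]:
    """Client side: transmit only the prefix, then match the full suffix locally.
    Returns (value transmitted, breaches matched)."""
    prefix, suffix = split_hash(email_hash(email))
    candidates = provider_range_lookup(prefix)  # the only network-bound call
    return prefix, candidates.get(suffix, [])

def leaks_full_hash(email: str) -> bool:
    """Sanity check a reviewer can run: the transmitted value must not contain the full hash."""
    sent, _ = check_email(email)
    return email_hash(email) in sent

if __name__ == "__main__":
    sent, hits = check_email(" Alice@Example.com ")
    print(f"transmitted={sent} matched={hits}")
```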
US transfers rely on the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework, recognised by the UK Government as providing adequate protection). Where a sub-processor has not self-certified to the Data Bridge, we rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as approved by the Information Commissioner's Office.
We do not share your data with any other third party except where required by law or a valid court order, in which case we will notify you to the extent permitted by law.
6. Data retention
- Account data is retained while your account is active and is permanently removed from active systems within 30 days of account deletion. Residual backups are purged on their normal rotation cycle.
- Scan results are retained for the lifetime of your account to provide access to scan history.
- Usage and log data is retained for up to 12 months for security and operational purposes.
- Payment records are retained as required by UK tax and financial regulation (typically 7 years).
We review and purge unnecessary data at least annually.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate or incomplete data
- Erasure ("right to be forgotten"): request account and data deletion via your Account page or by emailing us
- Restriction of processing in certain circumstances
- Data portability: receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact us at info@aics.solutions. We will respond within one calendar month. We may need to verify your identity before fulfilling a request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
8. International data transfers
Several of our sub-processors (named in §5) are based in the United States. Transfers to these processors rely on the UK-US Data Bridge — an extension of the EU-US Data Privacy Framework that the UK Secretary of State recognises as providing an adequate level of data protection for transfers from the UK. Where a US processor has not self-certified to the Data Bridge, we rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office.
Where a processor is based in the European Economic Area (EEA), transfers rely on the UK Adequacy Decision for the EEA.
We will tell you which transfer mechanism applies to a specific processor on request.
9. Cookies
Strictly necessary cookies (no consent required under UK PECR):
- Authentication session cookies (Supabase) — keep you signed in
- Cookie-consent preference cookie (aics_cookie_consent) — remembers your choice on this banner so it doesn't reappear
- Attribution cookies (aics_attribution_v1, _fbp, _fbc when present) — first-party storage of the marketing source you arrived from, used to credit your scan / signup back to the originating campaign
Analytics cookies (require your consent):
- Google Analytics 4 — anonymised page-view and event measurement so we can see which pages help users most. IP addresses are anonymised at the source.
- Meta Pixel + Conversions API — measures whether visitors who arrived from our Meta ads went on to subscribe, so we can budget ad spend correctly. Email addresses are SHA-256-hashed before transmission.
We ask for your consent through a cookie banner the first time you visit. You can change your choice at any time by clearing the aics_cookie_consent cookie in your browser settings (the banner will reappear). Rejecting analytics cookies does not affect your ability to use AICS.
10. Security
We implement industry-standard technical and organisational measures to protect your personal data, including encrypted connections (TLS/HTTPS), one-way password hashing, role-based access controls, and regular security reviews. No system is completely secure, and we cannot guarantee absolute security. We encourage you to use a strong, unique password and to enable two-factor authentication on your AICS account.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.
11. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified by email or via a prominent notice in the application at least 14 days before the change takes effect. The "Last updated" date at the top of this page indicates when the most recent revision was made. Continued use of the service after the effective date of any changes constitutes your acceptance of the updated policy.
12. Contact & complaints
For any privacy queries or to exercise your data rights, contact us at info@aics.solutions.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.