Aegis Intercept ("we," "us," or "our") operates a geopolitical and city-level risk intelligence platform accessible at app.aegisintercept.com and demo.aegisintercept.com (the "Platform"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. By accessing or using the Platform, you agree to the practices described in this Policy.

We operate as a business-to-business platform. Our customers are corporate entities, and the individual users we interact with are typically employees of those organizations acting in a professional capacity.

1.1 Account Information

When you subscribe and create an account, we collect:

• Email address (collected via Stripe at checkout; used as your login identifier)
• Name (optional; provided during account setup)
• Password (stored as a bcrypt hash — we never store your plaintext password)
• Subscription tier and assigned feature modules
• Admin flag and MFA enrollment status
• Stripe customer ID and subscription ID (used for billing lifecycle management)

1.2 Authentication and Session Data

When you log in, we create a signed JSON Web Token (JWT) containing your user ID, email, name, subscription tier, feature modules, admin status, and MFA verification state. This token is stored in a single session cookie named grp_session, which is HttpOnly, Secure (HTTPS only), SameSite=Strict, and expires after 7 days. We do not use any advertising, analytics, or tracking cookies. No third-party scripts place cookies on our pages.

We collect your IP address at login solely for rate-limiting purposes (to block brute-force attacks). IP addresses are processed transiently and are not persisted to the database. Log entries reference a one-way 12-character SHA-256 hash of your email address — not the raw address — for correlation across log events.

1.3 Multi-Factor Authentication Data

All accounts require TOTP-based multi-factor authentication. We store a TOTP secret key (used solely to verify your authenticator app codes) in our database. We do not retain individual TOTP codes entered by you.

1.4 API Key Data

If you generate API keys, we store a SHA-256 hash of each key (not the key itself), a human-readable label you assign, your tier, daily rate limit, creation timestamp, and last use timestamp. The raw key is shown to you exactly once at creation and is never stored or recoverable by us.

1.5 Payment Information

All payment processing is handled by Stripe, Inc. We never receive, process, or store your payment card number, bank account information, or other financial credentials. Stripe provides us only with a customer ID, subscription ID, subscription status, and billing email address. Stripe's privacy practices are governed by the Stripe Privacy Policy.

1.6 Usage and Log Data

Our server logs record structured events (login attempts, API requests, billing events, errors) using hashed email identifiers rather than raw addresses. Logs are retained for 30 days and then deleted. We do not build behavioral profiles for advertising purposes.

We use the personal data described above to:

• Authenticate you and maintain your session
• Provision and manage your subscription (billing lifecycle, tier changes, cancellations)
• Deliver transactional emails — account invitations, password reset links, and (when implemented) score-change alerts — via AWS SES
• Enforce rate limits and protect the Platform against abuse and unauthorized access
• Diagnose errors and improve platform reliability
• Comply with applicable law, court orders, or regulatory requirements

We do not use your personal data for advertising, interest-based targeting, or sale to third parties. We do not use your data to train AI models.

We use exactly one cookie:

• grp_session — a first-party, HttpOnly, Secure, SameSite=Strict JWT cookie. It contains your session data (see Section 1.2). It expires after 7 days or when you log out, whichever comes first.

We do not use analytics cookies, marketing pixels, social media trackers, or any other persistent tracking technologies. No consent banner is displayed because no non-essential cookies are set.

We share personal data only with the following processors, each engaged under a data processing agreement or equivalent contractual safeguard:

• Auth0 / Okta — optional enterprise SSO authentication. If your organization uses SSO sign-in, Auth0 processes your OpenID Connect identity token. Auth0 privacy policy: okta.com/privacy-policy
• Stripe, Inc. — payment processing, subscription billing, and webhook notifications. Data flows: billing email, subscription tier, customer and subscription IDs. Stripe privacy policy: stripe.com/privacy. Data Processing Agreement: stripe.com/legal/dpa
• Amazon Web Services (AWS) — cloud infrastructure (EC2 compute, ECR container registry, S3 data storage) and email delivery via AWS SES. Your email address is transmitted to AWS SES to deliver transactional messages. AWS privacy policy: aws.amazon.com/privacy. AWS Data Processing Addendum (automatically incorporated into the AWS Customer Agreement): aws.amazon.com/service-terms
• Redis (ElastiCache) — in-memory cache used for API rate limiting. Stores hashed IP-based rate limit counters with short TTLs. No personal identifiers are written to Redis.
• PostgreSQL (AWS RDS) — primary relational database. Stores account data, hashed credentials, API key hashes, subscription records, and MFA secrets. Data is encrypted at rest.
• Anthropic, Inc. — optional AI-powered summary features. If your subscription tier includes AI features and you use them, your query context (risk query text) may be sent to the Anthropic API. Raw personal identifying information is not included in these queries. AI features can be disabled without affecting core platform functionality. Anthropic privacy policy: anthropic.com/privacy

We do not sell, rent, or share your personal data with advertising networks, data brokers, or any third party outside the list above.

• Account data (email, name, hashed password, MFA secret, subscription records) is retained for the life of your account plus 90 days after deletion or cancellation.
• API key records (hashes, labels, usage timestamps) are retained for 90 days after revocation.
• Server logs are retained for 30 days and then purged automatically.
• Password reset and invite tokens are single-use and expire within 72 hours of issuance.
• Stripe retains its own payment records subject to its retention policy and applicable financial regulations.

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or the UK GDPR, as applicable:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate data.
• Right to erasure — request deletion of your personal data, subject to legal retention obligations.
• Right to portability — request your personal data in a structured, machine-readable format.
• Right to restrict processing — request that we limit how we use your data in certain circumstances.
• Right to object — object to processing based on legitimate interests.
• Rights related to automated decision-making — the Platform does not make automated decisions with legal or similarly significant effects on individuals.

Our legal basis for processing personal data is performance of contract (account operation, billing) and legitimate interests (security, rate limiting, log analytics). We do not rely on consent as a legal basis for core platform processing.

To exercise any of these rights, contact us at privacy@aegisintercept.com. We will respond within 30 days. You also have the right to lodge a complaint with your supervisory authority (e.g., the Irish Data Protection Commission or the UK ICO).

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, and disclose.
• Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to opt out of sale or sharing — We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm this.
• Right to non-discrimination — we will not discriminate against you for exercising any CCPA rights.

To submit a CCPA request, contact privacy@aegisintercept.com. We may need to verify your identity before processing your request.

Our infrastructure is located in the United States (AWS us-east-1). If you access the Platform from outside the United States, your personal data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms as the legal basis for international transfers from the EU/EEA/UK where required by applicable data protection law.

We implement the following technical and organizational security measures:

• Passwords are hashed using bcrypt (cost factor 12) before storage
• Session tokens are HS256-signed JWTs; the signing secret is not exposed to clients
• All traffic is encrypted in transit via TLS (HTTPS)
• TOTP multi-factor authentication is required for all accounts
• API keys are stored only as SHA-256 hashes; the raw key is never retained
• Database connections use encrypted transport; data is encrypted at rest on AWS RDS
• Rate limiting protects authentication endpoints against brute-force attacks

No security measure is absolute. In the event of a data breach affecting your personal data, we will notify you and applicable supervisory authorities as required by law.

The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us at privacy@aegisintercept.com and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address on file and will update the "Last updated" date above. Continued use of the Platform after the effective date of any change constitutes acceptance of the revised Policy.

For privacy-related inquiries, requests, or complaints:

• Email: privacy@aegisintercept.com
• Platform: app.aegisintercept.com