Privacy Policy

Last Updated: October 16, 2025

Aisle Inc. ("Aisle," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our websites, products, recruitment portals, and services (the "Services"). It is designed to meet requirements under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA").

Contact Information

If you have questions or concerns about this Privacy Policy or our data-protection practices, or if you wish to exercise your privacy rights, please contact us:

  • United States: Aisle Inc. 201 Spear Street, San Francisco, CA 94105, USA, [email protected]
  • European Union: Aisle s.r.o., Jindřišská 939/20, 110 00 Prague 1, Czech Republic, [email protected]

We review and respond to all privacy inquiries and rights requests in accordance with applicable data-protection laws, including the EU GDPR, UK GDPR, and CCPA/CPRA.

1. Information We Collect

We collect the following categories of personal information:

Category | Examples of Data | Purpose
Identifiers | Name, email, phone number, account login credentials | To register accounts, provide Services, communicate
Commercial Information | Billing details, transaction history | To process payments and manage accounts
Internet/Usage Data | IP address, device identifiers, browser type, logs, interactions with Services | To operate and secure Services, analyze usage
Professional/Employment Data | Company name, role, business contact details | To provide enterprise Services and customer support
Customer Data | Code repositories and related data submitted to Services | To provide vulnerability detection and remediation
Recruitment Data | CVs, application forms, interview notes, references | To manage recruitment, evaluate candidates, comply with legal obligations
Inferences | Preferences, product usage patterns | To improve Services and provide tailored communications

We prohibit the uploading of special categories of personal data (GDPR Art. 9) unless expressly agreed in writing.

2. How We Use Information

We process personal information only for the specific, legitimate purposes described below. Each purpose is matched with the legal basis that permits the processing under the GDPR (or equivalent provisions under other applicable laws).

Purpose | Description of Processing Activities | Legal Basis (GDPR)
Provision of Services | Operate, maintain, and improve all Aisle Services (websites, APIs, recruitment portals, and related products). This includes authenticating users, managing sessions, storing configuration settings, and delivering content. | Contractual necessity (Art. 6(1)(b))
Account Management | Create and manage user accounts, verify identities, reset passwords, and provide customer‑support interactions. | Contractual necessity (Art. 6(1)(b))
Transaction Processing | Process payments, issue invoices, manage billing cycles, handle refunds, and maintain financial records for tax and accounting purposes. | Contractual necessity (Art. 6(1)(b))
Security & Fraud Prevention | Monitor for suspicious activity, detect and mitigate fraud, enforce security policies, conduct vulnerability scans, and respond to security incidents. | Legitimate interests (Art. 6(1)(f)), balanced against your rights and freedoms
Regulatory & Legal Compliance | Preserve records required by law, respond to lawful requests from authorities, enforce our Terms of Service, and defend legal claims. | Legal obligation (Art. 6(1)(c))
Communications & Notifications | Send administrative messages (e.g., service updates, password resets, security alerts), respond to inquiries, and provide technical support. | Legitimate interests (Art. 6(1)(f))
Product Development & Analytics | Aggregate and analyze usage data (e.g., feature adoption, performance metrics) to improve existing features, develop new functionalities, and conduct research on system reliability. | Legitimate interests (Art. 6(1)(f)); data is pseudonymised where feasible
Recruitment & Talent Management | Store and evaluate CVs, application forms, interview notes, and reference checks; communicate with candidates; and retain applicant data for the duration of the hiring process. | Legitimate interests (Art. 6(1)(f)) and, where required, explicit consent for sensitive recruitment‑related data
Marketing & Promotional Communications | Deliver newsletters, event invitations, product announcements, and promotional offers, only when you have opted in or otherwise given consent. You may withdraw consent at any time. | Consent (Art. 6(1)(a)); also legitimate interests for limited "soft‑sell" messages where you have not opted out (subject to local e‑privacy rules)
Customer‑Provided Code Repositories & Related Data | Store, scan, and remediate code or other technical artifacts you submit to our vulnerability‑detection services. This data is used exclusively for providing the contracted service and is never used to train AI models. | Contractual necessity (Art. 6(1)(b))
Third‑Party Service Integration | Share necessary data with cloud‑hosting providers, analytics platforms, payment processors, AI/LLM providers, and other vendors that help us deliver the Services. All such transfers are governed by written contracts that contain appropriate data‑protection clauses. | Contractual necessity (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f))
Data Subject Rights Management | Verify identity and process requests to access, rectify, erase, restrict, or port your data, as well as to withdraw consent. | Legal obligation (Art. 6(1)(c))

We do not use Customer Data to train AI or machine-learning models, whether our own or those of third-party providers.

3. How We Share Information

We may share information with:

  • Service Providers: Hosting, AI/LLM providers, analytics, support, recruitment platforms, and payment processors.
  • Professional Advisors: Auditors, legal, and accounting advisors.
  • Legal Authorities: If required by law or valid legal process.
  • Business Transfers: In connection with a merger, sale, or acquisition.

We do not sell personal information under the CCPA/CPRA.

4. Data Retention

We retain personal information as long as necessary to provide the Services, manage recruitment processes, comply with legal obligations, resolve disputes, and enforce agreements. Customer Data is deleted in accordance with our Terms of Service or upon request, subject to applicable law.

Retention Schedule Matrix

Data Category | Retention Period | Trigger for Deletion
Account credentials (username, password hashes, MFA tokens) | Until account deletion or inactivity > 24 months | User‑initiated deletion or automatic purge after 24 months of inactivity
Contact information (name, email, phone) | As long as the account remains active | Account closure or explicit user request
Billing & payment records (invoice, transaction IDs, payment method details) | 10 years (tax & accounting requirements) | Automatic archival after 10 years; deletion only if required by law
Customer code repositories & related data (uploaded source code, analysis results) | Until the service contract ends or the user deletes the data | User‑initiated deletion or end of contractual relationship
Recruitment applicant data (CVs, application forms, interview notes, references) | 12 months after the recruitment process concludes (extendable with explicit consent) | End of recruitment cycle + 12 months, unless consent obtained for longer storage
Marketing communication preferences (opt‑in status, subscription settings) | Until the user changes the preference or withdraws consent | Preference update or consent withdrawal
Legal & compliance records (e.g., evidence of consent, audit logs) | Minimum 6 years, or longer if required by applicable law | Expiration of statutory requirement

5. Security

We implement appropriate technical and organizational measures to protect personal information from unauthorized access, loss, misuse, or disclosure. These measures include encryption, access controls, and secure development practices.

5.1 Security Incident & Data Breach Notification

Aisle Inc. takes the security of your personal information seriously. In the unlikely event that a data breach affecting your personal data occurs, we will act swiftly and transparently in accordance with applicable laws (e.g., GDPR, UK‑GDPR, CCPA/CPRA, and other regional breach‑notification statutes).

5.1.1 Our Immediate Response Process

  • Containment – Upon discovery of a suspected breach, we immediately isolate the affected environment to prevent further unauthorized access.
  • Investigation – A forensic investigation is launched to determine the scope, root cause, and the categories of personal data involved.
  • Risk Assessment – We evaluate the likelihood of adverse consequences (e.g., identity theft, financial loss) for the affected individuals.

5.1.2 Notification to Affected Individuals

If our assessment indicates that the breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, in any event, no later than 72 hours after becoming aware of the breach (or as required by the governing law).

The notification will be delivered by the most effective means available (e.g., email, or public announcement) and will contain the following information:

  • Date of the breach (or the earliest date we became aware of it).
  • Description of the incident in plain language, including the nature of the breach (e.g., unauthorized access, accidental disclosure).
  • Categories of personal data that were compromised (e.g., name, email address, billing information, IP address).
  • Potential consequences for you (e.g., phishing risk, fraud exposure).
  • Steps we have taken to contain the breach and mitigate its effects.
  • Recommended actions you can take to protect yourself (e.g., change passwords, monitor bank statements, place fraud alerts).
  • Contact information for our breach‑response team (email: [email protected])

5.1.3 Notification to Regulators & Authorities

When required by law, we will promptly (typically within 72 hours) report the breach to the appropriate supervisory authority or regulatory body, providing:

  • A concise description of the breach and its impact.
  • The categories and approximate number of data subjects affected.
  • The measures taken to address the breach and prevent recurrence.

5.1.4 Follow‑Up Communication

  • Updates – If new information emerges that changes the risk assessment or the scope of the breach, we will provide timely updates to affected individuals and regulators.
  • Post‑Incident Review – After resolution, we will conduct a thorough review, update our security controls, and, where appropriate, share lessons learned with you in a summary report.

5.1.5 Your Role in Reducing Harm

While we strive to protect your data, you can also help minimize potential damage:

  • Follow best practices in cyber security (e.g., enable two‑factor authentication, minimize vulnerabilities, and be aware of phishing attempts).
  • Remain vigilant for unsolicited communications that request personal or financial information.
  • Report any suspicious activity you observe to our support team at [email protected].

5.1.6 Record‑Keeping

We maintain a detailed internal log of all security incidents, investigations, and notifications for a minimum of 6 years (or longer where required by law) to demonstrate compliance with applicable breach‑notification obligations.

If you have any questions about this breach‑notification policy or wish to discuss a specific incident, please contact us at [email protected]. We are committed to keeping you informed and safeguarding your personal information.

6. International Transfers

Aisle Inc. processes personal data on a global scale. Because we operate in the United States, the Czech Republic, and serve users worldwide, your information may be transferred to, stored in, and accessed from countries outside your place of residence—including the United States, the European Economic Area (EEA), the United Kingdom, and other jurisdictions where we maintain data‑centres or third‑party service providers.

6.1 Legal Basis for Transfers

Whenever a transfer takes place outside the European Economic Area (EEA) or the United Kingdom, we rely on one or more of the following lawful mechanisms required by the GDPR (Article 46) and the UK GDPR (Article 45):

Mechanism | When It Is Used | What It Guarantees
Adequacy Decisions | Transfers to countries that the European Commission (or the UK's Secretary of State) has recognised as providing an essentially equivalent level of data‑protection (e.g., the United Kingdom, Switzerland, Japan). | No additional safeguards are required because the destination country is deemed adequate.
Standard Contractual Clauses (SCCs) | Transfers to any third country that does not have an adequacy decision (e.g., United States, Singapore, India). | The SCCs create contractual obligations on the importer to protect the data in line with EU/UK standards.
Binding Corporate Rules (BCRs) (if applicable) | Internal transfers within the Aisle corporate group when BCRs have been approved by the relevant supervisory authority. | Provides a unified set of data‑protection commitments across the entire corporate structure.
Explicit Consent | When a specific transfer is required for a purpose that cannot be fulfilled otherwise and the data subject has given a clear, informed, and freely given consent. | The data subject acknowledges the possible risks of the transfer.
Derogations for Specific Situations (e.g., performance of a contract, vital interests) | Limited, case‑by‑case transfers where one of the GDPR derogation grounds applies. | Used only when no other mechanism is feasible.

6.2 How We Implement the Safeguards

  • Standard Contractual Clauses – All third‑party processors located outside the EEA/UK (cloud providers, analytics services, AI/LLM vendors, payment processors, etc.) sign the latest EU‑Commission SCCs (Version 2.0) and the UK‑equivalent SCCs. We maintain a master data‑processing agreement that incorporates the SCCs and outlines the processor's obligations (confidentiality, security, sub‑processor approval, data‑subject rights assistance, breach notification).
  • Adequacy‑Based Transfers – When we store data in a jurisdiction with an adequacy decision, we document the specific decision (e.g., "European Commission Adequacy Decision for the United Kingdom, 2021‑05‑04"). No additional contractual clauses are required, but we still ensure that the processor complies with GDPR‑level security standards.
  • Binding Corporate Rules (if adopted) – Should Aisle obtain BCR approval, all intra‑group transfers will be governed by those rules, which are filed with the lead supervisory authority and publicly available on request.
  • Explicit Consent for Special Cases – For transfers that involve particularly sensitive data (e.g., biometric data, health‑related information) and where no other lawful basis applies, we obtain explicit, granular consent before the transfer occurs.
  • Documentation & Transparency – We keep an up‑to‑date Transfer Impact Assessment for each cross‑border flow, documenting the nature of the data, the destination, the legal basis, and the risk‑mitigation measures. A summary of these assessments is available to supervisory authorities upon request.

6.3 Your Rights Concerning International Transfers

  • Right to Information – You may request details about any international transfer that involves your personal data, including the destination country and the safeguards applied.
  • Right to Object – Where a transfer relies on legitimate interests, you may object to the transfer. We will suspend the transfer unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to Withdrawal of Consent – If a transfer is based on your consent, you may withdraw that consent at any time, which will halt further transfers for that purpose.

6.4 Data‑Subject Assistance

If you believe a transfer does not meet the required safeguards, you may:

  • Contact our Data Protection Officer at [email protected] with a description of the concern.
  • We will investigate, respond within 30 calendar days, and, if necessary, remediate the transfer (e.g., by adding SCCs or ceasing the flow).

6.5 Future Changes

International data‑transfer frameworks evolve (e.g., new adequacy decisions, revisions to SCCs, or changes in US‑EU data‑privacy arrangements). We commit to:

  • Monitoring legal developments continuously.
  • Updating our contracts and internal policies promptly.
  • Notifying you of material changes that could affect the legal basis of transfers, either via a website notice or a direct communication to affected users.

If you have any specific questions about a particular transfer—such as the location of a data centre that processes your information—please reach out to [email protected]. We are happy to provide the relevant details and the safeguards that protect your data.

7. Cookies and Tracking Technologies

For information about how Aisle uses cookies, please see our Cookie Policy [LINK].

8. Legal Basis for Processing (GDPR)

Where GDPR applies, we process personal data based on the following legal bases:

  • Contractual necessity: To provide and perform Services under a contract with you.
  • Legitimate interests: To operate and improve Services, communicate with users, and secure our systems.
  • Consent: For marketing communications and where required by law.
  • Legal obligations: To comply with applicable laws and regulations.

9. Your Rights - Know Your Rights

9.1 Rights Under the EU‑UK General Data Protection Regulation (GDPR / UK‑GDPR)

Right | What It Means for You | How to Exercise It
Right of Access | Request a copy of all personal data we hold about you, together with the purposes of processing, categories of data, recipients, and the legal basis we rely on. | Submit a "Data Access Request" to [email protected]
Right to Rectification | Ask us to correct inaccurate or incomplete personal data. | Identify the incorrect data and provide the correct information.
Right to Erasure ("Right to be Forgotten") | Request deletion of your personal data when it is no longer needed for the purposes for which it was collected, you withdraw consent, or you object to processing (subject to legal exceptions). | Specify the data you want removed; we will delete it unless a legal obligation requires retention.
Right to Restriction of Processing | Limit how we use your data (e.g., while a dispute is resolved). | Indicate the processing you want restricted and the reason.
Right to Data Portability | Receive your personal data in a structured, commonly used, machine‑readable format (e.g., CSV, JSON) and transmit it to another controller. | Request a portable copy; we'll provide it free of charge.
Right to Object | Object to processing based on legitimate interests or direct marketing. For direct marketing, you can object at any time. | Notify us of the objection; we will stop the relevant processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent | If we rely on your consent for a specific purpose (e.g., marketing emails), you can withdraw it at any time. | Click the "unsubscribe" link in any marketing communication.
Right to Lodge a Complaint | If you believe we have violated your GDPR rights, you may complain to a supervisory authority. | Contact the relevant authority in your EU member state or the UK Information Commissioner's Office (ICO).

Important: Some rights may be limited where we must retain data for legal, tax, or contractual reasons (e.g., financial records for 7 years).

9.2 Rights Under the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)

Right | What It Means for You | How to Exercise It
Right to Know | Request a list of the personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it. | Send a "Know Request" to [email protected]
Right to Delete | Ask us to delete the personal information we hold about you, subject to certain exemptions (e.g., for fraud detection, legal obligations). | Submit a "Deletion Request."
Right to Correct | Request correction of inaccurate personal information (added by the CPRA amendment). | Provide the corrected data.
Right to Opt‑Out of Sale | Although we do not sell personal information, you can still request confirmation that we do not sell your data. | Send an "Opt‑Out" request; we will confirm in writing.
Right to Non‑Discrimination | You may not be discriminated against (e.g., denied services) for exercising any CCPA/CPRA right. | If you experience discrimination, let us know immediately.
Right to Designate an Authorized Agent | You can authorize someone else (e.g., a lawyer) to act on your behalf. | Provide a signed authorization letter naming the agent.
Right to a Data Portability Copy (CPRA) | Receive a portable copy of your personal information in a readily usable format. | Request a "Portability Copy."

Verification: For California requests we may ask for proof of identity (e.g., driver's license, utility bill) before fulfilling the request.

9.3 Additional Rights (Where Applicable)

Jurisdiction | Right | Brief Description
Virginia (VCDPA) | Right to Access, Correct, Delete, Opt‑Out of Processing for Targeted Advertising | Similar to CCPA; request via [email protected]
Colorado (CPA) | Right to Access, Delete, Opt‑Out of Sale | Same process as CCPA.
Other Regions | May have comparable rights (e.g., Brazil's LGPD, Canada's PIPEDA) | Contact us for specifics at [email protected]

9.4 How We Handle Your Requests

  • Acknowledgement – Within 5 business days we'll acknowledge receipt of your request.
  • Verification – We'll verify your identity to protect your data.
  • Response Time – We aim to respond within 30 calendar days (extendable by another 30 days for complex requests).
  • Fees – Requests are free of charge, except where we must verify a large number of requests or where the request is manifestly unfounded or excessive (in which case we may charge a reasonable fee).
  • Format – We'll provide the information in a commonly used electronic format (CSV, PDF, JSON) unless you specify otherwise.

If you have any difficulty exercising your rights, please let us know and we'll work with you to find a solution.

10. Children's Privacy

The Services are not directed to individuals under 18, and we do not knowingly collect personal information from them. If we learn that we have, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time by publishing a new version on our website. Continued use of the Services after changes means you accept the updated policy.

If you have questions about this Privacy Policy, please contact us at [email protected].