Privacy Policy
Last Updated: November 6, 2025
Aisle Inc. ("Aisle," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our websites, products, recruitment portals, and services (the "Services"). It is designed to meet requirements under the EU General Data Protection Regulation ("GDPR") and the UK GDPR.
Contact Information
If you have questions or concerns about this Privacy Policy or our data-protection practices, or if you wish to exercise your privacy rights, please contact us:
- United States: Aisle Inc. 201 Spear Street, San Francisco, CA 94105, USA, [email protected]
- European Union: Aisle s.r.o., Jindřišská 939/20, 110 00 Prague 1, Czech Republic, [email protected]
We review and respond to all privacy inquiries and rights requests in accordance with applicable data-protection laws, including the EU GDPR and UK GDPR.
1. Information We Collect
We collect the following categories of personal information:
| Category | Examples of Data | Purpose |
|---|---|---|
| Identifiers | Name, email, phone number, account login credentials | To register accounts, provide Services, communicate |
| Recordkeeping Information | Billing details | To process payments |
| Commercial Information | Transaction history | To manage accounts |
| Internet or Other Electronic Network Activity Information | IP address, device identifiers, browser type, logs, interactions with Services | To operate and secure Services, analyze usage |
| Professional or Employment-related Information | Company name, role, business contact details | To provide enterprise Services and customer support |
| Professional or Employment-related Information | CVs, application forms, interview notes, references | To manage recruitment, evaluate candidates, comply with legal obligations |
| Customer Data | Code repositories and related data submitted to Services | To provide vulnerability detection and remediation |
| Inferences Drawn from the Above Information about Your Predicted Characteristics and Preferences | Preferences, product usage patterns | To improve Services and provide tailored communications |
We prohibit uploading of special categories of data (GDPR Art. 9), unless expressly agreed in writing.
2. How We Use Information
We process personal information only for the specific, legitimate purposes described below. Each purpose is matched with the legal basis that permits the processing under the GDPR (or equivalent provisions under other applicable laws).
| Purpose | Description of Processing Activities | Legal Basis (GDPR) |
|---|---|---|
| Provision of Services | Operate, maintain, and improve all Aisle Services (websites, APIs, recruitment portals, and related products). This includes authenticating users, managing sessions, storing configuration settings, and delivering content. | Contractual necessity (Art. 6 (1)(b)) |
| Account Management | Create and manage user accounts, verify identities, reset passwords, and provide customer‑support interactions. | Contractual necessity (Art. 6 (1)(b)) |
| Transaction Processing | Process payments, issue invoices, manage billing cycles, handle refunds, and maintain financial records for tax and accounting purposes. | Contractual necessity (Art. 6 (1)(b)) |
| Security & Fraud Prevention | Monitor for suspicious activity, detect and mitigate fraud, enforce security policies, conduct vulnerability scans, and respond to security incidents. | Legitimate interests (Art. 6 (1)(f)) |
| Regulatory & Legal Compliance | Preserve records required by law, respond to lawful requests from authorities, enforce our Terms of Service, and defend legal claims. | Legal obligation (Art. 6 (1)(c)) |
| Communications & Notifications | Send administrative messages (e.g., service updates, password resets, security alerts), respond to inquiries, and provide technical support. | Legitimate interests (Art. 6 (1)(f)) |
| Product Development & Analytics | Aggregate and analyze usage data (e.g., feature adoption, performance metrics) to improve existing features, develop new functionalities, and conduct research on system reliability. | Legitimate interests (Art. 6 (1)(f)) – data is pseudonymised where feasible |
| Recruitment & Talent Management | Store and evaluate CVs, application forms, interview notes, and reference checks; communicate with candidates; and retain applicant data for the duration of the hiring process. | Legitimate interests (Art. 6 (1)(f)) and, where required, explicit consent for sensitive recruitment‑related data |
| Marketing & Promotional Communications | Deliver newsletters, event invitations, product announcements, and promotional offers, only when you have opted‑in or otherwise given consent. You may withdraw consent at any time. | Consent (Art. 6 (1)(a)); also legitimate interests for limited "soft‑sell" messages where you have not opted out (subject to local e‑privacy rules) |
| Customer‑Provided Code Repositories & Related Data | Store, scan, and remediate code or other technical artifacts you submit to our vulnerability‑detection services. This data is used exclusively for providing the contracted service and is never used to train AI models. | Contractual necessity (Art. 6 (1)(b)) |
| Third‑Party Service Integration | Share necessary data with cloud‑hosting providers, analytics platforms, payment processors, AI/LLM providers, and other vendors that help us deliver the Services. All such transfers are governed by written contracts that contain appropriate data‑protection clauses. | Contractual necessity (Art. 6 (1)(b)) and/or legitimate interests (Art. 6 (1)(f)) |
| Data Subject Rights Management | Verify identity and process requests to access, rectify, erase, restrict, object, or port your data, as well as to withdraw consent. | Legal obligation (Art. 6 (1)(c)) |
We do not use Customer Data to train AI or machine learning models, whether ours or those of third-party providers.
3. How We Share Information
We may share each category of personal information we collect, as described above in the "Information We Collect" section, with the following categories of entities, for our business and commercial purposes:
- Service Providers: Hosting, AI/LLM providers, analytics, support, recruitment platforms, and payment processors.
- Professional Advisors: Auditors, legal, and accounting advisors.
- Legal Authorities: If required by law or valid legal process.
- Business Transfers: In connection with a merger, sale, or acquisition, or other transfer of all or part of our assets, including in bankruptcy.
4. Data Retention
We retain personal information as long as necessary to provide the Services, manage recruitment processes, comply with legal obligations, resolve disputes, and enforce agreements. Customer Data is deleted in accordance with our Terms of Use or upon request, subject to applicable law.
Retention Schedule Matrix
| Data Category | Retention Period | Trigger for Deletion |
|---|---|---|
| Account credentials (username, password hashes, MFA tokens) | Until account deletion or inactivity > 24 months | User‑initiated deletion or automatic purge after 24 months of inactivity |
| Contact information (name, email, phone) | As long as the account remains active | Account closure or explicit user request |
| Billing & payment records (invoice, transaction IDs, payment method details) | 10 years (tax & accounting requirements) | Automatic archival after 10 years; deletion only if required by law |
| Customer code repositories & related data (uploaded source code, analysis results) | Until the service contract ends or the user deletes the data | User‑initiated deletion or end of contractual relationship |
| Recruitment applicant data (CVs, application forms, interview notes, references) | 12 months after the recruitment process concludes (extendable with explicit consent) | End of recruitment cycle + 12 months, unless consent obtained for longer storage |
| Professional/employment data (company name, role, business contacts) | As long as the user maintains an enterprise account | Account termination or user request |
| Marketing communication preferences (opt‑in status, subscription settings) | Until the user changes the preference or withdraws consent | Preference update or consent withdrawal |
| Legal & compliance records (e.g., evidence of consent, audit logs) | Minimum 6 years, or longer if required by applicable law | Expiration of statutory requirement |
5. Security
We implement appropriate technical and organizational measures to protect personal information from unauthorized access, loss, misuse, or disclosure. These measures include encryption, access controls, and secure development practices. However, no method of transmission or storage is completely secure.
6. International Transfers
Aisle Inc. processes personal data on a global scale. Because we operate in the United States, the Czech Republic, and serve users worldwide, your information may be transferred to, stored in, and accessed from countries outside your place of residence—including the United States, the European Economic Area (EEA), the United Kingdom, and other jurisdictions where we maintain data‑centres or third‑party service providers.
6.1 Legal Basis for Transfers
Whenever a transfer takes place outside the European Economic Area (EEA) or the United Kingdom, we rely on one or more of the following lawful mechanisms required by the GDPR (Article 46) and the UK GDPR (Article 45):
| Mechanism | When It Is Used | What It Guarantees |
|---|---|---|
| Adequacy Decisions | Transfers to countries that the European Commission (or the UK's Secretary of State) has recognised as providing an essentially equivalent level of data‑protection (e.g., the United Kingdom, Switzerland, Japan). | No additional safeguards are required because the destination country is deemed adequate. |
| Standard Contractual Clauses (SCCs) | Transfers to any third country that does not have an adequacy decision (e.g., United States, Singapore, India). | The SCCs create contractual obligations on the importer to protect the data in line with EU/UK standards. |
| Explicit Consent | When a specific transfer is required for a purpose that cannot be fulfilled otherwise and the data subject has given a clear, informed, and freely given consent. | The data subject acknowledges the possible risks of the transfer. |
| Derogations for Specific Situations (e.g., performance of a contract, vital interests) | Limited, case‑by‑case transfers where one of the GDPR derogation grounds applies. | Used only when no other mechanism is feasible. |
6.2 How We Implement the Safeguards
- Standard Contractual Clauses
  - All third‑party processors located outside the EEA/UK (cloud providers, analytics services, AI/LLM vendors, payment processors, etc.) sign the latest EU‑Commission SCCs (Version 2.0) and the UK‑equivalent SCCs.
  - We maintain a master data‑processing agreement that incorporates the SCCs and outlines the processor's obligations (confidentiality, security, sub‑processor approval, data‑subject rights assistance, breach notification).
- Adequacy‑Based Transfers
  - When we store data in a jurisdiction with an adequacy decision, we document the specific decision (e.g., "European Commission Adequacy Decision for the United Kingdom, 2021‑05‑04").
  - No additional contractual clauses are required, but we still ensure that the processor complies with GDPR‑level security standards.
- Explicit Consent for Special Cases
  - For transfers that involve particularly sensitive data (e.g., biometric data, health‑related information) and where no other lawful basis applies, we obtain explicit, granular consent before the transfer occurs.
- Documentation & Transparency
  - We keep an up‑to‑date Transfer Impact Assessment for each cross‑border flow, documenting the nature of the data, the destination, the legal basis, and the risk‑mitigation measures.
  - A summary of these assessments is available to supervisory authorities upon request.
6.3 Data‑Subject Assistance
If you believe a transfer does not meet the required safeguards, you may contact our Data Protection Officer at [email protected] with a description of the concern. We will investigate, respond within 30 calendar days, and, if necessary, remediate the transfer (e.g., by adding SCCs or ceasing the flow).
7. Cookies and Tracking Technologies
For information about how Aisle uses cookies, please see our Cookie Policy.
8. Your Rights - Know Your Rights
| Right | What It Means for You | How to Exercise It |
|---|---|---|
| Right of Access | Request a copy of all personal data we hold about you, together with the purposes of processing, categories of data, recipients, and the legal basis we rely on. | Submit a "Data Access Request" to [email protected] |
| Right to Rectification | Ask us to correct inaccurate or incomplete personal data. | Identify the incorrect data and provide the correct information. |
| Right to Erasure ("Right to be Forgotten") | Request deletion of your personal data (subject to legal exceptions). | Specify the data you want removed; we will delete it unless a legal obligation requires retention. |
| Right to Restriction of Processing | Limit how we use your data (e.g., while a dispute is resolved). | Indicate the processing you want restricted and the reason. |
| Right to Data Portability | Receive your personal data in a structured, commonly used, machine‑readable format (e.g., CSV, JSON) and transmit it to another controller. | Request a portable copy; we'll provide it free of charge. |
| Right to Object | Object to processing based on legitimate interests or direct marketing. For direct marketing, you can object at any time. | Notify us of the objection; we will stop the relevant processing unless we demonstrate compelling legitimate grounds. |
| Right to Withdraw Consent | If we rely on your consent for a specific purpose (e.g., marketing emails), you can withdraw it at any time. | Click the "unsubscribe" link in any marketing communication. |
| Right to Lodge a Complaint | If you believe we have violated your GDPR rights, you may complain to a supervisory authority. | Contact the relevant authority in your EU member state or the UK Information Commissioner's Office (ICO). |
Important: Some rights may be limited where we must retain data for legal, tax, or contractual reasons.
9. Changes to This Policy
We may update this Privacy Policy from time to time by publishing a new version on our website. Continued use of the Services after changes means you accept the updated policy.
If you have questions about this Privacy Policy, please contact us at [email protected].