AID
Automation
Information Directory
CVE and EPSS data sourced from NIST NVD & FIRST EPSS · Documentation links from official sources

Privacy Policy

Effective 29 March 2026

1. Who we are

AID (Automation Information Directory) is operated by aidapp.uk. We provide a subscription service for tracking CVEs and CISA advisories affecting ICS, OT, and IIoT products.

For questions about this policy or to exercise your rights, contact us at [email protected].

2. Data we collect

| Data | Source | Purpose |
|---|---|---|
| Email address | You (sign-up / OAuth) | Account identity, transactional emails |
| Name / avatar | OAuth provider (Google, GitHub, LinkedIn) | Display in your profile |
| Billing details | Stripe (card processing) | Subscription management |
| Session token | Generated on sign-in | Keeping you logged in |
| Sync preferences | You (settings page) | Scheduling automated CVE syncs |

We do not collect IP addresses for tracking, run third-party analytics, or sell your data to anyone.

3. Legal basis for processing

  • Contract: Processing your email and billing data is necessary to provide the service you subscribe to.
  • Legitimate interests: We store session tokens to keep you authenticated securely.
  • Legal obligation: We retain billing records as required for tax and accounting purposes.

4. How we use your data

  • Authenticate you and maintain your account.
  • Process subscription payments via Stripe.
  • Send transactional emails (account verification, password reset, CVE alerts you enable).
  • Provide customer support when you contact us.

We do not use your data for marketing without your explicit consent.

5. Third-party processors

| Processor | Purpose |
|---|---|
| Stripe | Payment processing and billing management |
| Resend | Transactional email delivery |
| Google / GitHub / LinkedIn | OAuth sign-in (only if you choose that provider) |
| Dokploy / hosting provider | Application hosting and database storage |

All processors are contractually bound to handle your data securely and only for the stated purpose.

6. Data retention

  • Account data is kept for as long as your account is active.
  • On account deletion, personal data is removed within 30 days except where we are legally required to retain it (e.g. billing records, up to 7 years).
  • Session tokens expire automatically after 30 days of inactivity.

7. Your rights under UK GDPR

You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Ask us to limit how we process your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.

To exercise any right, email [email protected]. We will respond within 30 days. If you are unhappy with our response, you may lodge a complaint with the ICO (UK Information Commissioner's Office).

8. Security

We use HTTPS for all data in transit, server-side session management, and industry-standard practices for credential storage. Payment card data is handled entirely by Stripe and never stored on our servers.

9. Changes to this policy

We will notify you of material changes by email or a notice on the site. Continued use after the effective date constitutes acceptance of the revised policy.