Effective 6 May 2026
Privacy Policy
This Privacy Policy explains how ASAA ("we", "us", "our") collects, uses, and protects your personal data when you use our Service. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data We Collect
We collect and process the following categories of data:
- Account data — name, email address, and authentication credentials managed via Clerk. We do not store passwords directly.
- Session inputs — the architecture descriptions and answers you provide when using the Service.
- Generated outputs — HLD documents and pipeline data produced by the Service on your behalf.
- Billing data — subscription and payment information processed by Stripe. We do not store card numbers.
- Usage data — session counts, feature usage events, and aggregate telemetry used to improve the Service.
- Technical data — IP addresses, browser type, and request logs retained for security and debugging purposes.
2. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance — to provide the Service you have subscribed to.
- Legitimate interests — to maintain security, prevent fraud, and improve the Service.
- Legal obligation — to comply with applicable laws including financial record-keeping requirements.
- Consent — for any marketing communications (you may withdraw consent at any time).
3. How We Use Your Data
- To provide, maintain, and improve the Service
- To process subscriptions and payments
- To send transactional communications (e.g. session completion, billing receipts)
- To detect and prevent abuse, fraud, and security incidents
- To comply with legal obligations
We do not sell your personal data. We do not use your session inputs or outputs to train AI models without your explicit consent.
4. Data Sharing
We share data only with the following trusted sub-processors:
- Anthropic — AI model inference for pipeline generation
- OpenAI — AI model inference for output formatting
- Neon — serverless PostgreSQL database (EU region)
- Clerk — authentication and user management
- Stripe — payment processing
- Render — backend hosting (Frankfurt, EU)
- Netlify — frontend hosting
All sub-processors are contractually bound to process data only as instructed and in accordance with applicable data protection law.
5. Data Retention
We retain your account and session data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. financial records are retained for 7 years as required by HMRC).
6. Your Rights (UK GDPR)
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — ask us to restrict processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email privacy@getasaa.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Cookies
We use only essential cookies required for authentication and session management. We do not use third-party advertising cookies or tracking pixels. The authentication provider (Clerk) may set cookies as part of the sign-in flow.
8. Security
We implement industry-standard security measures including TLS encryption in transit, encrypted storage at rest, and HMAC-signed access tokens. Access to production data is restricted to authorised personnel only.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
10. Contact
For privacy-related questions or to exercise your rights, contact our Data Protection contact at privacy@getasaa.com.