Privacy Policy

1. Who We Are

Aidana is a product of Frostgate AS, a company registered in Norway.

Data Controller: Frostgate AS
Email: [email protected]
Website: https://aidana.ai

If you have questions about this privacy policy or how we handle your personal data, contact us at [email protected].

2. What Personal Data We Collect

2.1 Account and Authentication Data

Email address
Password (stored as a cryptographic hash; we never store your plaintext password)
User ID and organization membership
Account creation and update timestamps

2.2 Usage Data and Metadata

Report generation counts and timestamps
AI model selection and token usage
IP address and user agent string (stored in session records)
First-party funnel events, page views, anonymous session IDs, hashed IP addresses, and campaign parameters when you consent to analytics or advertising measurement
UTM parameters and external referrer information when you arrive through a campaign link and consent to analytics or advertising measurement

2.3 Content Data

Text extracted from uploaded documents (processed transiently during report generation)
Instructions and report parameters sent to AI models
Agent configurations (names, system prompts, settings)

Important: Document content is extracted client-side in your browser and is only sent to AI model providers during active report generation. We do not permanently store your document content on our servers.

2.4 Communication Data

Email address for transactional messages (verification, password reset, invitations)

2.5 Optional Advertising Measurement Data

If you consent to advertising measurement, we may load Meta, LinkedIn, or Google advertising tags. These providers may receive technical identifiers, page view and conversion events, campaign parameters, and browser metadata so we can measure whether campaigns lead to signups, generated reports, or upgrades.

3. Why We Process Your Data (Purposes and Legal Basis)

Purpose	Legal Basis (GDPR)
Account creation and authentication	Contract performance (Art. 6(1)(b))
Delivering the report generation service	Contract performance (Art. 6(1)(b))
Subscription and billing management	Contract performance (Art. 6(1)(b))
Transactional email communication	Contract performance (Art. 6(1)(b))
Security monitoring and abuse prevention	Legitimate interest (Art. 6(1)(f))
Usage measurement and service management	Legitimate interest (Art. 6(1)(f))
Optional first-party analytics, page views, and campaign attribution	Consent (Art. 6(1)(a)); ePrivacy consent for non-essential browser storage
Optional advertising conversion measurement	Consent (Art. 6(1)(a)); ePrivacy consent for advertising tags/cookies

4. Data Processors and Third-Party Recipients

We share personal data with the following service providers (data processors), with whom we maintain data processing agreements:

Provider	Role	Data Processed
OpenRouter	LLM inference and web search	Prompt text, extracted file content, model metadata
Polar.sh	Payment and subscription management	User ID, email, subscription plan metadata
Brevo	Transactional email	Email address, user name
Cloudflare	DNS, CDN, and reverse proxy	Encrypted HTTP traffic and network metadata
Cloudflare Web Analytics	Optional privacy-conscious website analytics	Page views and technical request metadata, only after analytics consent and only when configured
Meta, LinkedIn, and Google	Optional advertising measurement and campaign attribution	Page views, conversion events, advertising identifiers, campaign parameters, and browser metadata, only after advertising measurement consent and only when configured
OpenAI / Anthropic / Google	Underlying model providers (via OpenRouter or BYOK)	Prompt text and extracted file content

We do not sell your personal data to any third party. Data is only shared with processors as necessary to provide the service or, where you consent, to measure advertising campaigns. Advertising providers may also act as independent controllers for their own processing under their respective terms and privacy notices.

A current list of our data processors and their data handling details is available at aidana.ai/api/compliance/subprocessors.

5. International Data Transfers

Some of our data processors (notably OpenRouter and underlying model providers) may process data outside the European Economic Area (EEA), including in the United States. Where such transfers occur, we ensure appropriate safeguards are in place, including:

EU Standard Contractual Clauses (SCCs)
Adequacy decisions by the European Commission, where applicable

Cloudflare processes traffic at edge locations globally, but acts as a network-level processor and does not persistently store personal data.

6. Data Retention

Data Type	Retention Period	Deletion Method
User accounts and profiles	Until user requests deletion	User-initiated or admin deletion
User sessions	30 days from creation	Automated cleanup
Report generation records	12 months	Automated cleanup
Soft-deleted agents	30 days after deletion	Automated cleanup
Server logs	30 days	Automatic log rotation
Consent-gated first-party analytics events	Up to 12 months	Database retention cleanup or manual deletion request
Campaign attribution stored in your browser	Up to 90 days	Browser storage expiry or clearing your browser data
Database backups	7 days (rolling)	Automatic cron cleanup
Transactional email content (Brevo)	30 days	Automatic purge by Brevo
LLM API request logs (providers)	Up to 30 days (provider-dependent)	Automatic purge by provider

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of all personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate personal data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.

How to exercise your rights: You can export or delete your data directly from your account settings. For other requests, email us at [email protected]. We will respond within 30 days.

Right to lodge a complaint: If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no.

8. Cookies and Local Storage

Aidana uses strictly necessary cookies and browser storage to run the service. Analytics and advertising measurement are optional and are disabled until you consent. You can reject non-essential tracking and still use the product.

Cookies

Cookie	Purpose	Category
aidana_cookie_consent	Stores your cookie and tracking choices for up to 180 days	Strictly necessary
aidana-locale	Remembers your selected language	Functional
better-auth.session_token	Authentication session	Strictly necessary
__cf_bm	Cloudflare bot management	Strictly necessary
cf_clearance	Cloudflare security challenge clearance	Strictly necessary
_fbp, _fbc	Meta campaign and conversion measurement, only after advertising measurement consent	Advertising measurement
bcookie, li_gc, lidc, UserMatchHistory, AnalyticsSyncHistory, li_sugr	LinkedIn campaign and conversion measurement, only after advertising measurement consent	Advertising measurement
_ga, _gid, _gcl_au, _gcl_aw	Google analytics/ads measurement, only after advertising measurement consent	Advertising measurement

Browser Local Storage

We use your browser's localStorage and IndexedDB to store functional preferences and data that stays entirely on your device:

Layout preferences (wide/centered view)
AI model configuration preferences
Agent configuration cache
Workspace/vault directory handles (for local file access)
Vault encryption key cache (for seamless workspace access)
Anonymous analytics session ID in sessionStorage, only after analytics or advertising measurement consent
Campaign attribution in localStorage for up to 90 days, only after analytics or advertising measurement consent

Functional workspace data never leaves your browser unless you actively use product features that require server processing. Consent-gated analytics and campaign attribution may be sent to Aidana and, if advertising measurement is enabled, to the configured advertising platforms.

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption of data in transit (TLS) and at rest
Client-side document extraction (your files are not uploaded to our servers)
Client-side encryption of API keys stored in workspaces
Server-side access control and role-based authorization
Password hashing using industry-standard algorithms
Automated session expiry and security monitoring

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or through a notice in the application. We encourage you to review this page periodically.

11. Contact

For any privacy-related inquiries:
Frostgate AS
Email: [email protected]