1. Introduction
This Privacy Policy explains how AISHIPSAFE ("we," "us," "our") collects, uses, discloses, retains, and protects personal data when you visit our website, use our security scanning service, or otherwise interact with us. It applies to all users, including visitors, free-tier users, and paying customers.
By accessing or using AISHIPSAFE, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you must not use our service.
2. Data Controller
The data controller responsible for your personal data is:
- Entity: AISHIPSAFE
- Location: Grenoble, France
- Contact: contact form
For any data protection inquiry, including exercising your rights under applicable law, please reach out via our contact form.
3. Categories of Personal Data We Collect
We may collect and process the following categories of personal data:
3.1 Data You Provide Directly
- Scan targets: URLs, domain names, and related parameters you submit for analysis.
- Email address: when you contact us or otherwise communicate with us directly.
- Payment information: billing details processed through our third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
- Communications: content of emails, support requests, or feedback you send us.
3.2 Data Collected Automatically
- Technical logs: IP address, browser type and version, operating system, device type, referral URL, pages visited, timestamps, and request metadata.
- Scan results: findings, risk scores, technology stack signals, and coverage data generated by our scanning engine.
- Usage data: feature interactions, scan frequency, session duration, and navigation patterns.
3.3 Cookies and Tracking Technologies
We use strictly necessary cookies to ensure the proper functioning of our service. We may also use analytics cookies to understand how visitors interact with our website. You can control cookie preferences through your browser settings. For more detail, see Section 11 below.
4. Purposes of Processing
We process your personal data for the following purposes:
- Service delivery: to perform security scans, generate reports, deliver results, and provide access to your scan history.
- Payment processing: to process transactions, issue receipts, and manage billing for paid features.
- Communication: to send scan status updates, security alerts, service notifications, and respond to your inquiries.
- Abuse prevention: to detect and prevent unauthorized use, fraud, rate-limit violations, and service abuse.
- Security: to protect the integrity, availability, and confidentiality of our service and infrastructure.
- Legal compliance: to comply with applicable laws, regulations, legal processes, or governmental requests.
- Service improvement: to analyze usage patterns, improve product quality, develop new features, and enhance threat detection coverage.
- Dispute resolution: to establish, exercise, or defend legal claims.
5. Legal Bases for Processing (GDPR)
Under the General Data Protection Regulation (GDPR) and applicable EU/EEA data protection laws, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): processing necessary to deliver the scanning service you requested, generate reports, and manage your account or transaction.
- Legitimate interests (Art. 6(1)(f)): processing necessary for our legitimate interests, including security monitoring, abuse prevention, fraud detection, service improvement, and analytics — provided these interests are not overridden by your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c)): processing necessary to comply with a legal obligation to which we are subject, such as tax, accounting, or law enforcement requirements.
- Consent (Art. 6(1)(a)): where we rely on your consent (e.g., for optional marketing communications or non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Data Sharing and Sub-Processors
We do not sell your personal data. We share personal data only with the following categories of recipients, under contractual confidentiality and data-protection obligations:
- Hosting and infrastructure providers: Vercel (website hosting and edge functions), cloud database providers for scan data storage.
- Payment processor: Stripe, Inc. for secure payment processing. Stripe operates as an independent data controller for payment data under its own privacy policy.
- AI/LLM providers: we may use third-party AI services (such as OpenAI) to enhance scan analysis and report generation. Data shared with these providers is limited to technical scan results and does not include your email address or payment information.
- Email delivery services: for sending transactional emails (scan notifications, report links).
- Analytics tools: for aggregated, anonymized usage analysis to improve our service.
- Legal and regulatory authorities: when required by applicable law, court order, or governmental request.
- Professional advisors: lawyers, accountants, or auditors where necessary for the operation of our business.
We require all sub-processors to implement appropriate technical and organizational measures to protect personal data, and to process it only on our documented instructions.
7. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). When personal data is transferred to a country that the European Commission has not deemed to provide an adequate level of data protection, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- The EU-U.S. Data Privacy Framework, where the recipient is a certified participant.
- Binding Corporate Rules of the data importer, where applicable.
- Your explicit consent, where no other mechanism is available and you have been informed of the risks.
You may request a copy of the relevant transfer mechanisms by reaching out via our contact form.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods include:
- Scan data and reports: retained for up to 12 months after the scan completion date to allow you to access your results, after which they may be anonymized or deleted.
- Account and contact data: retained for the duration of your use of the service and up to 36 months after your last interaction, unless a longer period is required by law.
- Payment records: retained for the period required by applicable tax and accounting regulations.
- Technical logs: retained for up to 12 months for security and abuse prevention purposes, in compliance with applicable data retention laws.
- Communications: retained for as long as necessary to resolve your inquiry, plus any additional period required for legal or compliance purposes.
When data is no longer needed, it is securely deleted or irreversibly anonymized.
9. Your Rights Under GDPR
If you are located in the EU/EEA or the UK, you have the following rights under the GDPR (and equivalent UK GDPR provisions):
- Right of access (Art. 15): you may request confirmation of whether we process your personal data and obtain a copy of such data.
- Right to rectification (Art. 16): you may request correction of inaccurate personal data or completion of incomplete data.
- Right to erasure (Art. 17): you may request deletion of your personal data where there is no compelling reason for its continued processing ("right to be forgotten").
- Right to restriction (Art. 18): you may request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20): you may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): you may object to processing based on our legitimate interests, including profiling.
- Right related to automated decision-making (Art. 22): you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our security scoring is automated but informational only and does not produce legal effects.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, reach out via our contact form. We will respond within 30 days (or as required by applicable law). We may ask you to verify your identity before fulfilling your request.
You also have the right to lodge a complaint with your local data protection supervisory authority.
10. Your Rights Under California Law (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
- Right to know: you may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: you may request deletion of personal information we collected from you, subject to certain exceptions.
- Right to correct: you may request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: we do not sell or share (as defined by CCPA/CPRA) your personal information for cross-context behavioral advertising.
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.
- Right to limit use of sensitive personal information: to the extent we process sensitive personal information, you may limit our use to what is necessary for the service.
To exercise these rights, reach out via our contact form. We will verify your identity and respond within 45 days as required by law.
11. Cookies and Tracking Technologies
We use the following types of cookies:
- Strictly necessary cookies: required for the operation of the website (e.g., session management, security tokens). These cannot be disabled.
- Functional cookies: enable enhanced functionality and personalization (e.g., remembering your scan preferences).
- Analytics cookies: help us understand how visitors interact with our website by collecting and reporting anonymized information.
We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the service.
12. Children's Privacy
AISHIPSAFE is not intended for use by individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will take steps to delete it.
13. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS/HTTPS) and sensitive data at rest.
- Cryptographic access tokens with SHA-256 hashing and timing-safe comparison.
- Role-based access controls and least-privilege principles for internal systems.
- Regular security monitoring and logging of system activity.
- Secure coding practices and dependency vulnerability scanning.
- Infrastructure hosted on platforms with SOC 2 Type II and ISO 27001 compliance.
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, as required by Article 34.
15. Third-Party Links
Our service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policies of any website you visit.
16. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is no industry consensus on how to respond to DNT signals, and we do not currently alter our data collection practices in response to DNT signals. If a standard for responding to DNT signals is established, we will revisit this policy.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice (such as an email notification or a prominent notice on our website).
We encourage you to review this Privacy Policy periodically. Your continued use of the service after any changes constitutes acceptance of the updated policy.
18. Contact
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Please use our contact form and include "Privacy Request" in your message. We will acknowledge your request within 5 business days and aim to provide a substantive response within the timeframes required by applicable law.