Privacy Policy
This Privacy Policy explains how Aeloria collects, uses, shares, and protects personal data when you visit our website, create an account, or use the Aeloria Service. It complies with the EU General Data Protection Regulation 2016/679 ("GDPR") and the Swiss Federal Act on Data Protection ("revDSG") in force as of 1 September 2023.
1. Controller
The data controller responsible for the processing described in this Policy is:
Aeloria (a business name of Matteo Panzavolta, sole proprietor)
Im Lindengut 15
8803 Rüschlikon, Switzerland
Email: privacy@aeloria.ai
2. EU/EEA Representative
Aeloria is established in Switzerland, a country recognised by the European Commission as providing an adequate level of data protection. Where Article 27 GDPR nevertheless applies to a specific processing activity, an EU representative will be appointed. Contact details will be published here once designated.
3. Categories of Personal Data We Process
3.1 Account & Identity Data
- Name, work email address, job title, organisation, country
- Password (stored hashed)
- Language preference
3.2 Billing Data
- Billing name and address, VAT identification number where provided
- Payment method details (held by Stripe, not by Aeloria)
- Invoice history and subscription tier
3.3 Usage Data
- Application log data: IP address, browser type, device identifiers, timestamps, in-app actions performed
- Feature usage: prompts and queries submitted to the Service, frequency of use, dashboard interactions
- Aggregate, anonymous website analytics via Umami (see Section 5 and our Cookie Policy)
3.4 Brand & Workspace Data
- Brand names and information you choose to monitor
- Reference URLs, content uploaded, competitive sets defined
- Notes, tags, and collaborative comments
3.5 Communications Data
- Support tickets, emails to and from us, in-product chat
- Marketing preferences and newsletter subscription status
4. Purposes & Legal Bases
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide the Service and manage your Account | Performance of contract (6(1)(b)) |
| Process payments and issue invoices | Performance of contract (6(1)(b)); legal obligation (6(1)(c)) |
| Customer support | Performance of contract (6(1)(b)) |
| Improve and develop the Service (aggregated, non-identifying analysis) | Legitimate interest (6(1)(f)) — to run and improve a competitive SaaS product |
| Send transactional emails (renewals, security alerts, service notices) | Performance of contract (6(1)(b)) |
| Send marketing emails and product updates | Consent (6(1)(a)), with opt-out at any time |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest (6(1)(f)) |
| Comply with legal, accounting, and tax obligations | Legal obligation (6(1)(c)) |
5. Sub-Processors & Recipients
Aeloria uses the following sub-processors. A current list with names and locations is also maintained at aeloria.ai/sub-processors and is updated as sub-processors change.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Application hosting, storage, compute | EU (Ireland / Frankfurt) |
| Stripe Payments Europe Ltd. | Subscription billing, invoicing, payment methods | Ireland |
| OpenAI Ireland Ltd. / OpenAI L.L.C. | Querying ChatGPT for brand visibility measurement | Ireland / United States |
| Anthropic PBC | Querying Claude for brand visibility measurement | United States |
| Google Ireland Ltd. / Google LLC | Querying Gemini and Google AI Overviews | Ireland / United States |
| Perplexity AI Inc. | Querying Perplexity for brand visibility measurement | United States |
| Microsoft Ireland Operations Ltd. | Querying Copilot for brand visibility measurement | Ireland |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | United States |
| Umami | Aggregate, cookieless website analytics — no personal data collected | EU |
We enter into Data Processing Agreements with all sub-processors that process personal data on our behalf, and we ensure adequate safeguards for any international transfers (see Section 7).
6. AI Engine Queries — Important Notice
To measure visibility, the Service submits prompts and queries to third-party AI Engines (such as ChatGPT, Claude, Gemini, Perplexity, and Google AI Overviews). The content of these prompts may include Brand names, product descriptions, and reference URLs, but should not include personal data of individuals (employees, customers, end-users) unless strictly necessary and lawful.
You agree not to submit personal data of individuals through the Service in a way that would expose such data to AI Engines, and you remain responsible as controller for any personal data so submitted. We strongly recommend keeping all monitoring prompts focused on brand-level information rather than individuals.
7. International Data Transfers
Aeloria is based in Switzerland. The European Commission has recognised Switzerland as providing an adequate level of data protection (adequacy decision under Article 45 GDPR). Where personal data is transferred from the EU/EEA to Aeloria, this decision serves as the legal basis for the transfer.
Some sub-processors (in particular AI Engine providers) may process data in the United States or other jurisdictions. For such transfers, we rely on:
- Adequacy decisions where available (e.g. EU–U.S. Data Privacy Framework);
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Equivalent safeguards under Swiss law (revDSG).
8. Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
- Account data: for the duration of your Account, plus up to 12 months after closure for backup and dispute-resolution purposes;
- Billing and invoice data: 10 years, as required by Swiss commercial and tax law (Art. 958f Code of Obligations);
- Application logs: 12 months, then anonymised or deleted;
- Customer Data within Workspaces: for the duration of the Subscription and 30 days after termination, after which it is deleted unless export is requested;
- Support communications: 3 years from last interaction;
- Marketing data: until consent is withdrawn;
- Aggregate website analytics: retained in anonymous form indefinitely; no personal data is collected.
9. Your Rights
Under the GDPR and revDSG, you have the following rights:
- Access — request a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion, subject to legal retention obligations;
- Restriction — request that we limit processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Objection — object to processing based on legitimate interest or direct marketing;
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing;
- Lodge a complaint — with the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or, for EU residents, with your local supervisory authority.
To exercise these rights, email privacy@aeloria.ai. We may need to verify your identity before fulfilling the request and will respond within 30 days.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2 or higher) and at rest;
- Role-based access controls and the principle of least privilege;
- Audit logging of access to sensitive data;
- Regular security reviews of code and infrastructure;
- Hashed and salted storage of authentication credentials;
- Sub-processor due diligence and contractual security commitments.
In the event of a personal data breach likely to result in a risk to your rights, we will notify you and the competent supervisory authority within 72 hours of becoming aware.
11. Cookies & Tracking
Aeloria is cookieless by design with respect to tracking and analytics. We use only strictly necessary first-party session cookies for authentication and security, plus a single functional cookie (aeloria_lang) to remember your selected interface language. We do not use third-party tracking cookies, advertising cookies, or behavioural profiling technologies. Our analytics provider, Umami, operates without cookies and without collecting personal data. See our Cookie Policy for full details.
12. Children
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have done so inadvertently, please contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email or in-product notice at least 30 days before taking effect. The version date at the top reflects the most recent update.
14. Contact
Privacy-related questions, requests, or complaints may be sent to privacy@aeloria.ai.