Privacy Policy

Last updated: 4 December 2025

1. Introduction

Aidy.uk ("we," "our," or "us") operates the Aidy platform, an AI-powered security alert enrichment service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using Aidy, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our service.

2. Information We Collect

2.1 Account Information

When you sign in using Google OAuth, we collect:

  • Name
  • Email address
  • Profile picture (if provided by Google)
  • Google account identifier

2.2 Organization and Workflow Data

We collect and store:

  • Organization name and settings
  • Workflow configurations and metadata
  • Workflow run history and execution logs
  • Integration settings (Slack channels, Jira project keys)
  • API keys for workflow authentication

2.3 Security Alert Data

Important: We do not store raw security alert data. When alerts are received through our webhook endpoints, we immediately redact all sensitive content before storage. The redaction process replaces all characters in strings and object keys with placeholder characters while preserving the structure and length of the data for debugging purposes. This means:

  • No actual IP addresses, domains, URLs, file hashes, or other indicators are stored
  • No sensitive alert content is retained in our systems
  • Only structural metadata (field names, data types, lengths) is preserved

2.4 Integration Tokens

To enable integrations with third-party services, we securely store:

  • Slack bot access tokens (encrypted)
  • Jira access and refresh tokens (encrypted)
  • Integration configuration data

2.5 Usage and Technical Data

We automatically collect:

  • Audit logs of user actions (retained for 30 days)
  • Workflow execution metrics and performance data
  • Error logs and debugging information
  • IP addresses and browser information for security purposes

2.6 Payment Information

Payment processing is handled by Stripe. We do not store credit card information. Stripe collects and processes payment data in accordance with their privacy policy. We only receive:

  • Stripe customer ID
  • Subscription status and billing information
  • Invoice history

3. How We Use Your Information

We use the collected information for the following purposes:

  • To provide, maintain, and improve our service
  • To process security alerts and enrich them with threat intelligence
  • To deliver enriched alerts to your configured integrations (Slack, Jira)
  • To authenticate and authorize access to your account
  • To manage your organization, workflows, and team members
  • To process payments and manage subscriptions
  • To send service-related communications
  • To monitor and analyze usage patterns and service performance
  • To detect, prevent, and address technical issues and security threats
  • To comply with legal obligations

4. AI Processing and Data Training

Important: Aidy uses OpenAI's GPT models to analyze and enrich security alerts. We want to be completely transparent about how your data is used:

  • We do not train AI models on your data. Your security alerts and workflow data are not used to train or improve any AI models.
  • OpenAI does not train on your data. When we send data to OpenAI for processing, it is used solely for generating responses to your requests. OpenAI does not use this data to train their models, as confirmed by their data usage policies.
  • AI processing is performed in real-time to analyze alerts and generate summaries. The processed data is not retained by OpenAI beyond the immediate request-response cycle.

5. Third-Party Services and Data Sharing

We use several third-party services to provide our platform. Here's how your data is shared:

5.1 Authentication

  • Google: We use Google OAuth for authentication. Google processes your authentication data according to their privacy policy.

5.2 Payment Processing

  • Stripe: Payment processing is handled by Stripe. Stripe processes payment information in the United States and is PCI-DSS compliant. Your payment data is subject to Stripe's privacy policy.

5.3 AI Processing

  • OpenAI: We use OpenAI's API to process security alerts and generate summaries. Data sent to OpenAI is processed in the United States. OpenAI does not use your data to train their models.

5.4 Workflow Processing

  • Trigger.dev: We use Trigger.dev as a subprocessor to execute workflows. Trigger.dev processes workflow execution data in accordance with their privacy policy and data processing agreements.

5.5 Threat Intelligence

To enrich security alerts, we query the following threat intelligence services:

  • VirusTotal (for file hashes and URLs)
  • IPInfo (for IP address intelligence)
  • AbuseIPDB (for IP reputation)
  • MalwareBazaar (for malware hash lookups)
  • URLhaus (for URL reputation)

Only the indicators extracted from alerts (IPs, domains, URLs, hashes) are sent to these services. No other data is shared with them.

5.6 Integrations

  • Slack: When you configure Slack integration, enriched alerts are posted to your specified Slack channels. Slack processes this data according to their privacy policy.
  • Jira: When you configure Jira integration, enriched alerts are created as Jira issues. Jira processes this data according to their privacy policy.

5.7 Other Service Providers

We may use other service providers for hosting, analytics, monitoring, and support. These providers are contractually obligated to protect your data and only use it for the purposes we specify.

6. Data Retention

We retain your data for the following periods:

  • Audit logs: Retained for 30 days, then automatically deleted
  • Account data: Retained until you delete your account
  • Workflow data: Retained until you delete the workflow or your account
  • Redacted alert metadata: Retained until you delete the workflow or your account
  • Integration tokens: Retained until you disconnect the integration or delete your account

When you delete your account, all associated data is permanently deleted within 30 days, except where we are required to retain data for legal compliance purposes.

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption of data in transit using TLS/SSL
  • Encryption of sensitive data at rest (integration tokens, API keys)
  • Secure authentication using OAuth 2.0
  • Regular security assessments and updates
  • Access controls and role-based permissions
  • Automatic redaction of sensitive alert data before storage
  • Secure API key management

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

8. International Data Transfers

Your data is primarily processed in the United Kingdom and European Union. However, some of our service providers operate in the United States:

  • OpenAI processes data in the United States
  • Stripe processes payment data in the United States

These transfers are necessary for the provision of our service. We ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) where applicable
  • Data Processing Agreements with all subprocessors
  • Compliance with GDPR and UK GDPR requirements

9. Your Rights

Under UK GDPR and applicable data protection laws, you have the following rights:

  • Right of Access: You can request a copy of the personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate data
  • Right to Erasure: You can request deletion of your data (subject to legal obligations)
  • Right to Restrict Processing: You can request that we limit how we use your data
  • Right to Data Portability: You can request your data in a machine-readable format
  • Right to Object: You can object to certain types of processing
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it

To exercise these rights, please contact us at support@aidy.uk. We will respond to your request within 30 days.

10. Age Restrictions

Our service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18. If you are under 18, please do not use our service or provide any personal information to us.

If we become aware that we have collected personal information from someone under 18, we will take steps to delete that information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

Material changes will be communicated via email or through a prominent notice on our website. Your continued use of the service after such changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: support@aidy.uk

Website: https://aidy.uk