Privacy Policy — Aitemic

Last updated: 19 May 2026 · Effective: 19 May 2026 · Version 1.0

Summary: Aitemic Ltd is committed to protecting your privacy. We collect only what we need, store it securely, and never sell your data to third parties. This policy explains what data we collect, why, and your rights under UK GDPR.

1. Who we are

Aitemic Ltd ("Aitemic", "we", "us", "our") is a company registered in England and Wales. We operate the Aitemic platform at aitemic.com and the CyberAssure governance and compliance platform.

Data Controller: Aitemic Ltd
Contact: privacy@aitemic.com
Address: England, United Kingdom

2. What data we collect

2.1 Account and identity data

Name and email address (when you create an account or are invited by a consultant)
Password (stored as a salted hash — we never store plaintext passwords)
Organisation name and role
Profile information you choose to provide

2.2 Platform usage data

Audit tasks, gap findings, evidence uploads, and policy documents you create within CyberAssure
Asset register entries and onboarding questionnaire responses
AI assistant conversation history within your session
Files uploaded for policy review (processed in-session, not permanently stored)

2.3 Technical data

IP address and browser/device type (via server logs)
Session tokens and authentication data
Pages visited and features used (aggregated analytics only)

2.4 Data we do NOT collect

Payment card details (we do not process payments directly)
Biometric data
Data from third-party advertising networks
Special category data as defined by UK GDPR Article 9

3. How we use your data

Purpose	Legal basis
Providing the CyberAssure platform and its features	Contract (Article 6(1)(b))
Sending invitation emails and password reset links	Contract (Article 6(1)(b))
Generating AI-powered gap analysis and policy documents	Contract (Article 6(1)(b))
Communicating service updates, security notices	Legitimate interests (Article 6(1)(f))
Improving platform features and fixing bugs	Legitimate interests (Article 6(1)(f))
Complying with legal obligations	Legal obligation (Article 6(1)(c))
Marketing communications (opt-in only)	Consent (Article 6(1)(a))

4. AI processing

CyberAssure uses Claude (Anthropic) to power AI features including gap analysis, policy generation, and the AI assistant. When you use these features:

Your input is sent to Anthropic's API for processing
Anthropic processes data in accordance with their privacy policy
We do not use your data to train AI models
AI conversations are not permanently stored beyond your session unless you explicitly save output

5. Data storage and security

Your data is stored in Supabase (PostgreSQL), hosted in the European Union. We implement the following security measures:

All data encrypted at rest (AES-256) and in transit (TLS 1.3)
Row-level security (RLS) ensuring users can only access their own organisation's data
Authentication managed by Supabase Auth with bcrypt password hashing
Platform hosted on Vercel's global edge network with DDoS protection
Access to production systems restricted to Aitemic staff on a need-to-know basis

6. Data sharing

We share your data only with trusted sub-processors necessary to provide the service:

Sub-processor	Purpose	Location
Supabase Inc.	Database and authentication	EU (Frankfurt)
Vercel Inc.	Platform hosting and CDN	US/EU (edge)
Anthropic PBC	AI processing (CyberAssure AI features)	US

We do not sell, rent, or trade your personal data to any third party.

7. Data retention

Account data: Retained for the duration of your account plus 12 months after closure
Audit and compliance data: Retained for 7 years to support regulatory requirements
Server logs: Retained for 90 days
AI session data: Not retained beyond the session

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

Right of access: Request a copy of the data we hold about you
Right to rectification: Ask us to correct inaccurate data
Right to erasure: Request deletion of your data ("right to be forgotten")
Right to restriction: Ask us to limit how we process your data
Right to data portability: Receive your data in a machine-readable format
Right to object: Object to processing based on legitimate interests
Right to withdraw consent: Where processing is based on consent

To exercise any of these rights, email privacy@aitemic.com. We will respond within 30 days.

9. Cookies

We use essential cookies only — no advertising or tracking cookies. See our Cookie Policy for details.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by displaying a notice on the platform. Continued use of the platform after changes constitutes acceptance.

11. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113

We would appreciate the opportunity to address your concern directly first — please contact us at privacy@aitemic.com.

12. Contact

For any privacy-related queries:
Email: privacy@aitemic.com
General: hello@aitemic.com