Privacy Policy
Effective date: January 1, 2025 · Last updated: April 2025
AlektroAI is built on a principle of radical transparency. This policy explains exactly what we do — and don't do — with your data. Your API payloads are never stored beyond the request, never used to train our models, and never shared with third parties for commercial purposes. For questions, email privacy@alektroai.io.
1. Overview
AlektroAI, Inc. ("AlektroAI", "we", "us") operates an AI Security API used by engineering and security teams to detect threats, score anomalies, moderate content, scan for vulnerabilities, classify malware, and evaluate authentication risk. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have over it. It applies to all users of our website, API, and related services.
2. Data We Collect
2.1 Account & Contact Data
When you sign up, book a demo, or contact us, we collect: name, work email address, company name, job title, and any message content you provide. This is used to create and manage your account, respond to your enquiries, and send service-related communications.
2.2 API Request Payloads
To deliver security analysis, our endpoints receive the data you submit — which may include log files, network traffic excerpts, code snippets, configuration files, binary files, content strings, or authentication metadata. We process this data in-memory solely to return a security verdict. Payloads are not persisted after the response is returned, except where audit logging is enabled (see Section 2.3).
2.3 Audit Log Data
Every API decision generates an audit log entry containing: a unique request ID, the endpoint called, the verdict and confidence score, SHAP-based reasoning, timestamp, and your customer identifier. Audit logs do not include raw payloads. They are retained for 90 days by default and up to 7 years on Enterprise and Platform tiers for compliance purposes. You can retrieve, export, and delete audit log data via GET /v1/audit/logs.
2.4 Usage & Telemetry Data
We collect API call metadata (endpoint, latency, HTTP status, rate limit consumption) for billing, SLA monitoring, and service improvement. This data is aggregated and de-identified before use in analytics. We do not associate telemetry data with individuals beyond what is necessary for account management.
2.5 Website & Cookie Data
Our marketing website collects standard web analytics data — pages visited, referrer, device type, and approximate location derived from IP address. We use first-party analytics only. We do not use cross-site tracking cookies or sell browsing data to third parties.
3. How We Use Your Data
We use the data described above to: (a) deliver and operate the Services; (b) authenticate API requests and enforce rate limits; (c) generate audit trails for your compliance reporting; (d) detect and prevent abuse, fraud, and security threats against our own infrastructure; (e) communicate with you about your account, invoices, and service updates; (f) improve the reliability and performance of our detection models using aggregated, de-identified signal — never using raw customer payloads. We do not use customer-submitted data to train or fine-tune our AI models.
4. Data Minimization & Retention
AlektroAI is designed around data minimization. API payloads are processed ephemerally and discarded immediately after the response is returned. We collect only what is necessary for the requested security operation. Audit log entries contain decision metadata, not the raw input. Retention schedules by data type: account data is retained for the life of your account plus 30 days; audit logs 90 days by default (configurable); API telemetry 12 months; website analytics 24 months. You may request early deletion of any data we hold about you — see Section 8.
5. Sharing & Subprocessors
We do not sell your data. We share data only with subprocessors necessary to deliver the Services, and only under data processing agreements that impose equivalent privacy obligations. Our key subprocessors include: cloud infrastructure providers (compute, storage, and networking); observability platforms (aggregated metrics and logs); authentication providers (for API credential management); and threat intelligence feed providers (which receive hashed IOC lookups, not your raw payloads). An up-to-date subprocessor list is available on request at privacy@alektroai.io.
6. Security
AlektroAI maintains SOC 2 Type II certification. Security controls include: TLS 1.2+ for all data in transit; AES-256 encryption for data at rest; OAuth 2.0 and mTLS for API authentication; role-based access controls internally; automated vulnerability scanning in our CI/CD pipeline; and annual penetration testing by an independent third party. Incident response procedures are documented and tested. In the event of a breach affecting your data, we will notify you within 72 hours as required by applicable law.
7. International Data Transfers
AlektroAI is headquartered in the United States. If you access the Services from the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers. Enterprise customers may request a Data Processing Agreement (DPA) that includes SCCs by contacting privacy@alektroai.io.
8. Your Rights
GDPR Rights (EEA / UK residents)
You have the right to: access the personal data we hold about you; correct inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; and receive your data in a portable format. You also have the right to lodge a complaint with your local supervisory authority.
CCPA Rights (California residents)
You have the right to know what personal information we collect and how it is used; to request deletion of your personal information; and to opt out of the sale of personal information (we do not sell personal information). We will not discriminate against you for exercising these rights.
How to exercise your rights
Submit a request to privacy@alektroai.io or via the contact form at alektroai.io/contact. We will respond within 30 days. For audit log deletion, you may also use the API: DELETE /v1/audit/logs/{request_id}.
9. AI Model Governance
AlektroAI is committed to transparent, responsible AI. Our models are evaluated regularly against adversarial inputs, evasion attacks, and prompt injection attempts. We conduct bias testing across protected attributes and publish evaluation methodology summaries. Automated drift detection triggers model review when threat landscape changes are detected. These practices are aligned with NIST AI RMF. Customer data is never used as training data. Model decisions are explainable — every API response includes a confidence score and SHAP-based reasoning.
10. Children's Privacy
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at privacy@alektroai.io and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to the address on your account at least 30 days before taking effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Services after changes take effect constitutes acceptance of the revised Policy.
12. Contact Us
For privacy questions, data requests, or to request a Data Processing Agreement, contact our privacy team at privacy@alektroai.io. You can also write to: AlektroAI, Inc., Attn: Privacy, San Francisco, CA, United States. We aim to respond to all enquiries within 5 business days.
