Ayliea — AI Security Assessment & Compliance Consulting

Privacy Policy

Effective date: April 9, 2026

1. Introduction

Ayliea ("we", "our", "us") operates the Ayliea marketing website at ayliea.com, the Ayliea mobile application (the "App"), and provides AI Security Assessment consulting services (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding it.

By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account & Authentication Data

When you create an account in the App, we collect your email address and a password. Authentication is managed by Supabase Auth. Session tokens are stored securely on your device using encrypted native storage (expo-secure-store on iOS/Android) or secure cookies on web. We may also offer sign-in via Google or Apple; if you use these providers, we receive your name and email address from them but never your password.

  • TOTP factor enrollment status and associated metadata (stored by Supabase Auth)
  • Hashed backup recovery codes (stored in our database; plaintext codes are shown once during generation and not retained)

2.2 Assessment Data

When you complete security assessments in the App, we collect:

  • Your answers to assessment questions across supported compliance frameworks (e.g., CIS Controls v8, NIST 800-53, NIST CSF 2.0, HIPAA, ISO 27001, SOC 2, PCI DSS, AI Security)
  • Optional evidence notes you provide for individual questions
  • Computed category scores and overall assessment scores
  • Historical assessment scores over time (Organization tier)
  • Composite posture scores across multiple frameworks and organization-configured framework weights (Organization tier)
  • Recommendation status tracking (not started, in progress, completed) and completion dates
  • Recommendation feedback ratings (helpful / not helpful) with optional text comments, used to improve recommendation quality

2.3 File Uploads

You may upload evidence attachments to support your assessment answers. Accepted file types are PDF, PNG, JPEG, TXT, and CSV, with a maximum size of 5 MB per file. Uploaded files are initially placed in a quarantine storage bucket, scanned for malware (see Section 5), and then promoted to an evidence storage bucket if they pass scanning. Files are accessible via time-limited signed URLs.

2.4 Organization Data

If you create or join an organization (Organization tier), we collect the organization name, industry, and size. Organization owners manage members via invite codes and collaborator links. Members within an organization can view shared assessments and recommendations scoped to that organization. Organization owners may also upload a logo image and set a brand color for customized PDF report generation.

2.5 Contact & Scheduling Data

When you use our contact form or schedule a scoping call, we collect your name, email address, organization, phone number (if provided), and the content of your message. Scheduling is handled through Cal.com; see their privacy policy for their data practices.

2.6 Consulting Engagement Data

During consulting engagements, we collect information about your organization's AI tools, data flows, security controls, and compliance posture as part of the assessment process. This data is covered by the engagement agreement and NDA executed between Ayliea and your organization.

2.7 Technical & Analytics Data

We automatically collect limited technical data necessary to operate and improve the Service:

  • Device type, operating system, and browser version
  • Pages visited, session duration, and referral source (website)
  • Approximate geographic location (city-level, via Google Analytics on the website)
  • Crash reports and error logs (sanitized to exclude personal data)

On the website, we use Google Analytics 4 and Umami. Google Analytics uses cookies to distinguish visitors (see our Cookie Policy for details). Umami does not set cookies and collects only anonymous, aggregated data.

In the App, we use PostHog for product analytics. PostHog collects usage events (e.g., assessment completion, feature usage, quick check retakes), device information, and session data. PostHog assigns a pseudonymous identifier to your device. We do not enable PostHog's session recording or personal data enrichment features.

2.8 Push Notification Data

If you grant permission, we may send push notifications via Expo Notifications to remind you about re-assessment schedules. We store your device push token to deliver these notifications. You can disable push notifications at any time through your device settings.

2.9 Resource Download Data

When you download a gated resource (such as a sample report or policy template), we collect your name, work email address, and company name. This information is stored with our email service provider, Resend, in a dedicated leads contact list separate from our newsletter subscriber list. We use this data to deliver the requested resource and to send occasional marketing communications about Ayliea's services and AI security insights.

You can opt out of marketing communications at any time by contacting us at privacy@ayliea.com or by using the unsubscribe link in any marketing email.

2.10 Newsletter Subscription Data

When you subscribe to our newsletter, we collect your email address. Your email is stored with our email service provider, Resend, as a contact in our subscriber list. We use this email address to send you a one-time welcome email and periodic newsletter content about AI security insights, compliance updates, and risk management guidance.

Unsubscribe and preferences links included in each email contain a cryptographically signed token that embeds your email address. These tokens expire after 90 days and cannot be forged or reused. You can unsubscribe at any time using the link in every email, through the email preferences page, or by contacting us at privacy@ayliea.com.

2.11 Data We Do Not Collect

We do not collect:

  • Precise location data (GPS)
  • Contact lists or address books
  • Browsing history outside the Service
  • Financial information (payment processing is handled by third-party processors; optional financial impact estimates for AI incidents are stored but are not payment data)
  • Biometric data

2.12 AI Governance Data

When you use the AI Governance Module, we collect additional data depending on which features your subscription tier includes:

  • AI System Registry (Pro+) — when you register AI systems, we collect system metadata including name, vendor, vendor URL, deployment type, status, department, data classification, and business criticality. For each registered system, you may document use cases (including whether the system processes PII or PHI, affects individuals, and the decision domain) and data flows (including cross-border transfer destinations and encryption status).
  • Risk Classification (Pro+) — when you classify AI system risk, we store classification results including EU AI Act risk tiers, NIST AI RMF impact and likelihood assessments, risk factors, governance requirements, and any override reasons you provide. Classification history is retained as an append-only audit trail.
  • Vendor Risk Assessments (Business+) — when you create a vendor assessment, we collect the vendor contact's name and email address to send the assessment invitation. Vendors complete questionnaires through a public portal (accessible via a time-limited tokenized URL without authentication) and may provide answers, evidence URLs, and notes. We score vendor responses and store the results.
  • Incident Tracking (Business+) — when you report AI incidents, we collect incident details including descriptions, severity, category, root cause analysis, contributing factors, remediation steps, and preventive measures. We also collect optional financial impact estimates and regulatory notification tracking information (regulatory bodies, deadlines, and notification sent status). Incident timelines record all status changes, assignments, and comments as an audit trail.
  • Regulatory Compliance (Business+) — when you use the regulatory timeline, we store your organization's operating jurisdictions and compliance status for tracked regulatory milestones, including owner assignments and target completion dates.

3. How We Use Your Information

  • Provide the App — authenticate your account, store and display your assessment answers and scores, generate recommendations, and deliver evidence reports
  • Generate AI recommendations — send assessment scores and weak category data to an AI model (see Section 5) to produce security improvement recommendations tailored to your results
  • Scan uploaded files — check file hashes and, when necessary, file contents against malware databases to protect the Service and its users (see Section 5)
  • Organization collaboration — share assessments, recommendations, and scores with members of your organization (Organization tier)
  • Send notifications — deliver push notifications for re-assessment reminders (if you have opted in)
  • Respond to inquiries — reply to contact form submissions and schedule scoping calls
  • Deliver consulting services — conduct assessments, produce deliverables, and provide advisory support as defined in your engagement agreement
  • Service communications — send essential notifications about your account, engagement, deliverables, and service updates
  • Newsletter communications — send AI security insights and company updates to subscribers who have opted in
  • Marketing communications — send occasional service-related communications to leads who downloaded gated resources and consented to receive marketing
  • AI Governance — register and manage AI systems, classify risk, track compliance, and generate governance reports
  • Vendor risk assessments — send questionnaires to your AI vendors, collect their responses, and score their security posture
  • Incident management — log, investigate, and resolve AI incidents; generate preventive recommendations
  • Regulatory compliance — track applicable AI regulations, monitor compliance deadlines, and manage compliance status
  • AI risk analysis — send AI system metadata to Anthropic's Claude API to generate risk classification narratives (Business tier; see Section 5)
  • Vendor communications — send assessment invitations and reminder emails to vendor contacts via Resend
  • Improve the Service — analyze aggregate, anonymized usage patterns on our website and App to improve content and user experience
  • Record consent — when you accept, reject, or customize cookie preferences, we log the action type, your selected preferences, consent version, and timestamp server-side. This fulfills our obligation under GDPR Article 7 to demonstrate that consent was given. These logs do not contain your IP address or any other personally identifiable information.

4. Data Protection

  • Encryption in transit — all data is transmitted over HTTPS/TLS
  • Encrypted credential storage — on native devices, authentication tokens are stored using expo-secure-store, which uses the device's hardware-backed keychain (iOS) or encrypted SharedPreferences (Android)
  • Row-level security — database access is enforced through Supabase Row Level Security policies, ensuring users can only access their own data (or their organization's data for Organization tier members)
  • File quarantine — uploaded files are held in a quarantine bucket and scanned for malware before being made accessible. Infected files are deleted automatically.
  • Signed URLs — evidence files are accessible only via time-limited signed URLs, not publicly accessible links
  • Non-disclosure agreements — all consulting engagements are conducted under strict NDAs that protect your organization's data
  • Access controls — engagement data is accessible only to authorized Ayliea personnel involved in your assessment
  • Sanitized logging — error logs never contain passwords, tokens, personal data, or raw error objects

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

We share data only in these limited circumstances:

  • Infrastructure & database provider — Supabase hosts the App's database, authentication, file storage, and serverless functions. Your account data, assessment data, and uploaded files are processed and stored by Supabase under their data processing agreement. See Supabase's Privacy Policy
  • AI recommendation provider — when you complete an assessment and request recommendations, your assessment scores and weak category names are sent to Anthropic's Claude API via a Supabase Edge Function to generate security improvement recommendations. We do not send your raw assessment answers, evidence notes, or uploaded files to Anthropic. See Anthropic's Privacy Policy
  • AI risk analysis provider — when you request AI-assisted risk analysis for a registered AI system (Business tier), the system's metadata, use cases, and data flow descriptions are sent to Anthropic's Claude API to generate a risk classification narrative. This includes the system's PII/PHI involvement flags and cross-border data flow destinations, but does not include individual names, email addresses, or user-generated assessment content. See Anthropic's Privacy Policy
  • Malware scanning provider — when you upload a file, the file's SHA-256 hash is sent to VirusTotal (owned by Google/Alphabet) to check against known malware signatures. If the hash is not found in VirusTotal's database, the full file may be submitted for analysis. VirusTotal retains submitted files and makes scan results available to its community of security researchers. See VirusTotal's Privacy Policy
  • App analytics provider — PostHog processes pseudonymized usage events from the App (feature usage, assessment completion events, device information). We do not send personal data or assessment content to PostHog. See PostHog's Privacy Policy
  • Website analytics provider — Google processes anonymized website usage data through Google Analytics 4. We do not enable advertising features, user-ID tracking, or data sharing with other Google products. See Google's Privacy Policy
  • Scheduling provider — Cal.com processes scheduling data when you book a scoping call
  • Email service provider — Resend processes newsletter subscriber data, lead contact data, and vendor assessment invitation emails (including vendor contact names and email addresses) to deliver communications on our behalf
  • Organization members — if you belong to an organization (Organization tier), your assessment data, recommendations, and scores are visible to other members of your organization. Organization owners control membership via invite codes and collaborator links.
  • Vendor respondents — when you send a vendor assessment, the vendor's designated contact receives a tokenized URL to complete the questionnaire. The vendor can see your organization's name and logo but cannot access any other data in your account. Vendor responses are visible to members of your organization.
  • Customer webhook endpoints — if your organization configures webhooks (Enterprise tier), incident event data (incident ID, title, severity, category, and status changes) is sent to your specified HTTPS endpoints. You control the destination URLs and are responsible for the security of your webhook endpoints.
  • Legal requirements — if required by law, court order, or governmental authority

6. Data Retention

Account data and assessment data are retained for as long as your account is active. You may delete your account and all associated data at any time through the App or by contacting us. Uploaded evidence files are retained for as long as the associated assessment exists. Files that fail malware scanning are deleted immediately.

Contact form submissions are retained for the duration of the business relationship. Resource download lead data is retained until you opt out of marketing communications or request deletion. Consulting engagement data is retained as specified in the engagement agreement. You may request deletion of your data at any time by contacting us.

AI governance data — including registered AI systems, risk classifications, vendor assessments, incident records, and regulatory compliance tracking — is retained for as long as your organization's account is active. Risk classification history is maintained as an append-only audit trail. Vendor assessment records persist after token expiry. Incident records cannot be deleted by end users (only closed with a note); administrators may permanently delete incident records. All governance data is cascade-deleted when your organization is deleted.

7. Your Rights

You have the right to:

  • Access — request a copy of personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your personal data
  • Portability — receive your data in a structured, machine-readable format

8. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.

9. International Data Transfers

Your data may be processed in the United States, where our infrastructure providers operate. By using the Service, you consent to the transfer of your data to the United States. We ensure appropriate safeguards are in place through our providers' data processing agreements.

When you use the AI risk analysis feature, AI system metadata (including cross-border data flow destinations and PII/PHI involvement flags) is transmitted to Anthropic's servers in the United States. When you send vendor assessment invitations, vendor contact names and email addresses are transmitted to Resend's servers in the United States.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@ayliea.com.