Privacy Policy

1. Who We Are

Aidana is a product of Frostgate AS, a company registered in Norway.

Data Controller: Frostgate AS
Email: [email protected]
Website: https://aidana.ai

If you have questions about this privacy policy or how we handle your personal data, contact us at [email protected].

2. What Personal Data We Collect

2.1 Account and Authentication Data

Email address
Password (stored as a cryptographic hash; we never store your plaintext password)
User ID and organization membership
Account creation and update timestamps

2.2 Usage Data and Metadata

Report generation counts and timestamps
AI model selection and token usage
IP address and user agent string (stored in session records)

2.3 Content Data

Text extracted from uploaded documents (processed transiently during report generation)
Instructions and report parameters sent to AI models
Agent configurations (names, system prompts, settings)

Important: Document content is extracted client-side in your browser and is only sent to AI model providers during active report generation. We do not permanently store your document content on our servers.

2.4 Communication Data

Email address for transactional messages (verification, password reset, invitations)

3. Why We Process Your Data (Purposes and Legal Basis)

Purpose	Legal Basis (GDPR)
Account creation and authentication	Contract performance (Art. 6(1)(b))
Delivering the report generation service	Contract performance (Art. 6(1)(b))
Subscription and billing management	Contract performance (Art. 6(1)(b))
Transactional email communication	Contract performance (Art. 6(1)(b))
Security monitoring and abuse prevention	Legitimate interest (Art. 6(1)(f))
Usage measurement and service management	Legitimate interest (Art. 6(1)(f))

4. Data Processors and Third-Party Recipients

We share personal data with the following service providers (data processors), with whom we maintain data processing agreements:

Provider	Role	Data Processed
OpenRouter	LLM inference and web search	Prompt text, extracted file content, model metadata
Polar.sh	Payment and subscription management	User ID, email, subscription plan metadata
Brevo	Transactional email	Email address, user name
Cloudflare	DNS, CDN, and reverse proxy	Encrypted HTTP traffic and network metadata
OpenAI / Anthropic / Google	Underlying model providers (via OpenRouter or BYOK)	Prompt text and extracted file content

We do not sell your personal data to any third party. Data is only shared with processors as necessary to provide the service.

A current list of our data processors and their data handling details is available at aidana.ai/api/compliance/subprocessors.

5. International Data Transfers

Some of our data processors (notably OpenRouter and underlying model providers) may process data outside the European Economic Area (EEA), including in the United States. Where such transfers occur, we ensure appropriate safeguards are in place, including:

EU Standard Contractual Clauses (SCCs)
Adequacy decisions by the European Commission, where applicable

Cloudflare processes traffic at edge locations globally, but acts as a network-level processor and does not persistently store personal data.

6. Data Retention

Data Type	Retention Period	Deletion Method
User accounts and profiles	Until user requests deletion	User-initiated or admin deletion
User sessions	30 days from creation	Automated cleanup
Report generation records	12 months	Automated cleanup
Soft-deleted agents	30 days after deletion	Automated cleanup
Server logs	30 days	Automatic log rotation
Database backups	7 days (rolling)	Automatic cron cleanup
Transactional email content (Brevo)	30 days	Automatic purge by Brevo
LLM API request logs (providers)	Up to 30 days (provider-dependent)	Automatic purge by provider

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of all personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate personal data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.

How to exercise your rights: You can export or delete your data directly from your account settings. For other requests, email us at [email protected]. We will respond within 30 days.

Right to lodge a complaint: If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no.

8. Cookies and Local Storage

Aidana uses only strictly necessary and functional cookies and browser storage. We do not use any analytics, advertising, or tracking cookies. No cookie consent banner is required.

Cookies

Cookie	Purpose	Category
better-auth.session_token	Authentication session	Strictly necessary
__cf_bm	Cloudflare bot management	Strictly necessary
cf_clearance	Cloudflare security challenge clearance	Strictly necessary

Browser Local Storage

We use your browser's localStorage and IndexedDB to store functional preferences and data that stays entirely on your device:

Layout preferences (wide/centered view)
AI model configuration preferences
Agent configuration cache
Workspace/vault directory handles (for local file access)
Vault encryption key cache (for seamless workspace access)

This data never leaves your browser and is not transmitted to our servers.

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption of data in transit (TLS) and at rest
Client-side document extraction (your files are not uploaded to our servers)
Client-side encryption of API keys stored in workspaces
Server-side access control and role-based authorization
Password hashing using industry-standard algorithms
Automated session expiry and security monitoring

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or through a notice in the application. We encourage you to review this page periodically.

11. Contact

For any privacy-related inquiries:
Frostgate AS
Email: [email protected]