Privacy Policy

AegisQ Corporation ("Company," "we," "us," "our," or "AegisQ") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and otherwise process information about you in connection with our services, including:

• AegisQ-Security — Autonomous cybersecurity platform
• AegisQ-Helm — AI executive suite SaaS
• AegisQ-CodeShield — Code security scanning tool
• AegisQ-AISentinel — AI governance platform for software and physical AI systems (robots, drones, autonomous vehicles)

This Privacy Policy applies to information collected through our websites, applications, APIs, and customer interactions. Please read this policy carefully. If you do not agree with our practices, please do not use our services.

2.1 Personal Information

When you create an account or interact with our services, we collect:

• Name and email address
• Phone number (optional)
• Password (stored as securely hashed values)
• Authentication credentials (2FA/WebAuthn)
• Profile information and preferences

2.2 Organizational Information

For business accounts, we collect:

• Organization/company name
• Business address
• Billing information and payment details (processed via Stripe)
• Team member information and roles
• Organizational policies and compliance configurations

2.3 Technical Data

We automatically collect technical information when you use our services:

• IP address (for fraud prevention and security incident response only)
• Browser type and version (for service compatibility)
• Timestamps of service access (for support troubleshooting)
• Session information necessary for authentication

2.4 Product-Specific Data Collection

2.5 Usage Data

We collect minimal usage information, only as necessary to provide support, troubleshoot issues, and meet our service commitments. We do not collect usage data for behavioral targeting or third-party advertising. Specifically:

• Configuration changes (to enable rollback and audit)
• Performance metrics and error reporting (to maintain service quality)

2.6 Payment Information

Payment information is processed securely through Stripe. We do not store full credit card numbers. Stripe retains payment data according to their retention policies. We retain billing records for accounting, tax, and dispute resolution purposes.

We use the information we collect for the following purposes:

3.1 Providing Services

• Delivering the features and functionality of AegisQ products
• Authenticating users and managing accounts
• Processing transactions and sending invoices
• Providing customer support and responding to inquiries
• Fulfilling user requests and personalizing experiences

3.2 Security and Threat Detection (AegisQ-Security)

• Identifying and responding to security threats
• Analyzing threat patterns and behavioral anomalies
• Generating threat intelligence and risk assessments
• Maintaining tamper-evident audit logs (post-quantum blockchain anchoring planned, H2 2026)
• Preventing unauthorized access and protecting assets

3.3 AI Agent Governance and Compliance (AegisQ-AISentinel)

Software AI Governance:

• Monitoring AI agent behavior, decision-making, and trust scoring
• Helping demonstrate compliance with organizational policies, EU AI Act, and ISO 42001
• Generating governance reports, audit trails, and regulatory exports
• Detecting anomalous or concerning AI behaviors via multi-layer detection (statistical, behavioral, intent, twin, correlation, anti-circumvention)
• Providing cost attribution, budget enforcement, and FinOps reporting

Physical AI / Robotics Governance:

• Evaluating kinematic safety charters (joint limits, velocity caps, force thresholds, proximity zones)
• Verifying sensor integrity via Merkle-proof attestation and drift/tamper detection
• Running pre-execution validation through physical digital twin (URDF models, collision prediction)
• Monitoring robot operating modes (Connected, Degraded, Disconnected) and managing cryptographic lease systems
• Coordinating multi-robot safety in shared workspaces and detecting emergent fleet-level risks
• Enforcing safety compliance with ISO 10218, IEC 62443, IEC 62304, and EU AI Act physical AI requirements
• Providing hardware failsafe integration and fleet emergency stop capabilities

3.4 Code Security Scanning (AegisQ-CodeShield)

• Scanning code for vulnerabilities and security flaws
• Providing remediation guidance and security recommendations
• Tracking scan results and security improvement metrics
• Analyzing code patterns to improve detection models

3.5 Executive Decision Support (AegisQ-Helm)

• Providing AI-driven business intelligence and insights
• Analyzing organizational financial and operational data
• Generating recommendations for strategic decisions
• Maintaining decision audit trails and compliance records

3.6 Product Improvement and Analytics

• Aggregated, de-identified product-performance metrics only (e.g., service uptime, error rates, response latency)
• Testing and optimizing service performance

3.7 Communications

• Sending service announcements and updates
• Notifying users of security incidents or policy changes
• Providing billing statements and receipts
• Responding to support requests

3.8 Legal and Compliance

• Complying with legal obligations, court orders, and regulatory requirements
• Enforcing our Terms of Service and other agreements
• Preventing fraud and illegal activity
• Protecting the rights, safety, and property of AegisQ, our users, and the public

4.1 We Do Not Sell Your Data

AegisQ does not sell, rent, or trade personal information to third parties for marketing purposes. Your data is a core component of our trustworthy relationship with you.

4.2 Service Providers

We share information with trusted service providers who assist in operating our services and conducting our business:

• Cloud Hosting: Google Cloud Platform (GCP) in the us-central1 region for infrastructure, storage, and processing
• Payment Processing: Stripe for secure credit card processing and billing
• Email Services: Resend for transactional email delivery
• Other Vendors: Analytics, monitoring, customer support, and security partners under data processing agreements

All service providers are contractually bound to use your information only as necessary to provide services to us and must maintain confidentiality and security.

4.3 Multi-Tenant Environments

For AegisQ-Security and AegisQ-Helm, customer data is strictly isolated by tenant. Your organization's raw data is logically and physically separated from other customers. MSSP (Managed Security Service Provider) customers can view only data from their managed client accounts under the consent scopes you grant.

4.3.1 Immunity Propagation (AegisQ-Security)

To strengthen detection for every AegisQ-Security tenant, the platform uses a vaccine-style federated learning mechanism. When one tenant's environment encounters a previously-unseen threat, the detection signature is anonymized — stripped of all identifying information including tenant IDs, IP addresses, hostnames, user names, file paths, account names, and any other personal, customer-identifiable, or proprietary data — and the anonymized pattern is propagated across the platform so every other tenant gains the same defense, typically within minutes.

What we propagate: anonymized detection metadata only — behavioral patterns, attack signatures, threat-class indicators, and the resulting detection rule. What we never propagate: raw customer data, customer-identifiable information, or any content from your environment.

Because immunity propagation operates on anonymized data that cannot reasonably identify any individual or organization, it is not personal data within the meaning of GDPR or CCPA, and is enabled by default for all AegisQ-Security tenants. This mechanism is core to the platform's value (and is the subject of patent AegisQ-002 — Distributed Autonomous Coordination Protocol). If you have specific concerns about this mechanism for your environment, contact info@aegisq.com.

4.4 Law Enforcement and Legal Requests

We may disclose information when required by law, regulation, or court order, or to comply with valid legal processes. We will:

• Require proper legal documentation (subpoena, warrant, court order)
• Notify you of requests when legally permitted to do so
• Disclose only the minimum information legally required
• Maintain records of all disclosure requests

4.5 Business Transfers

If AegisQ is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you and provide you with choices regarding your data.

4.6 With Your Consent

We may disclose information when you explicitly consent to such disclosure, such as when you authorize us to integrate with third-party services or when you participate in joint research initiatives.

4.7 Aggregated and De-Identified Data

We may use and disclose aggregated, anonymized, or de-identified data for research, analytics, marketing, and other purposes without restriction, provided such data cannot reasonably identify you.

AegisQ implements comprehensive technical, administrative, and physical safeguards to protect your information from unauthorized access, alteration, disclosure, or destruction.

5.1 Encryption

• At Rest: AES-256 encryption for all sensitive data stored in databases and file systems
• In Transit: TLS 1.3 for all data transmitted over networks, including API calls and web traffic
• Key Management: Secure key derivation and storage using industry-standard practices

5.2 Post-Quantum Cryptography

For applicable systems (AegisQ-Security and AegisQ-AISentinel), we implement NIST-approved post-quantum cryptographic algorithms to prepare for future quantum computing threats:

• Dilithium: Lattice-based digital signature scheme
• Kyber: Lattice-based key encapsulation mechanism
• SPHINCS+: Hash-based signature scheme

5.3 Audit Logging

AegisQ-Security and AegisQ-AISentinel use tamper-evident, chain-hashed audit logging to ensure that security actions, decisions, and governance events cannot be altered retroactively. Post-quantum blockchain anchoring is on our H2 2026 roadmap.

5.4 Access Control

• Role-Based Access Control (RBAC): Users can only access data and functions appropriate to their assigned role
• Principle of Least Privilege: Employees have access only to information necessary for their job functions
• Multi-Factor Authentication (MFA): Required for all administrative and customer accounts
• Session Management: Secure session tokens with appropriate expiration and revocation

5.5 Multi-Tenant Isolation

Our architecture ensures strict logical and physical isolation between customer data. Tenants cannot access or influence each other's data through any means.

5.6 Security Assessments

• Regular penetration testing by independent security firms
• Continuous vulnerability scanning and patch management
• SOC 2 Type II readiness tracking and implementation
• Annual third-party security audits
• Internal security review and incident response procedures

5.7 Limitations

While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of your information. You use our services at your own risk, and you are responsible for protecting your passwords and account credentials.

We retain your information for as long as necessary to provide our services, comply with legal obligations, and resolve disputes. Retention periods vary by data type:

Data Type	Retention Period	Purpose
Account Information	While account is active + 30 days after deletion	Service provision and dispute resolution
Audit Logs	7 years	IRS/SOX compliance, security investigations
Security Telemetry (AegisQ-Security)	Configurable per customer (default: 90 days)	Threat detection, incident response
Decision Logs (AegisQ-Helm)	7 years	Compliance, audit trail, executive accountability
CodeShield Scan Results	Local only, user-controlled	Local development and vulnerability tracking
AI Behavior Data (AegisQ-AISentinel)	1-7 years (configurable)	AI governance, compliance reporting
Physical AI Kinematic Telemetry	3 years minimum (configurable up to 7 years)	Safety compliance, incident investigation, regulatory audit
Safety Event Logs (Physical AI)	7 years	Incident investigation, regulatory compliance (OSHA, ISO 10218)
Sensor Attestation Data	5 years	Sensor integrity verification, calibration audit trail
Digital Twin Simulation Records	3 years	Pre-execution validation history, collision prediction logs
Fleet Coordination & Cryptographic Lease Records	5 years	Multi-robot coordination audit, operating mode transitions
Payment Records	Per Stripe's retention policy + 7 years for tax	Billing, tax compliance, dispute resolution
Communication Logs (Support)	3 years	Customer support, quality assurance

Data Deletion

Upon account termination or deletion request, we will delete or de-identify your information within 30 days, except where:

• Retention is required by law or regulation
• Deletion would violate another customer's legitimate interests
• Data is aggregated or anonymized (no longer identifiable as yours)
• Backup copies exist and are securely destroyed in accordance with our data retention schedule

Depending on your location, you may have certain rights regarding your personal information:

7.1 General Rights (All Users)

• Access: You have the right to know what personal information we hold about you
• Correction: You can request that we correct inaccurate or incomplete information
• Deletion: You can request deletion of your data, subject to legal retention requirements
• Portability: You can request a copy of your data in a machine-readable format
• Restrict Processing: You can request that we limit how we process your information
• Withdraw Consent: Where our processing is based on consent, you can withdraw it at any time

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights:

• Right to Know: What personal information we collect, use, share, and sell
• Right to Delete: Delete personal information collected from you
• Right to Correct: Correct inaccurate personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell data)
• Right to Limit Use: Limit our use of sensitive personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights

7.3 European Residents (GDPR)

If you are located in the EU, EEA, or UK, you have GDPR rights:

• Right of Access: Request access to your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion under certain circumstances
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, portable format
• Right to Object: Object to processing for direct marketing or other purposes
• Rights Related to Automated Decision-Making: Request human review of decisions based on automated processing

7.4 How to Exercise Your Rights

To exercise any of these rights, contact us at info@aegisq.com with:

• A clear description of your request
• Your name and account email address
• Proof of identity (for sensitive requests)

We will respond to valid requests within 30-45 days (or as required by applicable law). We may ask for additional information to verify your identity or clarify your request. We will not charge a fee unless your request is excessive or manifestly unfounded.

7.5 Appeal Rights

If you are unsatisfied with our response to a rights request, you may appeal within 30 days by sending a detailed explanation to info@aegisq.com.

AegisQ uses cookies and similar tracking technologies to provide and improve our services. Here's what you need to know:

8.1 Types of Cookies We Use

Essential Cookies

• Session cookies for user authentication and authorization
• CSRF tokens for security
• Language and preference settings
• You cannot disable these cookies as they are necessary for our services to function.

Analytics Cookies

• Track usage patterns and feature adoption
• Measure service performance and reliability
• Improve user experience and product design
• You can opt out of these cookies.

Advertising Cookies

• AegisQ does not use third-party advertising cookies. We do not allow advertisers to track you across websites.

8.2 Your Cookie Choices

Most web browsers allow you to control cookies through settings. You can:

• Delete existing cookies
• Prevent new cookies from being set
• Receive warnings before cookies are created

Note: Disabling essential cookies may prevent you from using some features of our services. Analytics cookies can be disabled without affecting functionality.

8.3 Similar Tracking Technologies

We may use other tracking technologies such as web beacons, pixels, and local storage (localStorage, sessionStorage) to provide similar functionality to cookies. These technologies are subject to the same principles as our cookie policy.

8.4 Do Not Track (DNT)

Some browsers include a "Do Not Track" feature. Currently, there is no industry standard for recognizing DNT signals. AegisQ does not respond to DNT headers, but you can control tracking through our cookie preferences and browser settings.

AegisQ services are not designed for, directed to, or intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.

If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete such information and terminate the child's account immediately. Parents or guardians who believe their child has provided information to AegisQ should contact us immediately at info@aegisq.com.

For users aged 13-18 (or the age of digital consent in their jurisdiction), we provide additional protections and do not use behavioral data for targeted marketing.

AegisQ operates from the United States. Your information is processed and stored primarily in the United States (Google Cloud Platform, us-central1 region).

10.1 Cross-Border Transfers

If you are located outside the United States and provide information to AegisQ, your data will be transferred to and processed in the United States. By using our services, you consent to this transfer and processing under this Privacy Policy and applicable laws.

10.2 Data Processing Agreement (DPA)

For customers processing EU Personal Data through AegisQ services, AegisQ offers a Data Processing Agreement (DPA) in compliance with GDPR Article 28. The DPA sets out the subject matter, duration, nature, and purpose of processing, the types of personal data processed, and the obligations and rights of both the controller and processor. To request and execute a DPA, contact info@aegisq.com.

10.3 Standard Contractual Clauses

For transfers of personal data from the EU/EEA to the United States, AegisQ relies on Standard Contractual Clauses (SCCs) approved by the European Commission. These contractual mechanisms provide adequate protections for personal data transferred outside the EEA.

10.4 Adequacy Determinations

The United States does not have an adequacy determination from the European Commission. However, AegisQ implements comprehensive safeguards (encryption, access controls, audit logging) to protect EU personal data in compliance with GDPR requirements.

10.5 Data Subject Rights

If you are an EU resident, you retain all rights under the GDPR regardless of where your data is processed (see Section 7.3).

AegisQ may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Effective Date" at the top of this policy
• Notify you via email or prominent in-product notification
• Request your consent if the changes involve new processing purposes

Your continued use of AegisQ services after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy regularly to stay informed about how we protect your information.

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Response Time

We will respond to all privacy inquiries within 5 business days. For data access requests or rights inquiries, please allow 30-45 days for a complete response.

Additional Resources

• Terms of Service: aegisq.com/terms
• Security Page: aegisq.com/security
• Cookie Preferences: Available in account settings