Legal

Privacy Policy

Last updated: 1 June 2026 · Effective: 1 June 2026 · Controller: AEGIS OS (operated by Ben Carkaxhia)

Plain-language summary: We collect only what we need to run your AI team. We never sell your data. You can export your account data, request deletion, and cancel a pending account deletion before it is executed. Active AEGIS tenant data can be erased and verified; backups, legal obligations, legal hold, and external source systems follow their own retention rules.

1. Who we are and how to reach us

AEGIS OS is an AI Operating System for businesses, operated by Ben Carkaxhia ("we", "us").

Data Controller: Ben Carkaxhia, operating AEGIS OS
Contact: [email protected]
Response time: We aim to respond to all privacy enquiries within 72 hours.

This policy covers the AEGIS OS platform at aegis-agents.work and any related mobile or API access.

2. What data we collect and why

2.1 Account & subscription data

Name, email address, company name — provided when you register
Subscription tier, billing status — managed via Stripe
Team member email addresses — when you invite your team

Lawful basis: Contract performance (GDPR Article 6(1)(b)) — necessary to provide the service.

2.2 AI interaction data

Messages you send to your AI agents via Omni, Telegram, WhatsApp or email
Task prompts, responses, and agent delegation records
Your Company Mission and agent configuration settings

Lawful basis: Contract performance — this is the core service you pay for. Your agent conversations are stored in your tenant schema, isolated from other customers.

2.3 Usage & audit data

Audit log entries (logins, Omni chats, task executions, settings changes)
Task counts, agent usage statistics
Session activity for security purposes

Lawful basis: Legitimate interests (GDPR Article 6(1)(f)) — fraud prevention, security monitoring, and service improvement.

2.4 Integration credentials

Telegram bot tokens, WhatsApp credentials, email configuration — when you connect integrations
These are stored encrypted and never exposed outside your tenant

Lawful basis: Contract performance — required to deliver integrations you have enabled.

2.5 Technical & analytics data (with your consent)

Browser type, operating system, device type
Pages visited, time spent — if you accept analytics cookies
IP address (hashed, not stored in plain text)

Lawful basis: Consent (GDPR Article 6(1)(a)) — only collected if you accept analytics/marketing cookies. You can withdraw consent at any time via our cookie banner.

3. How we use AI to process your data

AEGIS OS is an AI-powered platform. When you interact with your agents:

Your messages are processed by large language models (LLMs) to generate responses
We use Groq (primary) and Google Gemini (fallback) as LLM providers — see Section 5 for sub-processors
Your Company Mission is automatically injected into agent prompts to provide context
AI responses are generated in real-time and not used to train external models

AI transparency (EU AI Act awareness): AEGIS OS AI agents are decision-support tools. They assist your business processes but do not make final binding decisions. You remain in control of all outcomes.

4. Data retention

Data type	Retention period
Account & subscription data	Duration of account; active AEGIS account data is erased after a confirmed account deletion request is executed, except records we must retain for legal, tax, security, or dispute reasons
AI agent conversations (Omni, tasks)	Duration of subscription, until you delete them where supported, or until account-level erasure executes
Audit logs	12 months rolling
Integration credentials	Until you disconnect the integration
Cookie consent records	3 years (required for demonstrable consent)
Support chat transcripts	90 days
Billing records (Stripe)	7 years (tax/legal obligation)

5. Sub-processors and international transfers

We share your data with the following sub-processors solely to deliver the service:

Sub-processor	Purpose	Location	Safeguard
Groq, Inc.	LLM inference (primary AI processing)	USA	SCCs / Groq DPA
Google (Gemini)	LLM inference (fallback)	USA	SCCs / Google DPA
Telegram Messenger	Message delivery (if integration enabled)	UAE/Global	User-consented channel
Twilio (WhatsApp)	WhatsApp message delivery (if integration enabled)	USA	SCCs / Twilio DPA
Stripe, Inc.	Payment processing & subscription management	USA/EU	SCCs / PCI-DSS
Hetzner Online	VPS hosting (production infrastructure)	Germany (EU)	GDPR-native

For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission.

6. Your rights under GDPR

As a data subject, you have the following rights. We will respond within 30 days (extendable to 3 months for complex requests):

Access (Art. 15): Request a copy of all personal data we hold about you
Rectification (Art. 16): Correct inaccurate data — most fields are editable directly in Settings
Erasure (Art. 17): Request deletion of personal data. Logged-in owners can schedule account-level deletion in Settings; pending account deletions can be cancelled before execution. Subject-specific requests inside a live business tenant are handled through the Data Request form and may require identity verification.
Portability (Art. 20): Export your data in JSON format — available in Settings
Restriction (Art. 18): Request we pause processing while a dispute is resolved
Object (Art. 21): Object to processing based on legitimate interests
Withdraw consent (Art. 7(3)): Withdraw cookie consent at any time via the cookie banner
Complaint (Art. 77): Lodge a complaint with your supervisory authority

To exercise any right: [email protected] or use our Data Request form. We may refuse or limit deletion where GDPR or another law requires continued processing, and we will explain the reason if that happens.

7. Cookies

Essential cookies (no consent required)

Cookie	Purpose	Duration
`session`	Authentication session — keeps you logged in	Session / 24h
`aegis-theme-v2`	Light/dark theme preference	1 year (localStorage)
`aegis-cookie-consent`	Stores your cookie consent choice	1 year

Analytics cookies (consent required)

We do not currently use third-party analytics trackers. If we add them in the future, we will request your consent first via the cookie banner.

Marketing cookies (consent required)

We do not use retargeting or advertising cookies.

8. Security

All data in transit is encrypted via TLS 1.2+
Each customer's data is stored in an isolated PostgreSQL schema (tenant isolation)
Integration credentials are stored encrypted at rest
Access to production systems is restricted and logged
We maintain an audit log of all significant account actions

9. Children's data

AEGIS OS is a B2B platform intended for businesses and professionals. We do not knowingly collect personal data from individuals under 16. If you believe a minor has registered, please contact us immediately.

10. Changes to this policy

We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance.

11. Contact & supervisory authority

For privacy questions: [email protected]

You have the right to lodge a complaint with your national data protection authority. In the EU, you can find your authority at edpb.europa.eu.