Privacy Policy

aithic.org - GDPR & CCPA Compliant Privacy Protection

Last Updated: September 2025

Our Privacy Promise:

We collect minimal data necessary for service operation and account management. No personal data sales, no behavioral tracking, no marketing profiles. Full GDPR & CCPA compliance with strong privacy rights protection.

1. Data Controller Information

Data Controller: aithic.org

Address: Aithic.org, Via Magenta 1/16, 22060 Cabiate (CO), Italia

Email: privacy@aithic.org

Data Protection Officer: dpo@aithic.org

Website: aithic.org

As the data controller, we process all collected data internally for the purposes outlined in this policy. Our primary server is located in Iceland (EEA) and some data may be transferred to and processed in Italy (EU).

2. Introduction

Welcome to aithic.org ("we," "our," or "us"). This Privacy Policy explains how we collect, use, and protect your information in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We are committed to privacy-by-design principles and data minimization.

By using our service, you agree to the collection and use of information in accordance with this policy.

3. Information We Collect

Account Registration Data (Provided by You)

When you register for an account on aithic.org, we collect:

  • First Name
  • Last Name
  • Company/Organization Name
  • Email Address

Legal Basis (GDPR): Contract performance for providing account services (Art. 6(1)(b))

Technical Information (Automatically Collected)

  • IP Address (for service delivery and security)
  • Browser type and version
  • Operating system information
  • Device type and screen resolution
  • Referring website URL
  • Timestamp of service access

Legal Basis (GDPR): Legitimate interest for service operation and security (Art. 6(1)(f))

Domain Analysis Data

  • Domain names submitted for ethical analysis
  • Analysis timestamps
  • Analysis results (linked to your account if logged in)

Legal Basis (GDPR): Legitimate interest for providing requested service (Art. 6(1)(f))

Information We Do NOT Collect

  • Behavioral tracking or user analytics
  • Marketing or advertising data
  • Social media data or connections
  • Browsing history or cross-site tracking
  • Personal preferences or behavioral profiles

4. How We Use Your Information

Account Registration Data

  • Account Management: Creating and maintaining your user account
  • Service Delivery: Providing personalized access to AI ethics analysis tools
  • Communication: Sending service-related notifications and updates
  • Support: Responding to customer service inquiries

Technical and Analysis Data

  • Service Delivery: Processing domain names through AI analysis and displaying results
  • Security: Preventing abuse, detecting malicious activity, and maintaining service integrity
  • Technical Operations: Ensuring service availability and performance optimization
  • Legal Compliance: Meeting regulatory requirements and responding to legal requests

No Automated Decision-Making: We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.

5. Third-Party Data Sharing

Account Data Protection

We do NOT share your account registration information (first name, last name, company, email address) with any third parties for any purpose, including:

  • Marketing or advertising companies
  • Data brokers or analytics services
  • Social media platforms
  • Business partners for commercial purposes
  • Any external service provider

Exception: We may only disclose account data if legally required by law enforcement or court order.

Google Gemini AI (Service Provider)

Domain names submitted for analysis are processed through Google's Gemini AI service. This transfer:

  • Only includes domain names, not account information
  • Is covered by Standard Contractual Clauses (SCCs) for GDPR compliance
  • Falls under Google's Data Processing Agreement
  • Does not result in personal data retention by Google for this service

Google's privacy policy: https://policies.google.com/privacy

6. Cookies and Tracking Technologies

For detailed information about our cookie practices, please see our Cookies Policy.

Summary - We do NOT use:

  • Analytics or tracking cookies for behavioral monitoring
  • Advertising or marketing cookies
  • Social media tracking pixels
  • Cross-site tracking technologies
  • Persistent behavioral tracking or user profiling

7. Your Rights Under GDPR (EU Users)

Your Data Protection Rights

Right of Access (Art. 15)

Request information about data processing and copies of your personal data

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data

Right to Erasure (Art. 17)

Request deletion of personal data ("right to be forgotten")

Right to Restriction (Art. 18)

Limit processing of your personal data

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format

Right to Object (Art. 21)

Object to processing based on legitimate interests

How to Exercise Your Rights:

Contact us at privacy@aithic.org. We respond within 30 days (1 month) as required by GDPR Article 12(3).

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe your privacy rights have been violated.

EU Data Protection Authorities: Find your local authority

8. California Privacy Rights (CCPA)

Your CCPA Rights (California Residents)

Right to Know

Request disclosure of personal information collection, use, and sharing practices

Right to Delete

Request deletion of personal information we have collected

Right to Opt-Out

Opt out of the sale of personal information (We do not sell personal information)

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights

CCPA Disclosure Categories

Categories of Personal Information Collected (Last 12 Months):

  • Identifiers: First name, last name, email address
  • Commercial Information: Domain analysis requests, account activity
  • Internet/Network Information: IP address, browser data, device information
  • Professional Information: Company/organization name

Business Purposes for Collection: Account management, service provision, security, legal compliance

Categories of Third Parties With Whom We Share Personal Information: Service providers (Google Gemini AI - domain data only, not account data)

Sale of Personal Information: We do not sell, rent, or lease personal information to third parties

How to Exercise CCPA Rights

Submit requests to privacy@aithic.org with subject line "CCPA Request". We respond within 45 days as required by CCPA § 1798.130(a)(2).

We may request verification of your identity to protect your personal information from unauthorized access.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Technical Measures

  • TLS 1.3 encryption for all communications
  • Encrypted data storage
  • Regular security patches and updates
  • Secure server configurations
  • Automated threat detection and monitoring

Organizational Measures

  • Privacy by design implementation
  • Regular security assessments
  • Incident response procedures
  • Staff training on data protection
  • Limited access controls

Data Breach Notification:

In case of a data breach affecting your personal data, we will notify you and relevant authorities within 72 hours as required by GDPR Article 33.

10. Data Retention

Account Registration Data

Retained while your account is active, plus 30 days after account deletion for administrative purposes

Technical and Error Logs

Automatically deleted after 365 days

Domain Analysis Data

Retained for service provision and aggregated statistics (anonymized)

Security Data

Retained for 365 days for abuse prevention and security monitoring

Retention Principle: We apply data minimization and only retain personal data for the shortest period necessary for specified, legitimate purposes.

11. Business Transfers and Acquisitions

Business Transfer Notification:

In the event of a merger, acquisition, asset sale, or other business transfer involving aithic.org, your personal data may be transferred to the new ownership or controlling entity.

What Happens to Your Data

If aithic.org is acquired, merged, or sells its assets, the following applies to your personal data:

Data Transfer Rights and Protections

  • All personal data will be transferred subject to the same privacy protections outlined in this policy
  • The acquiring entity must honor your existing privacy preferences and consent choices
  • Your GDPR and CCPA rights will remain fully intact under new ownership
  • We will provide 30 days' advance notice of any planned business transfer
  • You will have the right to delete your account and data before the transfer if you choose
  • The acquiring entity must comply with all applicable data protection laws

Your Options During Business Transfer

Before the transfer, you can:

  • Delete your account and all associated personal data
  • Update your privacy preferences
  • Contact us with any concerns about the transfer

We will clearly communicate all available options and ensure you have sufficient time to make informed decisions about your data.

Due Diligence Commitment

We commit to conducting thorough due diligence on any acquiring entity to ensure they:

  • Have appropriate data protection policies and practices
  • Commit to maintaining equivalent privacy standards
  • Agree to honor existing user privacy choices
  • Comply with applicable data protection regulations

Notification Method: We will notify affected users via email and website notice at least 30 days before any data transfer occurs.

12. International Data Transfers

When personal data is transferred outside the EU/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for transfers to countries with adequate protection levels
  • Additional safeguards including encryption and data minimization
  • Regular review of transfer mechanisms and recipient country laws

Google Services: Domain data processed by Google Gemini AI is subject to Google's GDPR-compliant data processing agreements and Standard Contractual Clauses. Your account registration data is never transferred to Google.

13. Children's Privacy

Children's Privacy Protection

Our service does not knowingly collect personal information from children under 16 (GDPR) or 13 (COPPA). We do not target our services to children, and our terms require users to be at least 18 years old to consent to data processing and account creation.

  • We do not knowingly collect, use, or store personal information from minors
  • We do not create profiles or track behavior of users under 18
  • We comply with COPPA, GDPR Article 8, and other applicable children's privacy laws
  • If we become aware that we have collected information from a minor, we will delete it promptly

Parent/Guardian Notice: If you believe a child under 18 has provided information to our Service, please contact us immediately at privacy@aithic.org for prompt removal.

14. Account Management and Data Control

Your Account Control Options

  • Delete your account and associated personal data
  • Opt out of non-essential communications

Account Deletion: When you delete your account, all associated personal data is permanently removed within 30 days, except where retention is required by law.

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated through:

  • Prominent notice on our website
  • Email notification to registered users
  • Updated "Last Updated" date
  • For significant changes affecting rights: 30-day advance notice

Continued use of our service after changes constitutes acceptance of the updated policy. For material changes affecting your rights, we may require explicit consent.

16. Contact Information

For privacy inquiries, rights requests, or concerns, please contact us:

General Privacy:
privacy@aithic.org

Data Protection Officer:
dpo@aithic.org

GDPR Requests:
gdpr@aithic.org

CCPA Requests:
ccpa@aithic.org

Website: aithic.org

Response Time: We respond to privacy requests within 30 days (GDPR) or 45 days (CCPA) as required by law.

17. Transparency Report

Our Commitment to Privacy Transparency

Account Data Sales:

$0 revenue from personal data sales

Marketing Cookies:

0 tracking cookies deployed

Data Breaches (2025):

0 incidents reported

GDPR Compliance:

All requests processed within required timeframes

CCPA Compliance:

All requests processed within required timeframes

Third-Party Account Sharing:

0 instances of account data sharing

This privacy policy reflects our commitment to GDPR and CCPA compliance, user account protection, and comprehensive privacy rights protection.