Privacy notice
Effective 15 May 2026
1. Who we are
Aletis B.V. (in oprichting) (the “Company”, “Aletis”, “we”, “our”) is a Dutch private limited company in formation, with its operating office in Eindhoven, the Netherlands. Registration with the Dutch Chamber of Commerce (KvK) is in progress; the KvK number and finalised registered address will be published on this page within 30 days of incorporation and reflected in any contract executed thereafter.
Aletis operates the marketing website at aletis.co and the multi-tenant platform reachable at <slug>.aletis.co, under which each Customer (a company that has signed an order form with Aletis) receives a dedicated subdomain, cloud machine, storage volume, and database.
2. Contact for privacy questions
For any question, complaint, or rights request relating to personal data, write to:
- Data protection contact: ask.aletis@gmail.com
- Postal address: Aletis B.V. (in oprichting), Eindhoven, the Netherlands. A specific street address will be published with the KvK registration.
Aletis has not designated a Data Protection Officer because processing does not meet the thresholds of Article 37(1) of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). The address above is the single point of contact for all data-protection matters.
3. Our role
The role Aletis plays depends on whose personal data is at issue:
- Visitors of aletis.co and sales contacts. Aletis acts as a controller. This notice describes that processing in full.
- End users of an onboarded Customer (people who sign in at <slug>.aletis.co, create automations, and upload files). The Customer is the controller; Aletis is the processor acting solely on the Customer's documented instructions under the Data Processing Agreement (the “DPA”). Aletis's processor obligations, including notice of personal-data breach and sub-processor management, are set out in the DPA.
4. What we collect and why
4.1 Visitors of aletis.co
The website is statically hosted on Cloudflare's edge network. No analytics, advertising, fingerprinting, or session-recording tooling runs on the marketing site. Server logs retained by Cloudflare for the standard operational period contain truncated IP addresses and the request URL; Aletis does not enrich these with personal data.
The animated background on the home page is rendered by a third-party WebGL library loaded from cdn.jsdelivr.net. When the library executes it fetches the scene definition and texture data from unicorn.studio, assets.unicorn.studio and storage.googleapis.com/unicornstudio-production. No cookies are set, no user identifiers are sent, and no information typed into the page is transmitted; the only identifier in those requests is the public scene number of the animation itself. The third parties may log the request IP and user-agent as part of normal CDN and storage operation. If this is a concern for your organisation we will provide an animation-free version of the page on request.
4.2 Sales contacts
When a prospective customer contacts ask.aletis@gmail.com, we receive the name, business e-mail, employer, and any content the sender chooses to share. We use this information solely to respond to the enquiry, prepare a commercial proposal, and maintain a contact history if a relationship is established.
4.3 End users of a Customer tenant
When an end user signs in at <slug>.aletis.co, the platform processes the following on behalf of the Customer:
- Identification data — e-mail address and display name returned by Google Identity, required to authenticate the session and bind activity to a user.
- Session metadata — IP address and user-agent at sign-in, absolute 16-hour session expiry, last-activity timestamp.
- Automation content — prompts, the user-controlled CLAUDE.md instruction file, and files attached to chats. Stored only inside the Customer's dedicated Fly Volume and Neon Postgres database.
- Audit log — sign-in attempts, automation create / update / delete, chat-start, chat-continue, settings changes, account deletion. Kept hot for 90 days, then archived to object storage per the DPA's retention schedule.
- Operational telemetry — error reports, request traces, and structured logs from which e-mail addresses are removed outside the audit log.
5. Lawful basis (Article 6 GDPR)
| Processing | Lawful basis |
|---|---|
| Responding to sales enquiries | Article 6(1)(b) — pre-contractual steps at the data subject's request; and Article 6(1)(f) — our legitimate interest in growing the business. |
| Authenticating end users via Google Identity; running automations on Customer content | Article 6(1)(b) — performance of the contract with the Customer. Aletis processes this data only on the Customer's documented instructions under the DPA. |
| Maintaining the audit log and operational telemetry | Article 6(1)(f) — our and the Customer's legitimate interest in operating a secure service; Article 6(1)(c) — compliance with our security and breach-notification obligations. |
| Responding to a data-subject rights request | Article 6(1)(c) — compliance with a legal obligation under the GDPR. |
6. What we do not do
- We do not sell, rent, or trade personal data.
- We do not use customer prompts, attachments, automations, or audit data to train or fine-tune any AI model — neither our own nor any model operated by a third party. The Anthropic Claude API is invoked under terms that prohibit training on customer content.
- We do not operate advertising, analytics, retargeting, fingerprinting, or session-replay scripts on aletis.co or in the product.
- We do not retain Google sign-in tokens after the immediate sign-in transaction has been validated; the session is anchored by a server-side row, not the token.
7. Sub-processors and recipients
Aletis relies on the sub-processors listed in Annex A of the Data Processing Agreement to operate the platform. No personal data is shared with any other recipient except where required by Dutch or Union law, or with the Customer's prior written authorisation.
8. International transfers
Aletis stores Customer content in the cloud region selected at onboarding. Several of our sub-processors are headquartered in the United States. Where they hold or process personal data on our behalf, transfers outside the EEA rely on (a) the EU–U.S. Data Privacy Framework where the sub-processor is certified, and (b) the European Commission's Standard Contractual Clauses (Module Two, controller-to-processor; 2021/914) supplemented with the UK Addendum where applicable. A summary of the relevant mechanism per sub-processor is in DPA Annex A.
9. Retention
- Sessions. Hard 16-hour absolute expiry. Expired rows are removed each day.
- OAuth sign-in attempts. Cleaned up one hour after issuance.
- Chats not continued for 14 days. Irrevocably deleted with all attachments and cached Claude state. No warning, no extension, no archive.
- Upload drafts (files queued but not started). Cleaned up after 24 hours of inactivity.
- Audit log. 90 days hot in the tenant database; archived afterwards to encrypted object storage for the term agreed in the DPA.
- Sales-enquiry correspondence. Retained while the relationship is active and for a further 24 months thereafter, unless you ask us to delete it sooner.
- Deleted user account. Identity data, personal automations, and the user's personal workspace are deleted irrevocably. Company-owned automations the user created remain with created_by set to null.
10. Your rights
Under the GDPR (and analogous rights under the UK GDPR and applicable Dutch implementing legislation) you may request access to your data, rectification of inaccurate data, erasure, restriction of processing, and portability, and you may object to processing based on Article 6(1)(f). Where consent is the lawful basis you may withdraw it at any time without affecting prior processing.
If you are an end user of an onboarded Customer, the most efficient route is to ask your Customer's Aletis administrator: the platform provides them the tooling to delete your account and your personal data directly. If you write to us at ask.aletis@gmail.com we will forward the request to your Customer and assist them under our processor obligations.
If you are a website visitor or sales contact, write to the same address and we will respond within 30 calendar days.
You also have the right to lodge a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority of your habitual residence or place of work.
11. Automated decision-making
Aletis does not take decisions producing legal effects or similarly significantly affecting individuals on a solely automated basis (Article 22 GDPR). Claude-generated outputs inside the product are advisory; the end user (and their Customer) is responsible for any decision taken on the basis of those outputs.
12. Children
Aletis is a B2B service sold to companies for use by their employees. The platform is not directed at, marketed to, or intended for individuals under the age of 16. We do not knowingly process personal data of children; if you believe a child's data has reached us, contact us at ask.aletis@gmail.com and we will delete it without delay.
13. Security
Technical and organisational measures are described in Annex B of the DPA. In summary: each Customer's data is isolated in a dedicated machine, storage volume, and database; each end user runs inside a per-user Linux sandbox; OAuth state is HMAC-signed with PKCE; the session cookie uses the __Host- prefix; data in transit is protected by TLS 1.2 or later; data at rest is encrypted by the underlying infrastructure providers.
14. Changes to this notice
Material changes will be announced to the primary commercial contact of every onboarded Customer at least 30 days before they take effect. Non-material clarifying edits refresh the “Effective” date at the top of this page. The previous version of this notice is available on request.
