Privacy
Last updated: 2026-05-04 — placeholder. Final policy ships with v1.0 launch and will be reviewed by counsel.
What we collect
- Account email and name (auth provider, EU-hosted).
- Scan input: property URL, repository URL, commit SHA, code diff.
- Detection output: DOM analysis only — no PII from end-users of scanned sites is captured.
- Anonymous product analytics via self-hosted infrastructure inside the EU; no third-party trackers.
- Audit trail (HAES): append-only event ledger of scans, violations, fixes, certs, overrides — this is by design (EU AI Act Art. 50).
What we don't collect
- End-user PII from properties you scan.
- Source code outside the lines flagged by detection rules.
- Third-party trackers or ad networks.
- Cross-property fingerprints. Each Org's data is isolated via Postgres row-level security.
Where it lives
All scan data and analytics are hosted in the EU (Hetzner FSN1 / HEL1, Cloudflare Pages static delivery). Multi-region (FSN+HEL) is on the Phase 2 roadmap; multi-cloud (Hetzner + OVH) is Phase 3. Retention default: 30 days. Enterprise tier: 7 years (EAA + EU AI Act Art. 50 audit-trail requirement). Export-on-cancellation is included in the MSA.
Legal basis
- Contract — service delivery to subscribed Orgs.
- Legitimate interest — product analytics on the marketing site.
- Legal obligation — EU AI Act Art. 50, EAA, GDPR Art. 28.
A GDPR Article 28 DPA is available for Business and Enterprise customers. Subprocessor list shipped with v1.0.
Contact
Privacy or data-protection questions: privacy@ariada.ai. Right-to-be-forgotten and access requests: dpo@ariada.ai.