1. Scope of this Policy
This Privacy Policy explains how ElasticD3M, LLC ("we," "us," "our") collects, uses, discloses, and protects information in connection with vCISO Aegis AI™, our AI-Native AI Agent-as-a-Service (AaaS) product. "Services" means the vCISO Aegis AI™ website, dashboards, APIs, agents, collectors, and all related products that ingest live telemetry from systems you authorize and produce compliance, risk, and operational output from that telemetry.
This Policy applies to:
- visitors to our marketing website;
- customers and their authorized users of paid or pilot subscriptions; and
- individuals who contact us for support, sales, or partnership inquiries.
It does not apply to third-party websites, services, or applications that we link to or integrate with. Those are governed by their own privacy policies.
2. Information We Collect
2.1 Information You Provide to Us
- Account and billing information: name, business email, organization name, billing address, tax identifiers, and the subscription tier you select.
- Payment information: handled by our payment processor, Stripe, Inc. We do not receive or store your full payment card number or CVV.
- Support and communications: when you contact us by email or a support channel, we receive your message and any attachments.
2.2 Customer Data (Telemetry)
The Services process live telemetry from systems you authorize, which may include:
- configuration states, endpoint identifiers, and system metadata;
- access and audit logs;
- security control statuses and compliance evidence;
- user directory metadata (for example, role, group, or MFA status); and
- network flow summaries and alerts.
You are responsible for ensuring that you have the legal right to provide this telemetry to us. Where your telemetry contains personal data of individuals, we process it as a service provider or processor on your behalf.
2.3 Information We Collect Automatically
When you visit our website or use the Services, we may automatically collect:
- IP address, device identifiers, browser type and version, operating system, and language preference;
- referring URL, pages viewed, and interactions within our application;
- timestamps, session identifiers, and error diagnostics; and
- cookies and similar technologies (see Section 7).
3. How We Use Information
We use the information we collect to:
- provide, operate, secure, and improve the Services;
- authenticate users and prevent fraud and abuse;
- process subscriptions, payments, renewals, and refunds;
- generate compliance evidence, reports, scores, and dashboards for the customer who owns the underlying telemetry;
- send operational messages (receipts, service notices, security alerts);
- respond to support requests and feedback;
- comply with legal obligations, enforce our Terms of Use, and protect our rights; and
- with appropriate safeguards, analyze aggregated or de-identified data to improve product performance.
We do not sell your personal information, and we do not share Customer Data with advertisers.
4. How We Share Information
We share information only as described here:
4.1 Service Providers
We work with vetted service providers who help us operate the Services, including cloud hosting, payment processing (Stripe), email delivery, error monitoring, and analytics. These providers are authorized to use your information only to perform services for us and are bound by confidentiality and security obligations.
4.2 Legal and Safety
We may disclose information if required by law, regulation, court order, subpoena, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, protect safety, investigate fraud, or respond to a government request.
4.3 Business Transfers
If we are involved in a merger, acquisition, financing, or sale of all or part of our assets, information may be transferred as part of that transaction, subject to customary confidentiality arrangements and continued protection consistent with this Policy.
4.4 With Your Direction
We share information when you direct us to, for example, when you connect a third-party integration or request that we export your data.
5. Data Retention
| Category | Typical retention |
|---|---|
| Account and billing records | For the life of the account, then seven (7) years for tax and accounting purposes. |
| Customer Data (telemetry) | While the subscription is active. After termination, available for export for thirty (30) days, then deleted from production systems subject to backup retention. |
| Security and audit logs | Typically twelve (12) to twenty-four (24) months, longer if required to investigate an incident. |
| Support communications | Three (3) years from last contact. |
| Webhook event logs | Retained as an audit and idempotency record for the life of the account. |
We may retain information longer where required by law, to resolve disputes, or to enforce our agreements.
6. Security
We maintain administrative, technical, and physical safeguards designed to protect information from unauthorized access, loss, misuse, and alteration. These include encryption in transit, role-based access controls, audit logging, and employee confidentiality obligations. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
If we become aware of a security incident that affects your information, we will notify you as required by applicable law.
7. Cookies and Tracking Technologies
We use cookies and similar technologies on our website for essential operation (such as session management and security) and, in limited cases, for aggregated analytics to understand how visitors use the site. We do not use third-party advertising trackers.
You can control cookies through your browser settings. Blocking essential cookies may affect the functioning of the site.
8. Your Privacy Rights
8.1 Rights Under U.S. State Laws (including CCPA/CPRA)
Depending on your state of residence, you may have the right to:
- know what personal information we collect about you and how we use it;
- request access to or a copy of your personal information;
- request correction of inaccurate personal information;
- request deletion of your personal information, subject to legal exceptions;
- opt out of "sales" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising); and
- not be discriminated against for exercising these rights.
8.2 Rights Under GDPR / UK GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you may have the right to access, rectify, erase, restrict, or object to processing of your personal data, as well as the right to data portability. Where we process personal data on behalf of a customer, we act as a processor and will refer your request to the relevant customer (the controller).
8.3 How to Exercise Your Rights
To exercise any of these rights, email us at support@ai4ciso.ai. We will verify your identity before responding. We will respond within the timeframe required by applicable law.
9. International Data Transfers
We are based in the United States. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. By using the Services, you acknowledge that your information may be transferred to jurisdictions that may have different data protection laws than your jurisdiction.
10. Children's Privacy
The Services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact support@ai4ciso.ai and we will delete it.
11. U.S. Government and Regulated Customers
We understand that our customers include DoD contractors, CMMC-regulated organizations, and other operators of sensitive systems. Customer Data for these customers is processed under the terms of the applicable subscription agreement and, where required, a separate Data Processing Addendum or Business Associate Agreement.
Do not submit classified information, export-controlled data beyond what is authorized by your organization, or protected health information unless expressly permitted by your subscription agreement with us.
12. Do Not Track
Our website does not respond to browser "Do Not Track" signals. However, we do not use third-party advertising trackers on the Services.
13. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by email or an in-product notice. Your continued use of the Services after the effective date of the updated Policy indicates your acceptance of the changes.
14. Contact Us
If you have questions about this Privacy Policy or how we handle information, contact us at:
ElasticD3M, LLC — Attn: Privacy
[REGISTERED BUSINESS ADDRESS — TO BE INSERTED]
Email: support@ai4ciso.ai