AegeanAll legal docs

Privacy Policy

Draft — pending counsel review.

This document captures Aegean’s current operational posture transparently, but is not yet a legally-binding agreement. Customer #1 onboarding uses a written side letter signed off by both parties until this document has been reviewed and ratified by qualified counsel. The page is published so prospective customers can see the direction of travel; do not rely on it for due diligence as-is.

This page describes how Aegean handles personal data. It applies in two roles: as a data controller when you sign up, log in, and use the dashboard, and as a data processor when you use the service to send messages to your own customers. The processor role is governed by the Data Processing Agreement (available on request) and prevails over this page where they conflict.

1. Who we are

Aegean Engine is operated by Ege Turan as an individual EU-based service provider, pending legal-entity formation. For privacy questions today, contact egeturanf@gmail.com. A dedicated privacy@aegeanengine.com mailbox and registered legal entity will be substituted here once counsel review is complete.

2. What personal data we collect

When you create and use an Aegean account, we hold the following categories of personal data:

  • Account email, name, password (BCrypt-hashed) — for login, account contact, and billing. Lawful basis: contract.
  • Plan, balance, payment-method metadata, transactions — for service provision and tax-law retention (typically 7 years).
  • API keys (BCrypt-hashed prefix + secret) — for programmatic access. Held until you revoke them.
  • Verified sender domains and DKIM keys — for email authentication. Held until you remove them.
  • Email log metadata (sender, recipient, subject, status, timestamp) but not the email body — for service operation, debugging, and abuse prevention. Customer-configurable retention; default 90 days.
  • Webhook delivery URLs — for service integration. Held until removed.
  • IP addresses — for anti-abuse, rate-limiting, and audit. Stored truncated (/24 for IPv4, /48 for IPv6) on engagement events; held 90 days then anonymised.
  • Audit log — admin actions taken on your account, retained 365 days for security and compliance.

3. Where your data is stored

All Customer personal data is stored on servers in the European Union (Hetzner Falkenstein for development, Contabo Frankfurt for production). Off-host backups stay within the EU. We do not transfer your personal data outside the EU/EEA except as listed in the subprocessors document, and any such transfer is governed by Standard Contractual Clauses or an adequacy decision. See data residency for the operational detail.

4. Who we share data with

We share data only with the parties listed in our subprocessors page. We notify customers in advance of any new subprocessor.

We do not sell your data. We do not use email content or recipient lists for advertising. We do not train AI models on customer data.

5. Your rights under GDPR

You have the following rights, exercised via the address in §1 or — where indicated — self-service in the dashboard. We respond within 30 days (or 60 days for complex requests per Art. 12(3), with notice).

  • Access (Art. 15) + Portability (Art. 20) — a machine-readable export of your account data on request. A self-service export endpoint is on the roadmap.
  • Rectification (Art. 16) — your dashboard settings page lets you correct your name and (with re-verification) your email.
  • Erasure (Art. 17) — request via the address in §1. Deletion runs through a 30-day grace window, after which personal data is hard-deleted, redacted, or anonymised.
  • Restrict processing (Art. 18), object (Art. 21), withdraw consent (Art. 7) — contact the address in §1.
  • Complain to a supervisory authority — your local data-protection authority. The specific authority for Aegean will be added once the legal entity is incorporated.

6. Cookies

We use one cookie: aegean_token — strictly necessary, used to keep you signed in for 7 days, set on the dashboard domain only. We do not use analytics, advertising, or tracking cookies.

7. Security

  • All data in transit is encrypted with TLS 1.2+; HSTS enforced for one year.
  • Sensitive secrets (DKIM private keys, SSM SecureString parameters, SMS carrier credentials, webhook signing secrets) are encrypted at rest with AES-256-GCM.
  • Passwords and API keys are stored as BCrypt hashes (cost 12).
  • Database volumes use full-disk encryption.
  • We follow the Art. 33 72-hour breach-notification practice — affected customers and the relevant supervisory authority are notified within 72 hours of becoming aware.

8. Children’s data

Aegean is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we will delete the account.

9. Changes to this policy

Material changes are notified by email at least 30 days before they take effect.

10. Contact

Email egeturanf@gmail.com. Postal address and DPO appointment (if any) will be added once counsel review is complete.