Privacy Through Architecture
Traditional AI wrappers store full message content, creating privacy risks. When breaches occur, everything stored is exposed.
Aqta is different. Sensitive data never enters our infrastructure. Messages flow through our gateway without storage. Only operational metadata is logged for audit.
We cannot leak what we never store.
Overview
Aqta Technologies Limited ("we", "us" or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our trust layer for AI.
For customer account, billing and support data, we act as an independent data controller under GDPR. For AI traffic and metadata processed through the Aqta gateway, your organisation remains the data controller and we act as your data processor under a Data Processing Agreement (DPA) available on request.
Information We Collect
Account Information
- Email address
- Organisation name
- Billing information
- API usage metadata
Technical Data
- API request metadata (timestamps, model names, token counts)
- Real-time request protection events
- Cost tracking data
- System performance metrics
Network Intelligence and Data Sharing
To improve threat detection for all customers, we use network intelligence: patterns seen at one deployment can help protect others. Shared data is strictly limited to anonymised metadata and threat fingerprints (e.g. hashed pattern signatures), anonymised to the standard in GDPR Recital 26 so that no individual or customer is identifiable. Because this data is anonymised it falls outside the scope of GDPR; where any personal data is processed before anonymisation, the lawful basis is our legitimate interest (Article 6(1)(f)) in securing the service and protecting all customers against abuse. Your prompts, completions, and user data are never shared across customers or used to train models.
When we have published metrics (e.g. faster threat detection or fewer false positives), we will cite the source here.
What We Don't Store
- Full prompts or responses
- Training data for AI models
- Original API keys (only hashed values)
Full prompt and response content are not logged. If personally identifiable information (PII) or sensitive data is sent inadvertently, it is processed only as transient traffic for routing and real-time request protection and is not stored.
How We Use Your Information
- Provide and maintain the Aqta service
- Protect against AI agent loops and runaway costs
- Track API usage and costs
- Process billing and payments
- Send service updates and security alerts
- Improve our platform
Data Storage and Security
Customer data is stored primarily in EU-based infrastructure, with encryption at rest and in transit, and any transfers are handled as set out under International Transfers below. We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Security reviews of code and infrastructure; independent penetration testing planned before general availability
- Access controls and audit logging
Data Retention
In line with our transparency obligations under GDPR Article 13, the table below sets out how long operational metadata (timestamps, model names, token counts, protection events) is retained on each plan. Retention applies to metadata only; full prompt and response content is never stored.
| Plan | Metadata retention |
|---|---|
| Free | 7 days |
| Starter | 90 days |
| Pro | 365 days |
| Enterprise | Up to 7 years, configurable to your contract |
Account and billing data is retained for the duration of your subscription plus 7 years for tax and legal compliance.
Recruitment Data (Job Applicants)
If you apply for a role at Aqta through the form on this site, we process the information you submit (your name and email, the role, where you are based, your message, any link you share, and your CV if you attach one) for the sole purpose of assessing your application. The lawful basis is your consent, given when you submit the form, and you can withdraw it at any time.
- Controller: Aqta Technologies Limited (CRO 807530), Dublin and Switzerland.
- Processors: we use Amazon SES (EU region) to deliver your application and confirmation by email. We also rate-limit submissions using your IP address to prevent abuse; this is a transient check and your IP is not stored alongside your application. Your application is delivered to hello@aqta.ai and reviewed only by Aqta's hiring team.
- Retention: we keep applications for up to 6 months, then delete them, unless you ask us to keep your details on file for future roles.
- Minimisation: we ask only for what we need to assess you. We do not need special-category data (Article 9 GDPR), such as health, religion, or political views; please do not include it in your message, your CV, or the material you link us to.
To withdraw consent or have your application deleted before the retention period ends, email hello@aqta.ai.
Cookies & Tracking
We take a privacy-first approach to analytics:
- Vercel Web Analytics: Cookieless, aggregated, IP-anonymised. No personal data, no cross-site tracking. Gives us basic visitor counts + country breakdown so we know what's resonating.
- No cookies on aqta.ai: Vercel Analytics is cookie-free by design, and we don't set any analytics cookies of our own. The only cookie anywhere in the product is the strictly-necessary session cookie on app.aqta.ai that keeps you signed in.
- No advertising scripts: We don't serve personalised ads or share data with ad networks.
- No cross-site tracking: We don't follow you across the web.
- Plausible removed May 2026: We previously used Plausible alongside Vercel; consolidated to one cookieless analytics layer for clarity.
This site uses cookieless analytics (Vercel Web Analytics); no cookies are set on aqta.ai. Authenticated sessions on app.aqta.ai use a single strictly-necessary session cookie to keep you signed in; it is exempt from consent under ePrivacy Art 5(3) and is not used for analytics or tracking.
Vercel Web Analytics is cookieless by design (server-side daily-rotating hash, IP-anonymised, no device storage). No consent banner is shown on aqta.ai because none is required under GDPR / ePrivacy where no cookies are set. If we ever introduce a feature that needs a non-essential cookie, we will surface a consent prompt before any such cookie is written and update this section on the same day.
Sub-processors that touch customer data are named in the sub-processors section on /trust, with region, role, and the 30-day notice window we commit to before any change.
What is written client-side today:
- localStorage preference keys: Two small preference flags, written only when you change a setting yourself:
aqta-marketing-theme(light/dark toggle) andtext-size(blog reader size). Both are strictly-necessary-exempt under ePrivacy Art 5(3); both are local to your browser and never sent to our servers. - Vercel Web Analytics: Cookieless, aggregated, IP-anonymised. Counts a visit, country, page, and referrer; writes nothing to your device.
- No third-party trackers, no advertising scripts, no cross-site identifiers: verifiable: open your browser DevTools, Application tab, Storage. We do not appear there.
Third-Party Services
We use the following third-party services:
- Hosting: EU-based cloud infrastructure with GDPR data-processing commitments
- Analytics: Vercel Web Analytics only. Cookieless, aggregated, IP-anonymised. No personal data collected.
- Payment processing: Limited billing information shared with our payment processor for subscription processing
Your Rights (GDPR)
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request deletion of your data
- Object to processing
- Data portability
- Withdraw consent
To exercise these rights, email hello@aqta.ai with the subject line Data protection request.
International Transfers
Primary processing and storage take place on EU-based infrastructure. Some processing reaches our operations in Switzerland; transfers to Switzerland are covered by the European Commission's adequacy decision for Switzerland under GDPR Article 45, which permits transfers without additional safeguards.
A limited number of sub-processors have a US parent (for example Amazon Web Services, which provides Amazon SES). Where such transfers occur, they are governed by the European Commission's Standard Contractual Clauses under GDPR Article 46, together with supplementary technical and organisational measures. Our current sub-processors are listed in the sub-processors section on /trust.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Aqta platform.
Contact Us
For data-subject requests (access, rectification, erasure, portability, restriction, objection) or any data-protection enquiry:
Email: hello@aqta.ai with the subject line Data protection request.
We acknowledge receipt within two working days and respond substantively within one month of receipt, extendable by up to two further months for complex requests, under GDPR Articles 12(3)-(4). For security-vulnerability disclosures use security@aqta.ai or see /.well-known/security.txt.
Aqta Technologies Limited · 26/27 Upper Pembroke Street, Dublin 2, D02 X361, Ireland · CRO 807530.