What we collect, why, and how to make us forget.
Last updated: 2026-05-10 · v1.0
Plain-English summary
AEGIBIT is an Indian software company. When you visit www.aegibit.com or submit a form, we collect a small set of operational data (your email if you give it, your session fingerprint, which pages you visited, where you arrived from). We never sell your data. You can ask us to export it or delete it at any time by emailing contact@aegibit.com.
The rest of this page lists every data category we collect, where each one ends up, and what your rights are. If your buying process requires a Data Processing Agreement (DPA), we can provide one: contact us with the request, and the AEGIBIT team will respond within 5 business days.
Who we are
AEGIBIT (the brand) is operated from India by the founding team behind the AEGIBIT product line, PayMint, MCP Shield, and Aira. Operational contact: contact@aegibit.com. Postal address is shared on request to verified counterparties.
Under India's Digital Personal Data Protection Act 2023 (DPDP Act), AEGIBIT acts as the "Data Fiduciary" for personal data of visitors and customers. Under the EU GDPR, AEGIBIT acts as the "Data Controller" for EU residents who voluntarily submit data to us.
What we collect
We collect these categories, and only these, for the purposes listed.
- Identity data: email, name, company, phone (all optional except email when you submit a form). Purpose: responding to your inquiry, scheduling demos, sending product updates only if you opt in.
- Engagement data: page views, time on page, scroll depth, click events, behavior score. Purpose: understanding which pages help visitors, deciding what to improve next, classifying inbound leads as hot vs warm.
- Attribution data: UTM source, UTM medium, UTM campaign, HTTP referrer, landing page. Purpose: knowing which channels bring real interest so we don't waste outreach on the wrong audiences.
- Technical data: anonymized IP (used for rate limiting), user-agent string, device class, browser, OS. Purpose: operational security (rate-limit abuse, bot detection), basic compatibility.
- Chat transcripts: messages you send to the Aira chat widget, plus the bot's replies. Purpose: answering you in real time; if you provide your email through the chat, also routing the conversation to the AEGIBIT team for follow-up.
- Admin session data (admins only): iron-session httpOnly cookie containing an opaque session ID. Purpose: authenticating admins to /admin and /dashboard surfaces; never set for public visitors.
Cookies and similar storage
We use a small set of browser-storage entries. None of them are advertising cookies. None are shared with a third party for re-targeting.
- vc_return: a 30-day cookie that lets us recognize a returning visitor and show appropriate copy (e.g. "welcome back" instead of the first-time hero). No personal information attached.
- aegibit_session: an httpOnly, Secure, SameSite=Lax encrypted cookie set only when an admin logs in to /admin. Never set for public visitors.
- sessionStorage: short-lived browser-storage entries holding UTM attribution and chat-widget state. Cleared when you close the tab.
- localStorage: first-visit marker (so we don't replay one-time animations) and visitor ID. No personal information.
A formal cookie-consent banner is on the polish roadmap. Until it ships, your operating-system "Do Not Track" signal and your browser's third-party cookie controls remain authoritative on this site.
Who we share data with (sub-processors)
We use third-party services to run the website and respond to inquiries. Each sub-processor receives only the minimum data they need.
- Vercel (USA): hosting, edge functions, anonymized traffic analytics. Serves every page on www.aegibit.com.
- Supabase (Singapore region): Postgres database storing leads, visitor events, agent action audit log. Primary database; India-adjacent region chosen to reduce cross-border transfer.
- Upstash Redis (Mumbai region): rate-limit counters keyed by anonymized IP. Per-IP rate limiting to prevent form/chat abuse.
- Resend (USA): email address + message body when you submit a lead form. Delivers the lead notification email + your auto-acknowledgement.
- Groq (USA): the text content of your chat messages and the bot's replies. Runs the Llama 3.3 70B model that powers the chatbot.
- Slack (USA, internal channel): hot-lead notifications (email + a short summary of the lead context). Notifying the AEGIBIT team in real time so high-intent leads get a same-hour reply.
We do not sell data to advertisers or data brokers. Sub-processors handle only what is described above and are bound by their own published Data Processing Agreements. If you need names of legal contacts at any sub-processor, contact us.
How long we keep data
Retention is by category, not blanket:
- Leads (forms + chat email captures): kept indefinitely until you ask us to delete them, because ongoing business relationships often span years.
- Engagement + attribution events: kept for 365 days in the visitor_events table for funnel analytics, then aggregated and deleted at row level.
- Chat transcripts: kept for 90 days; auto-purged unless the conversation produced a captured lead (in which case it follows the lead retention rule above).
- Rate-limit state: ephemeral, Redis TTL of 60 seconds. Never persisted.
- Server logs: ephemeral, Vercel runtime rotation; no long-term storage of request logs.
Your rights
Regardless of jurisdiction, you can:
- Access: request a copy of every piece of personal data we hold about you.
- Correct: fix anything that's wrong.
- Delete: ask us to remove your data entirely (we will, except where we have a regulatory obligation to retain, e.g. tax records).
- Opt out: stop future processing, including any product-update emails.
- Complain: lodge a complaint with your local data protection regulator (India: Data Protection Board of India once operational; EU: your member-state DPA).
To exercise any of these, email contact@aegibit.com with subject "Privacy Rights Request." We respond within 14 days under DPDP, or sooner under GDPR if you cite that framework specifically.
Security
The full security posture is documented at /security, including CSP-hardened headers, per-IP rate limiting, httpOnly cookie sessions, scrypt-hashed admin credentials, and an append-only audit trail on every automation action.
In the event of a personal-data breach affecting you, we will notify you and the relevant regulator within 72 hours of becoming aware, in line with GDPR Article 33 and the comparable DPDP timeline. Notification will include what happened, what data was affected, and what we've done.
Children
AEGIBIT's products are operational software for businesses. We do not knowingly collect data from children under 18 (or under 16 where local law sets the digital-consent age there). If you believe a child has submitted data to us, email contact@aegibit.com and we will delete it immediately.
International transfers
Where a sub-processor is located outside India (USA, Singapore), data transfers happen under either the sub-processor's standard contractual clauses or their published cross-border framework (e.g. Vercel + Resend rely on EU-US DPF for EU data transfers; AEGIBIT relies on their adequacy). If additional clauses are required for a specific buyer's compliance obligations, contact us.
Changes to this policy
When we change this policy materially, we update the "Last updated" date at the top and ship the change as a normal git commit (the diff is public on github.com/AegibitSecurity/aegibit-website). For customers under an active DPA, we also send written notice to the contact on file.
Not legal advice
This page describes how AEGIBIT actually operates today. It is written by the founding team in plain English before formal counsel review. AEGIBIT will engage external counsel to review this policy before our first enterprise customer contract; the policy text may tighten as a result, and that history will be visible in the public git log. For specific legal questions about your situation, consult your own counsel.