Legal
Your data is yours. This policy explains what we collect, how we use it, and the rights you have over your information.
Effective date: March 27, 2026
Our privacy commitments
For individuals in the European Economic Area (EEA) and the United Kingdom, we process personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and service delivery | Contractual necessity (Art. 6(1)(b)) |
| Processing Customer Data (trade spend, deductions, etc.) | Contractual necessity (Art. 6(1)(b)) |
| Transactional emails (magic links, digests) | Contractual necessity (Art. 6(1)(b)) |
| Payment processing and billing | Contractual necessity (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Platform improvement and usage analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Tax and accounting record-keeping | Legal obligation (Art. 6(1)(c)) |
| Audit logging | Legitimate interest (Art. 6(1)(f)) and contractual necessity |
For a comprehensive overview of our security practices, visit our Security page.
We do not sell your data. We share data only with the following trusted subprocessors, each of which maintains a Data Processing Agreement (DPA) with AisleCore:
| Subprocessor | Purpose | Location | DPA |
|---|---|---|---|
| Stripe | Payment processing and subscription billing | United States | Active |
| Resend | Transactional email delivery (magic links, digests, notifications) | United States | Active |
| Vercel | Application hosting and edge network delivery | United States (global edge) | Active |
| Neon | PostgreSQL database hosting and storage | United States (AWS) | Active |
| Sentry | Error monitoring and application performance tracking | United States | Active |
We will notify customers at least 30 days before adding new subprocessors. You may subscribe to subprocessor change notifications by contacting privacy@aislecore.com.
We retain your data only as long as necessary to provide the service and comply with legal obligations. Below is a summary of our retention periods by data category:
| Category | Data | Retention Period |
|---|---|---|
| Account Data | Name, email, role, organization | Duration of account + 12 months after cancellation |
| Business Data | Products, retailers, promotions, deductions, shipments, metrics | Duration of account + 12 months after cancellation |
| Usage Data | Page views, feature usage, search queries, imports/exports | 24 months from collection |
| Audit Logs | All create, update, delete actions with actor and timestamp | Duration of account + 24 months |
| Billing Records | Invoices, payment history, subscription changes | As required by applicable tax and accounting law (typically 7 years) |
| Session Data | Authentication tokens, IP addresses, browser fingerprints | 90 days from session end |
You may request earlier deletion of your data at any time by contacting privacy@aislecore.com. Upon confirmed deletion, data is permanently removed from all active systems and backups within 30 days.
For EEA and UK residents
Under the General Data Protection Regulation (GDPR), you have the following rights over your personal data. We aim to respond to all requests within 30 days.
To exercise any of these rights, contact our Data Protection Officer at dpo@aislecore.com.
California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights.
To exercise these rights, contact privacy@aislecore.com. We will verify your identity and respond within 45 days as required by law.
AisleCore is headquartered in the United States. If you access the Platform from outside the United States, your data may be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:
Our DPA, available at aislecore.com/dpa, includes the full text of applicable Standard Contractual Clauses.
72-Hour Notification Commitment
In the event of a confirmed personal data breach, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will notify affected customers without undue delay.
Our breach notification will include:
AisleCore is a business-to-business platform and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at privacy@aislecore.com.
We may update this Privacy Policy from time to time. We will provide at least 30 days' written notice of material changes via email to the address associated with your account. The updated policy will indicate the new effective date at the top of this page.
Continued use of the Platform after the effective date of the updated policy constitutes acceptance. If you do not agree with the changes, you may terminate your account before the effective date.
For privacy inquiries, data subject requests, or questions about this policy:
Privacy inquiries: privacy@aislecore.com
Data Protection Officer: dpo@aislecore.com
Security: security@aislecore.com
General legal: legal@aislecore.com
AisleCore, Inc.
Wilmington, Delaware, United States