Privacy Policy

Last updated: May 9, 2026 · Effective: May 9, 2026 · Contact: [email protected]

Short version: We collect what we need to run the service. We don't sell your data. We don't run advertising. Your tool stack data is yours and can be deleted at any time.

1. Who We Are

AlignCube ("AlignCube", "we", "us", "our") provides AI stack governance software. This Privacy Policy explains how we collect, use, and protect your information when you use our website at aligncube.ai and our web application (together, the "Service").

2. What We Collect

Account Data

Email address — used to identify your account and communicate with you
Password — stored as a salted PBKDF2-HMAC-SHA256 hash. We never store or transmit your plaintext password
Subscription tier — free, monitor, or govern, managed via Stripe

Stack & Audit Data

Tool names, costs, categories, and team usage information you enter during audits
Audit results, recommendations, and your accept/reject decisions (your "Decision Log")
Company name, industry, and headcount you provide during intake

Usage Data

Token counts for each AI API call made on your behalf (used for billing and internal cost monitoring)
Timestamps of audit runs and AI Advisor conversations

Session Data

A session cookie issued on login to authenticate your requests. This is a necessary cookie — the service cannot function without it
We do not use analytics, advertising, or tracking cookies

3. How We Use Your Data

Purpose	Legal basis (GDPR)
Providing and operating the Service	Performance of contract
Processing payments via Stripe	Performance of contract
Sending account-related emails (receipts, alerts)	Performance of contract
Improving the Service (aggregated, non-identifiable insights)	Legitimate interests
Complying with legal obligations	Legal obligation

We do not use your data for advertising. We do not sell your data. We do not share your individual stack or audit data with any third party except as described in Section 4.

4. Third-Party Services

Service	Purpose	Data shared	Their privacy policy
Anthropic	AI audit and advisor responses	Your tool stack and chat messages are sent to Anthropic's API to generate responses. Anthropic's enterprise API does not use API inputs to train models.	anthropic.com/privacy
Stripe	Payment processing	Email and payment details. We never see your full card number.	stripe.com/privacy
Railway	Hosting infrastructure	Application data is stored on Railway-hosted servers (US region). As our hosting provider, Railway's handling of infrastructure is governed by its own privacy and security practices.	railway.app/privacy

5. Data Retention

Account data: retained until you request deletion
Audit and decision data: retained until you request deletion
Usage logs: retained for up to 12 months
Session tokens: expire after 30 days of inactivity

6. Cookies

We use one cookie: a session authentication cookie set on login. It is a strictly necessary cookie — it is required for you to stay logged in and use the Service. It expires after 30 days.

We do not use Google Analytics, Facebook Pixel, or any third-party tracking cookies. We do not serve advertising.

7. Your Rights

GDPR (EU/UK residents)

Access: Request a copy of all data we hold about you
Rectification: Correct inaccurate personal data
Erasure ("right to be forgotten"): Delete your account and all associated data
Portability: Export your audit history and decision log as JSON (available in-app under Usage & Plan → Data Export)
Restriction & Objection: Restrict certain processing or object to legitimate interests processing
Lodge a complaint: With your local data protection authority

CCPA (California residents)

Right to know: What personal information we collect and how we use it
Right to delete: Request deletion of your personal information
Right to opt-out of sale: We do not sell personal information
Non-discrimination: We will not discriminate against you for exercising these rights

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Data Security

All data is transmitted over HTTPS/TLS. Passwords are hashed with salted PBKDF2-HMAC-SHA256. Session tokens are stored in httpOnly, Secure cookies. We do not store payment card details — all payment processing is handled by Stripe's PCI-DSS compliant infrastructure.

In the event of a data breach that affects your personal data, we will notify affected users within 72 hours as required by GDPR.

9. Children

The Service is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We will notify you by email and post a notice on the Service at least 30 days before material changes take effect. Continued use after the effective date constitutes acceptance.

11. Contact

Data controller: AlignCube · [email protected]