The data controller for all personal data processed through Aileth is:
| Company | Aileth |
| Location | Apeldoorn, Netherlands |
| privacy@aileth.eu | |
| Jurisdiction | European Union — GDPR applies |
| Category | Data | Purpose |
|---|---|---|
| Account data | Name, email address | Authentication and account management (via Keycloak SSO) |
| Compliance documentation | Policies, procedures, and evidence documents uploaded by you | Analysing your ISO 27001 compliance posture. Documents are processed via Scaleway's EU-hosted AI infrastructure — never sent to US-based AI providers. |
| Usage data | Timestamps of uploads, analyses, and logins | Audit trail and service operation. No behavioural tracking or analytics. |
We do not use your documentation for model training, benchmarking, or any purpose beyond delivering the service described in your subscription.
We do not rely on consent as a legal basis for the core service. If we were to process your data for any other purpose, we would seek explicit consent before doing so.
This is a deliberate architectural choice, not just a policy commitment. Aileth analyses your compliance documentation automatically — no human ever reads, reviews, or has access to what you upload.
If you contact support, we can see basic account metadata from the authentication system: whether your account exists, is active, and when you last logged in. We cannot see your documents, reports, or the number of files you have uploaded — those are stored encrypted in your tenant storage and are indistinguishable to us.
Aileth applies a short and strict retention policy. We keep your data for as long as strictly necessary to deliver the service — and no longer.
| Data type | Retention period | Deletion method |
|---|---|---|
| Uploaded documents & analysis results | Duration of subscription + 30 days | Permanent deletion from object storage and vector database |
| Account data (name, email) | Duration of subscription + 30 days | User record removed from identity provider |
| Usage logs | 90 days | Automatic log rotation |
| Financial & invoicing records (name, email, company, payment history) | 7 years from invoice date | Retained for Dutch tax law compliance (Boek 2 BW); not used for any other purpose |
You may request early deletion of all your data at any time by contacting privacy@aileth.eu. We will complete the deletion within 5 business days and confirm in writing. Note that financial records cannot be deleted early, as retention is required by law.
All processing happens within a single EU datacenter. The diagram below shows every stage a document passes through from upload to deletion.
Your documents are never sent to US-based AI providers (no OpenAI, no Anthropic, no Google). Analysis runs via Scaleway's generative AI infrastructure — EU-hosted, and subject to the same data residency commitments as the rest of the service.
As a data subject under GDPR, you have the following rights. To exercise any of them, contact privacy@aileth.eu. We will respond within 30 days.
If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
Scope of data subject rights. Aileth only holds personal data of its own account holders. If you do not have an active or recent Aileth account, we hold no personal data about you and are not required to act on a data subject request.
Abusive requests. Submitting manifestly unfounded or abusive data subject requests — including mass or automated submissions — constitutes a breach of our Terms of Service. We reserve the right to terminate the account and permanently delete all associated data. Account termination satisfies any outstanding erasure request and ends our obligation to respond to further requests from that account.
Aileth is a computationally intensive service. Each gap analysis involves AI processing of your documentation — a process that carries real infrastructure cost. Our subscription pricing reflects typical usage by an organisation conducting a genuine ISO 27001 audit preparation.
Normal use includes uploading documentation as it is produced or updated, running analyses when your documentation set changes materially, and re-analysing individual controls as you address identified gaps.
If your organisation requires a higher processing volume — for example, managing multiple subsidiaries or running continuous compliance monitoring — please contact us at info@aileth.eu to discuss an appropriate arrangement.
We reserve the right to impose rate limits or suspend access for accounts showing patterns of systematic abuse. We will always notify an account holder before suspension except in cases of egregious abuse.
Aileth uses a language model (LLM) to analyse your compliance documentation against ISO 27001:2022 acceptance criteria. This section describes how that AI processing works, what data it touches, and how Aileth complies with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
The AI receives short fragments (chunks) of your uploaded documents — selected by semantic relevance to a specific control — alongside the acceptance criteria for that control. It returns a structured assessment: PRESENT, PARTIAL, or MISSING, with reasoning and improvement suggestions. These outputs are presented in the application as analytical support, not as binding compliance decisions. The final compliance determination always rests with the professional conducting the audit.
Aileth uses a small, open language model running on Scaleway's EU-hosted generative AI infrastructure (Paris datacenter). This is not OpenAI, not Microsoft Azure OpenAI, not Google Gemini, and not Anthropic Claude. Your documents are never sent to a US-based AI provider. Processing is fully contained within the EU and not subject to the US CLOUD Act. The model is not trained on your data.
Aileth's AI system is classified as minimal risk under the EU AI Act (Regulation (EU) 2024/1689). ISO 27001 compliance gap analysis is an advisory B2B service; it does not make binding decisions about individuals' rights, access to essential services, employment, or any of the high-risk categories listed in Annex III of the Regulation.
In accordance with Article 50 of the EU AI Act, Aileth discloses AI use in its application interface. All AI-generated assessments are labelled as such within the application. Users are informed that assessments represent analytical output from a language model and should be reviewed by a qualified professional before being used as the basis for formal compliance determinations.
Obligations relating to general-purpose AI models under Title VIII of the AI Act apply to the model provider (Scaleway / the upstream model licensor), not to Aileth as a deployer. Aileth does not develop or place a general-purpose AI model on the market.
For all questions about this policy, data subject requests, or privacy concerns:
| privacy@aileth.eu | |
| Response time | Within 5 business days for data requests; 30 days for formal GDPR requests |
This policy was last updated in April 2026. We will notify active subscribers of any material changes at least 30 days before they take effect.