Privacy Policy
Effective Date: August 19, 2025
1. Introduction
This Privacy Policy describes how AION Technologies Inc. ("AION," "we," "us," or "our") collects, uses, discloses, and protects information obtained from users of our GPU compute platform and related services.
1.1 Scope of This Policy
This Privacy Policy applies to:
- Marketing Website (aion.xyz): Discovery and information
- Platform (console.aion.xyz): GPU compute services
- Pre-signup Browsing: Anonymous GPU catalog access
- Authenticated Services: Full platform functionality
- Support and Documentation: docs.aion.xyz, status.aion.xyz, api.aion.xyz
1.2 Our Commitment
We are committed to protecting your privacy while delivering high-performance GPU infrastructure services. This Policy explains our data practices and your rights regarding personal information in the context of cloud computing and AI infrastructure management.
2. Information We Collect by User Journey
2.1 Marketing Website Visitors (aion.xyz)
With Consent Only:
- Google Analytics 4 data (page views, session duration)
- Marketing pixel data (Meta, LinkedIn campaigns)
- UTM parameters (source, medium, campaign, term, content) for attribution tracking
- No personal data collected without explicit consent
2.2 Platform Browsers (Pre-Signup)
Anonymous Catalog Access:
- GPU availability viewing patterns
- Pricing calculator usage
- Region and SKU preferences
- No identity or personal data collection
2.3 Waitlisted Users
Upon Signup:
- Email address (required for waitlist)
- Company name (optional)
- Workload intent and use case
Enrichment via Folk CRM:
- Firmographic data (company size, industry)
- Technographic signals (current stack)
- Not shared with marketing pixels or third parties
2.4 Active Platform Users
Account Information:
- Name, email address, password (encrypted)
- Organization details, tax ID, billing address
- Verification documents for KYC compliance
Full Platform Telemetry:
- PostHog session recordings and analytics
- Resource usage metrics and patterns
- API call logs and patterns
- Stripe billing and payment data
- Intercom support interactions
2.5 Platform Usage Information
Through your use of our GPU compute platform, we collect:
- Resource Usage: GPU hours, compute cycles, storage consumption
- Instance Data: Configuration settings, deployment regions, instance types
- Project Information: Project names, descriptions, resource allocations
- SSH Keys: Public keys for secure instance access
- Firewall Rules: Security configurations for your resources
- API Usage: Endpoint calls, request patterns, rate limits
2.6 Payment and Billing Information
For billing purposes, we collect:
- Payment Method: Credit card details (processed by Stripe)
- Billing History: Invoices, payment records, usage statements
- Credit Information: Credit limits, payment terms
- Tax Information: VAT numbers, tax exemption certificates
2.7 Technical and Performance Data
We automatically collect:
- Infrastructure Metrics: Resource performance, availability, latency
- Error Logs: System errors, failed provisioning attempts
- Security Events: Login attempts, access patterns, anomaly detection
- Platform Performance: Response times, throughput, reliability metrics
2.8 Support and Communication Data
When you interact with our support team:
- Support Tickets: Issue descriptions, correspondence, resolutions
- Feedback: Feature requests, bug reports, suggestions
- Training Materials: Usage of documentation, tutorials accessed
- Community Participation: Forum posts, knowledge base contributions
3. How We Use Your Information
3.1 Service Delivery and Operations
We use your information to:
- Provision Resources: Deploy and manage GPU instances
- Manage Access: Authenticate users and enforce permissions
- Process Billing: Calculate usage, generate invoices, process payments
- Provide Support: Resolve technical issues, answer questions
- Maintain Infrastructure: Ensure platform availability and performance
3.2 Platform Enhancement
Your data helps us:
- Optimize Performance: Improve provisioning times and resource allocation
- Develop Features: Build new capabilities based on usage patterns
- Enhance Security: Detect and prevent unauthorized access
- Improve Reliability: Identify and resolve infrastructure issues
- Customize Experience: Tailor the platform to your workflow
3.3 Communications
We communicate with you about:
- Service Updates: Maintenance windows, new features, changes
- Security Alerts: Suspicious activity, required actions
- Billing Notifications: Invoices, payment reminders, usage alerts
- Product Announcements: New GPU types, regions, capabilities
- Educational Content: Best practices, optimization tips (opt-in)
3.4 Legal and Compliance
We process data to:
- Meet Legal Obligations: Comply with laws and regulations
- Enforce Terms: Ensure compliance with our Terms of Service
- Prevent Abuse: Detect and prevent fraudulent or harmful activities
- Respond to Legal Requests: Handle subpoenas, court orders
- Protect Rights: Defend our legal interests and intellectual property
4. Cookie and Tracking Technologies
We use various tracking technologies as detailed in our Cookie Policy. Key distinctions:
- Marketing Site (aion.xyz): Optional analytics cookies with explicit consent via CookieYes
- Platform (console.aion.xyz): Essential cookies plus PostHog analytics (required for service delivery)
- Legal Basis: Consent for marketing cookies, legitimate interest for platform operations
- Control Options: Full control on marketing site, limited options on platform due to operational requirements
For complete details about cookie types, purposes, and management options, please see our Cookie Policy.
5. Legal Basis for Processing
We process your personal information based on:
5.1 Contract Performance
- Providing GPU compute services
- Processing payments and billing
- Managing your account and projects
- Delivering customer support
5.2 Legitimate Interests
- Platform Analytics: PostHog tracking necessary for performance of our contract with you
- Infrastructure Monitoring: Essential for cloud platform operation
- Security: Threat detection and fraud prevention
- Service Improvements: Performance optimization based on usage patterns
Note: We cannot use legitimate interest for marketing cookies – those require consent.
5.3 Legal Obligations
- Compliance with data protection laws
- Tax and financial reporting requirements
- Responding to legal processes
- Export control and sanctions compliance
5.4 Consent
- Marketing communications to prospects
- Optional analytics and tracking
- Beta feature participation
- Research and development activities
6. Data Sharing and Third Parties
6.1 Our Data Sharing Principles
We do not sell, rent, or trade your personal information. We share data only when necessary for service delivery or legal compliance.
6.2 Service Providers
We share data with providers who help us operate:
- Infrastructure Partners: GPU providers, data centers
- Payment Processor: Stripe for all billing operations
- Analytics: PostHog for platform analytics (essential service)
- Support: Intercom for customer service
- CRM: Folk for lead enrichment and segmentation
- Marketing Analytics: Google Analytics, Meta, LinkedIn, Twitter/X (consent-based)
- Security Services: DDoS protection, threat detection
- Consent Management Platform: CookieYes – Google-certified CMP for GDPR compliance
6.3 Legal and Regulatory Sharing
We may share information when required:
- Legal Compliance: To comply with laws and regulations
- Legal Process: In response to subpoenas, warrants, court orders
- Emergency Situations: To protect safety and prevent harm
- Rights Protection: To protect our rights and property
- Breach Notification: To Indian Data Protection Board for all breaches regardless of risk level
6.4 Data Processing Agreements
We maintain GDPR-compliant DPAs with all sub-processors:
- PostHog: DPA available at posthog.com/dpa
- Stripe: Incorporated in Services Agreement
- Intercom: Standard DPA with EU SCCs
- Folk CRM: GDPR-compliant processor agreement
- CookieYes: DPA available at cookieyes.com/dpa
Enterprise customers may request copies by contacting [email protected].
6.5 Business Transfers
In the event of a merger, acquisition, or sale:
- Your information may be transferred to the successor entity
- We will notify you before any transfer occurs
- The successor will be bound by this Privacy Policy
7. Data Security Measures
7.1 Technical Safeguards
We implement industry-standard security measures:
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based access, multi-factor authentication
- Network Security: Firewalls, intrusion detection, DDoS protection
- Infrastructure Security: Isolated environments, secure key management
- Monitoring: 24/7 security monitoring and incident response
7.2 Organizational Measures
Our security program includes:
- Security Policies: Comprehensive data protection procedures
- Employee Training: Regular security awareness training
- Access Restrictions: Limited access on need-to-know basis
- Vendor Management: Security assessments of service providers
- Incident Response: Established breach notification procedures (within 72 hours to authorities per GDPR, without undue delay to users)
7.3 Your Security Responsibilities
You play a crucial role in security:
- Maintaining strong, unique passwords
- Enabling multi-factor authentication
- Protecting API keys and credentials
- Reporting suspicious activities promptly
- Following security best practices
8. Data Retention
8.1 Retention Periods
We retain data based on:
- Active Accounts: Throughout your subscription period
- Billing Records: 7 years for tax and accounting purposes
- Consent Records: 2 years from consent date
- Usage Logs: 90 days for operational data
- Security Logs: 1 year for incident investigation
- Support Records: 3 years after ticket closure
- Deleted Projects: 30 days recovery period
8.2 Data Deletion
Upon account termination:
- Instance data is immediately terminated
- Account data is retained for 90 days for recovery
- Billing records are retained per legal requirements
- You may request immediate deletion (subject to legal obligations)
9. Your Privacy Rights
9.1 Rights You May Exercise
Depending on your location, you have rights to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate information
- Deletion: Request removal of your data
- Portability: Receive data in machine-readable format
- Restriction: Limit how we process your data
- Objection: Opt-out of certain processing
- Withdraw Consent: Revoke previously given consent
9.2 How to Exercise Rights
To exercise your rights:
- Dashboard: Access and update most information
- Email: [email protected]
- API: Programmatic data export available
- Support: File a privacy request ticket
We respond to requests within 30 days, or 45 days for complex requests with notice.
9.3 California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know categories and sources of data collected
- Right to know business purposes for collection
- Right to non-discrimination for exercising rights
- Right to opt-out of data sales (we don't sell data)
9.4 European Privacy Rights (GDPR)
EU/EEA residents have enhanced rights:
- Explicit consent requirements for processing
- Right to lodge complaints with supervisory authorities
- Right to object to automated decision-making
- Enhanced data portability rights
9.5 Indian Privacy Rights (DPDPA)
Indian residents have rights under the Digital Personal Data Protection Act:
- Right to access personal data in structured format
- Right to correction and erasure of personal data
- Right to grievance redressal
- Right to nominate a digital nominee
- Consent withdrawal at any time (may affect service availability)
10. International Data Transfers
10.1 Global Infrastructure
Your data may be processed in:
- United States (primary processing)
- European Union (regional deployments)
- Your selected GPU deployment regions
- Support centers globally
10.2 Transfer Safeguards
We ensure appropriate protection through:
- Standard Contractual Clauses: EU-approved mechanisms
- Data Processing Agreements: With all sub-processors
- Security Measures: Consistent global security standards
- Access Controls: Regional data isolation where required
11. Children's Privacy
Our platform is not intended for users under 18 (or under 16 in the EU without parental consent). We do not knowingly collect data from minors below these ages. If we discover such data collection, we will promptly delete it.
12. AI and Automated Processing
12.1 Automated Systems
We use automated systems for:
- Resource Allocation: Optimizing GPU assignments
- Fraud Detection: Identifying suspicious activities
- Performance Optimization: Workload distribution
- Anomaly Detection: Security threat identification
12.2 Human Oversight
You can request human review of automated decisions that significantly affect you, such as account suspension or credit limit determinations.
13. Policy Updates
13.1 Change Notifications
We will notify you of material changes via:
- Email to your registered address
- Platform dashboard notifications
- 30-day advance notice for significant changes
13.2 Continued Use
Continued platform use after changes constitutes acceptance of the updated policy.
14. Contact Information
14.1 Privacy Inquiries
For privacy-related questions:
Privacy Team
AION Technologies Inc.
Email: [email protected]
Response Time: Within 48 hours
Data Protection Officer
Email: [email protected]
14.2 Regulatory Contacts
Headquarters
AION Technologies Inc.
1450 Broadway
New York, NY 10018
United States
EU Representative
To be appointed. For EU data protection matters, contact [email protected]
Note: As an infrastructure provider (IaaS), we are not required to appoint a DPO under Article 37 GDPR as our core activities do not involve large-scale systematic monitoring of data subjects. We maintain a dedicated privacy team for all data protection matters.
Data Protection Officer for India
To be appointed when required under DPDPA. Contact [email protected]
15. Complaint Resolution
15.1 Internal Process
To file a privacy complaint:
- Contact [email protected]
- Receive acknowledgment within 48 hours
- Investigation completed within 30 days
- Escalation to DPO if unsatisfied
15.2 Regulatory Authorities
You may lodge complaints with:
- Your local data protection authority
- California Privacy Protection Agency (CPPA)
- European Data Protection Supervisor
16. Additional Resources
16.1 Related Policies
Cookie Policy – Detailed cookie information
Terms of Service – Platform usage terms
Document Version: 1.0
Last Review: August 19, 2025
© 2026 AION Technologies Inc. All rights reserved.
This Privacy Policy supersedes all previous versions and constitutes our commitment to protecting your privacy while delivering world-class GPU infrastructure services.