Privacy Policy

Last updated July 2026

AIMS-in-a-Box is in pre-launch. This policy describes how the marketing site, the waitlist and the free readiness scorecard handle your data today. It will be expanded as the full workspace (accounts, evidence storage, billing) goes live.

1. Who we are

AIMS-in-a-Box (“we”, “us”) provides an ISO/IEC 42001 and EU AI Act readiness workspace for small and medium AI vendors and the consultants who serve them. For the personal data described here we act as the data controller. If you have any question about this policy, contact us at hello@aims-box.com.

2. What we collect

  • Waitlist & scorecard details — the email address you give us to join the waitlist or receive your scorecard results.
  • Scorecard answers — the readiness answers you select. These are scored in your browser; a summary is stored only if you ask us to email your report.
  • Usage analytics — anonymised, aggregated product analytics (pages viewed, scorecard started/completed) via PostHog, so we can improve the product.
  • Error diagnostics — if something breaks, limited technical error data is captured via Sentry to help us fix it.

We do not sell your data, and we do not use it for third-party advertising.

3. How we use it

  • To send you your scorecard results and waitlist updates you asked for.
  • To operate, secure and improve the site and the scorecard.
  • To let you know when the paid workspace and Founding membership open.

4. Legal bases (UK GDPR / GDPR)

We rely on your consent when you join the waitlist or ask for your results by email, and on our legitimate interests in running and improving a secure service. You can withdraw consent at any time (see section 7).

5. Who processes it for us

We use a small set of reputable processors, each under a data-processing agreement:

  • Supabase — database and storage.
  • Vercel — application hosting and delivery.
  • Resend — transactional email delivery.
  • PostHog — product analytics (EU region).
  • Sentry — error monitoring.
  • Lemon Squeezy — merchant of record for payments (only when you buy).

6. International transfers & retention

Where a processor holds data outside the UK/EEA, transfers are covered by appropriate safeguards such as Standard Contractual Clauses. We keep waitlist and scorecard data only as long as needed for the purposes above, and remove it on request.

7. Your rights

Under UK GDPR you can request access to, correction of, or deletion of your personal data, object to or restrict processing, and request portability. Email hello@aims-box.com and we will respond within one month. You may also complain to the UK Information Commissioner’s Office (ICO).

8. Cookies & similar technologies

The marketing site and scorecard use only what is needed to function plus privacy-respecting, aggregated analytics. Your scorecard progress is stored in your browser’s local storage so you can resume — it never leaves your device unless you ask us to email your report.

9. Security

Every customer workspace will be isolated at the database level with row-level security, so one organisation can never read another’s data. Evidence files are private and reachable only through short-lived signed links issued after a membership check. We follow the principle of least privilege and keep secrets out of client code.

10. Changes

We will update this policy as the product grows and post the revised version here with a new “last updated” date. Material changes affecting you will be communicated directly.