How we handle your data

What data we collect

We collect only what is necessary to provide the service. Here is exactly what we store.

Account data

• •Email address and name (for account registration and login)

Identity data

• •Email addresses (@aliaskit.com) created for agent identities
• •Phone numbers provisioned for agent identities
• •Card metadata: only the last 4 digits of the card number are stored in plaintext, so you can identify which card is attached to each identity in your dashboard. Card brand, expiry, full number, and CVC are never stored in plaintext.
• •TOTP secrets for two-factor authentication management — encrypted server-side (AES-256-GCM) but not zero-knowledge. Unlike card data, AliasKit can decrypt TOTP secrets to generate time-based codes on behalf of your agents. This is necessary for agents to complete 2FA challenges autonomously.
• •Agent profiles (name, persona, configuration)

Card data (encrypted)

• •Encrypted card blobs (AES-256-GCM) — we store these but cannot read them
• •Card number, CVC, brand, and expiry are encrypted on your device. Only the last 4 digits are stored in plaintext for identification

Usage data

• •API call logs (endpoint, timestamp, response code)
• •Card reveal audit logs (IP address, user agent, timestamp, declared amounts)

Technical data

• •Session cookies (no tracking cookies, no third-party cookies)
• •Server logs (standard web server access logs)

How card data is handled (zero-knowledge)

AliasKit uses a BYOC (Bring Your Own Card) model with zero-knowledge encryption. Your card details never exist in plaintext on our servers.

• ✓Card number and CVC are encrypted on your device before transmission
• ✓AliasKit stores only the encrypted blob — we cannot decrypt it
• ✓Your card encryption key is generated on your device and never sent to our servers
• ✓Last 4 digits, card brand, and expiry month/year are stored in plaintext for display purposes
• ✓Encrypted card data is permanently deleted when a card is cancelled
• ✓If you lose your card encryption key, we cannot recover it — this is by design

Lawful basis for processing (UK GDPR)

We process your data under the following legal bases.

• •Account data — Performance of contract (necessary to provide the service under our Terms of Service, Article 6(1)(b) UK GDPR)
• •Card data encryption — Consent (you actively add a card and agree to the terms)
• •Usage and audit data — Legitimate interest (security monitoring, abuse prevention)

Data retention

We do not keep data longer than necessary. Here are our target retention periods.

• •Account data — retained until you delete your account
• •Encrypted card blobs — retained until you cancel the card, then permanently wiped
• •Audit logs — our target retention period is 12 months for security purposes
• •Usage data — we aim to delete usage data after 90 days

Your rights (UK GDPR)

You have the following rights over your data. We will respond to any request within 30 days.

• ✓Right to access — request a copy of all data we hold about you
• ✓Right to erasure — delete your account and all associated data, or cancel individual cards
• ✓Right to rectification — correct any inaccurate data we hold
• ✓Right to data portability — receive your data in a machine-readable format
• ✓Right to object — object to processing based on legitimate interest
• ✓Right to complain — you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data in accordance with UK GDPR

To exercise any of these rights, contact us at privacy@aliaskit.com.

Where your data is stored

• •Database — hosted on Supabase (AWS eu-west region)
• •Application — hosted on Vercel (edge network, with primary compute in EU)

We do not sell your data to third parties. We do not share your data with advertisers. We do not use your data for training AI models.

International data transfers

Some of your data may be processed by US-based sub-processors.

• •Vercel, Twilio, Resend — US-based processors. Data transfers are protected by Standard Contractual Clauses (SCCs) or the UK-US Data Bridge, as applicable.
• •Supabase — processes data in the EU (AWS eu-west region), which is an adequate country under UK GDPR. No additional transfer mechanism is required.

Third-party processors

We use the following third-party services to operate AliasKit. Each processes only the minimum data necessary for their function.

• •Supabase — database hosting and authentication
• •Vercel — application hosting and CDN
• •Stripe — subscription billing only. Stripe does not receive or process any card data from the BYOC system. Stripe only handles your subscription payment method, which is entirely separate.
• •Resend — email delivery for @aliaskit.com inboxes
• •Twilio — SMS delivery for provisioned phone numbers

Breach notification

In the event of a data breach that affects your personal data, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Affected users will be notified without undue delay, including details of what data was affected and what steps we are taking.

Cookies

AliasKit uses session cookies only, required to keep you logged in. We do not use tracking cookies, analytics cookies, or any third-party cookies. There is nothing to opt out of.

Contact

For any privacy-related questions or data requests, contact us at privacy@aliaskit.com.

For security issues, contact security@aliaskit.com.

Children's data

AliasKit is intended for use by adults aged 18 or over. We do not knowingly collect personal data from individuals under 18.

Automated decision-making

AliasKit performs automated budget checks when agents attempt card reveals. These checks compare the declared transaction amount against your configured spending limits and are carried out without human review. No other automated decision-making or profiling takes place. You can adjust your budget limits at any time from your dashboard.

Data Protection Officer

AliasKit is not currently required to appoint a Data Protection Officer. For data protection queries, contact privacy@aliaskit.com.

AliasKit is operated by [Entity to be registered]. This policy will be updated with the registered entity details and ICO registration number once the entity is incorporated.