Privacy Policy

Last updated: March 7, 2026 · Effective: March 21, 2026

1. Overview

Aegis ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our holding company management platform (the "Service"). Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

2. Information We Collect

Information You Provide

  • Account information: name, email address, and profile data from your Manus OAuth login
  • Business data: entity names, compliance information, asset details, property records, and financial data you enter into the Service
  • Documents: files you upload to the document vault (stored encrypted in cloud storage)
  • Team information: email addresses of team members you invite
  • Payment information: processed by Stripe; we store only your Stripe customer ID and subscription status — never your full card number

Information Collected Automatically

  • Log data: IP address, browser type, pages visited, and timestamps (retained for 90 days)
  • Audit logs: actions taken within the Service (entity changes, document access) for security and compliance purposes
  • Analytics: aggregated, anonymized usage statistics via our analytics provider

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process transactions and send related billing notifications
  • Send compliance deadline reminders and operational alerts you have configured
  • Respond to support requests and communicate about your account
  • Detect and prevent fraud, abuse, and security incidents
  • Improve the Service through aggregated, anonymized analytics
  • Comply with legal obligations

We do not sell your personal information or Your Data to third parties. We do not use Your Data for advertising purposes.

4. Data Sharing and Disclosure

We may share your information only in the following circumstances:

  • Service providers: Cloud infrastructure (database, file storage) and payment processing (Stripe) that operate under strict data processing agreements
  • Legal requirements: When required by law, court order, or governmental authority
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to you
  • Your consent: When you explicitly authorize sharing with a specific third party

5. Data Security

We implement industry-standard security measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest for stored documents, HTTP Strict Transport Security (HSTS), Content Security Policy headers, rate limiting, and session cookies with the __Host- prefix and SameSite=Strict attribute.

While we take reasonable precautions, no method of transmission over the internet is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication where available.

6. Data Retention

We retain your account data for as long as your account is active or as needed to provide the Service. After account termination, we retain your data for 30 days to allow for recovery, then permanently delete it upon request. Audit logs are retained for 12 months for security purposes. Anonymized, aggregated analytics data may be retained indefinitely.

7. Your Rights

All Users

  • Access and export your data at any time from Settings → Export
  • Correct inaccurate personal information
  • Delete your account and associated data (subject to legal retention requirements)
  • Opt out of non-essential communications

California Residents (CCPA)

You have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.

European Union Residents (GDPR)

You have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to withdraw consent at any time. Our legal basis for processing is contractual necessity (to provide the Service) and legitimate interests (security and fraud prevention). To exercise these rights, contact us at [email protected].

8. Cookies and Tracking

We use a single session cookie (named __Host-session) to maintain your authenticated session. This cookie is strictly necessary for the Service to function and is not used for advertising or tracking across other websites. We use privacy-respecting analytics (self-hosted Umami) that does not use cookies and does not track you across sites.

9. International Data Transfers

Your data is stored on servers located in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete such information immediately.

11. Third-Party Services

The Service integrates with third-party services. Their privacy practices are governed by their own policies:

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy-related questions, data requests, or to exercise your rights, please contact our privacy team at [email protected]. We will respond to all requests within 30 days.