Legal

Privacy Policy

Effective April 13, 2026

Aleph Compliance, Inc. (“Aleph,” “we,” “us,” or “our”) operates the Aleph product compliance platform at alephco.io. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Data We Collect

Account Information

When you register, we collect your name, email address, and business information (company name, role).

Product & Compliance Data

Data you enter about your products, suppliers, compliance assessments, and any documents or certificates you upload.

Payment Information

Billing details are collected and processed by Stripe. We do not store credit card numbers on our servers. We receive only a confirmation of payment status and the last four digits of your card.

Usage Analytics

We collect anonymized usage data (pages visited, features used, session duration) to understand how the platform is used and where to improve it. No personally identifiable information (PII) is stored in our analytics system.

Communication Data

If you contact us via email or our contact form, we retain that correspondence to provide support.

2. How We Use Your Data

  • Provide the service: Store your products, run compliance workflows, generate certificates and labels.
  • Send notifications: Compliance alerts, expiration reminders, account updates, and billing receipts.
  • Improve the platform: Analyze aggregated usage patterns to prioritize features and fix issues.
  • Respond to support requests: Process and follow up on questions or issues you raise.

We will never sell your personal data to third parties.

3. Third-Party Services

We use the following third-party services to operate Aleph. Each has its own privacy policy governing how they handle data:

Supabase — Database and authentication. Stores your account data, product data, and compliance documents. US-based servers.
Stripe — Payment processing. Handles subscription billing and stores payment information. Aleph never sees your full card number.
PostHog — Product analytics. Tracks anonymized usage patterns (feature usage, page views). No PII is stored in PostHog.
Resend — Transactional email. Sends notifications, compliance alerts, and account emails on our behalf.
Railway — Application hosting. Runs the Aleph application infrastructure.
ENERGY STAR API — Public data source for appliance specifications. No user data is shared with this service.

4. Data Storage & Security

Your data is stored in a PostgreSQL database managed by Supabase, hosted on US-based servers. We use encryption in transit (TLS) and follow security best practices for access control, authentication, and data handling.

While we take reasonable measures to protect your data, no system is 100% secure. We encourage you to use a strong, unique password for your Aleph account.

5. Data Retention

  • Active accounts: Your data is retained for as long as your account is active.
  • Deleted accounts: When you delete your account, we retain your data for 30 days (in case you change your mind), then permanently purge it from our systems.
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion, after which it is automatically removed.

6. Your Rights

You have the right to:

  • Access your data — view everything we have stored about you and your business.
  • Export your data — download your products, compliance records, and documents.
  • Delete your data — request complete removal of your account and all associated data.
  • Correct your data — update any inaccurate information in your account.

To exercise any of these rights, email privacy@alephco.io.

7. Cookies

Aleph uses a minimal set of cookies:

  • Session cookie: Required for authentication. Keeps you logged in while you use the platform.
  • Analytics cookie (PostHog): Tracks anonymized usage patterns to help us improve the product. Does not contain PII.
  • Theme preference: Stores your light/dark mode choice in localStorage (not a cookie, but worth mentioning).

We do not use advertising cookies or sell cookie data to third parties.

8. Children

Aleph is a business tool intended for users who are 18 years of age or older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it promptly.

9. California & EU User Rights

California (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of any sale of personal information. We do not sell personal information. To make a request, email privacy@alephco.io.

European Union (GDPR)

If you are located in the EU/EEA, you have additional rights under GDPR, including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. Our legal basis for processing your data is the performance of our contract with you (providing the Aleph service). To exercise your rights, email privacy@alephco.io.

10. Changes to This Policy

We may update this Privacy Policy as our platform evolves. If we make material changes, we will notify you via email or through the platform. The “Effective” date at the top of this page will always reflect the latest version.

11. Contact

Questions about your privacy or this policy?

Email: privacy@alephco.io
Web: alephco.io/contact