Aegis Optikon

Privacy Policy

Last Updated: January 1, 2026

Introduction

This Privacy Policy explains how Aegis Optikon ("Company," "we," "us," or "our") collects, uses, stores, and protects information when you access or use our website, API, Device Producer Network, verification endpoints, and all related services (collectively, the "Service").

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, you must stop using the Service.

1. Information We Collect

1.1 Account Information

  • Email address
  • Password hash (never stored in plain text)
  • Subscription tier
  • Credits balance
  • Account settings

1.2 Session Cookies and Authentication Data

When you log into our Service, we use secure session cookies to maintain your authentication state:

  • Authentication Token: Secure, HTTP-only cookie containing encrypted session data
  • Session ID: Unique identifier for your current login session
  • CSRF Token: Security token to prevent cross-site request forgery attacks
  • Session Metadata: Timestamps, IP address (hashed), and user agent for security auditing

Cookie Characteristics:

  • Session cookies expire after 24 hours of inactivity or when you log out
  • All cookies are marked as HttpOnly (inaccessible to JavaScript)
  • Cookies use the Secure flag (HTTPS only) and the SameSite=Strict attribute
  • No third-party cookies are used for tracking or advertising

1.3 Billing Information

All payment information is processed by Paddle.com, our Merchant of Record. We do not store:

  • Credit card numbers
  • Bank details
  • Tax IDs

We receive from Paddle:

  • Payment confirmations
  • Subscription status
  • Next billing date
  • Transaction metadata

1.4 API Usage Data

When you use the API, we automatically log:

  • Timestamp
  • Endpoint accessed
  • Bytes requested
  • Credits consumed
  • API key used
  • IP address (hashed for privacy)
  • Rate-limit events
  • Error logs

This is required for security, abuse prevention, billing accuracy, and auditability.

1.5 Device Producer Network Data

If you link a device to contribute entropy, we collect:

  • Device ID (hashed)
  • Contribution volume
  • Uptime and activity metrics
  • Fraud-detection signals
  • Device suspension flags

1.6 Entropy and Verification Data

We collect:

  • Entropy contribution events
  • Verification requests
  • Timestamps
  • Limited rolling history of entropy pool states (automatically purged after 30 days)

1.7 Technical and Security Data

  • IP address (hashed for storage)
  • Browser or client metadata
  • Operating system (for security patching alerts)
  • Security logs
  • Automated abuse-detection signals

2. How We Use Session Cookies

| Cookie Name | Purpose | Duration | Essential |
|-------------|---------|----------|-----------|
| session_id | Maintains your authenticated session | 24 hours / until logout | Yes |
| csrf_token | Prevents cross-site request forgery attacks | Session duration | Yes |
| user_prefs | Stores UI preferences (theme, language) | 1 year | No |

Essential Cookies: Session and CSRF cookies are required for the Service to function. Without these cookies, you cannot maintain a secure login session.

Non-Essential Cookies: Preference cookies can be disabled through your browser settings, though this may affect your user experience.

Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing ones. However, disabling essential cookies will prevent you from using the Service.

3. How We Use Your Information

3.1 To Provide the Service

  • Authenticate users and maintain secure sessions
  • Generate random values via our TRNG
  • Process API requests
  • Maintain credits and subscription status
  • Manage user preferences and settings

3.2 To Maintain Security

  • Detect and prevent abuse or unauthorized access
  • Enforce rate limits and API quotas
  • Prevent fraud in the Device Producer Network
  • Protect the entropy pool integrity
  • Secure authentication sessions against hijacking

3.3 To Process Payments

  • Manage subscriptions and billing cycles
  • Calculate and deduct credits for API usage
  • Handle billing events via Paddle.com
  • Generate invoices and receipts

3.4 To Improve the Service

  • Optimize API performance and response times
  • Analyze anonymous usage patterns for infrastructure planning
  • Debug and resolve technical issues
  • Enhance reliability and uptime

3.5 To Comply With Legal Obligations

  • Respond to lawful requests from authorities
  • Maintain audit logs as required by regulation
  • Enforce our Terms of Service
  • Fulfill data subject rights requests

4. What We Do NOT Collect or Do

Aegis Optikon does NOT:

  • Collect personal documents or device files
  • Collect biometric or location data
  • Track browsing history across other websites
  • Use advertising identifiers or third-party trackers
  • Sell, rent, or trade user data to third parties
  • Use cookies for behavioral advertising
  • Retain session data beyond the retention period

Our session cookies are used exclusively for security and functionality, not for tracking or profiling users.

5. How We Share Information

5.1 Paddle (Billing Provider)

We share minimal billing information with Paddle.com for subscription management, tax compliance, and payment processing. Paddle operates as our Merchant of Record and processes all payments.

5.2 Infrastructure Providers

We use trusted cloud infrastructure providers for hosting the Service. These providers have access to technical data necessary to operate the Service but do not have access to your encrypted session data or API keys.

5.3 Legal and Regulatory Authorities

We may disclose information when required by law, subpoena, court order, or to protect the security and integrity of our Service. We will notify users of such requests when legally permitted to do so.

5.4 No Data Sharing for Marketing

We do not share your data with marketing companies, advertisers, or data brokers.

6. Data Retention

| Data Type | Retention Period | Notes |
|-----------|------------------|-------|
| Account Information | Until account deletion | Deleted within 30 days of account closure request |
| Session Cookies & Data | 24 hours / Until logout | Automatically purged after inactivity |
| API Usage Logs | 90–180 days | For security auditing and billing verification |
| Entropy Pool States | 30 days maximum | Rolling buffer, automatically deleted |
| Billing Records | 7 years | As required by tax and financial regulations |
| Security Logs | 1 year | For incident investigation and prevention |

When data is no longer needed for the purposes described in this policy, it is securely deleted using cryptographic erasure methods. Backup data follows the same retention schedule and is purged during regular backup rotation.

7. Your Rights and Choices

Depending on your jurisdiction (GDPR, CCPA, etc.), you may have the following rights:

  • Right to Access: Request a copy of your personal data we hold
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Delete your account and associated data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to certain processing activities
  • Right to Restrict Processing: Limit how we use your data in specific circumstances
  • Cookie Controls: Manage cookies through browser settings
  • Session Management: Log out at any time to terminate your session immediately

To exercise these rights, contact us at support@aegisoptikon.com. We will respond to legitimate requests within 30 days, as required by applicable law.

Session Control: You can manage your active sessions through your account dashboard, where you can view active sessions and terminate any suspicious or unwanted sessions immediately.

8. Data Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption: TLS 1.3+ for data in transit, AES-256 for data at rest
  • Session Security: Secure, HttpOnly cookies with SameSite=Strict and Secure flags
  • Authentication: Argon2id password hashing, rate-limited login attempts
  • Infrastructure: Regular security updates, intrusion detection systems
  • Access Control: Principle of least privilege, multi-factor authentication for staff
  • Auditing: Comprehensive logging of all authentication and administrative actions
  • Session Protection: Automatic logout after 24 hours of inactivity, IP-based session validation

While we implement robust security measures, no system can guarantee absolute security. We continuously monitor and improve our security practices to protect your data.

9. Children's Privacy

The Service is not intended for individuals under the age of 18 (or the legal age of majority in your jurisdiction). We do not knowingly collect information from minors. If we become aware that we have collected personal data from a minor without parental consent, we will take steps to delete that information promptly.

10. International Data Transfers

As a global service, your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for these transfers, including:

  • Standard Contractual Clauses (SCCs) with all data processors
  • Data processing agreements that meet GDPR requirements
  • Encryption of all data in transit and at rest
  • Regular security assessments of our infrastructure providers

By using our Service, you consent to the transfer of your data to countries that may have different data protection laws than your country of residence.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or the Service. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify registered users via email at least 30 days before changes take effect
  • Post a prominent notice on our website
  • Provide a summary of material changes for your review

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you disagree with material changes, you may terminate your account before the changes take effect.

12. Contact Information

Aegis Optikon

30 N Gould St Ste R

Sheridan, WY 82801

United States

Email: support@aegisoptikon.com

Data Protection Officer: dpo@aegisoptikon.com

For questions about this Privacy Policy, to exercise your data protection rights, or to report a security concern, please contact us using the information above. We aim to respond to all legitimate inquiries within 30 days.

If you are an EU/UK resident, you also have the right to lodge a complaint with your local data protection authority if you believe our processing of your data violates applicable law.