🛡 Legal · Privacy Policy · GDPR & CCPA compliant

Your data, your call.

No surprises, no dark patterns, no selling to third parties. Here's exactly what we collect, why, and how to make us stop.

Last updated: April 28, 2026 Effective: May 1, 2026 ↧ Download PDF

The five-second version, before the lawyers get involved.

  • We collect only what we need to run AiGAP — your email, your project files, your usage stats.
  • Your project content (code, prompts, data) is yours. We don't train AI models on it.
  • We never sell your personal data to advertisers or data brokers. Ever. We make money from subscriptions, not surveillance.
  • You can export, edit, or delete everything we have on you, anytime, in one click.
  • We don't track you across other websites with ad pixels or third-party trackers.
  • We're SOC2 Type II certified and fully GDPR + CCPA compliant.
§ 01

Who we are

AiGAP is operated by AiGAP Robotic Inc., headquartered in Turkey. Our registered office is at Maslak Mah. AOS 55. Sk. 42 Maslak A Blok No: 2 Suite: 208, Sariyer / 34485 Istanbul, Turkey.

We also operate from a Turkey tech park branch at AiGAP Robotic Inc., Informatics Valley, Muallimkoy Dist. Deniz Cad. No: 143/5, 41400 Gebze, Kocaeli, Turkey.

For UK customers and European correspondence, our United Kingdom branch is AiGAP Inc., 86-90 Paul Street, 3rd Floor, London EC2A 4NE, United Kingdom (virtual office).

Throughout this policy, "we", "us", and "our" refer to AiGAP. "You" means the natural or legal person using our services.

This Privacy Policy applies to all websites, applications, APIs, and services we operate under the aigap.com domain and its subdomains (collectively, the "Services").

§ 02

What we collect

We've split this into four buckets, ordered by how sensitive each is.

Account information

Email address
To create your account, send confirmation emails, billing receipts, and security alerts. Required.
Display name & handle
What we call you in the UI and what your build URLs look like (e.g., aigap.com/u/your-handle). You can change either at any time.
Password hash
We never see or store your actual password. We use Argon2id with a per-user salt. If we get hacked, your password is still safe.
OAuth tokens (optional)
If you sign in with Google, GitHub, Apple, or Microsoft, we store an opaque token. We never see your password on those services.

Project content

Everything you create on AiGAP — chat messages, prompts, generated code, deployed apps, uploaded files, custom datasets. We treat this as your private property. See § 5 for what we don't do with it.

Usage & technical data

  • Build counts, API call counts, plan tier (used for billing and rate limiting)
  • IP address (kept for 30 days for fraud and abuse detection, then hashed)
  • Browser type, OS, language, timezone (used to render the UI correctly and detect anomalies)
  • Crash logs and error traces (no personal content included)

Payment data

If you upgrade, our payment processor (Lemon Squeezy globally, or iyzico for Turkish customers) handles your card details. We see only:

  • The last 4 digits and brand of your card (e.g., "VISA •••• 4242")
  • Billing email and country (for tax purposes)
  • Transaction IDs and amounts

We never see, store, or log your full card number or CVV.

§ 03

Why we collect it

Under GDPR, every piece of data we collect must have a lawful basis. Here's ours, item by item:

  • Contractual necessity — to provide the service you signed up for (your email, account data, project content, billing info).
  • Legitimate interest — to keep AiGAP secure, prevent abuse, and improve the platform (IP addresses, usage stats, crash logs).
  • Consent — for optional things like marketing emails or beta features (you can withdraw at any time).
  • Legal obligation — when we have to retain certain billing records for tax law (typically 7 years).
Plain English

We collect what's necessary to run AiGAP and what's useful to make it better. Nothing more. We never collect data "just in case" or to sell it later.

§ 04

Who we share it with

We share data only with the providers we need to run AiGAP. Each one is a contractually-bound subprocessor with a Data Processing Agreement (DPA).

AWS (United States) · hosting
Stores your project files, runs the AiGAP runtime, and hosts our database. Region: us-east-1 (default) or eu-west-1 (Europe-residency option).
Lemon Squeezy (United States) · payments
Processes credit card payments globally. They are our Merchant of Record and handle all VAT/sales tax. Card data goes directly to them — never to us.
iyzico (Turkey) · payments TR
Processes payments for Turkish customers. PCI DSS Level 1 certified.
Postmark (United States) · email
Sends transactional emails (signup confirmations, password resets, billing receipts). They never see project content.
Cloudflare (Global) · CDN & DDoS
Routes web traffic, blocks attacks, and speeds up load times. They see IP addresses and request paths, never request bodies.
Anthropic, OpenAI, Google · AI inference
If you use the cloud LLM option (default), your prompts go to one of these providers. They have their own retention and training policies — we configure them with "do not train on data" flags where available.

The full, current list is published at aigap.com/legal/subprocessors. We notify you 30 days before adding a new subprocessor.

What we never do

We do not sell your personal data, project content, or usage data to advertisers, data brokers, or any third party. Selling data is not part of our business model and never will be.

§ 05

AI training & your content

This is where most "AI platforms" get evasive. We won't.

What we do NOT do

  • We do not train AiGAP's foundation models on your prompts, generated code, uploaded files, or any project content.
  • We do not share your content with third-party AI training datasets (Common Crawl, LAION, etc.).
  • We do not use your content to fine-tune general-purpose models.

What we do

  • If you opt-in to "Improve AiGAP for everyone" in your settings (off by default), we may use anonymized, aggregated patterns from your workflow — never raw content — to improve our prompt-routing logic.
  • If you build a Custom Model on Gold plan, fine-tuning runs only on your data and the resulting weights belong to you.

Cloud LLM providers

When you use the default cloud LLMs (Claude, GPT, Gemini), your prompts are sent to those providers for inference. We send our requests with the strongest possible "no training" flags:

  • Anthropic Claude — default API does not train on inputs (per Anthropic's commercial terms).
  • OpenAI GPT — we use the API tier, which does not train on data by default.
  • Google Gemini — we use the paid Vertex AI tier with training disabled.

If you don't trust those guarantees, switch to a local LLM (Llama, Mistral) on Pro or Gold. Then nothing leaves your machine.

§ 06

Cookies & tracking

We use the smallest number of cookies we can get away with.

Strictly necessary (no consent required)

  • aigap_session — keeps you logged in. Lifetime: session or 30 days if "remember me" is checked.
  • aigap_csrf — prevents cross-site request forgery. Lifetime: session.
  • aigap_lang — remembers your language preference. Lifetime: 1 year.

Optional (only if you consent)

  • Plausible Analytics (privacy-friendly, no personal data, no cross-site tracking). You can opt out in your account settings.

Things we do NOT use

  • Google Analytics
  • Facebook Pixel
  • LinkedIn Insight Tag
  • TikTok Pixel
  • Any retargeting or advertising trackers

Our cookie banner reflects this — it's intentionally minimal. No "legitimate interest" trickery to opt you in by default.

§ 07

Your rights

Under GDPR (EU), CCPA (California), and similar laws elsewhere, you have the following rights, all of which we honor globally — not just where required:

  • Right to access. See exactly what data we have on you. Self-serve in Settings → Privacy → Export my data.
  • Right to rectification. Correct anything wrong. Most fields are editable in your account settings.
  • Right to erasure ("right to be forgotten"). Delete your account and all associated data. One click. Confirmation email follows.
  • Right to data portability. Export everything as a .aigap.zip file (account data + projects + builds).
  • Right to restrict processing. Pause certain processing while you investigate concerns.
  • Right to object. Opt out of any processing based on legitimate interest.
  • Right to not be subject to automated decision-making. No, we don't use AI to make consequential decisions about you (we use AI to make consequential decisions about your software).
  • Right to lodge a complaint. With your local data protection authority. We'd appreciate hearing from you first so we can fix it, but it's your right either way.
How to exercise

Most rights are self-serve at Settings → Privacy. For anything that needs a human, email support@aigap.com. We respond within 30 days (usually within 48 hours).

§ 08

Data retention

We don't keep things longer than we need.

Account data
For as long as your account is active. Permanently deleted within 30 days of account deletion (or 90 days if you cancel a subscription mid-period — to allow recovery).
Project content
Same as account data. Pro tip: always export a copy before deleting your account.
Build history & logs
30 days on Free, 30 days on Pro, 1 year on Gold. Older logs are permanently deleted.
IP addresses
30 days raw, then hashed for fraud detection. Hashed values cannot be reversed.
Billing records
7 years (required by US, EU, and Turkish tax law).
Backups
Encrypted snapshots are retained for 30 days for disaster recovery, then permanently destroyed. Deleted accounts are also purged from backups within 30 days.
§ 09

Security

We treat security as a feature, not a checkbox.

  • SOC2 Type II certified (annual audit by Bishop Fox).
  • Encryption in transit — TLS 1.3 on all connections. We don't speak HTTP.
  • Encryption at rest — AES-256-GCM for all stored data, including backups.
  • Argon2id password hashing with per-user salts and pepper.
  • Secrets isolation — API keys, tokens, and credentials are stored in HashiCorp Vault, not the application database.
  • Annual penetration testing — external red team with results published in our trust portal.
  • Bug bounty program on HackerOne. Critical bugs pay up to $25,000. Find one at hackerone.com/aigap.
  • 24/7 incident response. If we detect a breach affecting your data, we notify you within 72 hours as required by GDPR.
§ 10

International transfers

AiGAP is operated globally. This means your data may be processed in countries other than your own.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States and other jurisdictions without an adequacy decision, we rely on:

  • EU Standard Contractual Clauses (SCCs) — 2021 module-2 clauses with all required appendices.
  • EU-US Data Privacy Framework — for transfers to certified US subprocessors.
  • Supplementary technical measures — encryption keys held only by AiGAP, not the host.

If you're on the Gold plan, you can request EU-only data residency — all your data stays in our Frankfurt (eu-central-1) region. Email info@aigap.com.

§ 11

Children

AiGAP is not directed to anyone under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@aigap.com and we will delete it immediately.

For users between 16 and 18, we recommend parental supervision and review of this policy together.

§ 12

Changes to this policy

We may update this policy. When we do:

  • The "Last updated" date at the top changes.
  • For material changes (anything affecting your rights or how we handle data), we email all active users at least 30 days before the new version takes effect.
  • For minor changes (typos, clarifications), we update silently.

You can view the full revision history at aigap.com/legal/privacy/history. We never edit old versions — we keep them as a public record.

§ 13

Contact us

If you have any questions about this policy, want to exercise your rights, or just want to tell us we're doing privacy wrong, here's how to reach us.

Privacy questions?

We respond to every privacy email, usually within 24 hours. The Data Protection Officer is a real human, not a ticketing system.

support@aigap.com info@aigap.com Trust portal
— You might also need —
Read our Terms of Service