Privacy Policy
Last updated: 28 May 2026 · Version 2.0 (GDPR rewrite)
1. Who is responsible (data controller)
AEDSC is operated by Alessandro, sole proprietor based in Lyon, France. The full legal notice (mentions légales) is at /legal-notice/.
For any privacy-related question, including data subject rights requests: contact@aedsc.xyz (subject: Privacy). No DPO is appointed — under GDPR Article 37, the processing scale and risk profile do not trigger that requirement for this service.
2. What we collect, why, and on what legal basis
We process the following categories of personal data. Each row is a separate processing activity under GDPR Article 6.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email submitted for a scan | Send you the scan report | Contract performance · Art 6(1)(b) | 30 days after scan |
| Contact-form fields | Reply to your message | Legitimate interest · Art 6(1)(f) | Until message thread is closed, max 24 months |
| Solidity source you submit | Run Slither / Aderyn on it; cache the result by SHA-256 so identical contracts return instantly | Contract performance · Art 6(1)(b) | Source: 30 days · cache (hash-keyed): until engine upgrade invalidates it |
| IP address (rate limiting) | Throttle abusive scan/contact volume | Legitimate interest · Art 6(1)(f) | In-memory only (per-process deque, lost on restart) |
| IP + UA in nginx access logs | Security incident investigation | Legitimate interest · Art 6(1)(f) | 90 days then rotated out |
| Stripe billing data (name, address, card, VAT ID) | Process Founder Pro subscriptions | Contract + legal obligation · Art 6(1)(b)+(c) | Per Stripe's policy + 10 years French accounting law |
We do not collect health, biometric, political, religious, or other special-category data (GDPR Article 9). If you inadvertently include any in your Solidity source or message, email us and we will delete it immediately.
3. Sub-processors and recipients
We rely on a small set of third parties strictly necessary to run the service. None of them sell your data.
| Provider | Role | Country | What they see |
|---|---|---|---|
| Stripe Payments Europe | Payment processor | Ireland (EU) | Billing data, card. International onward transfer to Stripe US under EU Standard Contractual Clauses. |
| Hostinger International Ltd | Marketing site hosting + SMTP relay | Lithuania (EU) | Static HTML, outbound email payloads |
| IONOS SE | Backend VPS — runs the scan engine | Germany (EU) | Submitted source, scan results, nginx access logs |
| GitHub Inc. | Hosts the CLI source, the Action source, and the Action's execution runner (only when a customer installs the Action — runs inside their repo's GitHub Actions environment) | United States | Only what the customer's own workflow exposes; covered by GitHub's DPA + SCCs |
| npm Inc. (subsidiary of GitHub) | CLI distribution | United States | Download counts. No personal data transmitted by us. |
We do not transfer your data to any other third party. If we add a sub-processor (e.g. an LLM provider for the planned automated rewriter), we will update this list and notify active subscribers by email 14 days before activation.
4. Cookies and tracking
We do not set any cookies. No analytics (Plausible, Google, Fathom — none), no ad pixels, no third-party JavaScript. Fonts are self-hosted via Next.js next/font (no request to Google Fonts). No consent banner is required because no consent-bearing technology is in use. You can verify by opening DevTools → Application → Cookies/Storage on any aedsc.xyz page.
5. Your rights under GDPR
You may exercise these rights at any time by emailing us:
- Access (Art 15): get a copy of your data
- Rectification (Art 16): correct inaccurate data
- Erasure / right to be forgotten (Art 17): delete your data
- Portability (Art 20): export your data in JSON
- Objection (Art 21): stop processing under legitimate-interest basis
- Restriction (Art 18): pause processing pending dispute
- Withdraw consent wherever consent is the basis (currently: none — we use contract or legitimate interest exclusively)
Email contact@aedsc.xyz with subject "GDPR request". We commit to responding within 30 days (extensible to 90 days for complex cases under Art 12(3), with notification).
You also have the right to lodge a complaint with the French supervisory authority CNIL (Commission Nationale de l'Informatique et des Libertés), 3 place de Fontenoy, 75007 Paris, France.
6. International transfers
All scan processing happens on EU soil (Germany via IONOS). Stripe and GitHub may transfer billing or Action-runner data outside the EU; both vendors are bound by the European Commission's Standard Contractual Clauses (SCCs) for transfers to the United States. Stripe's DPA: stripe.com/legal/dpa. GitHub's DPA: docs.github.com/.../github-data-protection-agreement.
7. Security
All traffic is TLS 1.2+ (Let's Encrypt certificates, auto-renewed). Source code on the backend VPS is stored under /var/lib/aedsc/scans/<id>/ with read access restricted to the aedsc user. SMTP credentials are stored in /etc/aedsc/secrets.env (root-owned, mode 640). The backend listens only on 127.0.0.1 behind nginx — no public bind. Backups are encrypted at rest with restic.
8. Data Processing Agreement for Pro customers
If you are a business subscribing to Founder Pro and need a signed DPA under Article 28 (because you are uploading your customers' or your team's Solidity source), email contact@aedsc.xyz with subject "DPA request". We'll send the standard template (subject matter, duration, data categories, our security commitments, sub-processors, deletion procedure, breach notice obligations) for signature.
9. Children
AEDSC is a developer tool and is not directed at people under 16. We do not knowingly collect data from minors. If you believe a minor has submitted data through the service, email us — we will delete it.
10. Updates to this policy
Material changes (new sub-processor, new processing activity, different retention) are announced by email to active paid subscribers at least 14 days before they take effect. Non-material changes (typos, restructuring) are versioned in the git history of the public site repository.
11. Contact
For anything in this policy: contact@aedsc.xyz — Alessandro, sole operator. A real human reads every message.