1. Who We Are
Alesko AI Pty Ltd ("we", "us", or "our") operates the Alesko BluPrint platform (the "Service"). We are committed to protecting your personal information and handling it with transparency and care.
For GDPR purposes, Alesko AI Pty Ltd is the data controller for personal data collected through the Service. If you have questions about how we process your data, contact our Data Protection Officer at dpo@alesko.ai.
2. Data We Collect
We collect the following categories of personal data:
- Account data: Your name, email address, company name, and any profile information you provide when registering or updating your account.
- Authentication data: Magic link tokens, hashed security passcodes, and session identifiers. We never store passwords or passcodes in plain text.
- Usage data: Pages visited, features used, actions taken within the Service, and timestamps of those actions. This data helps us improve the Service.
- Workspace content: Projects, tasks, documents, comments, and any other content you create or upload through the Service.
- Technical data: IP address, browser type, operating system, device identifiers, and log data generated during your use of the Service.
- Consent records: Timestamps and version numbers of your acceptance of our Terms of Service and Privacy Policy.
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing the Service: Creating and managing your account, processing requests, and delivering core platform functionality.
- Authentication and security: Verifying your identity, preventing unauthorised access, and detecting abuse.
- AI-powered features: Providing AI task creation, document generation, and other AI-assisted features using your workspace content as context.
- Communications: Sending service-related emails such as magic links, notifications, and important account updates.
- Product improvement: Analysing aggregated usage patterns to improve performance, reliability, and user experience.
- Legal compliance: Meeting our obligations under applicable laws, including data retention requirements and responding to lawful requests.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and product analytics — balanced against your privacy rights.
- Consent (Art. 6(1)(a)): Where you have explicitly consented, such as accepting our Terms of Service during onboarding.
- Legal obligation (Art. 6(1)(c)): Where we are required to process data to comply with applicable law.
5. Data Sharing and Sub-Processors
We do not sell your personal data. We may share your data with trusted third-party service providers ("sub-processors") who assist us in delivering the Service. All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards.
Our key sub-processors include:
- Microsoft Azure — Cloud infrastructure and database hosting (Australia East region)
- MongoDB Atlas — Multi-tenant document storage
- Cloudflare — Bot protection and content delivery
- Resend / email provider — Transactional email delivery
We may also disclose your data to law enforcement or government authorities where required by law.
6. International Data Transfers
Your data is primarily stored and processed in Australia (Azure Australia East). Where data is transferred outside Australia or the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms.
7. Data Retention
We retain personal data for as long as your account is active or as needed to provide the Service. If you request account deletion, we will anonymise or delete your personal data within 30 days, subject to any legal obligations requiring us to retain certain records.
Audit logs and security records may be retained for up to 12 months for compliance purposes.
8. Security
We implement industry-standard security measures to protect your personal data, including:
- Encryption in transit using TLS 1.2 or higher for all data communications
- Encryption at rest for database storage
- HttpOnly, Secure, SameSite cookies for authentication tokens
- Bcrypt hashing for any stored passcodes
- Role-based access controls limiting data access to authorised personnel
- SOC 2-aligned controls including audit logging and session management
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@alesko.ai.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten").
- Right to portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
- Right to restrict processing (Art. 18 GDPR): Request that we limit how we use your data in certain circumstances.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at dpo@alesko.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
10. Cookies
We use essential cookies to maintain your authenticated session (HttpOnly JWT cookies). We do not use third-party tracking or advertising cookies. If we introduce non-essential cookies in the future, we will request your prior consent.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-app notification at least 14 days before the changes take effect. The effective date at the top of this page reflects the most recent update.
13. Contact Us
For general privacy inquiries: privacy@alesko.ai
For GDPR-specific requests or to reach our Data Protection Officer: dpo@alesko.ai
Alesko AI Pty Ltd, Sydney, Australia.