Privacy Policy

AIROTECH INC ("AIROTECH", "we", "us", or "our") operates AIROTECH Connect™, a multi-tenant integration platform available at connect.airotech-inc.com. This Privacy Policy describes the information we collect, how we use it, how we protect it, and the choices available to tenants and end users.

By using AIROTECH Connect™ you agree to the collection and use of information in accordance with this policy. This policy may be updated from time to time; the effective date above reflects the most recent revision.

Account data. When a tenant registers a workspace or an administrator signs in, we collect the email address, a one-way hashed password, the workspace name, and the plan tier.

Event payloads. Under our zero-knowledge payload architecture, inbound webhook bodies received at /api/events/ingest are never persisted to the canonical event log. They live only inside an ephemeral in-flight cache for the duration of the retry window (hard-capped at 10 minutes, typical lifetime < 40 seconds) and are deleted the moment delivery reaches a terminal state. The audit log stores only routing metadata, a SHA-256 fingerprint, and byte size — never the body itself.

Operational telemetry. HTTP request metadata, latency, error class, and retry counts are captured in application logs for incident response, capacity planning, and SLA reporting.

Cookies. A single HTTP-only session cookie named connect_session is issued on successful sign-in. No advertising cookies, no third-party tracking cookies, and no cross-site analytics beacons are set by AIROTECH Connect™.

We use collected information to provide the platform, authenticate users, route events between connectors, enforce plan-tier limits, operate the retry and dead-letter pipeline, and produce audit logs. We do not sell personal information. We do not use tenant event payloads to train machine-learning models.

Every piece of tenant data — connectors, credentials, routing rules, event payloads, audit records — is scoped to a tenant_id at the database layer and is enforced at every API endpoint. The Kafka-compatible topic model isolates tenants with the naming scheme airotech.{tenant_id}.{event_type} so that no cross-tenant visibility exists at the message-bus layer.

All traffic between the browser, the platform API, and downstream connectors is transported over TLS 1.2+ with modern ciphers. Passwords are persisted as bcrypt hashes. Tenant API keys and connector credentials are persisted as SHA-256 one-way hashes and are never returned in plaintext after creation. MongoDB deployments use WiredTiger encryption at rest with AES-256; Enterprise deployments support customer-managed keys via cloud KMS integration.

AIROTECH Connect™ sets one functional cookie: connect_session — a JSON Web Token issued on authentication, marked HTTP-only, SameSite=Lax, and Secure when served over HTTPS. The cookie expires after seven days of inactivity. No cross-site tracking cookies are ever set.

Event payloads: zero retention. Customer event bodies are never written to durable storage. They exist only in the ephemeral in-flight cache (MongoDB TTL ≤ 10 min) and are purged on delivery, dead-letter, or dismissal — whichever comes first. Replay of a dead-lettered event is therefore only possible within the 10-minute window following the final delivery attempt.

Audit metadata. Routing metadata — event ID, event type, source and destination connector IDs, rule ID, status, timing, retry count, SHA-256 payload fingerprint, and byte size — is retained for the lifetime of the tenant workspace for compliance, SLA reporting, and idempotency. No payload contents are retained alongside this metadata.

Tenants may request earlier deletion of audit metadata by writing to privacy@airotech-inc.com. Application logs are retained for 90 days unless a longer retention window is contractually required for an Enterprise tenant.

Payment processing for Starter and Growth tiers is handled by Stripe, Inc. Stripe receives the card details directly from the browser; AIROTECH Connect™ does not store card numbers. Cloud infrastructure is provided by the tenant's contracted region and identified in the Enterprise Master Services Agreement where applicable.

Tenants and their end users may request access to, correction of, or deletion of personal information by contacting privacy@airotech-inc.com. Where applicable, GDPR, CCPA, and equivalent data subject rights are honored within the statutory response windows.

Questions about this Privacy Policy or privacy practices should be directed to privacy@airotech-inc.com.

This Privacy Policy is governed by the laws of the State of Georgia, United States, without regard to its conflict-of-laws provisions. Exclusive venue for any dispute arising out of this Policy lies in the state or federal courts located in Fulton County, Georgia.