Bonterms-derivative. This Privacy Notice substantially follows the Bonterms Privacy Notice framework with adaptations for ElasticD3M, LLC's services, U.S. operations, GDPR for EU/UK/Swiss data subjects, CCPA/CPRA and other comprehensive U.S. state privacy laws, and the technical scope of the AIR™ (Automated Incident Response) product (intake responses only; no cloud connections, no telemetry, no regulated payloads).
1. Scope
This Privacy Notice describes how ElasticD3M, LLC ("we", "us") collects, uses, and discloses Personal Information when you visit ai4air.pages.dev, purchase AIR™, or otherwise interact with our Services. For data we process on Customer's behalf as a Processor under enterprise agreements, the Data Processing Addendum governs.
This Notice applies to all visitors and customers. EU, UK, and Swiss data subjects have additional rights under GDPR / UK GDPR / Swiss FADP described in Section 5. California and other U.S. state residents have additional rights under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and analogous comprehensive privacy laws described in Section 6.
2. Controller and Processor Roles
For Personal Information processed when you interact with our marketing site, purchase AIR™, or correspond with us, ElasticD3M, LLC is the Controller (or "Business" under CCPA/CPRA).
For Personal Data processed on Customer's behalf when the AIR™ Services process Customer's intake responses and generate the deliverable, ElasticD3M, LLC is the Processor (or "Service Provider"). Customer is the Controller. The DPA governs those processing activities.
3. Information We Collect
We collect the following categories of Personal Information:
- Identity and contact information: name, business email address, phone number, company name, business address, job title, provided at intake, checkout, or via direct correspondence.
- Engagement information: organization details, industry and regulatory profile, environment description, and security-program posture, provided through the 16-question AIR™ intake form.
- Intake responses: your answers to the AIR™ intake form, used solely to generate the deliverable. The Services do not connect to your systems and do not collect telemetry. Do not include regulated payload contents (PHI, cardholder data, GDPR Article 9 special categories) in intake answers; we do not request them and do not knowingly process them.
- Billing information: limited payment metadata (last four digits of the card, billing ZIP code, expiration date) provided to us by Stripe. We do not store full payment card numbers; Stripe is our payment processor and is a PCI DSS Level 1 service provider.
- Technical information: IP address, browser type, device type, referrer, pages visited, timestamps, collected automatically via server logs and Cloudflare Web Analytics. Cloudflare Web Analytics does not use cookies and does not track users across sites.
- Communications: emails you send to agents@ai4ciso.ai, including the content and attachments.
We do not use behavioral tracking pixels in outbound emails, cross-site advertising cookies, or session-replay tools. We do not sell Personal Information.
4. How We Use Information
We use Personal Information to:
- Provide, maintain, and improve the Services, including generating the AIR™ deliverable from your intake responses.
- Process the one-time payment and send transactional emails (welcome email, intake link, deliverable delivery, billing receipt).
- Respond to support requests and other communications.
- Comply with legal obligations, enforce our Terms of Service, and protect against fraud or misuse.
- Send service updates and infrequent product communications. You may opt out of non-essential communications at any time by clicking the unsubscribe link in any such message or emailing privacy@elasticd3m.com.
5. GDPR Rights (EU, UK, Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your Personal Data:
- Access: you may request a copy of the Personal Data we hold about you.
- Rectification: you may request correction of inaccurate or incomplete Personal Data.
- Erasure ("right to be forgotten"): you may request deletion subject to legal-retention obligations.
- Restriction: you may request that we limit Processing in specified circumstances.
- Portability: you may request export of your Personal Data in a structured, commonly used, machine-readable format.
- Objection: you may object to Processing based on legitimate interests, including direct marketing.
- Withdrawal of consent: where Processing is based on consent, you may withdraw consent at any time without affecting prior lawful Processing.
- Right to lodge a complaint with your local Supervisory Authority.
Our lawful bases for Processing include: (i) performance of a contract; (ii) compliance with legal obligations; (iii) legitimate interests in operating, securing, and improving our Services; and (iv) consent where required. For international transfers, see Section 9. To exercise any GDPR right, email privacy@elasticd3m.com; we respond within thirty (30) days.
6. CCPA/CPRA Rights (California) and Other U.S. State Rights
California residents have the right to: (i) know what Personal Information we collect, (ii) request deletion of Personal Information, (iii) request correction of inaccurate information, (iv) opt out of sale or sharing of Personal Information (we do not sell or share), and (v) limit use of "sensitive Personal Information" (we do not knowingly process sensitive PI as defined under CPRA). To exercise any right, email privacy@elasticd3m.com. We respond within forty-five (45) days of receipt. We will not discriminate or retaliate against you for exercising these rights.
If you are a resident of another U.S. state with comprehensive privacy law (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted), you have substantially similar rights and may submit a request through the same channel.
7. Disclosure to Third Parties
We disclose Personal Information to:
- Subprocessors: third-party service providers acting on our instructions. The full list with each provider's purpose, data scope, and location is published at /subprocessors and updated at least quarterly.
- Legal authorities: when required by valid subpoena, court order, or other legal process. We notify Customer of the request unless legally prohibited.
- Successors: in connection with a merger, acquisition, or sale of substantially all assets, subject to confidentiality protections consistent with this Notice.
We do not disclose Personal Information to advertising networks, data brokers, or other parties for marketing purposes. We do not engage in "cross-context behavioral advertising" as defined by CCPA/CPRA.
8. Data Retention
Active account data is retained for the duration of the customer relationship. Following termination, we retain account data for ninety (90) days to allow Customer to retrieve the deliverable, then delete or anonymize it, except where: (a) retention is required by law (for example, billing and tax records for seven years); or (b) the data is part of routine database backups, which are overwritten on a documented rotation (typically within 180 days). Intake responses are retained only as long as needed to generate and support the deliverable and are not used for any other purpose. The schedule below lists each category.
| Category | Retention period |
|---|---|
| Active-account identity and contact | Duration of relationship |
| Intake responses | 90 days after deliverable delivery |
| Deliverable PDF | 13 months (so we can re-send it on request) |
| Billing and tax records | 7 years (legal obligation) |
| Email correspondence | 3 years |
| Server logs and analytics | 13 months |
| Backups | Up to 180 days, overwritten on rotation |
9. International Data Transfers
Our Services are operated from the United States. Subprocessors are predominantly located in the United States, with some in the European Union; the Subprocessors List identifies each provider's primary location. For EU/UK/Swiss Personal Data that we process on Customer's behalf under the DPA, transfers to the United States are made pursuant to the Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, available on request from privacy@elasticd3m.com. Where applicable, we conduct transfer-impact assessments consistent with EDPB guidance.
10. Security
We maintain industry-standard administrative, physical, and technical safeguards to protect Personal Information. Specifics include: AES-GCM encryption at rest for sensitive data, TLS 1.2 or higher in transit, role-based access control with least-privilege defaults, isolated production credentials encrypted with a dedicated key management service, signed audit logs for material database actions, and a documented incident-response plan. We notify Customer of any confirmed Personal Data Breach without undue delay and in any event within seventy-two (72) hours of confirming it.
11. Children's Data
The Services are intended for business use by adults representing organizations. We do not knowingly collect Personal Information from anyone under the age of eighteen (18). If we discover we have collected such information, we will delete it promptly.
12. Changes to This Notice
We may update this Privacy Notice from time to time. For material changes, we will give at least thirty (30) days' advance notice via email or platform notice before the change becomes effective. The "Effective Date" at the bottom of this page indicates when the most recent version took effect.
13. Contact
Privacy questions, data subject requests, or general inquiries: privacy@elasticd3m.com
Postal address:
ElasticD3M, LLC
Attn: Privacy
7700 Broadway St, Ste 104 PMB1083
San Antonio, TX 78209, United States
Effective Date: June 12, 2026 · Version: 2.0 (Bonterms-derivative)
Replaces all prior versions of the Privacy Policy published at ai4air.pages.dev before this date.