Privacy Notice

Overview

This Privacy Notice describes how Aquil Safety ("we," "us," or "our") collects, uses, discloses, and protects personal data in connection with our services, platforms, and websites. It applies to authorized users of the Aquil Safety dashboard, APIs, and related services.

By using our services, you acknowledge the data practices described in this notice.

Last reviewed: April 27, 2026.

Data we collect

Account and authentication data

We use Supabase to manage authentication. Depending on the sign-in method you use, we collect:

Google Sign-In

When you authenticate using Google, we receive the following information from your Google account:

• Full name
• Profile picture
• Email address

Email and password

When you register or sign in with an email address and password:

• Email address
• A hashed (never plaintext) password, managed by Supabase Authentication

We do not store your plaintext password. Supabase handles password hashing and credential storage.

Usage and operational data

We may collect data related to your use of the Services, including:

• Login timestamps and session metadata
• Actions performed within the dashboard
• API request logs (endpoint, timestamp, response status)
• API authentication metadata, including API key identifier, creation/rotation/revocation events, and last-used timestamps
• Source IP address and related request metadata (for example user agent) associated with dashboard and API access
• Device and browser type (for session security purposes)

Website analytics and feature flag data

On our marketing website, we use PostHog for web analytics and to support feature flagging for product rollouts. This may include:

• Technical metadata such as page URL, referrer URL, browser/device details, timestamp, and approximate location inferred from IP address.
• Event data tied to specific actions, including:
  • waitlist_signup_succeeded: email, source
  • waitlist_signup_failed: email, source, error, status
  • sign_in_clicked: location
  • nav_link_clicked: label, href
  • blog_post_clicked: post_id, title, slug
  • blog_searched: query

Where an event includes personal data (for example email address or free-text search query), we process it for product analytics, operations, security monitoring, and controlled feature releases.

Data provided through the Services

Clients and authorized operators may submit data through the Services in the course of safety operations, including incident reports, location data, and sensor outputs. This data is governed by the applicable executed agreement and the Acceptable Use Policy.

How we use your data

We use collected data to:

• Authenticate and authorize access to the Services
• Maintain session security and detect unauthorized access
• Enforce API security controls (including key lifecycle controls, anomaly detection, and abuse prevention)
• Provide, operate, and improve the Services
• Meet legal, contractual, and audit obligations
• Communicate operationally significant updates

We do not sell your personal data to third parties.

Third-party services

Supabase

We use Supabase for authentication and data storage. Supabase processes personal data on our behalf under its own privacy and data processing terms. For details, see Supabase's Privacy Policy.

Google OAuth

When you sign in with Google, Google processes your authentication request under Google's Privacy Policy. We receive only the data listed above (full name, profile picture, email address) and do not have access to your Google account password.

PostHog

We use PostHog to process analytics and feature flag data described in this notice. PostHog acts as a service provider/processor on our behalf for these functions.

Data retention

We retain personal data for the minimum period necessary to fulfill the purposes described in this notice, comply with applicable legal requirements, and meet contractual obligations. Account data may be retained for the duration of the contract term and for a period thereafter as required by law or audit obligations.

Data security

We apply industry-standard technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These include:

• Encrypted data transmission (TLS)
• Access controls and role-based permissions
• Audit logging for sensitive operations
• Supabase security infrastructure for authentication data

No system is completely secure. If you believe your account has been compromised, notify your administrator and use the incident contact path defined in your agreement immediately.

Your rights

Depending on your jurisdiction and applicable law, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Object to or restrict certain processing activities

To exercise these rights:

• Use Settings → Security → Privacy requests in the Aquil dashboard to download your current account data export.
• Use Settings → Security → Privacy requests to submit an access or deletion request that is tracked through our compliance workflow.
• You may also contact us through the legal contact path defined in your agreement or through your organization's designated data protection contact.

Children's privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us immediately.

Changes to this notice

We may update this Privacy Notice periodically. Material changes will be communicated through your contractual contact path. The "Last reviewed" date at the top of this page reflects the most recent update.

Contact

For privacy-related inquiries, data subject requests, or to report a privacy concern, use the legal contact path defined in your agreement.