Privacy Policy
Last updated: 2026-05-07
1. Who we are
AAS Studio is a software-as-a-service product that helps manufacturers create Asset Administration Shell (AAS) files. Operator: Miguel Reis (sole proprietor, Portugal). Contact: privacy@aas-studio.com.
2. What data we collect
- Account data: email address, name, profile image (provided by you via Clerk).
- Usage data: AI extraction count per month (for telemetry).
- Cloud-saved models: AAS file content (XML/JSON) you explicitly save via the Cloud Library feature. The editor itself runs locally — we do not see files unless you save them.
- PDF text for AI extraction: when you use the PDF→AAS feature, the extracted text from the PDF is sent to Anthropic for processing. We do not store the PDF or its content beyond the extraction request.
- Cookies / local storage: session cookies (Clerk), authentication tokens, and IndexedDB (your in-browser model storage).
3. Why we process it (legal basis under GDPR Art. 6)
- Contract performance (Art. 6.1.b): account, billing, providing the service.
- Legitimate interest (Art. 6.1.f): security logging, fraud prevention, basic analytics.
- Consent (Art. 6.1.a): non-essential cookies / marketing emails (you opt in).
4. Sub-processors
We use the following third-party services:
- Clerk (USA, EU residency available) — authentication.
- Neon (EU/Frankfurt) — Postgres database.
- Vercel (USA, EU region available) — hosting.
- Anthropic / OpenAI (USA) — AI extraction (PDF text only, no output stored).
- Resend (USA, EU residency available) — transactional email.
- Vercel Analytics (hosted SaaS only) — anonymous page-view metrics. Disabled on self-hosted / air-gapped deployments.
Self-hosted note: a self-hosted or air-gapped install sends no telemetry. Analytics loads only on the hosted SaaS host; on any other host the beacon is never loaded. With a local LLM endpoint configured, no document content leaves your network at all.
Transfers to non-EEA countries are covered by EU Standard Contractual Clauses (SCCs) where applicable. See /security for the full sub-processor list with regions, and /dpa for our Article 28 Data Processing Agreement template.
5. Data retention
- Account data: kept while your account is active. Deleted within 30 days of account deletion.
- Cloud-saved models: kept until you delete them or your account is deleted.
- Usage logs: 12 months for billing reconciliation.
- Payment records: 10 years (legal requirement).
6. Your rights (GDPR Art. 15-22)
You have the right to access, correct, delete, export, restrict, and object to processing of your personal data. To exercise any right, email privacy@aas-studio.com. We respond within 30 days. You can also lodge a complaint with your national data protection authority.
7. Security
Data in transit is encrypted with TLS 1.3. Database access is restricted to our application via row-level isolation. Passwords are not stored — authentication is delegated to Clerk. See /security for details.
8. Changes to this policy
We may update this policy. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
Questions? privacy@aas-studio.com