Privacy Policy
Last updated: April 16, 2026
1. Introduction
Ankos ("we," "us," or "our") operates the websites ankos.dev and app.ankos.dev, as well as the Ankos command-line interface (CLI) tool. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.
By accessing or using Ankos, you agree to the terms of this Privacy Policy. If you do not agree with the terms of this policy, please do not access our services.
2. Information we collect
We collect the following types of information:
Account Information
- Email address and name provided during registration
- Organization name and billing information
- Authentication credentials (passwords are stored hashed, never in plaintext)
Evidence Data
- PCI compliance evidence you upload to the platform (documents, screenshots, PDFs)
- Metadata associated with evidence entries (timestamps, status, assigned owners)
Usage Data
- How you interact with the platform (pages visited, features used, actions taken)
- Browser type, device information, and IP address
- Referral sources and session duration
Infrastructure Scan Data
- AWS configuration data collected by the Ankos CLI when you run scans
- Scan results and generated evidence summaries uploaded to your compliance ledger
- The CLI only collects data when explicitly invoked and only transmits data to Ankos when the --upload flag is used
3. How we use information
We use the information we collect to:
- Provide and maintain the service — operate your compliance ledger, store evidence, generate exports, and manage your account
- Improve the product — analyze usage patterns to improve features, fix bugs, and optimize performance
- Communicate with you — send service-related notifications, respond to support requests, and share product updates (you can opt out of non-essential communications)
- Ensure security — detect and prevent fraud, abuse, and unauthorized access
We do not use your evidence data to train AI or machine learning models. Your compliance evidence is your data. We process it only to provide the service you have requested.
4. Data storage and security
We take the security of your data seriously, especially given the sensitive nature of PCI compliance evidence.
- Infrastructure: All data is stored on Amazon Web Services (AWS) infrastructure located in the United States
- Encryption at rest: All stored data is encrypted using AES-256 encryption
- Encryption in transit: All data transmitted between your browser/CLI and our servers is encrypted using TLS 1.2 or higher
- Access controls: Internal access to customer data is restricted to authorized personnel on a need-to-know basis, with multi-factor authentication required
- Audit logging: All access to customer data is logged and monitored
While we implement industry-standard security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data sharing
We do not sell your personal information or evidence data.
We may share limited information with the following parties:
- AWS (infrastructure provider): Your data is stored on AWS infrastructure. AWS acts as a data processor and does not have access to the contents of your data
- Payment processor: Billing information is shared with our payment processor (Stripe) to process subscription payments. We do not store credit card numbers on our servers
- Legal requirements: We may disclose information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others
We do not share your evidence data with any third parties for marketing, advertising, or analytics purposes.
6. Your rights
You have the following rights regarding your data:
- Access: You can request a copy of all personal data we hold about you
- Correction: You can update or correct your account information at any time through the platform settings
- Deletion: You can request deletion of your account and associated data. Note that PCI compliance evidence may be subject to regulatory retention requirements — we will work with you to determine appropriate retention periods before deletion
- Export: You can export your compliance ledger data and evidence files at any time through the platform's export feature
To exercise any of these rights, contact us at privacy@ankos.dev. We will respond to your request within 30 days.
7. Cookies
We use essential cookies only. These cookies are necessary for the platform to function and include:
- Session cookies to keep you logged in
- Security cookies for CSRF protection
- Preference cookies to remember your settings
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking or retargeting networks.
8. Data retention
- Account data: Retained while your account is active and for a reasonable period afterward to comply with legal obligations
- Evidence data (Team plan): Retained for 12 months of rolling history as part of the Team plan. Evidence from older cycles is archived and available upon request
- Deleted data: When you delete evidence or your account, data is permanently deleted from our systems in accordance with our data retention policy
- Usage data: Aggregated and anonymized usage data may be retained indefinitely for product improvement purposes
9. International users
Ankos is hosted and operated in the United States. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States.
For users in the European Economic Area (EEA) or United Kingdom, we process your data based on the following legal bases: contractual necessity (to provide the service you requested), legitimate interest (to improve our services and ensure security), and consent (where applicable). You may have additional rights under the GDPR, including the right to lodge a complaint with your local data protection authority.
10. Children's privacy
Ankos is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@ankos.dev.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or a prominent notice on our platform.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
12. Contact us
If you have questions about this Privacy Policy or our data practices, contact us at: