Data Breach Notification Policy

Effective: March 2026

This policy describes how Aelu detects, responds to, and communicates security incidents that may affect your personal data. We take the security of your information seriously and commit to transparency if something goes wrong.

1. What Constitutes a Breach

A data breach is any incident where personal data is accessed, disclosed, altered, or destroyed without authorization. This includes:

• Unauthorized access to user accounts or the database
• Accidental exposure of personal data (email addresses, hashed passwords, study data)
• Loss or theft of data through a vulnerability in our systems
• Compromise of third-party services that process data on our behalf (Stripe, Resend)

2. Detection and Assessment

We monitor for potential breaches through:

• Security audit logging of all authentication events
• Automated alerts for unusual access patterns
• Sentry error monitoring for application-level anomalies
• Regular review of access logs and system health

When a potential breach is detected, we assess: what data was affected, how many users are impacted, the severity and likelihood of harm, and whether the breach is ongoing or contained.

3. Notification Timeline

Within 72 hours of confirming a breach that poses a risk to your rights or freedoms, we will:

• Send an email to every affected user describing what happened, what data was involved, and what we are doing about it
• Post a notice on the Aelu website and, if warranted, in the app itself
• Notify any relevant supervisory authorities as required by applicable law (GDPR Article 33, state breach notification laws)

If the breach is limited in scope and poses minimal risk (e.g., an internal logging error that exposed no data externally), we will document it internally and disclose it in our next transparency update.

4. What We Will Tell You

Our breach notifications will include:

• A clear description of what happened, in plain language
• What types of personal data were involved
• What we have done to contain and remediate the breach
• What you should do (e.g., change your password, monitor accounts)
• How to contact us with questions

5. Remediation

Depending on the nature of the breach, we may:

• Force-reset passwords for affected accounts
• Invalidate active sessions
• Patch the vulnerability that caused the breach
• Engage external security expertise for forensic analysis
• Offer credit monitoring if financial data was exposed (note: Aelu does not store payment card data — Stripe handles this)

6. Record Keeping

We maintain an internal log of all security incidents, including those that do not meet the threshold for user notification. This log includes the nature of the breach, data affected, timeline of detection and response, and remediation steps taken.

7. Contact

If you believe you have discovered a security vulnerability or suspect a breach, please contact us immediately at hello@aeluapp.com. We take all reports seriously and will respond within 24 hours.