Privacy and data protection

How AACsearch protects your privacy and complies with GDPR, Russian 152-FZ, and other data protection laws.

AACsearch takes your data privacy seriously. We comply with international and Russian data protection laws, including GDPR, 152-FZ (Russian data protection law), and other regulations.

Your data is yours. We never sell, transfer, or use your data for commercial purposes without your explicit consent.

What we collect

Data you upload

When you create an index and upload documents, we store:

  • Document content — product names, descriptions, attributes
  • Metadata — prices, categories, links, images
  • Configuration — search rules, synonyms, filters

Only you and members of your organization can see this data.

Usage data

To improve the service we collect:

  • Search queries — what words people search for (not linked to identity)
  • Search metrics — how many results are returned, processing time
  • Errors and issues — what errors occur (helps us improve the service)

This data is anonymized — we don't know who searched, only what was searched.

Account data

For the service to operate we need:

  • Email address — for sign-in and password recovery
  • First and last name — to display in your profile
  • Organization information — name, country, business type

You control all of this data.

How we use data

Allowed uses

  • ✓ Storing and managing your indexes
  • ✓ Processing search requests
  • ✓ Sending service notifications (password change, important updates)
  • ✓ Improving search algorithms (on anonymized data)
  • ✓ Technical support
  • ✓ Meeting legal obligations (court, law enforcement)

Forbidden uses

  • ✗ Selling data to third parties
  • ✗ Using it for advertising or marketing
  • ✗ Sharing with competitors
  • ✗ Using it to train other services (without your consent)
  • ✗ Publishing on the internet or social media

GDPR (European Union)

If you are in the EU or work with European users, we comply with GDPR:

  • Right of access — you can download all of your data
  • Right to erasure — you can delete your account and all data
  • Right of rectification — you can update your data
  • Right to object — you can opt out of certain processing
  • Data portability — you can export your data to another service

Legal basis: contract performance (running the service), your consent, legal obligation.

152-FZ (Russia)

If you are in Russia or work with Russian users, we comply with 152-FZ (Russian Federal Law on Personal Data):

  • Consent to processing — you give consent at registration
  • Storage in Russia — your data is stored on Russian servers (if you pick the "Russia" region)
  • Leak protection — we use encryption and access control
  • Documentation — we maintain a personal data processing register

Data operator: AA Search JSC (АО), Moscow.

Other countries

We also comply with:

  • CCPA (California) — right to access and delete
  • PIPEDA (Canada) — personal data protection
  • LGPD (Brazil) — internet data protection
  • PDPA (Thailand) — consent to data processing

Data security

Encryption

All data is protected with encryption:

  • In transit — HTTPS with TLS 1.3 (latest protocol)
  • At rest — AES-256 (military-grade encryption)

This means: even if an attacker intercepts the data, they can't read it.

Access control

  • Authorized users only — sign in by password or passkey
  • Two-factor authentication — optional extra protection
  • AACsearch employees — access limited to support; no access to your data
  • Action logging — who, when, and what was done with data

Backups

  • Automatic backups — every 6 hours
  • Encrypted storage — backups are encrypted too
  • Restore — we can restore data from any point in time

Vulnerability management

  • Bug-bounty program — we pay for found vulnerabilities
  • Continuous scanning — our systems are constantly checked
  • Fast remediation — vulnerabilities are closed in hours, not days

User rights

How to download your data

  1. Open Settings → Privacy
  2. Click Download all my data
  3. AACsearch creates an archive of all your documents and configuration
  4. You receive a download link (valid for 7 days)

# Or via the API
curl "https://app.aacsearch.com/api/v1/export/data" \
  -H "Authorization: Bearer YOUR_API_KEY"

How to delete your data

  1. Open Settings → Privacy
  2. Click Delete my account
  3. Confirm the deletion (enter your password)
  4. All your data is removed within 30 days

After deletion:

  • ✓ The account stops working
  • ✓ All indexes and documents are deleted
  • ✓ Your API keys stop working
  • ✓ This action can't be undone

How to object to processing

If you disagree with how we process your data:

  1. Email: privacy@aacsearch.com
  2. Tell us which data and why
  3. We respond within 10 days

How to request information

If you want to know what data we keep about you:

  1. Open Settings → Privacy
  2. Click Tell me what data you have on me
  3. We send a detailed report by email

Cookies and tracking

What cookies are

Cookies are small files that store information about you in the browser. We use them for:

  • Authentication — to remember you're signed in
  • Preferences — to remember your language and theme (light/dark)
  • Analytics — to understand how people use the service (without identity tracking)

How to manage cookies

You can disable cookies in the browser:

  • Google Chrome — Settings → Privacy and security → Cookies
  • Firefox — Settings → Privacy & Security → Cookies
  • Safari — Preferences → Privacy → Cookies

Note: if you disable all cookies, the service may run slower.

Analytics

We don't use third-party analytics like Google Analytics. All usage data stays inside AACsearch.

Third parties and contractors

Who we share data with

We share the minimum amount of data with third parties:

| Recipient | What | Why |
|---|---|---|
| Hosting provider (DigitalOcean, AWS) | Server data | Service hosting |
| Email provider (SendGrid, AWS SES) | Email addresses | Sending emails (verification, password reset) |
| Payment provider (Stripe) | Payment data | Payment processing |
| Audit firm | Log files | SOC 2 audit |

All contractors sign a Data Processing Agreement (DPA).

How we vet contractors

  • Security standards — they hold SOC 2 or ISO 27001 certification
  • Storage region — the contractor must comply with the region you chose
  • Retention — the contractor stores data only for as long as needed

International data transfers

If you are in the EU but your data lives in the US, that's possible thanks to:

  • Standard Contractual Clauses (SCCs) — legal mechanism for cross-border transfers
  • CJEU C-311/18 (Schrems II) — court decision confirming the legality of transfers under specific conditions

If you want data to stay in the EU, pick the "Europe" region in settings.

Updates and changes

When we change the privacy policy:

  1. We notify you 30 days before the change
  2. You can read the new version
  3. If you disagree, you can delete your account

Current privacy policy version: 2026-01-15

Contact information

For privacy questions:

To file a privacy complaint:

Frequently asked questions

Q: Can we trust AACsearch? A: Yes. We hold SOC 2 Type II certification, comply with GDPR and 152-FZ, and our code is audited by independent security researchers.

Q: Can your app track my users? A: No. The search widget does not track IP addresses, location, or other sensitive information. It only sends the search query and click analytics (which result the user opened).

Q: What about GDPR rights such as the right to be forgotten? A: You can delete individual documents in the dashboard or via the API. You can also delete the whole account, which removes all data.

Q: What if my company has special requirements (financial, healthcare)? A: Contact our sales team. We can sign a BAA (Business Associate Agreement), DPA, and other documents.

Q: How often do you update the privacy policy? A: We update it as needed, typically once a quarter. All changes are announced 30 days in advance.
