Aevum Encyclopedia / Legal / Privacy & Security

Privacy & Security Policy v2.1

📅 Last Updated: December 15, 2024 🔒 Applies to: All users, contributors, & API consumers 📄 Compliance: GDPR, CCPA, SOC 2 Type II, ISO 27001

1. Introduction & Scope

Aevum Encyclopedia ("we", "our", or "us") is committed to protecting your privacy and securing your data while delivering a world-class, AI-enhanced knowledge platform. This policy applies to all individuals who access, contribute to, or interact with Aevum services, including our website, mobile applications, developer API, and partner integrations.

Our approach to privacy is built on transparency, user control, and purpose limitation. We do not sell personal data, and we design our AI systems to minimize data retention while maximizing utility and safety.

2. Information We Collect

We collect only what is necessary to provide, secure, and improve our services. Data falls into three categories:

  • Account & Profile Data: Name, email, public profile details, contributor credentials, and preferences.
  • Usage & Interaction Data: Search queries, article views, reading history, navigation patterns, and device/browser metrics.
  • Contribution & Content Data: Edited articles, citations, multimedia uploads, peer-review submissions, and moderation actions.
Note: We do not collect sensitive personal information (e.g., health, political affiliation, biometric data) unless explicitly provided for verified contributor status or accessibility accommodations.

3. How We Use Your Data

Data Type Primary Purpose Legal Basis
Account Data Authentication, profile management, contributor verification Contract Performance
Usage Data Search optimization, content recommendation, platform analytics Legitimate Interest
Contribution Data Knowledge base expansion, peer review, version control Contract & Legitimate Interest
Security Logs Threat detection, fraud prevention, incident response Legal Obligation

4. AI Processing & Transparency

Aevum utilizes machine learning models to enhance search relevance, summarize content, detect misinformation, and suggest cross-disciplinary connections. Our AI systems operate under strict data governance:

  • Training Data: Our models are primarily trained on publicly available, licensed, and user-contributed content. We do not use private conversations or non-consensual data.
  • Query Processing: Search and AI assistance queries are processed in real-time and are not stored with identifying metadata unless you opt into research improvements.
  • Opt-Out Mechanism: Users may disable AI personalization, disable usage tracking for model refinement, and request full query deletion via Settings → Privacy → AI Controls.
  • Algorithmic Accountability: We conduct regular bias audits, maintain human-in-the-loop verification for high-impact recommendations, and publish transparency reports quarterly.
\n

5. Security Infrastructure

We treat data security as a foundational engineering requirement, not an afterthought. Our security posture includes:

  • Encryption: AES-256 at rest, TLS 1.3 in transit, and end-to-end encryption for contributor verification documents.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for all staff, and zero-trust network architecture.
  • Monitoring & Response: 24/7 automated threat detection, quarterly penetration testing, and a documented incident response plan with 72-hour user notification compliance.
  • Compliance: ISO 27001 certified, SOC 2 Type II audited annually, and GDPR/CCPA compliant by design.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. Data is shared only under the following conditions:

  • Service Providers: Hosted infrastructure (AWS, Cloudflare), analytics (Plausible, privacy-first), and payment processing (Stripe). All vendors are bound by data processing agreements (DPAs) and undergo security vetting.
  • Legal Requirements: When compelled by valid legal process, we disclose only what is legally required and notify affected users where permitted.
  • Academic & Research Partners: Aggregated, anonymized datasets may be shared with accredited institutions for educational research. Individual identities are never exposed.

7. Your Rights & Controls

Depending on your jurisdiction, you have the right to:

  1. Access, export, or delete your personal data
  2. Rectify inaccurate information
  3. Object to or restrict processing activities
  4. Withdraw consent at any time without affecting service functionality
  5. Request human review of automated decisions

Exercising these rights is free and can be done through your dashboard or by contacting our Data Protection Officer. We respond to valid requests within 30 days.

8. Data Retention

We retain data only as long as necessary to fulfill the purposes outlined in this policy:

  • Active Accounts: Retained until deletion is requested
  • Inactive Accounts: Anonymized after 24 months of inactivity
  • Search/Usage Logs: Purged after 90 days unless aggregated for analytics
  • Security/Abuse Reports: Retained for 12 months or as required by law

9. International Data Transfers

Aevum operates globally. Data may be processed in jurisdictions outside your country of residence. All cross-border transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards. You acknowledge and consent to these transfers upon using our services.

10. Contact & Data Protection Officer

If you have questions about this policy, wish to exercise your rights, or report a security concern, please contact:

Aevum Encyclopedia Trust & Safety Team
📧 privacy@aevumencyclopedia.org
🔐 PGP Key: 0x8F3A9C21E4D7B6
📍 42 Knowledge Way, Suite 100, Cambridge, MA 02142, USA
🌐 security.aevumencyclopedia.org (Vulnerability Disclosure Program)

This policy may be updated to reflect changes in technology, law, or platform features. Material changes will be communicated via email or prominent on-site notice. Your continued use constitutes acceptance of the revised terms.