Privacy Policy

1. Introduction & scope

Aeroz provides a supply-chain authentication platform that binds a cryptographic, unit-level identity to physical goods and records authentication events as an append-only audit trail. Our customers are businesses — brands, manufacturers, distributors, wholesalers, dispensers, and their service providers — who use Aeroz to verify product authenticity, prove chain of custody, and meet traceability obligations.

This policy applies to data we process through the Aeroz dashboard, mobile and verification applications, authentication hardware (chips and tags), APIs, and the aeroz.io website. It describes our practices as a data controller for our own business and website data, and explains the roles that apply when we process data on behalf of our customers. Where Aeroz processes personal data on a customer's instructions, the customer is the controller and Aeroz acts as a processor under the applicable agreement and data processing addendum (DPA).

Our operations and data handling span the United States, the European Union, and the United Arab Emirates. We align our practices with the EU General Data Protection Regulation (GDPR), the UAE Federal Decree-Law on the Protection of Personal Data (PDPL), and the California Consumer Privacy Act as amended (CCPA/CPRA), among other applicable laws.

2. Data we collect

The categories of data we process depend on how you interact with the Services.

Customer & account data

Business information provided when a customer sets up or administers an account — such as company name, billing details, business addresses, account configuration, product and SKU records, and the locations and facilities a customer chooses to enroll. This is primarily business data rather than personal data.

Authentication & event data

Data generated when goods are authenticated or move through the supply chain, including scan and verification events, timestamps, the approximate geolocation of a scan, seal state (armed or breached), custody handoffs, and unit and chip identifiers expressed as EPCIS 2.0 events. This data is recorded to an append-only audit log. It describes products and events; it is generally not personal data, though location and device signals associated with a scan may in some cases relate to an individual.

Dashboard-user personal data

Limited personal data of our customers' personnel who are granted access to the dashboard or applications — typically name, work email address, role or permissions, and authentication and activity logs needed to secure the account. We process this to provision access, secure the Services, and support our customers.

Consumer tap-to-verify

When an end consumer taps or scans a product to verify authenticity, verification is one-way: it confirms whether the item is genuine. It does not require the consumer to create an account and does not ask the consumer to share their personal identity with us. We may process limited, non-identifying technical signals (such as a coarse region, device type, and the verification result) to operate the check and detect fraud and diversion patterns.

Website & analytics data

When you visit aeroz.io, we and our analytics providers may collect standard technical data such as IP address, browser and device type, pages viewed, referring URLs, and interaction data, to operate, secure, and improve the site. If you submit a contact or audit request, we collect the details you provide (such as name, work email, company, and your message).

Cookies & similar technologies

We use a limited set of cookies and similar technologies for essential functionality, security, and aggregate analytics. Where required by law, we request consent for non-essential cookies, and you can manage your preferences through your browser or any cookie controls we provide.

3. How we use data

We use the data described above to:

• provide, operate, secure, and maintain the Services, including authentication, custody tracking, and audit-log functionality;
• verify product authenticity and detect and prevent counterfeiting, tampering, diversion, and fraud;
• provision and manage user access and protect accounts against unauthorized use;
• generate analytics, reports, and exports (including regulatory and compliance exports) for our customers;
• communicate with customers about the Services, support, security, and account matters;
• operate and improve our website and respond to inquiries and audit requests;
• comply with legal, regulatory, and contractual obligations, and establish, exercise, or defend legal claims.

We do not sell personal data, and we do not use customer authentication or event data for advertising. When we process personal data on behalf of a customer, we do so only on that customer's documented instructions.

4. Legal bases (GDPR)

Where the GDPR applies, we rely on the following legal bases:

• Contract — to provide the Services to our customers and the individuals authorized to use them.
• Legitimate interests — to secure the Services, prevent fraud and counterfeiting, operate and improve our website, and run our business, balanced against individuals' rights.
• Legal obligation — to meet retention, compliance, and other obligations to which we are subject.
• Consent — where required, for example for certain non-essential cookies or marketing communications. You may withdraw consent at any time.

5. Sharing & sub-processors

We do not sell personal data. We share data only as needed to operate the Services and as described here:

• Infrastructure & hosting — Amazon Web Services (AWS) hosts our serverless infrastructure and stores platform data.
• Service providers / sub-processors — vetted vendors that support analytics, communications, security, and support, acting under contract on our instructions.
• Customers — authentication and custody data is made available to the customer that owns the corresponding products and account.
• Legal & safety — where required by law, regulation, or valid legal process, or to protect the rights, safety, and security of Aeroz, our customers, or others.
• Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.

A current list of sub-processors is available on request at privacy@aeroz.io and is maintained under our customer DPA.

6. International transfers

Aeroz operates across the United States, the European Union, and the United Arab Emirates, and data may be transferred to and processed in countries other than where it was collected. Where we transfer personal data internationally — including from the EU/EEA, the UK, or the UAE — we use appropriate safeguards recognized under applicable law, such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent mechanisms under the UAE PDPL, together with supplementary technical and organizational measures where needed.

7. Data retention

We retain data for as long as needed to provide the Services, and thereafter as required to meet legal, regulatory, accounting, and security obligations or to resolve disputes. Retention periods vary by data type and by the customer's configuration and instructions.

Authentication and custody records on the append-only audit log are, by design, durable. Because these records can serve as compliance and traceability evidence, they may be retained for regulatory periods — for example, the six-year record-retention expectation under the U.S. Drug Supply Chain Security Act (DSCSA) where applicable — or for other periods specified by law or by the relevant customer agreement. When data is no longer needed, we delete or anonymize it in accordance with our retention schedule.

8. Your rights

Subject to applicable law, individuals may have rights over their personal data, including the right to access, correct, delete, restrict or object to processing, port their data, and withdraw consent. Under the CCPA/CPRA, California residents have rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising those rights — noting that Aeroz does not sell personal data. The UAE PDPL and other laws provide comparable rights.

Where Aeroz acts as a processor on behalf of a customer, requests relating to that customer's data should generally be directed to the customer (the controller); we will support our customers in responding. To exercise rights for data where Aeroz is the controller, or to ask a question, contact us using the details below. We may need to verify your identity before acting, and you may have the right to lodge a complaint with a supervisory authority.

9. Security

Security is core to the Aeroz platform. We apply technical and organizational measures designed to protect data, including encryption of data in transit and at rest, role-based access controls, least-privilege administration, logging and monitoring, and use of reputable cloud infrastructure (AWS). At the unit level, product identity is protected using AES-128 cryptographic chip identity, and authentication events are written to an append-only audit log to preserve integrity. No method of transmission or storage is completely secure, but we work to protect data using industry-standard safeguards and to improve them over time.

10. Children

The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.

11. Contact

If you have questions about this policy or our data practices, or wish to exercise your rights, contact:

Aeroz Innovation LLC (a Lumi Enterprises Corp company)
Privacy: privacy@aeroz.io
Mailing address: 16192 Coastal Highway, Lewes, DE 19958, USA

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice.

This page is provided for transparency and is not legal advice. The definitive terms governing the Services are set out in the applicable customer agreement and data processing addendum.