Privacy Policy
Last updated · 27 April 2026
1. Data Controller
The data controller is AION Cover S.r.l., with registered office in Italy. You can reach our privacy team at privacy@aioncover.com.
For our enterprise (B2B) customers, AION acts as a processor in respect of personal data we handle on their behalf in connection with the AION platform; the relevant terms are set out in the data processing addendum executed between AION and each customer.
2. Scope
This Policy applies to personal data we process when:
- you visit aioncover.com or any related marketing domain;
- you contact us through the website, email, or other communication channels;
- you receive aftersales protection administered through AION on behalf of one of our brand partners; or
- you act as a representative of an actual or prospective AION customer, partner, supplier, or vendor.
Where AION processes data on behalf of a brand partner, that partner's own privacy notice will govern the relationship with its customers; this Policy describes only AION's own processing activities.
3. Personal Data We Collect
3.1 Information you provide directly
- Identity & contact data: name, business email, company name, role, and any details you include in messages you send us.
- Commercial data: information exchanged during sales, onboarding, and ongoing account management.
- Asset & policy data (where applicable): item description, declared value, registration date, location, and related coverage details.
3.2 Information collected automatically
- Technical data: IP address, device identifiers, browser type and version, operating system, language preferences, and approximate (city-level) location.
- Usage data: pages viewed, referring URLs, timestamps, and aggregated session metrics.
- Cookies and similar technologies: see our Cookie Policy.
3.3 Information from third parties
We may receive limited information from public registries, business information providers, our brand partners, and authentication services strictly to verify identity, establish eligibility, or prevent fraud.
4. Purposes & Legal Bases
We process personal data only where we have a lawful basis under Article 6 GDPR. The principal purposes and bases are:
- To provide, operate, and improve the AION platform — performance of a contract (Art. 6(1)(b)) or, for representatives of corporate customers, our legitimate interest in delivering the service (Art. 6(1)(f)).
- To respond to enquiries you send us — performance of pre-contractual steps at your request, or our legitimate interest in commercial communications.
- To administer aftersales protection programmes on behalf of brand partners — performance of the underlying contract between you and the brand, or compliance with our legal obligations as service provider.
- To prevent fraud, abuse, and security incidents — our legitimate interest in protecting AION, our partners, and their customers, and compliance with our legal obligations.
- To send service communications (transactional updates, security notices, contractual notifications) — performance of a contract.
- For limited B2B marketing to existing or prospective enterprise contacts — our legitimate interest, with opt-out provided in every message.
- To comply with applicable law, respond to lawful requests, and exercise or defend legal claims — compliance with legal obligations and our legitimate interest.
Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests are not overridden by your rights and freedoms. You may request further information at any time.
5. Recipients & Sub-Processors
We share personal data only where necessary, and only with parties subject to confidentiality and appropriate data-protection obligations. Categories of recipients include:
- Brand partners, where you have registered an asset or made a claim through one of their AION-powered programmes.
- Insurance underwriters and intermediaries, who issue and administer the underlying coverage.
- Cloud infrastructure providers hosting the AION platform, including Vercel Inc. and Amazon Web Services EMEA SARL.
- Transactional email providers, including Resend (Resend, Inc.), used to deliver enquiry receipts and service messages.
- Professional advisors (legal, audit, tax) under duties of confidentiality.
- Public authorities, regulators, and law enforcement where compelled by law or strictly necessary to protect rights or safety.
- Acquirers or successors in connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business, subject to equivalent privacy commitments.
A current list of our material sub-processors is available on request at privacy@aioncover.com.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area (“EEA”). Where we transfer personal data outside the EEA, we rely on transfer mechanisms recognised under Chapter V GDPR, including the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) supplemented by additional safeguards where required, or adequacy decisions where these apply (e.g. the EU–US Data Privacy Framework, where the recipient is certified). A copy of the relevant safeguard can be requested at privacy@aioncover.com.
7. Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Indicative retention periods:
- Sales and enquiry data: up to 24 months from last interaction, then deleted or anonymised.
- Customer-account and contractual records: for the duration of the contract plus 10 years, in line with civil-law limitation periods and tax/audit requirements.
- Claims and policy administration: per the retention schedule of the underwriting insurer and applicable insurance regulation, typically up to 10 years from claim closure.
- Website logs and analytics: up to 14 months in identifiable form, then aggregated.
8. Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include encryption in transit and at rest, role-based access control, multi-factor authentication for privileged users, network segmentation, vendor due diligence, regular vulnerability scanning, and a documented incident-response procedure.
No system is impenetrable. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals, in accordance with Articles 33–34 GDPR.
9. Your Rights
Subject to applicable conditions, you may exercise the following rights:
- Access — obtain confirmation of whether we process your data and a copy of it.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — ask us to delete data, subject to limitations.
- Restriction — ask us to limit processing in specific circumstances.
- Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller, where technically feasible.
- Objection — object to processing carried out on the basis of legitimate interests or for direct marketing.
- Withdrawal of consent, where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with a supervisory authority, including the Italian Garante per la Protezione dei Dati Personali (gpdp.it) or the authority in your habitual residence.
To exercise any of these rights, write to privacy@aioncover.com. We will respond within one month from receipt of a verifiable request, extendable by a further two months for complex requests.
10. Automated Decision-Making
We do not use personal data for automated decisions producing legal effects concerning you, or similarly significantly affecting you, within the meaning of Article 22 GDPR. Where, in the future, we use such processing (e.g. fraud-prevention scoring), we will inform you, provide meaningful information about the logic involved, and offer appropriate safeguards.
11. Children
The AION platform is a B2B service not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected such data without a valid lawful basis, we will delete it promptly.
12. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the latest revision. Where changes are material, we will provide reasonable advance notice through the AION platform or by email.
13. Contact
For any question concerning this Policy or the processing of your personal data, please write to privacy@aioncover.com.
