IT First Aid Kit

Legal

Privacy Policy

Effective April 5, 2026

Data minimization by design: The Software does not read, copy, or transmit user documents, email contents, browser data, or file contents. Operations are limited strictly to Microsoft 365 authentication state.

1. Overview

Indelible Systems Inc., DBA IT First Aid Kit (“Company”) provides this Privacy Policy to explain how we collect, use, disclose, and protect information in connection with the IT First Aid Kit software and control plane.

This Policy applies to account administrators, IT professionals who deploy the Software, and end users on whose machines the Software is executed.

2. Data We Collect

Account and Billing Data

Name, business email, company name, billing address, and payment metadata (last four digits, card type, expiry). Full card numbers are processed exclusively by Stripe and never stored by us.

Basis: Contract performance. Retained: subscription term + 7 years.

License Validation Data

When the Software validates a license, it transmits:

License key hash | SHA-256 hash of the license key | No
Client ID (hardware fingerprint) | One-way hash of MAC + CPU ID + Windows MachineGuid — raw values never leave the endpoint | Pseudonymous
Software version | Version string (e.g. 1.0.0) | No
Timestamp | UTC timestamp of validation | No

Basis: Contract performance. Retained: subscription term + 2 years.

Telemetry Data

After each execution, the Software transmits:

Hardware fingerprint hash | See above | Pseudonymous
Operation | remediate, dry_run, or rollback | No
Success | Boolean outcome | No
Duration | Execution time in milliseconds | No
OS version | Windows version string | No

Basis: Legitimate interest. Retained: 90 days, then automatically deleted.

Data That Never Leaves the Endpoint

The following is generated and stored only on the endpoint machine — never transmitted to us:

  • Audit logs — full operation record, ACL-restricted to local Administrators
  • Rollback snapshots — registry state, identity cache references, AppX state
  • Credential Manager — the Software deletes entries by name only; credential secrets (passwords, tokens) are never read, stored, or transmitted

3. How We Use Data

Purpose | Data Used | Basis
License validation & seat enforcement | Key hash, client ID, version | Contract
Billing & payment | Account data, payment metadata | Contract
Customer support | Account data, validation records | Contract
Service reliability & diagnostics | Telemetry, validation logs | Legitimate interest
Fraud & abuse prevention | Validation patterns, seat counts | Legitimate interest
Product improvement | Aggregated, anonymized telemetry | Legitimate interest
Marketing (opt-in only) | Email address | Consent

We do not sell, rent, or trade personal data to third parties.

4. Data Sharing

Sub-processors

Sub-processor | Purpose | Location
Amazon Web Services | Hosting, compute, storage | USA (us-east-1)
Stripe, Inc. | Payment processing | USA
AWS SES | Transactional email | USA

We also disclose data where required by law and in connection with business transfers (with notice provided). We do not share data for third-party advertising.

5. International Data Transfers

Our Control Plane is hosted in AWS us-east-1 (USA). If you are in the EEA, UK, or Switzerland, transfers are protected by:

  • EU Standard Contractual Clauses (Decision 2021/914, Module 2)
  • UK International Data Transfer Agreement (IDTA) for UK transfers

Enterprise customers requiring a Data Processing Addendum (DPA) should contact legal@itfirstaidkit.com.

6. Your Data Rights

If you are in the EEA, UK, or a jurisdiction with applicable data protection rights, you may exercise the following rights by contacting privacy@itfirstaidkit.com:

Access | Obtain a copy of your personal data
Rectification | Correct inaccurate personal data
Erasure | Request deletion (subject to legal retention obligations)
Restriction | Limit how we process your data
Portability | Receive your data in machine-readable format
Objection | Object to legitimate-interest processing
Withdraw consent | For consent-based processing (e.g. marketing)

We respond within 30 days. Identity verification may be required.

7. Retention

Account and billing data | Subscription term + 7 years
License validation records | Subscription term + 2 years
Telemetry events | 90 days
Audit logs (endpoint-local) | Controlled by Account administrator
Support correspondence | 3 years after last interaction

8. Security

We protect personal data with:

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest (AWS-managed)
  • Least-privilege IAM — no standing production access
  • License keys stored as SHA-256 hashes — plaintext never persisted server-side
  • AWS Secrets Manager for all secrets
  • DynamoDB PITR for backup and recovery

In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware. To report a security vulnerability, contact security@itfirstaidkit.com.

9. Changes to This Policy

We will provide at least 30 days’ notice of material changes via email and website notice. The “Effective” date above reflects the most recent revision.

10. Contact

Privacy inquiries: privacy@itfirstaidkit.com

If you believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.