Plain-English Summary
AESIR builds defense and commercial technology. Different products handle different kinds of data; the per-product sections below describe what each one collects. The basics across everything we do:
- We only collect data we need to deliver the product you're using.
- We do not sell your data. Ever.
- We do not share data between products without your consent.
- You can request access, correction, or deletion of your data at any time.
- If a third-party service is involved (an AI provider, Apify, Hunter, etc.) we identify it in the relevant product section.
HEIMDALL operates a separate domain (heimdall.projectaesir.com) with a separate, more detailed privacy policy specific to OAuth-connected third-party platforms (TikTok, Instagram, YouTube, LinkedIn, X). See HEIMDALL Privacy Policy for those specifics.
Who We Are
AESIR is a defense technology and commercial AI company founded by Gage Ludwig. Our products serve special operations forces, defense contractors, and commercial operators. Contact: [email protected].
This policy covers projectaesir.com and all subdomains (heimdall.projectaesir.com, etc.) and all products listed below, unless an individual product publishes a more specific policy at its own URL.
General Data Practices
What we typically collect
- Account data — email, name, hashed password, organization name (where applicable).
- Usage data — what features you use, error logs, request timestamps. Used for debugging and improving the product.
- Communications — when you email us or fill in a contact form, we keep the message so we can reply.
What we never do
- Sell or rent your personal data to anyone.
- Use your data to train AI models for other customers.
- Track you across the web with advertising cookies (see Cookies below).
Where data lives
All AESIR data is stored on infrastructure we directly control (on-premise servers in the United States). Some operations call third-party APIs (listed per product); those calls send only the minimum data required.
By Product
Each AESIR product handles data differently because each does different work. Sections below describe what each product collects, why, and from whom.
HEIMDALL — AI-Driven Market Intelligence & Revenue Engine
Surface: heimdall.projectaesir.com
HEIMDALL helps operators discover, evaluate, and reach out to ecommerce brands. It collects two distinct categories of data:
About operators (people who use HEIMDALL):
- Email, hashed password, organization name, role, brand profile (services / value prop / tone — for AI personalization).
- Optional connected social handles for any of: Instagram, TikTok, YouTube, LinkedIn, X. We use these to fetch public bio / followers / recent post themes so the AI can personalize outbound emails in the operator's voice.
- Optional OAuth access tokens for connected platforms. Tokens are AES-GCM encrypted at rest; they are read-only and used solely to fetch public profile metadata.
- Optional SMTP/IMAP credentials for sending outreach and parsing replies. Also AES-GCM encrypted at rest.
About leads (the brands operators research):
- Public business data: domain, brand name, product category, price range, social handles, follower counts, public emails / phone numbers scraped from the brand's own website or returned by Hunter / Apollo.
- AI-generated analysis (brand reports, fit scores, outreach drafts).
- Decision-maker contact information where publicly listed.
Third parties HEIMDALL uses:
- AI inference provider — AI brand analysis, outreach drafting, intent classification.
- Apify — Instagram / TikTok / YouTube / LinkedIn / X / Etsy / Amazon scraping.
- Hunter.io — email discovery + verification.
- Apollo.io — optional, on-demand decision-maker phone reveal.
- Meta, TikTok, Google, LinkedIn, X — only when an operator actively connects their own social profile via OAuth.
- Cloudflare — DNS + tunnel for the heimdall.projectaesir.com domain.
- Plausible — privacy-friendly analytics for the marketing site only (no cookies, no cross-site tracking).
See the dedicated HEIMDALL Privacy Policy for OAuth scope details, token storage specifics, deletion procedures, and per-platform data flows.
BIFROST — Closed-Loop Rebreather
BIFROST is hardware (combat diving life-support). The product itself does not collect personal data. Customer interactions — sales inquiries, defense-contracting communications — fall under the General Data Practices above.
SINDRI — Autonomous Bug Bounty System
SINDRI is an internal AESIR system that operates on authorized external attack surfaces in scope of bug-bounty programs we participate in. It does not handle data of website visitors or third-party customers. When SINDRI submits a finding to a bug bounty platform, that platform's privacy policy governs the submission.
MIMIR — From-Scratch Autonomous AI
MIMIR is deployed either fully local (no data leaves your infrastructure) or cloud-hosted by us. In the cloud-hosted configuration, prompts and responses are stored only for the duration needed to deliver the response unless you explicitly opt in to retention for fine-tuning. MIMIR is not used to train models on customer data without explicit, contract-level opt-in.
LIMITING FACTOR — Pipeline Training Platform
Surface: aesir.tsgpc.com
LIMITING FACTOR is a training platform used by active-duty service members preparing for selection pipelines (BUD/S, SFAS, MARSOC, RASP, PJ/CCT, Delta, etc.). It collects training logs, biometric inputs the athlete chooses to enter (sleep, HRV, body weight, RPE), nutrition entries, and program adherence data — used only to render the athlete's own dashboard and to allow their coach (if any) to view it. No data is shared outside the team account without the athlete's explicit consent.
Third Parties
We use the following third-party services across AESIR products. Each link goes to that provider's privacy policy.
- AI inference provider — AI inference for analysis, drafting, classification.
- Apify — public-data scraping.
- Hunter.io — email discovery.
- Apollo.io — optional contact enrichment.
- Cloudflare — DNS, CDN, tunnel.
- Plausible — privacy-respecting analytics (no cookies, no personal data).
- Operator-initiated OAuth providers (Meta/Instagram, TikTok, Google/YouTube, LinkedIn, X). Each provider's policy applies when an operator chooses to connect.
Data Retention
- Account data — retained for the lifetime of your account, plus 90 days after deletion request to allow recovery in case of mistake.
- Operational logs — 90 days, then aggregated or deleted.
- HEIMDALL lead/brand data — retained until the operator deletes the lead or closes the tenant.
- OAuth tokens — retained until the operator disconnects the platform, the token expires, or the operator deletes their account.
- LIMITING FACTOR athlete data — retained until the athlete deletes their account.
Your Rights
Regardless of where you live, AESIR honors these rights for everyone whose data we hold:
- Access — request a copy of the data we hold about you.
- Correction — ask us to fix anything inaccurate.
- Deletion — ask us to delete your data. We will, unless a legal hold requires retention.
- Export — request your data in a machine-readable format.
- Withdraw consent — disconnect any OAuth integration, revoke SMTP credentials, etc., at any time from the app's settings.
To exercise any of these rights, email [email protected] with the subject "Privacy request". We respond within 30 days; usually within 72 hours.
Children
AESIR products are not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe we have done so, contact us and we will delete it.
Changes to This Policy
Material changes will be announced via email to active operators and prominent notice on our site at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
AESIR
Email: [email protected]
Privacy requests: [email protected]