
Privacy Policy

Last updated: [YYYY-MM-DD]

This Privacy Policy explains how [YOUR-COMPANY-NAME] ("we", "us") collects, uses, retains, and shares personal data when you use our website, dashboard, and APIs (the "Service").

We are the data controller for the data described below. If you are in the European Economic Area, the United Kingdom, or Switzerland, our processing relies on the legal bases set out under "Legal basis". You can exercise the rights described under "Your rights" at any time.

  • We collect only what we need to operate the Service.
  • We do not sell your personal data to third parties.
  • You can request deletion, portability, or restriction of your data at any time.

Data we collect

We only collect what we need to operate the Service. Concretely, that means:

  • Account data — your email address, display name, hashed password (or OAuth identifier), preferred language, and theme.
  • Organization data — the organizations you belong to, your role (owner / admin / member), and invitation history.
  • Billing data — your Stripe customer id, subscription tier, billing cycle, and invoice history. We never see your full card number; Stripe processes it directly.
  • Security data — IP address, user-agent, sign-in timestamps, and audit-trail entries (see the audit chain entry under "How long we keep your data"). Used for fraud prevention, account recovery, and tamper-evident compliance logs.
  • Product usage — pages visited, features used, and error events. Captured with PostHog when analytics is enabled by the operator and you have not opted out.
  • Support data — anything you send us via email, support form, or chat (subject, body, attachments).

Why we use it

We use your data for the following purposes only:

  • Providing the Service — creating your account, authenticating you, serving the dashboard, sending product emails (welcome, password reset, invoice).
  • Billing — running subscriptions, generating invoices, handling refunds and disputes through Stripe.
  • Security and abuse prevention — detecting compromised credentials, rate-limiting, and producing the tamper-evident audit chain regulators expect.
  • Product improvement — aggregated, de-identified usage analytics to decide what to fix and what to build next. Never sold, never used to profile you individually.
  • Legal compliance — responding to lawful requests, enforcing our Terms, and meeting tax / accounting / GDPR obligations.

Legal basis (EEA / UK / Switzerland)

Where GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to deliver the Service you signed up for (account, dashboard, billing).
  • Legitimate interests — to keep the Service secure, prevent fraud, and improve our product through privacy-respecting analytics.
  • Legal obligation — to retain billing records, respond to lawful requests, and maintain audit logs required by tax or regulatory frameworks.
  • Consent — for non-essential cookies and product-marketing emails; you can withdraw consent at any time without affecting the lawfulness of prior processing.

Sub-processors

We use a small set of carefully chosen sub-processors to operate the Service. Each one is bound by a Data Processing Agreement aligned with GDPR Article 28.

  • Stripe — payment processing, subscription management, invoicing (United States, with Standard Contractual Clauses).
  • Resend — transactional email delivery (welcome, password reset, invoices, invites).
  • Sentry — error monitoring; payloads are scrubbed of secrets and PII before transmission.
  • PostHog — product analytics; only enabled when the operator configures it, and IP addresses are anonymised at ingestion when required.
  • Cloudflare R2 — encrypted object storage for data exports, document packets, and static assets.
  • Our hosting provider — server compute, Postgres database, and CDN edge.

How long we keep your data

We keep data only as long as we need it for the purpose it was collected, then we delete or anonymise it.

  • Account data — kept while your account is active. After you delete your account (see Your rights), it is hard-deleted within 30 days, with foreign-key cascade across memberships, sessions, exports, and preferences.
  • Audit chain — append-only, tamper-evident; rows flagged WORM (write-once-read-many) cannot be deleted by design and are retained for the period required by the relevant compliance framework (typically 6 to 7 years).
  • Billing records — invoices and payment history are retained for 7 years to comply with tax and accounting law in most jurisdictions, even after account deletion.
  • Security logs — sign-in timestamps and IP addresses are retained for up to 12 months for fraud and abuse investigations.
  • Support email — kept for up to 24 months after the ticket is closed, then deleted.
  • Backups — encrypted database snapshots are rotated on a 30-day window; deletion requests propagate at the next rotation.

Your rights

Subject to applicable law, you can exercise the following rights at any time:

  • Access and portability — download a machine-readable export of your data from /dashboard/settings → Security → "Request export". The export is delivered as a signed, time-limited link valid for 24 hours.
  • Rectification — update your name, email, password, language, and notification preferences directly in /dashboard/settings.
  • Erasure — schedule account deletion from /dashboard/settings → Security → "Delete my account". A 30-day grace period applies; you can cancel deletion any time during the window.
  • Restriction and objection — contact us at [YOUR-DPO-EMAIL] to restrict or object to specific processing.
  • Withdraw consent — for analytics or marketing emails, opt out from /dashboard/settings → Preferences.
  • Lodge a complaint — with your local supervisory authority. EU users can find their authority via edpb.europa.eu.

Children

The Service is not directed to children. We do not knowingly collect personal data from anyone under 13 years old (or under 16 in jurisdictions where that higher threshold applies). If you believe a child has created an account, contact [YOUR-DPO-EMAIL] and we will delete the account and any associated data.

  • If you are under the applicable minimum age, do not create an account or submit personal data.
  • Parents or guardians who discover that a child has provided personal data without consent should contact [YOUR-DPO-EMAIL]. We will verify and delete the data within 30 days.

How we protect your data

The boilerplate stack is designed to support modern security frameworks (the controls behind SOC 2, ISO 27001, and HIPAA Technical Safeguards). Concretely:

  • Encryption in transit (TLS 1.2+) and at rest for the database and object storage.
  • Strict Content Security Policy, HSTS preload, X-Frame-Options DENY, and a hardened Permissions-Policy.
  • Append-only, hash-linked audit chain that surfaces tampering at verification time.
  • Role-based access control (owner / admin / member) with server-side re-checks on every privileged action.
  • Secret rotation, scoped API keys, and a published security.txt at /.well-known/security.txt for responsible disclosure.

International data transfers

Some of our sub-processors are located outside the European Economic Area. When data is transferred to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) and, where relevant, supplementary measures such as encryption and pseudonymisation. A copy of the relevant transfer documentation is available on request at [YOUR-DPO-EMAIL].

  • Stripe (United States) — Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914.
  • Resend (United States) — Standard Contractual Clauses.
  • Sentry (United States) — Standard Contractual Clauses.
  • PostHog (United States / EU) — EU-hosted option available; SCCs where applicable.
  • Cloudflare R2 (United States / EU) — Standard Contractual Clauses.

Changes to this policy

We may update this Privacy Policy to reflect new features, regulatory changes, or operational adjustments. When we do, we update the "Last updated" date at the top of this page. For material changes that affect how we use your data, we will notify active users by email at least 14 days before the change takes effect.

  • Minor changes (wording, formatting, clarifications) take effect immediately upon publication.
  • Material changes (new data uses, new sub-processors, changes to retention periods) are notified by email at least 14 days in advance.
  • Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact us

Questions, concerns, or formal data-subject requests? Reach the right team:

  • Privacy / DPO — [YOUR-DPO-EMAIL]
  • Security — security@[YOUR-DOMAIN]
  • Postal address — [YOUR-COMPANY-LEGAL-NAME], [YOUR-POSTAL-ADDRESS]