Who We Are
Aether HQ ("Aether", "we", "our", or "us") is the data controller for information described in this policy. We are a company organized under the laws of the State of Delaware, United States.
- Website: aetherhq.dev
- Privacy inquiries: privacy@aetherhq.dev
- Legal inquiries: legal@aetherhq.dev
This Privacy Policy explains how we collect, use, share, and protect information about you when you use our unified social media API platform, website, and dashboard (collectively, the "Service").
By using the Service you agree to the practices described in this policy. If you do not agree, please discontinue use.
1. Information We Collect
Account and Contact Information
When you register we collect your name, email address, and a hashed password. If you invite team members we store their email addresses and the role you assign them.
Payment Information
Billing is handled by Polar. We store only Polar customer and subscription identifiers — we never see or store raw card numbers. Polar's privacy policy governs how they handle payment data.
Connected Social Accounts
When you connect a social media account through our OAuth flow we receive and store encrypted OAuth access and refresh tokens, the platform account identifier, username, and profile picture URL. We use these solely to perform actions you request (publishing posts, reading inbox messages, fetching analytics).
Usage and Technical Data
We automatically collect IP addresses, browser and device information, API request logs (endpoint, timestamp, response code), and error traces. We use this data to operate, secure, and improve the Service.
Analytics Events
Post performance metrics (impressions, likes, comments, shares) fetched from social platforms on your behalf are stored and attributed to your organization to power the analytics dashboard.
2. Meta Platform Data (Facebook, Instagram, and Threads)
Aether integrates with products operated by Meta Platforms, Inc. ("Meta") — including Facebook Pages, Instagram professional accounts, and Threads. This section describes what information we receive from Meta when you connect an account, how we use it, and the choices available to you. It supplements the general descriptions above and applies only when you authorize a Meta platform through our OAuth connect flow.
What We Receive from Meta
When you connect a Facebook Page, Instagram account, or Threads profile, Meta shares information with us only after you grant permission on Meta's authorization screen. Depending on the permissions you approve and the features you use, this may include:
- Account identifiers — Meta user ID, Page ID, Instagram business account ID, Threads user ID, and connected username or display name.
- Profile metadata — profile picture URL, Page name, and account type (e.g. business or creator).
- OAuth credentials — short-lived and long-lived access tokens (and refresh tokens where applicable), stored by us in encrypted form.
- Content you publish or schedule — post text, captions, media files, and scheduling metadata that you submit through the Service for delivery to Meta platforms.
- Engagement and analytics — metrics such as impressions, reach, likes, comments, shares, and other insights Meta makes available for your connected accounts and posts.
- Inbox data — comments on your posts, direct messages sent to your connected Instagram or Facebook accounts, and related metadata (sender identifier, message text, timestamps) when you use inbox or messaging features.
We access Meta data only for accounts you or your organization explicitly connect. We do not obtain information from your Meta friends, followers, or contacts except as needed to deliver inbox or comment features you enable (for example, displaying a commenter's username on a message in your unified inbox).
How We Use Meta Data
We use information received from Meta solely to provide the Service you request:
- Authenticating and maintaining your connection to Facebook, Instagram, or Threads
- Publishing, scheduling, and managing content on your connected accounts
- Displaying and responding to comments and direct messages in your inbox
- Fetching and presenting post and account analytics in the dashboard and API
- Detecting connection errors, expired tokens, and permission issues so you can reconnect
- Complying with applicable law and Meta Platform Terms
We do not sell, license, or rent Meta platform data to third parties. We do not use Meta platform data to build advertising profiles, train machine-learning models, or serve third-party advertisements. We do not use Meta data for purposes unrelated to operating the Service on your behalf.
How Meta Data Is Shared
Content and API requests are transmitted to Meta when you take an action that requires it (for example, publishing a post or sending a reply). We may also share Meta-derived data with infrastructure sub-processors listed in Section 5 (such as our database and queue providers) strictly to store and process it on your behalf. We do not share Meta platform data with other social networks or unrelated third parties.
If you use Aether's API or Connect Links to serve your own end users, you are responsible for informing those users how their data is processed. Our Data Processing Agreement governs how we process personal data on your behalf where applicable data protection laws require it.
Retention and Deletion
Meta OAuth tokens are deleted when you disconnect a social account from the Service. Other Meta-derived data (posts, analytics, inbox messages) is retained according to our general retention policy in Section 6 and deleted or anonymized when you close your organization or submit a valid data deletion request.
Your Choices and Meta Settings
You can disconnect a Meta platform at any time from the Profiles section of the Aether dashboard, which revokes our access to new data from that account. You can also remove Aether from your Meta account by visiting Facebook Settings → Apps and Websites (this applies to Facebook, Instagram, and Threads apps connected through Meta's platform). To request deletion of data we hold about you, see Section 9 (User Data Deletion) or email privacy@aetherhq.dev.
Meta's own data practices are described in the Meta Privacy Policy. Aether is not responsible for how Meta processes data on its platforms.
3. How We Use Your Information
- Provision and operation of the Service
- Authentication and authorization
- Publishing and scheduling content on connected social accounts
- Sending transactional emails (receipts, team invites, alerts)
- Detecting and preventing fraud, abuse, and security incidents
- Improving product features through aggregated, anonymized usage analysis
- Responding to support requests
- Complying with legal obligations
We do not use your data to train machine-learning models or sell it to advertisers.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area and United Kingdom we rely on the following lawful bases:
- Contract performance — processing necessary to provide the Service you signed up for.
- Legitimate interests — security monitoring, fraud prevention, and service improvement, where those interests are not overridden by your rights.
- Legal obligation — retaining records required by law.
- Consent — marketing communications, where applicable.
5. Information Sharing
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- Social platforms — content and tokens are transmitted to connected platforms (Instagram, Facebook, Threads, TikTok, and LinkedIntoday; additional platforms as they launch) when you request it, subject to each platform's own terms.
- Infrastructure providers — we use Cloudflare (CDN, edge, and R2 media storage), MongoDB Atlas (database), and Redis (queues). Each operates under a data processing agreement where applicable.
- Analytics — Tinybird processes aggregated post and account metrics for the Service. Our marketing website may use PostHog and Google Analytics (see Section 10).
- Email delivery — Resend sends transactional emails (invites, receipts, alerts) on our behalf.
- Payment processor — Polar processes billing information.
- Legal requirements — we may disclose information if required by law, court order, or to protect the rights and safety of Aether or others.
- Business transfers — in the event of a merger, acquisition, or asset sale, your data may be transferred with appropriate notice.
6. Data Retention
We retain account data for the duration of your subscription plus 90 days after account closure, at which point personal information is anonymized or deleted. Post content and analytics data are retained for up to 24 months. Billing records are retained for 7 years to meet legal requirements. OAuth tokens are deleted immediately upon account disconnection.
7. Security
OAuth tokens are encrypted at rest using AES-256-GCM with per-token keys. Data is transmitted over TLS 1.2+. We perform regular security reviews and limit employee access to production data on a need-to-know basis. Despite these measures, no system is completely secure — please report vulnerabilities to security@aetherhq.dev.
8. Your Rights
Depending on your jurisdiction you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure— request deletion of your data ("right to be forgotten").
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to limit processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Opt-out of sale / sharing (CCPA) — California residents may opt out of any sale or sharing of personal information, though we do not sell personal information.
To exercise any of these rights, email us at privacy@aetherhq.dev or follow the steps in Section 9 (User Data Deletion). We will respond within 30 days.
9. User Data Deletion
You can request deletion of personal data we hold about you at any time. Meta Platform Terms and applicable privacy laws (including GDPR) require us to provide a clear way to do this. The options below depend on what you want removed.
Option A — Disconnect a social account
To stop Aether from accessing a connected Facebook Page, Instagram account, Threads profile, or other platform:
- Sign in to the Aether dashboard.
- Go to Profiles and open the account you want to remove.
- Click Disconnect and confirm.
This immediately deletes the OAuth access and refresh tokens for that account. We will no longer fetch new data from that platform on your behalf. Previously stored posts, analytics, and inbox messages for that account remain until you delete your organization or submit a full deletion request below.
Option B — Remove Aether from your Meta account
If you connected Facebook, Instagram, or Threads through Meta's platform, you can also revoke access directly with Meta:
- Go to Facebook Settings → Apps and Websites.
- Select the Aether app and click Remove.
- When prompted, choose Send Request to ask us to delete the data Meta shared with us about your account.
We process Meta-initiated deletion requests within 30 days. You may also email privacy@aetherhq.dev with subject line Meta Data Deletion Request and include the email address associated with your Aether account so we can locate your records.
Option C — Delete your organization and all data
To permanently delete your Aether organization and all associated data — including connected social accounts, scheduled and published posts, inbox messages, analytics, API keys, and team member access:
- Email support@aetherhq.dev or privacy@aetherhq.dev from the address registered to your account.
- Use the subject line Organization Deletion Request.
- Include your organization name and the email of the account owner.
We will verify your identity and confirm deletion within 30 days. Billing records may be retained for up to 7 years where required by law; all other personal data is deleted or anonymized in line with Section 6.
What we delete
Upon a confirmed deletion request, we remove or anonymize, as applicable:
- Your account profile (name, email) and authentication credentials
- Encrypted OAuth tokens and connected social account metadata
- Post content, media references, and scheduling data stored in Aether
- Inbox messages, comments, and related platform data cached in our systems
- Analytics and usage data attributable to your organization
- API keys and webhook configurations
Data already published to social platforms (for example, a post live on Instagram) remains on those platforms until you delete it there directly. Disconnecting or deleting your Aether account does not remove content from third-party networks.
Timeline
We acknowledge deletion requests within 5 business days and complete processing within 30 days, unless a longer period is required by law or technical constraints (in which case we will notify you). For urgent requests, contact privacy@aetherhq.dev.
10. Cookies and Tracking
This section describes how we use cookies, local storage, and similar technologies across Aether's websites and applications. We do not use cookies or pixels for third-party advertising or to sell your browsing data.
Aether Dashboard and API
The developer dashboard (where you manage accounts, posts, and API keys) uses strictly necessary cookies to keep you signed in after authentication. These session cookies are required for the Service to function and cannot be disabled while you are logged in. The dashboard also uses local storage to remember UI preferences (such as sidebar state). We do not run PostHog, Google Analytics, or advertising trackers inside the dashboard.
Marketing Website (aetherhq.dev)
Our public marketing site — including pages such as pricing, documentation links, blog, and this Privacy Policy — uses the following analytics tools to understand how visitors use the site and to improve our content:
- PostHog — product analytics that records page views, page exits, referring URL, browser type, device type, and approximate location derived from IP address. PostHog may store identifiers in cookies or local storage. Our PostHog project is hosted in the EU. See the PostHog Privacy Policy.
- Google Analytics 4 (GA4)— when enabled, Google Analytics collects page views, interactions, device and browser information, and approximate geographic location via cookies. See Google's Privacy Policy and Google Analytics Opt-out Browser Add-on.
Analytics on the marketing site is used only for measuring traffic and improving our website — not for advertising profiles and not to track your activity inside the dashboard or API after you sign in.
Managing Cookies
You can block or delete cookies through your browser settings. Blocking strictly necessary dashboard cookies will prevent you from staying signed in. Blocking analytics cookies on the marketing site will not affect your use of the Service.
If you are in the EEA, UK, or another jurisdiction with cookie consent requirements and wish to opt out of marketing-site analytics, adjust your browser cookie settings, use the Google opt-out add-on linked above, or contact privacy@aetherhq.dev.
11. Children's Privacy
The Service is intended for users aged 18 and older and is not directed at children. If you believe a child has provided us with personal information, contact us at privacy@aetherhq.dev and we will delete it promptly.
12. International Transfers
Aether HQ is operated from the United States. If you are located in the EEA, UK, or Switzerland, your data is transferred to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
14. Contact
For privacy-related questions or requests, contact Aether HQ at privacy@aetherhq.dev.