Aether ("we", "our", or "us") operates a unified social media API platform. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our services, website, and API (collectively, the "Service").
By using the Service you agree to the practices described in this policy. If you do not agree, please discontinue use.
1. Information We Collect
Account and Contact Information
When you register we collect your name, email address, and a hashed password. If you invite team members we store their email addresses and the role you assign them.
Payment Information
Billing is handled by Stripe. We store only Stripe customer and subscription identifiers — we never see or store raw card numbers. Stripe's privacy policy governs how they handle payment data.
Connected Social Accounts
When you connect a social media account through our OAuth flow we receive and store encrypted OAuth access and refresh tokens, the platform account identifier, username, and profile picture URL. We use these solely to perform actions you request (publishing posts, reading inbox messages, fetching analytics).
Usage and Technical Data
We automatically collect IP addresses, browser and device information, API request logs (endpoint, timestamp, response code), and error traces. We use this data to operate, secure, and improve the Service.
Analytics Events
Post performance metrics (impressions, likes, comments, shares) fetched from social platforms on your behalf are stored and attributed to your organization to power the analytics dashboard.
2. How We Use Your Information
- Provision and operation of the Service
- Authentication and authorization
- Publishing and scheduling content on connected social accounts
- Sending transactional emails (receipts, team invites, alerts)
- Detecting and preventing fraud, abuse, and security incidents
- Improving product features through aggregated, anonymized usage analysis
- Responding to support requests
- Complying with legal obligations
We do not use your data to train machine-learning models or sell it to advertisers.
3. Legal Bases for Processing (GDPR)
For users in the European Economic Area and United Kingdom we rely on the following lawful bases:
- Contract performance — processing necessary to provide the Service you signed up for.
- Legitimate interests — security monitoring, fraud prevention, and service improvement, where those interests are not overridden by your rights.
- Legal obligation — retaining records required by law.
- Consent — marketing communications, where applicable.
4. Information Sharing
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- Social platforms — content and tokens are transmitted to Instagram, Facebook, TikTok, LinkedIn, YouTube, Threads, and Reddit when you request it, subject to each platform's own terms.
- Infrastructure providers — we use Cloudflare (CDN & edge), AWS (media storage via R2), MongoDB Atlas (database), and Redis (queues). Each operates under a data processing agreement.
- Analytics — Tinybird processes aggregated event data for our analytics pipeline.
- Payment processor — Stripe processes billing information.
- Legal requirements — we may disclose information if required by law, court order, or to protect the rights and safety of Aether or others.
- Business transfers — in the event of a merger, acquisition, or asset sale, your data may be transferred with appropriate notice.
5. Data Retention
We retain account data for the duration of your subscription plus 90 days after account closure, at which point personal information is anonymized or deleted. Post content and analytics data are retained for up to 24 months. Billing records are retained for 7 years to meet legal requirements. OAuth tokens are deleted immediately upon account disconnection.
6. Security
OAuth tokens are encrypted at rest using AES-256-GCM with per-token keys. Data is transmitted over TLS 1.2+. We perform regular security reviews and limit employee access to production data on a need-to-know basis. Despite these measures, no system is completely secure — please report vulnerabilities to security@aetherhq.dev.
7. Your Rights
Depending on your jurisdiction you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data ("right to be forgotten").
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to limit processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Opt-out of sale / sharing (CCPA) — California residents may opt out of any sale or sharing of personal information, though we do not sell personal information.
To exercise any of these rights, email us at privacy@aetherhq.dev. We will respond within 30 days.
8. Cookies and Tracking
We use strictly necessary cookies for authentication sessions. We do not use third-party advertising or tracking cookies. The dashboard uses local storage to cache UI preferences.
9. Children's Privacy
The Service is intended for users aged 18 and older and is not directed at children. If you believe a child has provided us with personal information, contact us at privacy@aetherhq.dev and we will delete it promptly.
10. International Transfers
Aether is operated from the United States. If you are located in the EEA, UK, or Switzerland, your data is transferred to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Contact
For privacy-related questions or requests, contact us at privacy@aetherhq.dev.