Privacy Policy

Aether AI LLC ("Aether," "we," "us," "our") operates aethersystems.net, app.aethersystems.net, and the AetherCloud desktop and API products (collectively, the "Service"). This Privacy Policy describes what personal information we collect, how we use and store it, and what rights you have over it. It is written to comply with applicable US federal and state privacy laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").

1. Data We Collect

We collect only what is necessary to provide and secure the Service:

  • Account data: email address (required), optional display name, and a marketing-communications opt-in flag.
  • Authentication credentials: Supabase-issued JWT and refresh tokens stored client-side; password hash stored by Supabase Auth (we never see your plaintext password).
  • Billing identifiers: Stripe customer ID, subscription ID, and payment-method reference. We do not store raw card numbers, CVCs, or bank-account numbers. These remain inside Stripe's PCI-DSS Level 1 environment.
  • Usage metrics: UVT (Universal Value Token) consumed per request, request count, and per-model spend, all keyed to your Supabase auth.uid().
  • Product analytics: PostHog events (page view, button click, conversion). For unauthenticated visitors we use an anonymous distinct_id that is upgraded to your user id only after you sign in.
  • Network metadata: IP address and user-agent for rate limiting and abuse detection. IP addresses are not retained beyond 24 hours in our application logs.

2. Data We Do Not Collect

  • Social Security Numbers, driver's licenses, or government-issued IDs.
  • Bank account numbers or routing numbers.
  • Raw payment-card numbers (handled entirely by Stripe).
  • Biometric identifiers or precise geolocation.

3. How We Use Your Data

  • Provide, operate, and improve the Service.
  • Authenticate sessions and enforce per-tier UVT quotas.
  • Process payments and prevent fraud (via Stripe).
  • Send transactional email (receipts, security alerts, account changes) via Resend.
  • Send marketing email only if you opted in; you may withdraw consent at any time from /platform/account.
  • Detect abuse, rate-limit traffic, and protect the Service from attack.

4. Storage, Security, and Row-Level Security (RLS)

All application data is stored in a Postgres database hosted by Supabase in a United States region. Row-Level Security (RLS) is enabled on every table containing user-scoped data, with policies enforcing the predicate auth.uid() = auth_user_id. This means a row belonging to user A is mathematically unreadable by user B's JWT, regardless of network path or client library. RLS is evaluated by Postgres itself, not by application code, which makes it resistant to application-layer bypass.

Service-role database access (used by edge functions for elevated operations like webhook ingestion) is logged in a dedicated audit_log table with the actor, action, and timestamp.

5. OWASP Top 10 (2021) Controls

Our security posture maps to the OWASP Top 10 (2021) as follows:

  • A01 Broken Access Control: Postgres RLS as described above; JWT Bearer authentication on every account and billing endpoint.
  • A02 Cryptographic Failures: TLS 1.2+ everywhere; secrets stored in environment variables and rotated quarterly and on suspected incident.
  • A03 Injection: Parameterized SQL via asyncpg (Python backend) and the Supabase JS client (frontend). No string concatenation in queries.
  • A04 Insecure Design: Threat modeling and least-privilege service roles; idempotent webhook ingestion.
  • A05 Security Misconfiguration: Hardcoded CORS allowlist (no wildcards); restrictive Content-Security-Policy.
  • A06 Vulnerable Components: Dependabot/Renovate monitoring; npm audit and pip-audit gates.
  • A07 Identification & Auth Failures: Supabase Auth (email + password with minimum length, Google OAuth); Cloudflare Turnstile bot challenge on the public signup form.
  • A08 Software & Data Integrity: Stripe webhook signatures verified via constructEventAsync (HMAC-SHA256); UNIQUE (stripe_event_id) replay-protection constraint on billing events.
  • A09 Logging & Monitoring: Centralized audit log and PostHog event capture; Cloudflare and Supabase logs.
  • A10 SSRF: No user-supplied URLs are fetched server-side from authenticated contexts.

6. Subprocessors

  • Supabase — managed Postgres + authentication (US region).
  • Stripe — payment processing and subscription billing.
  • Resend — transactional and marketing email delivery.
  • PostHog — product analytics.
  • Cloudflare — Turnstile bot challenge, CDN, and DDoS protection.
  • Vercel — hosting for app.aethersystems.net.
  • Cloudflare Pages — hosting for aethersystems.net.

7. Retention

  • Account data: retained for the lifetime of your account plus thirty (30) days after a verified deletion request.
  • Billing audit rows (uvt_topup_events, user_subscription_events): retained seven (7) years to satisfy US tax and financial recordkeeping requirements.
  • IP addresses in application logs: rotated out within 24 hours.
  • PostHog telemetry: subject to PostHog's default retention policy.

8. Account Deletion

You may request deletion from /platform/security. If you have an active paid subscription you must cancel it first; this is to prevent silent loss of service that you are paying for. Deletion is irreversible. Your data is purged from the primary store within thirty (30) days of the request. Billing-audit rows are retained for seven (7) years as described above.

9. California Residents — CCPA / CPRA Rights

If you reside in California, you have the following rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act:

  • Right to Know what personal information we collect, the purposes of collection, and the categories of subprocessors with whom we share it.
  • Right to Delete personal information we have collected from you, subject to the retention exceptions in Section 7 above.
  • Right to Correct inaccurate personal information.
  • Right to Opt Out of the sale or sharing of personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination — we will not deny service, charge a different price, or provide a lesser quality of service because you exercised a privacy right.

We do not sell, and we do not share, personal information for cross-context behavioral advertising as defined by the CPRA.

To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within forty-five (45) days as required by statute.

10. Children (Under 18) — COPPA and Age Restriction

The Service is not directed to children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will terminate the account and delete the data. Parents or guardians who believe their child has provided us with information may contact [email protected]. Account creation requires an affirmative checkbox acknowledging that you are 18 years of age or older.

11. International Users

The Service is operated from the United States. If you access it from outside the US, you understand that your information will be transferred to, stored, and processed in the United States.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be announced by email to registered users and reflected in the "Last Updated" date above.

13. Contact

Privacy and data-access requests: [email protected].