Privacy Policy
Effective Date: November 4, 2025
Legal Entity: AetherLabs Inc. (“AetherLabs”, “we”, “us”, “our”)
Contact: privacy@aetherlabs.art
Registered Address: [Insert company address]
Data Protection Contact (DPO/Privacy Lead): privacy@aetherlabs.art
This Privacy Policy explains how we collect, use, disclose, and safeguard information across our website, web and mobile apps, NFC-enabled features, marketplace, survey and waitlist forms, and any other services that link to this policy (collectively, the “Services”). By using the Services, you agree to this Privacy Policy.
1) Information We Collect
1.1 You Provide
- Account data: name, email, password (hashed), profile details, role (artist/gallery/collector), organization.
- Transactions & billing: plan tier, invoice details, limited card metadata via our payment processor (we never store full card numbers).
- Content you upload: images, artwork metadata, certificates of authenticity (COAs), provenance records, listings, comments.
- Support & feedback: messages, attachments, satisfaction ratings.
- Surveys & research: non-PII by default; may optionally include contact info if you choose to share it.
1.2 Collected Automatically
- Usage & device data: pages viewed, app events, app version, browser/device type, OS, anonymized crash reports.
- Log data: IP address (short-lived for security/abuse prevention), timestamps, referrers.
- Cookies/local storage: strictly necessary cookies for authentication; optional analytics cookies if you consent.
1.3 From Third Parties
- Single Sign-On (optional): name, email, avatar from your identity provider.
- Payments: limited billing metadata from our processor (e.g., Stripe).
- Referrals/UTM: campaign parameters used to attribute traffic.
2) How We Use Information
- Provide & improve the Services: account creation, secure login, feature delivery (COAs, inventory, marketplace), troubleshooting.
- Security & abuse prevention: detect fraud, spam, unauthorized access.
- Research & analytics: aggregate, de-identified insights to guide product decisions.
- Communications: transactional emails (receipts, alerts), product updates and marketing (with consent).
- Legal compliance: tax, accounting, and regulatory obligations.
Lawful bases (EU/UK GDPR, PIPEDA): consent, contract performance, legitimate interests (product security, analytics), legal obligations.
3) Sharing & Disclosures
We do not sell personal data. We share information only with:
- Service providers (sub-processors): e.g., hosting (Vercel/AWS), database (Supabase), forms (Typeform), email (Resend/SES), analytics (Plausible or equivalent), payments (Stripe). They are bound by contracts and used solely to provide the Services.
- Other users (at your direction): public profiles, portfolios, marketplace listings you publish.
- Legal & safety: to comply with laws, court orders, or enforce our Terms; to protect rights, safety, and security.
- Business transfers: in a merger, acquisition, or asset sale, your data may be transferred, subject to this Policy.
We maintain a current list of material sub-processors at /legal/subprocessors (or upon request).
4) Data Retention
- Account data: kept while your account is active and for a reasonable period after closure for legal/operational purposes.
- Content (artwork, COAs, records): retained until you delete it or your account is deleted, subject to backups and legal holds.
- Waitlist/surveys: anonymous by default; if you share an email, retained until you unsubscribe or request deletion.
- Logs: typically 30–180 days unless required longer for security/legal reasons.
5) Security
We use encryption in transit and at rest, access controls, least-privilege policies, and continuous monitoring. No method of transmission or storage is 100% secure; we strive to protect your data with commercially reasonable safeguards.
6) Your Rights & Choices
Subject to your jurisdiction, you may have the right to access, correct, delete, or port your personal data, or to object to or restrict its processing. You can:
- Manage profile and content in-app
- Unsubscribe from marketing in any email
- Request data access/deletion: privacy@aetherlabs.art
We will verify requests and respond within required timelines.
7) International Transfers
We may process data in Canada, the United States, and the EU. Where required, we use appropriate safeguards (e.g., SCCs) for international transfers.
8) Children’s Privacy
Our Services are for individuals 18+. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us so we can delete it.
9) Cookies & Similar Technologies
- Strictly necessary: auth/session, fraud protection.
- Analytics (optional): privacy-preserving analytics; disabled unless you consent (where required).
See our Cookie Notice at /legal/cookies for details and controls.
10) Third-Party Links
Our Services may link to third-party sites. Their privacy practices are governed by their own policies.
11) Changes to This Policy
We may update this Policy. We will post the new version with an updated “Last Updated” date and, if changes are material, we’ll provide additional notice.
12) Contact
Questions or requests: privacy@aetherlabs.art
If unresolved, you may contact your local data protection authority.