Aerostack

Privacy Policy

Last updated: March 10, 2026  ·  Effective: March 10, 2026

Aerostack Inc. ("Aerostack," "we," "us," or "our") operates the developer platform at aerostack.dev and related services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, share, and protect information when you access or use the Platform, including our API gateway, AI infrastructure, edge functions, marketplace, and admin dashboard.

By using the Platform you agree to this Privacy Policy. If you do not agree, please do not use the Platform.


1. Information We Collect

1.1 Account & Identity Information

When you register for an Aerostack account we collect:

  • Name and email address
  • Password (hashed with PBKDF2; never stored in plaintext)
  • Profile avatar (stored in Cloudflare R2)
  • Optional: GitHub or Google OAuth identity linked to your account

1.2 Usage & Technical Data

As you use the Platform we automatically collect:

  • API request logs (endpoint, method, response code, latency, timestamp)
  • IP address and approximate geographic region (derived from Cloudflare headers)
  • Browser type, operating system, and referrer for dashboard sessions
  • Usage metrics: request counts, token consumption, storage used, realtime connections
  • Error traces and performance telemetry sent to our observability pipeline

1.3 Project & Content Data

Data you create or upload through the Platform:

  • Projects, API configurations, schema definitions, and environment variables
  • Community listings: functions, MCP servers, skills, and agents you publish
  • Files, media, and documents stored in project R2 buckets
  • Database records stored in project-scoped D1 databases
  • AI knowledge base documents indexed for retrieval-augmented generation (RAG)

1.4 Payment & Billing Information

Subscription payments are processed by Stripe. We do not store full credit card numbers. We retain Stripe customer IDs, subscription status, billing interval, and invoice history for accounting and support purposes.

1.5 Communications

If you contact us via email or Discord, we retain the contents of those communications to respond and improve support quality.

2. How We Use Your Information

  • Operate the Platform — authenticate users, route API requests, enforce quotas, and deliver edge function results.
  • Billing & Subscriptions — process payments, issue invoices, manage plan upgrades and cancellations.
  • Security & Fraud Prevention — detect abuse, apply rate limits, investigate suspicious activity.
  • Product Improvement — analyze aggregated usage patterns to prioritize features and fix performance bottlenecks.
  • Communications — send transactional emails (OTP codes, billing receipts, important service notices). We do not send marketing emails without explicit consent.
  • Legal Compliance — respond to lawful requests and enforce our Terms of Service.

We do not sell your personal information. We do not use your project data or API traffic to train AI models without your explicit opt-in consent.

3. Data Sharing & Third-Party Processors

We share data only as described below:

Processor | Purpose | Data Shared
Cloudflare | Infrastructure, CDN, D1, R2, KV, Workers | All Platform data — processed on Cloudflare's edge
Stripe | Payment processing | Name, email, billing address, payment method tokens
Resend | Transactional email delivery | Email address, message content (OTP, receipts)
Azure OpenAI / other AI providers | AI Gateway inference (when you use AI features) | Prompts and model parameters you submit
GitHub / Google | OAuth login (optional) | OAuth token; we store only your profile name and email

We require all sub-processors to maintain appropriate security safeguards and process data only on our behalf under binding data protection agreements.

4. Cookies & Local Storage

The Platform uses minimal browser storage:

  • Strictly necessary cookies — session tokens required for authentication. No tracking cookies.
  • Local storage — theme preference (light/dark) and dashboard UI state. No personal data.

We do not use third-party advertising cookies or behavioral tracking pixels.

5. Data Retention

  • Account data — retained while your account is active. Deleted within 30 days of account closure, except where required by law.
  • API request logs — retained for 90 days on the Standard tier; configurable retention on Pro and above.
  • Billing records — retained for 7 years for tax and accounting compliance.
  • D1 database data (your project data) — retained until you delete the project or close your account. Cloudflare Time Travel (30-day point-in-time restore) applies.
  • Backups — encrypted backups retained for up to 30 days.

6. Data Security

We implement industry-standard safeguards including:

  • Passwords hashed with PBKDF2 (600,000 iterations); automatic re-hash on login to latest standards
  • Authentication tokens hashed with SHA-256 before storage
  • All data in transit encrypted with TLS 1.2+
  • Data at rest encrypted by Cloudflare (AES-256)
  • JWT short-lived access tokens (15 min) with rotating refresh tokens
  • OTP rate limiting: 3 attempts per window; 60-minute lockout on failure
  • Cloudflare DDoS protection and WAF on all API endpoints

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@aerostack.dev.

7. International Data Transfers

Aerostack is incorporated in the United States. The Platform runs on Cloudflare's global edge network. By using the Platform, you acknowledge that your data may be processed in any country where Cloudflare operates data centers.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for cross-border transfers.

8. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update inaccurate or incomplete information via the dashboard or by contacting us.
  • Deletion — request deletion of your account and associated personal data.
  • Portability — export your project data (databases, files, configurations) in standard formats.
  • Objection / Restriction — object to or restrict certain processing activities.
  • Withdraw Consent — where processing is based on consent (e.g., marketing emails), withdraw at any time.

To exercise any right, email privacy@aerostack.dev. We will respond within 30 days.

9. Children's Privacy

The Platform is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at privacy@aerostack.dev and we will delete it promptly.

10. Third-Party Links & Marketplace

The Platform includes an API Marketplace and community listings created by third-party developers. Aerostack is not responsible for the privacy practices of third-party APIs or services you connect to through the marketplace. Review each provider's privacy policy before use.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-dashboard notice at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions or requests:

Aerostack Inc.

Privacy Team

Email: privacy@aerostack.dev

Website: aerostack.dev