Plain-language summary: Aether collects only what is necessary to operate the service. We never sell your data and never use it for advertising. You have full rights to access, correct, export, and delete your information at any time. This document explains what we collect, why, and how.
1. Data Controller
The data controller responsible for your personal information is Aether ("we", "us", "our"), the operator of the Aether mobile application and associated web services. For all data-related inquiries, contact us at support@aether.app.
2. Data We Collect
2.1 Account Information
- Email address — required for account creation and authentication via Firebase Authentication. Used to send account-related communications.
- Username and display name — chosen by you; displayed publicly on your profile and content.
- Profile picture and bio — optional; displayed on your public or private profile.
- Password — stored as a salted hash by Firebase Authentication. We never have access to your plaintext password.
2.2 Content You Create
- Posts — photos, captions, hashtags, tagged users, music metadata, and optional location (place name only, not GPS coordinates).
- Reels — short-form videos you upload, including associated captions and audio.
- Stories — photos and videos shared ephemerally; automatically and permanently deleted 24 hours after creation.
- Highlights — curated collections of expired Stories that you choose to preserve.
- Comments, likes, and saves — interactions with other users' content.
- Direct messages — text and media sent to other users. Messages are end-to-end encrypted using AES-256-GCM. We cannot read the content of your messages.
2.3 Activity & Technical Data
- Follow/unfollow actions, content view counts, and notification interactions.
- Search queries — used only to return results in the current session; not stored long-term.
- Crash and diagnostic reports via Firebase Crashlytics — anonymised and not linked to your identity.
- Firebase Authentication session tokens — used to maintain your logged-in state.
2.4 Third-Party Integration Data (Optional)
- Spotify — if you connect your Spotify account, we receive your Spotify display name and access token to enable music selection on posts and Reels. We never receive or store your Spotify password. You may disconnect Spotify at any time via Settings.
- ZegoCloud — processes real-time audio/video call session data to establish peer connections. We do not record calls. Call session metadata (duration, participants) may be logged by ZegoCloud per their privacy policy.
- Google Gemini — your AI chat messages are transmitted to Google's Gemini API to generate responses. We do not store your AI chat history beyond the active session. Google's data practices apply to their processing.
3. Device Permissions
| Permission | Purpose | Required? |
|---|
| Camera | Capture photos and videos for Posts, Reels, and Stories | Optional |
| Microphone | Record audio for Reels, Stories, and voice calls | Optional |
| Photo / Media Library | Upload existing photos and videos from your device | Optional |
| Location (coarse) | Tag posts with a place name; GPS coordinates are never stored | Optional |
| Notifications | Alert you to likes, comments, follows, and messages | Optional |
| Face ID / Biometrics | App lock — biometric data is processed entirely on-device by the OS and never transmitted to us | Optional |
| Contacts | Suggest people you may know — accessed only when you tap "Find Contacts" and not stored | Optional |
All permissions are requested at the time they are first needed, not on launch. You may revoke any permission at any time through your device settings.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|
| Providing and operating the app (account, feed, content, messages) | Contract performance — Art. 6(1)(b) GDPR |
| Sending notifications about account activity | Contract performance — Art. 6(1)(b) GDPR |
| Improving the app, fixing bugs, analytics | Legitimate interests — Art. 6(1)(f) GDPR |
| Responding to support requests | Legitimate interests — Art. 6(1)(f) GDPR |
| Complying with legal obligations (e.g., court orders) | Legal obligation — Art. 6(1)(c) GDPR |
| Optional features (Spotify, Gemini AI) | Consent — Art. 6(1)(a) GDPR; withdrawable at any time |
5. How We Use Your Data
- To create and maintain your account and authenticate your identity.
- To display your profile, posts, Reels, and Stories to other users in accordance with your privacy settings.
- To power the home feed, explore page, and content recommendations.
- To deliver push notifications for interactions (likes, comments, follows, messages).
- To enable direct messaging and audio/video calls.
- To operate the AI chat assistant when you initiate a conversation.
- To detect abuse, enforce our Terms of Service, and protect the safety of the community.
- To diagnose crashes and improve the reliability and performance of the app.
- To respond to your support requests and communications.
We do not sell your data, share it with advertisers, use it for targeted advertising, or build advertising profiles. Aether is not ad-supported.
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share your data only in the following limited circumstances:
- With other users — content you post publicly (posts, Reels, public profile) is visible to all users. Private account content is visible only to approved followers.
- With service providers — Google Firebase (infrastructure), ZegoCloud (calls), and Google Gemini (AI) process data on our behalf under contractual data processing agreements. They may not use your data for their own purposes.
- For legal compliance — we may disclose data if required by applicable law, court order, or government authority, or to protect the rights, property, or safety of Aether, our users, or the public.
- Business transfers — if Aether undergoes a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data is subject to a different privacy policy.
- With your consent — for any other purpose, only with your explicit consent.
7. Storage & Security
- All data is stored on Google Firebase (Firestore, Cloud Storage, Firebase Authentication) — ISO 27001-certified, SOC 2 Type II infrastructure.
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted by Firebase using AES-256.
- Direct messages are end-to-end encrypted with AES-256-GCM — we cannot read your message content.
- Production database access is restricted to authorised administrators via Firebase IAM with two-factor authentication.
- We conduct periodic security reviews and apply security patches promptly.
⚠
No system is 100% secure. While we apply industry-standard measures, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at
support@aether.app.
8. Data Retention
| Data Type | Retention Period | Basis |
|---|
| Account dataEmail, username, profile | Until account deletion | Contract performance |
| Posts, Reels, HighlightsUser-created content | Until deleted by user or account deletion | Contract performance |
| Stories | 24 hours from creation, then permanently deleted | Product design |
| Direct messages | Until deleted by user or account deletion | Contract performance |
| Anonymised crash reports | 90 days (Firebase Crashlytics default) | Legitimate interests |
| Backup / disaster recovery copies | Up to 30 days after deletion request | Legitimate interests (data integrity) |
| Legal hold data | As required by applicable law or legal process | Legal obligation |
When you delete your account, we initiate deletion within 24 hours. All personal data is permanently removed within 30 days, except anonymised crash reports and data subject to a legal hold.
9. Your Rights
Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, contact us at support@aether.app or use the in-app controls listed below.
Access
Request a copy of the personal data we hold about you. We will respond within 30 days.
Rectification
Correct inaccurate data via Edit Profile in the app, or by contacting us.
Portability
Request an export of your data in a machine-readable format. Contact us at support@aether.app.
Restriction
Request that we restrict processing of your data while a dispute is being resolved.
Objection
Object to processing based on legitimate interests. We will cease unless we have compelling grounds.
Withdraw Consent
For processing based on consent (e.g., Spotify integration), withdraw at any time via Settings.
Lodge a Complaint
You may lodge a complaint with your local data protection authority if you believe we have violated your rights.
We will respond to all requests within 30 days. We may need to verify your identity before fulfilling a request.
10. Third-Party Services
| Service | Purpose | Data Processed | Privacy Policy |
|---|
| Google Firebase | Auth, database, file storage, crash reporting | Account data, content, crash logs | View → |
| Spotify | Music integration (optional) | Display name, access token | View → |
| ZegoCloud | Real-time audio/video calls | Call session metadata | View → |
| Google Gemini | AI chat assistant | AI chat messages (session only) | View → |
These services are our sub-processors. We have Data Processing Agreements in place where required. We are not responsible for their independent data collection practices outside of our integration.
11. International Data Transfers
Your data is stored and processed on Google Firebase infrastructure, which operates globally including in the United States. If you are located in the EEA, UK, or Switzerland, your data may be transferred to a country that does not have equivalent data protection laws.
Such transfers are safeguarded by:
- Google's Standard Contractual Clauses (SCCs) approved by the European Commission, and
- Google's compliance with the EU-U.S. Data Privacy Framework.
12. Children's Privacy
Aether is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has created an account, contact us immediately at support@aether.app and we will delete the account and all associated data without delay.
Users aged 13–17 must have obtained parental or guardian consent before using the Service. By using the Service, users in this age range confirm that such consent has been obtained.
13. California Residents — CCPA / CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and any third parties with whom it was shared.
- Right to Delete — request deletion of your personal information, subject to certain exceptions.
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing — we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required.
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.
To exercise your California rights, contact us at support@aether.app with the subject "California Privacy Request". We will respond within 45 days.
Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosures of personal information to third parties for their own direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via in-app notification and/or email if the changes significantly affect your rights.
Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you must stop using the Service and may delete your account.
For privacy-related questions, requests, or concerns:
