Privacy Policy

This Privacy Policy explains how Aetherya collects, uses, shares and protects your personal data, and the rights you have under the GDPR and other applicable privacy laws.

Last updated: June 14, 2026 · Effective: June 14, 2026

1. Controller & Contact

Aetherya SRL, a company incorporated in Romania with registered office at Intrarea Gheorghe Simionescu, Nr. 19, Ap. B26, Sector 1, Municipiul București, Romania, Trade Register No. J2026009029004, registration code 53864466, is the data controller for personal data processed in connection with our website and the Aetherya platform (the “Services”), except where we act as a processor on your behalf for content you submit (see Section 9).

This policy is designed to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Romanian data-protection framework (Law 190/2018), the UK GDPR and Data Protection Act 2018, the ePrivacy rules on cookies, the EU AI Act, and, where applicable, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”) and other US state privacy laws.

2. The Data We Collect

We collect the following categories of personal data:

  • Identity & account data — name, email address, username, and authentication identifiers (managed via Clerk).
  • Organization & profile data — company name, job title, and preferences you provide.
  • Billing data — subscription tier, transaction history, and billing details. Card data is collected and stored by Stripe; we do not store full card numbers.
  • Content & usage data — prompts, files, URLs, simulation inputs/outputs, personas, campaigns, audits, and chat messages you create, plus feature-usage and quota metrics.
  • Technical data — IP address, device/browser information, log data, and approximate location derived from IP.
  • Cookies & similar technologies — see Section 8.
  • Communications — messages you send to support, sales, or via forms.

We do not intentionally collect special-category data and ask that you do not submit it. The personas Aetherya generates are synthetic and do not describe real, identifiable individuals.

3. How & Why We Use Your Data (Legal Bases)

Under the GDPR we rely on the following legal bases (Art. 6 GDPR):

PurposeLegal basis
Provide, operate and maintain the Services; deliver simulations and AI outputs you requestPerformance of a contract (Art. 6(1)(b))
Account management, authentication, billing and payment processingContract (Art. 6(1)(b)); legal obligation for invoicing/tax (Art. 6(1)(c))
Securing the Services, preventing fraud and abuse, debuggingLegitimate interests (Art. 6(1)(f))
Improving and developing features using aggregated/de-identified dataLegitimate interests (Art. 6(1)(f))
Product, marketing and newsletter communicationsConsent (Art. 6(1)(a)) or legitimate interests for existing customers, with opt-out
Non-essential cookies and analyticsConsent (Art. 6(1)(a))
Complying with legal obligations and responding to lawful requestsLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have balanced those interests against your rights and you may object at any time (Section 7). We do not use your content to train foundation models.

4. AI Processing & Automated Decisions

The Services use large language models and other AI systems to generate synthetic personas, audience simulations, audits and recommendations. These outputs are probabilistic estimates and do not constitute decisions about real, identified individuals.

We do not use your personal data to make decisions producing legal or similarly significant effects about you solely by automated means within the meaning of Article 22 GDPR. In line with the EU AI Act, you are informed here that you are interacting with AI-generated content, and AI outputs should be reviewed by a human before being relied upon. Prompts and inputs are processed by our AI infrastructure providers under contractual confidentiality and are not used by them to train their models for other customers where such controls are available.

5. Sharing & Sub-Processors

We do not sell your personal data and we do not “share” it for cross-context behavioural advertising as those terms are defined under US state privacy laws. We disclose personal data only to:

  • Sub-processors who process data on our behalf under Art. 28 GDPR contracts, including:
ProviderPurposeRegion
Microsoft AzureCloud hosting, database, storage, compute (incl. EU regions)EU (North/West Europe)
ClerkAuthentication & identity managementUSA
StripePayment processingEU / USA
VercelFrontend hosting & deliveryGlobal edge
Third-party AI infrastructure providersLLM inference for simulationsEU / USA

A current sub-processor list is available on request at privacy@aetherya.ai. We may also disclose data to comply with law, court orders, or lawful requests; to protect our rights and safety; and to a successor in connection with a merger, acquisition or asset sale (with notice where required).

6. International Transfers

We aim to host and process personal data within the EU/EEA. Where data is transferred to a country outside the EEA that has not been recognized by the European Commission as providing adequate protection, we put in place appropriate safeguards under Chapter V GDPR — primarily the European Commission’s Standard Contractual Clauses (SCCs), supplemented by technical and organisational measures (including encryption) and, where relevant, transfer impact assessments. You may request a copy of the relevant safeguards at privacy@aetherya.ai.

7. Your Rights

Subject to applicable law, you have the right to:

  • Access — obtain confirmation and a copy of your personal data;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — request deletion (“right to be forgotten”) where applicable;
  • Restriction — limit processing in certain circumstances;
  • Portability — receive your data in a structured, machine-readable format;
  • Object — object to processing based on legitimate interests and to direct marketing at any time;
  • Withdraw consent — at any time, without affecting prior lawful processing;
  • Not be subject to solely automated decisions with legal/significant effect (Art. 22 GDPR);
  • Complain to a supervisory authority.

US residents (e.g., California): you also have rights to know, access, correct, delete, and to opt out of sale/sharing and certain profiling, and not to be discriminated against for exercising them. We do not sell or share personal data as defined under those laws.

To exercise any right, email privacy@aetherya.ai. We will respond within the timeframes required by law (generally one month under the GDPR). You may complain to the Romanian supervisory authority, Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), or to the authority in your country of residence.

8. Cookies & Similar Technologies

We use strictly necessary cookies to operate the Services (e.g., authentication, security, preview access and session state). With your consent, we may use analytics and preference cookies to understand usage and improve the product. Non-essential cookies are only set after you consent, and you can withdraw consent or adjust your choices at any time via your browser settings or our cookie controls where provided. We honour Global Privacy Control (GPC) signals where required by law.

9. When We Act as a Processor

When you use the Services to process personal data about your own end users (e.g., within prompts or uploaded content), you are the controller and we act as your processor. We process such data only on your documented instructions, as set out in our Data Processing Agreement (Art. 28 GDPR), available on request at privacy@aetherya.ai. You are responsible for having a valid legal basis and for providing required notices to your end users.

10. Data Retention

We retain personal data only as long as necessary for the purposes described, to comply with legal, tax and accounting obligations (invoicing records are typically retained for the statutory period under Romanian law), to resolve disputes, and to enforce our agreements. Account and content data are deleted or anonymized within a reasonable period after account closure (typically within 30 days, subject to legal retention requirements and backup cycles). Aggregated or de-identified data may be retained indefinitely.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls and least-privilege, network isolation for internal services, secure cloud infrastructure, monitoring, and regular review. See our Security page for details. No method of transmission or storage is completely secure; in the event of a personal-data breach likely to result in a risk to your rights, we will notify the competent supervisory authority and affected individuals as required by Articles 33–34 GDPR.

12. Children's Privacy

The Services are intended for business users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@aetherya.ai and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date and, for material changes, provide additional notice (e.g., by email or in-product). Your continued use after the effective date constitutes acceptance of the updated policy.

14. Contact

To contact us about privacy or to exercise your rights: