Privacy Policy

1. Information We Collect

• Account data — your email address, display name, and hashed password when you register.
• Project content — the scenes, text, images, and settings you create in the Studio.
• Guest-list data — names you upload for the Event tier bouncer gate; stored only for your gift.
• Payment data — processed entirely by Stripe. We store only a Stripe Customer ID reference; no card numbers are held by Aevaia.
• Usage data — AI credit usage counts and request timestamps for billing and abuse prevention.
• Support messages — your email and message when you contact us via the support form.
• Technical data — device type, browser, and IP address logged automatically for security and debugging.

2. How We Use Your Data

• To operate and personalise your Studio experience.
• To enforce the bouncer gate so only invited guests can view your gift.
• To process payments and fulfil tier upgrades via Stripe.
• To track AI credit consumption and prevent abuse.
• To respond to support inquiries.
• To improve platform stability, performance, and security.

We do not sell your personal data to third parties, and we do not use it for advertising.

3. Cookies & Local Storage

Aevaia uses Clerk for authentication. Clerk sets httpOnly, Secure session cookies to maintain your login state; these are managed automatically and expire with your session.

Gift viewer pages use a short-lived cookie (hc_gift_{id}) to remember that you have passed the bouncer gate on that device. No analytics or advertising cookies are set.

4. Data Sharing

We share your data only with the following sub-processors, each under their own privacy terms:

• Supabase — secure PostgreSQL database hosting (EU region).
• Stripe — payment processing.
• OpenRouter / Google / OpenAI — AI text generation (your prompts are sent to generate responses; they are not used to train third-party models under current agreements).

5. Data Retention

Account and project data is retained for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days. Support ticket records are retained for 12 months for audit purposes.

6. Your Rights

Under applicable data-protection law (including GDPR where relevant), you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data via the Settings page.
• Request deletion of your account and all associated data.
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, contact us via the support form.

7. Security

All data is transmitted over TLS. Passwords are hashed with bcrypt (cost factor 12) and never stored in plain text. Payment data never transits Aevaia servers. We review and update our security practices regularly.

8. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Aevaia after changes constitutes acceptance.