Privacy Policy
Last updated: July 2026
1. Who we are
Aelaro is a trading name of Saxon Growth Ltd, a company registered in England and Wales (“we”, “us”, “our”). Saxon Growth Ltd is the data controller for personal information processed through the Aelaro service. Our registered address is available on request. Questions about this policy: privacy@aelaro.app.
2. Personal information we collect
We collect the following categories of personal information:
- Identity and contact data: email address, display name, and account credentials (passwords are stored hashed — never readable by us).
- Special category data — religious beliefs: your faith tradition, denomination, and the spiritual topics you choose to explore. Under UK GDPR, religious beliefs are special category data and we handle them with heightened care. This information is used solely to personalise your experience and is never used for advertising or shared with third parties beyond those required to operate the service.
- Special category data — personal communications: the content of your conversations with Aelaro, which may include matters of grief, mental health, spiritual struggle, or personal circumstance.
- Financial data: subscription tier, billing history, and Stripe customer reference. We never store card numbers — all payment data is handled by Stripe.
- Usage data: message counts, timestamps, and general usage patterns used to enforce plan limits and maintain service quality.
- Memory data: a rolling AI-generated summary drawn from your conversations, used to make the companion more contextually relevant over time.
3. Legal basis for processing (UK GDPR)
We process your personal information on the following legal bases:
- Contract: processing necessary to provide the Service you have subscribed to, including managing your account, delivering AI responses, and processing payments.
- Explicit consent: for special category data (religious beliefs and conversation content). You provide this consent when you sign up and use the Service. You may withdraw consent at any time by deleting your account.
- Legitimate interests: detecting and preventing fraud, abuse, and automated misuse, where those interests are not overridden by your rights.
- Legal obligation: where we are required to process data to comply with applicable law.
4. How we use your information
- To provide and personalise the Aelaro companion experience.
- To maintain conversation memory across sessions.
- To process payments and manage your subscription.
- To send transactional emails (account confirmation, billing receipts, daily verses if opted in). We do not send marketing emails without your explicit consent.
- To detect and prevent fraud, abuse, or automated misuse.
- To comply with legal obligations.
5. We do not sell your information
We do not sell, rent, trade, or share your personal information — including your religious beliefs and conversation content — with third parties for their own marketing or commercial purposes.
We share data only with the sub-processors required to operate the service:
- Supabase — database and authentication (SOC 2 certified).
- Stripe — payment processing (PCI DSS Level 1 certified).
- OpenRouter — AI model routing. Your messages are transmitted to language model providers to generate responses. No conversation content is used to train third-party models under our agreement.
- Vercel — web hosting and CDN.
- Resend — transactional email delivery.
Where sub-processors are located outside the UK, we ensure appropriate safeguards are in place (such as UK adequacy decisions or standard contractual clauses) in accordance with UK GDPR Chapter V.
6. Special category data — additional protections
Religious beliefs and personal spiritual content are special category data under UK GDPR Article 9. We apply the following protections:
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Conversation content is not reviewed by human staff except where required by law or to investigate specific misuse reports.
- Special category data is never used for targeted advertising or profiling for third parties.
- We do not use your religious beliefs or conversation content to infer characteristics about you beyond what is necessary to personalise the companion.
If a message indicates a risk to life, Aelaro provides crisis resources and may flag the conversation for internal safety review. This is a welfare measure, not routine monitoring.
7. Children's privacy
Aelaro is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, contact privacy@aelaro.app and we will delete the account promptly.
8. Your rights
UK and EEA residents (UK GDPR / EU GDPR)
You have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Restriction — request that we restrict processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — withdraw consent for special category processing at any time (by deleting your account).
- Lodge a complaint — complain to the Information Commissioner's Office (ICO) at ico.org.uk or your local EEA supervisory authority.
US residents (CCPA / state privacy laws)
California residents and users in other US states with comprehensive privacy laws have rights to know, delete, correct, and opt out of sale or sharing of personal information. We do not sell or share personal information, so the opt-out right is satisfied by default. We honour equivalent rights for all US users regardless of state.
To exercise any right: email privacy@aelaro.app. We respond within 30 days (one calendar month for UK GDPR requests).
9. Data retention
Your data is retained for as long as your account is active. If you delete your account, your personal data and conversation history are deleted within 30 days. Anonymised, non-identifiable usage statistics may be retained indefinitely. Billing records are retained for 7 years as required by UK tax law.
10. Cookies
Aelaro uses only strictly necessary cookies — session tokens required to keep you signed in. We do not use tracking, analytics, or advertising cookies. No cookie consent banner is required because we do not set non-essential cookies.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email at least 14 days before they take effect. Continued use of Aelaro after the effective date constitutes acceptance of the updated policy.
Aelaro is a trading name of Saxon Growth Ltd, registered in England and Wales. Saxon Growth Ltd is the data controller under UK GDPR. This policy is also intended to satisfy applicable US state privacy laws including CCPA/CPRA and COPPA. To contact us or the ICO: privacy@aelaro.app · ico.org.uk.