Privacy Policy

Last updated: May 29, 2026

AirCam is operated by Entheos LLC, a limited liability company organized under the laws of the State of Indiana, USA ("we", "us"). Entheos LLC is the data controller for personal information processed through the AirCam mobile app and website (the "Service"). This Privacy Policy explains what we collect, why, who we share it with, and your rights. By using the Service you agree to this policy.

Information we collect

  • Account information: email address, display name, and password (stored hashed). Optional profile photo.
  • User content: photos, videos, albums, notes, and library metadata you create or upload.
  • Sharing data: library memberships, invite codes, and guest session identifiers.
  • Device & diagnostic data: basic device info, IP address, app version, and error logs used to keep the Service running.
  • Usage data: high-level information about how you interact with the Service (pages viewed, features used, session duration) used to understand product performance.

Analytics and error monitoring

With your consent where required, we use a small number of first- and third-party tools to understand how the Service is used and to detect errors:

  • PostHog — product analytics (feature usage, anonymized event counts, basic device/locale info). Form inputs are masked by default.
  • Sentry — crash and error reporting. Captures stack traces, device/OS, and the URL where the error occurred.

Non-essential analytics are activated only after you give consent (where required by your jurisdiction). You can withdraw consent at any time from the cookie banner or by contacting us.

How we use your information

  • Provide and operate the Service (storage, sync, sharing).
  • Authenticate you and protect your account.
  • Deliver media via our content delivery network.
  • Diagnose problems and improve reliability and performance.
  • Communicate service-related notices (e.g. password resets).

We do not sell your personal information, and we do not use your photos or videos to train AI models or for advertising.

Purpose and legal basis

Where applicable law (e.g. GDPR / UK GDPR) requires a legal basis, we rely on the following bases, by purpose:

  • Providing the Service (account, storage, sharing, service-related communication): performance of a contract (Art. 6(1)(b)).
  • Security, abuse prevention, and product improvement (logs, diagnostics, fraud prevention): legitimate interests (Art. 6(1)(f)).
  • Analytics and marketing (where applicable): your consent (Art. 6(1)(a)). You may withdraw consent at any time.
  • Legal compliance (tax, accounting, responding to lawful requests): legal obligation (Art. 6(1)(c)) or legitimate interests.

Cookies and similar technologies

We use a small number of essential cookies required to operate the Service — for example session and authentication cookies. These do not require consent because the Service cannot function without them.

Non-essential cookies and local storage (used by the analytics tools listed above) are only activated after you give consent. We do not use advertising or cross-site tracking cookies.

How we share your data

We share personal data only with the categories of recipients below, and only as needed to operate the Service. All processors are bound by data processing agreements.

  • Service providers / subprocessors — Supabase (authentication, database, file storage), Bunny.net (video processing and CDN), Cloudflare (application hosting and edge network), PostHog (analytics), Sentry (error monitoring).
  • Payments provider (Merchant of Record). Our payments provider handles payments, subscription management, tax compliance, invoicing, and related customer service for purchases, and processes payment data as an independent controller under its own privacy notice.
  • Professional advisers — legal, accounting, and compliance advisors where reasonably required.
  • Authorities — where required by law, court order, or to protect rights, property, or safety.

International transfers

Entheos LLC is based in the United States, and our service providers operate globally. Where personal data is transferred out of the UK or EEA, we rely on appropriate safeguards such as the Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent mechanisms.

Data retention

We retain personal data only as long as necessary for the purposes it was collected:

  • Account data: retained for the lifetime of your account. After deletion (from Profile → Danger zone → Delete account) we remove personal data from live systems within 30 days, except where retention is required by law.
  • Photos and videos: deleted immediately when you remove them from the Service or when your account is deleted. Backups are purged within 30 days.
  • Product analytics (PostHog): retained for up to 12 months, then anonymized or deleted.
  • Error reports (Sentry): retained for up to 90 days.
  • Server and access logs: retained for up to 90 days for security and debugging.
  • Billing and tax records: retained as required by applicable tax and accounting law (typically 7 years).

Your rights

Depending on where you live (e.g. EEA, UK, California), you may have rights to access, correct, export, restrict, or delete your personal information, to object to certain processing, and to withdraw consent where processing is based on consent. You can exercise most of these directly in the app, or contact us using the details below. We respond within 30 days.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority — for example the UK Information Commissioner's Office or your EU member-state authority listed by the European Data Protection Board.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22).

Children

The Service is not directed to children under 13 (or the higher minimum age required by your country, e.g. 16 in parts of the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

Security

We use industry-standard measures including encryption in transit (HTTPS), encryption at rest, hashed passwords, and row-level access controls. No system is perfectly secure; please use a strong, unique password.

Data breach notification

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you without undue delay.

Changes to this policy

We may update this policy from time to time. For material changes we will give at least 30 days' notice in the app or by email before they take effect. The "Last updated" date at the top reflects the latest revision.

Contact

Questions or requests? Email support@aircam.me.