Privacy Policy

1. Introduction

Welcome to Aviary ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email campaign management platform at aviary.cloud (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide to us when you:

• Register for an account
• Use our Service to create and send email campaigns
• Subscribe to our newsletter or marketing communications
• Contact us for support

This information may include:

• Name and email address
• Account credentials
• Payment information (processed securely through Stripe)
• Campaign content and recipient email lists
• Communication preferences

2.2 Automatically Collected Information

When you access our Service, we automatically collect certain information, including:

• Device information (IP address, browser type, operating system)
• Usage data (pages visited, time spent, features used)
• Email engagement metrics (opens, clicks, bounces, deliveries)
• Cookies and similar tracking technologies

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Process your email campaigns and deliver them to your recipients
• Process payments and manage subscriptions
• Send you technical notices, updates, and support messages
• Respond to your inquiries and provide customer support
• Monitor and analyze usage patterns and trends
• Detect, prevent, and address technical issues and fraud
• Enforce our Terms of Service and Acceptable Use Policy
• Review content for compliance with our policies (see Section 3.1)
• Investigate and respond to abuse reports
• Comply with legal obligations and enforce our terms

3.1 Content Review and Monitoring

To maintain the integrity of our Service, protect our sending reputation, and comply with legal obligations, we may review, monitor, and analyze User Content. This includes:

• Automated Scanning: We use automated systems to detect spam patterns, malware, phishing attempts, and content that may violate our policies
• Algorithmic Analysis: We analyze sending patterns, bounce rates, and complaint rates to identify potential policy violations
• Manual Review: Accounts flagged for suspicious activity or reported for abuse may be subject to manual content review
• Third-Party Reports: We review content in response to abuse reports from recipients, ISPs, or other third parties

While we reserve the right to monitor content, we do not pre-screen all User Content before it is sent. You remain responsible for ensuring your content complies with our Terms of Service and applicable laws.

4. Third-Party Services

We work with trusted third-party service providers to operate our Service:

4.1 Supabase

We use Supabase for database hosting and authentication. Your account data, campaign information, and recipient lists are stored securely with Supabase. Data is encrypted at rest and in transit.

4.2 Resend

We use Resend as our email delivery service provider. When you send email campaigns, recipient email addresses and campaign content are transmitted to Resend for delivery. Resend tracks delivery metrics (opens, clicks, bounces) on our behalf.

4.3 Stripe

We use Stripe for payment processing. Your payment information is processed directly by Stripe and is not stored on our servers. Stripe's privacy policy governs the use of your payment information.

4.4 Vercel

Our Service is hosted on Vercel's infrastructure. Vercel may collect certain technical information about your use of the Service for hosting and performance purposes.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

• With Service Providers: We share information with third-party vendors who perform services on our behalf (as described in Section 4)
• For Legal Reasons: We may disclose information if required by law or in response to valid legal requests
• To Protect Rights: We may disclose information to protect the rights, property, or safety of Aviary, our users, or others
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred
• With Your Consent: We may share information with your explicit consent

5.1 Law Enforcement and Legal Compliance

We will cooperate with law enforcement agencies, regulatory bodies, and court orders requiring disclosure of User Content or account information. We may proactively report suspected illegal activity to appropriate authorities without prior notice to you, including but not limited to:

• Child exploitation material (reported to NCMEC and law enforcement)
• Credible threats of violence
• Terrorism-related content
• Human trafficking
• Other serious criminal activity

When legally permitted, we will notify you of law enforcement requests for your data unless doing so would jeopardize an investigation or pose a risk of harm.

6. Your Rights and Choices

Depending on your location, you may have the following rights:

• Access: Request access to your personal information
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal information
• Data Portability: Request a copy of your data in a portable format
• Opt-Out: Opt out of marketing communications
• Restriction: Request restriction of processing your information

To exercise these rights, please contact us at support@aviary.cloud.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Row-level security (RLS) to ensure data isolation between users
• Regular security audits and updates
• Access controls and authentication mechanisms
• Secure password storage using industry-standard hashing

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, regulatory, or security purposes.

Campaign data and analytics may be retained in aggregated, anonymized form for analytical purposes.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. We take steps to ensure that your information receives an adequate level of protection in accordance with applicable laws.

10. Children's Privacy

Our Service is not intended for children under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and store certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some features of our Service.

12. Email Campaign Recipients

When you use our Service to send email campaigns, you are responsible for obtaining proper consent from your recipients and complying with applicable anti-spam laws (CAN-SPAM, GDPR, CASL). We process recipient email addresses and engagement data solely on your behalf as a data processor.

Recipients of your campaigns should contact you directly regarding their data rights. We may assist you in responding to such requests.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For specific concerns:

15. GDPR Compliance (EEA Residents)

If you are located in the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR):

• The right to access, update, or delete your personal information
• The right to rectification
• The right to object to processing
• The right to restriction of processing
• The right to data portability
• The right to withdraw consent

The legal basis for our processing of your personal information depends on the purpose for which it is used. We process your information based on your consent, to fulfill our contract with you, to comply with legal obligations, or for our legitimate business interests.

16. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

To exercise your CCPA rights, please contact us at support@aviary.cloud.