Privacy Policy

Last updated: May 2026

1. Information We Collect

We collect the following categories of information when you use AECARO:

Account Information

When you create an account, we collect your name, email address, and authentication provider identifiers (via Clerk). If you sign up as an agency partner, we additionally collect your agency name, website URL, and billing address.

API Usage Data

We collect metadata about your usage of the platform: agent execution counts, tokens consumed, connector connections, and feature usage patterns. This data is used for service improvement, billing calculations, and infrastructure scaling. We do not inspect or store the content of agent-to-LLM conversations beyond transient execution logs (retained 30 days).

Billing Data

Payment processing is handled by Stripe. We receive from Stripe your billing status, plan tier, and payment history. Full payment card numbers are never transmitted to or stored by AECARO servers. Stripe's privacy policy applies to data they process.

Technical Data

We automatically collect IP addresses, browser user-agent strings, and session activity timestamps for security monitoring and fraud prevention. This data is retained for 90 days.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the AECARO platform
  • Process billing and manage subscriptions
  • Monitor for abuse, unauthorized access, and security threats
  • Send service-related communications (billing notices, security alerts, product updates)
  • Respond to support requests and troubleshoot issues
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use your agent execution data or API key outputs to train models or improve third-party AI services.

3. Data Storage & Security

All data transmitted between your browser and AECARO is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Our infrastructure is hosted on Vercel (Edge Network) with primary data storage on Neon (PostgreSQL), which provides encryption at rest and automated backups.

API keys you provide are encrypted at rest and decrypted only at runtime within isolated execution containers. AECARO engineers do not have direct access to decrypted API keys. Access to production databases is restricted, logged, and requires multi-factor authentication.

Backups are performed daily and retained for 7 days on the Pro plan, 14 days on the Team plan. Point-in-time recovery is available as an add-on.

4. Third-Party Services

AECARO integrates with the following third-party services. Each service processes data according to its own privacy policy:

Stripe

Payment processing. Receives plan type, billing amount, and payment method token.

Neon

PostgreSQL database hosting. Stores account information, settings, and execution metadata.

Clerk

Authentication and user management. Handles sign-in, MFA, and session management.

OpenAI / Anthropic / Google

LLM inference providers. Agent prompts and responses are sent to the provider you have configured. AECARO does not log full conversation content beyond transient execution traces.

Vercel

Application hosting and edge network. Manages CDN, serverless functions, and deployment.

Resend

Transactional email delivery (billing receipts, account notifications).

5. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
  • Export: Request a machine-readable export of your data (JSON format)
  • Correction: Update inaccurate information through your account settings
  • Objection: Object to processing of your data for legitimate interest purposes
  • Withdraw consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@aecaro.com. We will respond within 30 days. Account deletion is processed immediately; residual data in backups is purged within 30 days.

Data Retention

We retain your personal data for as long as your account is active. After account deletion, we retain minimal data for legal compliance (billing records retained for 7 years as required by tax law; aggregate analytics with no personal identifiers retained indefinitely).

6. Cookies

AECARO uses essential cookies for authentication and session management. These are required for the platform to function. We also use optional analytics cookies to understand how users interact with the platform and to improve the user experience.

You can control cookie preferences through the cookie banner displayed on first visit. Third-party cookies are not used for advertising or tracking across sites. Stripe may set cookies necessary for payment processing fraud detection.

For more details, see our full Cookie Policy available on request.

7. Contact

For privacy-related inquiries, data subject requests, or questions about this policy:

Email: privacy@aecaro.com

Data Protection: dpo@aecaro.com

Response time: Within 30 days

If you are located in the European Economic Area (EEA) or the UK, you have the right to lodge a complaint with your local data protection supervisory authority.