Aeon
Sign in

Legal

Privacy Policy

Last updated: May 6, 2026 · Effective: May 6, 2026

This Privacy Policy describes how Aeon, Inc. (“Aeon”, “we”, “our”, or “us”) collects, uses, shares, and protects information about you when you visit our marketing site, create an account, use the Aeon dashboard or APIs, or otherwise interact with our services (collectively, the “Services”). This policy applies to data we process as a controller. When we process data on behalf of our customers (e.g., listing photographs uploaded by an agent), we act as a processor and the customer is the controller.

1. Information We Collect

We collect the following categories of information:

  • Account information. Name, email address, brokerage or company name, display name, and optional branding assets (wordmark, accent colour) that you provide when you create or maintain an account.
  • Authentication tokens. Magic-link tokens and session identifiers issued by our authentication system.
  • Customer Content. Photographs, scans, floor plans, panoramas, and other materials you upload to generate AI-staged outputs, plus the AI-generated outputs themselves and the metadata we attach to them (including disclosure metadata).
  • Listing metadata. Property addresses, descriptions, agent attributions, listing slugs, and structured-data fields you submit or that we infer from the materials you upload.
  • Payment information. Stripe processes payments on our behalf. Aeon does not store full credit card numbers; we receive a tokenized reference, the last four digits of the card, and the expiration date from Stripe.
  • Usage and device data. IP address, user-agent string, approximate geographic location (derived from IP), pages visited, features used, timestamps of generation requests, error events, and similar telemetry. We log this in our application and edge-cache layers.
  • Communications. Emails you send us, support tickets, Slack/iMessage threads with our team, and any feedback you submit.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Services, including generating AI-staged outputs from your Customer Content and serving public listing pages.
  • Process payments, manage subscriptions, and reconcile quotas.
  • Send you transactional email (magic links, receipts, account notifications, security alerts) and, where you have opted in, marketing or product-update email.
  • Monitor service health, detect abuse, prevent fraud, and enforce these Terms and our usage limits.
  • Improve the Services, including evaluating model quality and tuning prompts. We do not use your Customer Content to train third-party generative models without your explicit written consent.
  • Comply with legal obligations, respond to lawful requests, and protect our rights and the rights of others.

3. How We Share Information

We share information with the following categories of recipients only as necessary to operate the Services:

3.1 Subprocessors

We engage third-party service providers (“Subprocessors”) under contract to process information on our behalf. The current Subprocessors are:

  • Stripe, Inc. — payment processing, invoicing, and customer-portal billing management.
  • Resend, Inc. — transactional email delivery (magic-link sign-in, receipts, account notifications).
  • Decor8AI — AI image generation for same-room virtual staging.
  • Blockade Labs — equirectangular panorama generation for virtual tours.
  • Replicate, Inc. — model hosting for depth estimation and supplemental image generation.
  • fal.ai — model hosting (FLUX, Schnell, depth) used as a fallback inference path.
  • Runway — generated walkthrough video and Empty → Staged transition video (where used).
  • ElevenLabs — text-to-speech voiceover narration (where used).
  • Cloudflare, Inc. — CDN, edge caching (Cloudflare Workers), DNS, and R2 object storage for generated assets.
  • Supabase — managed Postgres database hosting plus authentication infrastructure.
  • Upstash, Inc. — managed Redis used for idempotency keys and short-TTL caches.
  • Render, Inc. and Vercel, Inc. — application hosting for our gateway API and Next.js front-end, respectively.

Each Subprocessor is contractually obligated to protect your information consistent with this policy. We update this list as Subprocessors change; material changes will be reflected here.

3.2 Service of process and law enforcement

We may disclose information to comply with legal process, a valid law-enforcement request, or to protect the rights, property, or safety of Aeon, our customers, or the public. We will give you notice of any such request unless prohibited by law.

3.3 Business transfers

If Aeon is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will give you notice and an opportunity to delete your data before any such transfer.

4. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Services and remember your preferences. Strictly necessary cookies (e.g., authentication session identifiers) cannot be disabled. We do not currently use third-party advertising cookies. Your browser may allow you to refuse cookies; if you do so, parts of the Services may not function correctly.

5. Data Retention

We retain account information for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. Customer Content is retained while your account is active and for 90 days after deletion (the R2 bucket lifecycle window) before being permanently deleted. Aggregated telemetry may be retained indefinitely in a form that does not identify you.

6. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Access. The right to request a copy of the information we hold about you.
  • Correction. The right to request correction of inaccurate or incomplete information.
  • Deletion. The right to request deletion of your information, subject to legal retention obligations.
  • Portability. The right to receive your information in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Objection / restriction. The right to object to certain processing, including direct marketing, or to restrict processing in certain circumstances.
  • Withdrawal of consent. Where we rely on consent, the right to withdraw it at any time (without affecting the lawfulness of processing before withdrawal).
  • Opt-out of sale or sharing. California residents have the right under the CCPA/CPRA to opt out of the “sale” or “sharing” of personal information. Aeon does not sell or share personal information for cross-context behavioural advertising as those terms are defined in the CPRA.
  • Non-discrimination. We will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email us at privacy@aeon.example from the address associated with your account. We may need to verify your identity before responding.

7. Children’s Privacy

The Services are not directed to children under 13 (or under 16 in the EEA / UK), and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@aeon.example and we will delete it.

8. International Transfers

Aeon is based in the United States and our Subprocessors may be located in the United States or elsewhere. By using the Services you consent to the transfer of your information to the United States and to other countries that may not provide the same level of data protection as your home country. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

9. Security

We implement reasonable technical and organizational measures to protect your information, including encryption in transit (TLS), encryption at rest for stored Customer Content, scoped database access, and access logging. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to the address on file or by a prominent notice in the Services. The “Last updated” date at the top of this page reflects the most recent revision. Your continued use of the Services after a revised version becomes effective constitutes acceptance of the revised policy.

11. Contact

For questions or concerns about this Privacy Policy or our data practices, email us at privacy@aeon.example or write to us at the address listed in our Terms of Service.