Privacy Policy

Effective date: April 27, 2026 · Last updated: June 10, 2026

This Privacy Policy explains how Aerlux ("Aerlux," "we," "us," or "our") collects, uses, and shares information when you use our mobile app and website at aerlux.app (together, the "Service"). We've tried to write this in plain English. If anything is unclear, contact us using the details at the bottom.

Short version: we collect what we need to run the app — your email, the model collection you build, and (if you use the marketplace) the payment details required to complete a sale. We don't sell your data. You can delete your account and all your data at any time — instantly from inside the app (Profile → Delete Account), or by emailing us.

1. Who we are

Aerlux is operated by Donovan Deming from Washington State, United States. We are a mobile app for diecast and scale model aircraft collectors.

2. How to contact us about your data

Email: support@aerlux.app (general data questions, deletion requests, copy-of-my-data requests)
Mailing address: Contact us via email and we will provide a physical address upon request.

3. What information we collect

3.1 Information you give us directly

Waitlist signup (aerlux.app): if you join the pre-launch waitlist on our website, we collect your email address and, if you choose to provide it, your first name. We use these solely to send you a single announcement when Aerlux opens and any essential updates about the launch. To protect the signup form from abuse, we also store a one-way hashed (irreversibly anonymized) version of the network address the signup came from; it cannot be converted back into your address. To be removed from the waitlist at any time, email support@aerlux.app and we will delete your entry.
Account information: email address, password (stored hashed — we never see your actual password), and the display name you choose.
Authentication via Apple or Google (optional): if you choose Sign in with Apple or Sign in with Google, we receive your email address and a unique account identifier from that provider. We do not receive your Apple/Google password.
Your collection data: the model entries you create — including aircraft name, brand, scale, registration, condition, item number/SKU, released date, material, tags, notes, purchase price, and any photos you upload.
Marketplace listings (if you sell): asking price, listing description, and shipping information you choose to share with a buyer.
Payment information (if you buy or sell): processed entirely by Stripe (see Section 5). Aerlux never sees, stores, or has access to your full credit card or bank account numbers.
Communications: if you email us or contact support, we keep that correspondence to help you.

3.2 Information collected automatically

Device information: basic device type (iOS or Android), operating system version, and app version. Used to diagnose crashes and ensure compatibility.
Local storage: the app stores your preferences, recently viewed models, and (if you've used the website) certain settings on your device using browser localStorage. This data does not leave your device.
Log data: when something goes wrong, our backend (Supabase) may log error details to help us debug. Logs do not include your password or payment information.

3.3 Information we do not collect

We do not collect your precise location.
We do not access your contacts, calendar, or other apps' data.
We do not access your camera roll except to import specific photos you choose to upload.
We do not sell your data. Ever.

4. How we use your information

We use the information above to:

Run the Service — store your collection, sync across your devices, generate PDF exports, deliver marketplace listings.
Authenticate you when you sign in.
Process marketplace transactions (with Stripe).
Send transactional emails — password reset confirmations, sale notifications, listing replies, and important account or service announcements. We do not send marketing emails or newsletters at this time. If we add marketing emails in the future, you will opt in separately.
Send waitlist members the one-time launch announcement they signed up for.
Diagnose problems, fix bugs, and improve the app.
Comply with legal obligations and respond to lawful requests.

5. Who we share information with

We share data only with service providers who help us run Aerlux. These providers are bound by contract to use your data only for the purposes we've authorized.

Current third-party services

Supabase (database + storage + authentication) — stores your account, collection data, and photos. Hosted on Amazon Web Services in the United States. supabase.com/privacy
Stripe / Stripe Connect (payments) — processes all marketplace transactions. Aerlux receives a record of completed payments (amount, status), but Stripe handles all card data directly. stripe.com/privacy
Apple Sign-in (optional authentication) — apple.com/legal/privacy
Google Sign-in (optional authentication) — policies.google.com/privacy
Apple App Store and Google Play Store (app distribution) — these stores collect their own download and crash data per their own policies.

Services we may add in future updates

We're transparent about what's coming. The following may be added in future versions; if and when they are, we will update this Privacy Policy and notify users in the app:

Analytics tools (e.g., Mixpanel, PostHog, or similar) — to understand how people use the app and improve it. We will name the specific provider in this policy before enabling any analytics.
AI photo identification (Google Cloud Vision API or similar) — to auto-detect aircraft details from photos you choose to upload.
Cloud document import (OpenAI API or similar) — to extract aircraft data from PDF or Word documents you choose to upload.

We do not sell or rent your data

We have never sold or rented user data and have no plans to. We do not share data with advertisers.

Legal disclosure

We may disclose information if required by valid legal process (subpoena, court order, etc.) or when necessary to protect our rights, your safety, or the safety of others.

6. How long we keep your data

Account data: kept while your account is active.
Account deletion: deleting your account from within the app (Profile → Delete Account) removes your account, your entire collection, and your photos immediately. (A deletion requested by email is completed within 30 days.) We may retain only records we are legally required to keep — such as completed sales records for tax purposes — for up to 7 years.
Backups: deleted data may persist in encrypted backups for up to 60 days after deletion before being overwritten.

7. Your rights and choices

All users

Access: request a copy of the data we have about you.
Correction: update or correct your account information any time within the app.
Deletion: delete your account and all associated data instantly from within the app (Profile → Delete Account), or by emailing us. In-app deletion is immediate and permanent; email requests are processed within 30 days.
Portability: export your collection at any time using the built-in PDF or (when available) CSV export.

If you live in the European Union, UK, or European Economic Area (GDPR)

You have the right to access, correct, delete, restrict, object to, and port your personal data.
You can withdraw consent at any time where consent is the legal basis for processing.
You can lodge a complaint with your local data protection authority.
The legal bases we rely on: contract (to provide the Service you signed up for), legitimate interest (running and improving the Service, preventing fraud), and consent (where required, e.g., for any future marketing).

If you live in California (CCPA / CPRA)

You have the right to know what personal information we collect, use, and disclose.
You have the right to delete your personal information.
You have the right to correct inaccurate personal information.
You have the right to opt out of the "sale" or "sharing" of personal information — note: Aerlux does not sell or share personal information for cross-context behavioral advertising.
You have the right not to be discriminated against for exercising these rights.
To exercise any of these rights, email us using the contact details above.

8. Children's privacy

Aerlux's catalog and PDF export features are open to users of all ages globally. Marketplace features (buying and selling) are restricted to users 18 years of age or older, because the law in most jurisdictions does not permit minors to enter binding sales contracts.

We do not knowingly collect personal information from children under 13 in the United States (per the Children's Online Privacy Protection Act, "COPPA"), or under 16 in the EU/EEA (per GDPR), without verifiable parental consent. If we learn we have collected such information, we will delete it.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us so we can take appropriate action.

9. International users and data transfers

Aerlux is operated from the United States. Our backend (Supabase) is hosted in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. By using the Service, you consent to this transfer.

We rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers of personal data from the EU/EEA, UK, or Switzerland to the United States, where required by law.

10. Cookies and local storage

The Aerlux mobile app stores preferences and cached data locally on your device using your operating system's standard mechanisms. The aerlux.app website may use minimal cookies and browser localStorage to remember settings you choose. We do not use third-party advertising or tracking cookies.

11. Security

We take reasonable steps to protect your information:

All connections between your device and our servers use HTTPS/TLS encryption.
Passwords are stored hashed by Supabase Auth — we never see your actual password.
Payment data is handled entirely by Stripe and never touches our servers.
Access to user data is restricted to authorized personnel and audited.

No system is 100% secure. If we ever discover a breach affecting your data, we will notify you and, where required by law, the appropriate authorities, without undue delay.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, give you notice within the app or by email before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact us

If you have any questions about this Privacy Policy or about how we handle your data:

Email: support@aerlux.app
Operator: Aerlux — operated by Donovan Deming