Privacy Policy

Last updated: May 13, 2026

Effective: May 13, 2026

This Privacy Policy describes how Aethyr Research LLC ("Aethyr," "we," "us," or "our") collects, uses, and protects information when you use the Aethyr application, website, and related services (collectively, the "Services"). We built Aethyr on the principle of data sovereignty — you own your data, and we designed our architecture to keep it that way.

Aethyr Research LLC is located at 133 W 2500 S, Bountiful, UT 84010, USA.

1. Information We Collect

We collect only what is necessary to provide the Services. The table below aligns with our App Store privacy declarations and describes exactly what we collect, what we do not collect, and why.

2. Data Sovereignty and Storage

Aethyr is built for sovereignty. Your data stays under your control by architecture, not just by policy.

• Tenant data is stored in per-tenant SQLCipher-encrypted databases on your device.
• In sovereign and on-premises deployments, Aethyr Research LLC has no access to tenant data.
• Encryption keys are derived from device hardware — Secure Enclave on iOS, StrongBox on Android — meaning only your physical device can unlock your data.
• Data is encrypted both in transit (TLS 1.3) and at rest (XChaCha20-Poly1305).

3. Post-Quantum Cryptography

Aethyr uses post-quantum cryptography to protect your data against both current and future threats, including attacks from quantum computers. We disclose this for export-control transparency under EAR classification 5D992.c, with license exception eligibility under §740.17(b)(1).

Our cryptographic stack includes:

• NIST FIPS 203 (ML-KEM-768) — post-quantum key encapsulation for secure key exchange
• NIST FIPS 204 (ML-DSA-65) — post-quantum digital signatures for identity verification
• BLAKE3 — cryptographic hashing
• XChaCha20-Poly1305 — authenticated symmetric encryption for data at rest

Post-quantum cryptography means that even if large-scale quantum computers become available, your encrypted data remains secure. This is a forward-looking protection: data encrypted today with classical-only algorithms could be harvested now and decrypted later by a quantum adversary. Our PQ stack prevents this.

4. Voice Processing and Microphone Access

Aethyr may request microphone permission for voice commands. Here is exactly what happens with your audio:

• Audio is processed locally on hardware you control. Speech-to-text (Whisper STT) runs on your GPU or your self-hosted voice server.
• Audio is never transmitted to Aethyr servers.
• Audio is never sent to third-party cloud services.
• You can revoke microphone permission at any time through your device settings.

5. Account Deletion

You can delete your account at any time. Deletion is permanent and cannot be undone.

How to delete your account

In the Aethyr app: Settings → Account → Delete Account, then confirm twice.

What happens when you delete

• Your account is permanently deleted.
• Your device identity (DID) is revoked.
• All local encrypted data is wiped from your device.
• Server-side personally identifiable information (PII) is anonymized.
• Anonymized audit logs are retained for 7 years for security and compliance purposes. These logs contain no PII.

In-app deletion is always available. You can also email privacy@aethyrresearch.com to request account deletion.

6. Children's Privacy

Aethyr is not directed at children under 17. The app carries a 17+ age rating on the App Store. We do not knowingly collect personal information from anyone under 13.

If you are a parent or guardian and believe your child has provided personal information to Aethyr, please contact us at privacy@aethyrresearch.com and we will promptly delete that information.

7. Your Rights by Region

GDPR (European Union / EEA)

If you are located in the EU or EEA, we process your personal data under the following lawful bases: performance of a contract (providing the Services you signed up for) and consent (where applicable). You have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate personal data.
• Request erasure of your personal data.
• Request data portability (receive your data in a structured, machine-readable format).
• Restrict or object to processing of your personal data.
• Lodge a complaint with your local supervisory authority.

To exercise these rights, contact privacy@aethyrresearch.com. We will respond within 30 days.

CCPA / CPRA (California)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used.
• Request deletion of your personal information.
• Request correction of inaccurate personal information.
• Opt out of the sale or sharing of personal information — we do not sell or share your personal information, so there is nothing to opt out of.
• Non-discrimination for exercising your rights.

Aethyr does not sell personal information. Aethyr does not share personal information with third parties for advertising or cross-context behavioral advertising. Your deletion rights are available through the in-app account deletion flow described above.

PIPEDA (Canada)

Canadian users have the right to access their personal information, request corrections, and withdraw consent. We obtain meaningful consent before collecting, using, or disclosing personal information and limit collection to what is necessary for the stated purposes.

U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have rights similar to those described above, including the right to access, delete, and correct personal information, and to opt out of targeted advertising (which we do not engage in). Contact privacy@aethyrresearch.com to exercise any of these rights.

HIPAA

Aethyr Research LLC is not a covered entity under HIPAA. If Aethyr is used by a HIPAA-regulated entity (such as a healthcare provider or health plan), a separate Business Associate Agreement (BAA) is required. Contact legal@aethyrresearch.com to discuss BAA requirements.

Federal and Defense Customers

Federal and defense customers operate Aethyr under separate contractual terms (including DFARS and applicable federal acquisition regulations). This privacy policy does not supersede those agreements.

8. Third Parties

We minimize third-party data sharing. The following are the only third parties that may receive limited data in connection with the Services:

• Apple (App Store) — standard App Store receipt and purchase verification data. Governed by Apple's privacy policy.
• Infrastructure providers — Aethyr Console hosting uses infrastructure where data is encrypted in transit and at rest. In sovereign/on-prem deployments, no data leaves your environment.

We do not use analytics SDKs, advertising SDKs, or third-party trackers of any kind.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) or through an in-app notification before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.

10. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights: