We collect what we need to run Aveiro — your account, your sites, billing, and product usage. We do not sell your personal data. You can export or delete your account from Settings. If you use Aveiro to collect emails on your site, you are responsible for telling your visitors — we process that data on your behalf.
Who we are
Aveiro ("we", "us", "our") is a platform for building websites, managing audiences, sending email campaigns, and viewing analytics. We operate the service at aveiro.app.Questions about privacy? Email us at support@aveiro.app or use our contact page.This Privacy Policy explains how we handle personal data when you use Aveiro as a platform user (account holder). It also explains how we process data on published Aveiro sites on behalf of our customers — in that case, the site owner is usually the data controller and Aveiro acts as a processor.
Two roles worth knowing
When you have an Aveiro account, we decide why and how your account data is used. That makes us the data controller for that information.When someone visits a site you built on Aveiro — or subscribes to your newsletter through an Aveiro form — you decide why their data is collected. You are the controller for that visitor or subscriber data. We host and process it so your site and email tools work. You must provide your own privacy notice to your visitors and subscribers.
What we collect
Account and profile
When you sign up or log in, we may collect:
Email address and password (or sign-in via Google or GitHub)
Display name, username, bio, and profile photo
Organization name, membership, and role
Invite codes used during closed beta signup
Notification preferences (in-app and email)
If you join our waitlist during closed beta, we collect your email (and optional name) through the same signup forms we offer on published sites, tagged for the waitlist segment.
Billing
If you subscribe to a paid plan, Stripe processes payments. We store your Stripe customer ID and subscription status — not your full card number.
Your content and product usage
To provide the service, we store and process:
Sites, pages, media, and settings you create in the editor
Email subscribers, segments, campaigns, and delivery statistics you manage
Sender domains and DNS records you connect
Optional custom email provider credentials (BYOK) if your plan includes it — stored encrypted
Version history and organization activity needed to run the product
AI features
When you use AI in the site editor or campaign tools, we send your prompts and relevant context (such as page content or attachments you include) to our AI infrastructure so the model can respond. AI usage is metered against your plan credits.
Analytics on published sites
Sites you publish can include Aveiro's cookieless analytics. For visitors to those sites, we may collect:
Page path, referrer domain, and event type (pageview, click, or custom event)
Browser, operating system, device type, and screen size
A hashed visitor identifier derived from IP address, user agent, and date — we do not store raw IP addresses in analytics records
An optional country derived from IP at the time of the event
A session identifier stored in the visitor's sessionStorage (not a cookie)
We filter common bots and do not use third-party advertising trackers in this analytics product.
Email sending and tracking
When you send campaigns through Aveiro:
We process recipient email addresses and message content to deliver mail
Open tracking may use a small pixel; click tracking may rewrite links — you control this when sending campaigns. The IP address of the opening or clicking device is used only to record the event and is stored hashed (salted SHA-256), never in raw form
Delivery, bounce, and complaint events from our email provider are recorded so sending stays reliable. A hard bounce or a spam complaint suppresses that recipient from future campaigns
From these events we may compute per-subscriber engagement — for example open rate, click rate, and an engagement status such as engaged, active, dormant, or cold. This is a form of profiling that helps you understand and segment your audience; it is not used for automated decisions producing legal or similarly significant effects
If location insights are enabled, we derive an approximate city and country from the opening or clicking device's IP at the time of the event. We store only the last-seen city and country — not a location history — and never the raw IP address
Recipients can unsubscribe via our unsubscribe page, and may object to engagement profiling
Because you are the controller for your subscribers (see "Two roles worth knowing"), you must reflect this open/click tracking, engagement profiling, and approximate-location processing in your own privacy notice to your subscribers, choose an appropriate legal basis (typically legitimate interests, balanced against their rights), and honour their right to object.Platform transactional emails (verification, password reset, waitlist approval, etc.) are sent through our email provider on our behalf.
Referrals and invites
If you arrive via an invite or affiliate link, we set short-lived httpOnly cookies (invite_code or aff, up to 60 days) so we can attribute signup correctly. These cookies are not used for advertising.
Technical logs and security
We process server logs, request metadata, and rate-limiting data (including IP addresses) to keep the platform secure and reliable. Rate limiting may use Upstash Redis.
How we use your data
We use personal data to:
Create and maintain your account and organizations
Host, publish, and back up your sites
Deliver email, analytics, and AI features you request
Process subscriptions, invoices, and usage credits
Send service messages (security alerts, billing, product updates you opted into)
Run closed beta, waitlist, invite, and affiliate programs
Prevent abuse, fraud, and spam
Improve and debug the service
We do not sell your personal information.
Legal bases (EEA, UK, and similar regions)
Where GDPR or similar laws apply, we rely on:
Contract — to provide the service you signed up for
Legitimate interests — security, fraud prevention, product improvement, and referral attribution, balanced against your rights
Consent — where you opt in to marketing emails or OAuth providers load their own cookies
Legal obligation — when we must retain or disclose data by law
Who we share data with
We use trusted service providers ("processors") who only handle data on our instructions:
Supabase — authentication, database, and file storage
Stripe — payments and billing portal
Resend — email delivery (platform default)
Vercel — application hosting, custom domains, and AI gateway
Upstash — rate limiting
Google / GitHub — OAuth sign-in, only if you choose it
AI model providers (via Vercel AI Gateway) — AI chat responses
If you connect your own email provider (BYOK), that provider receives the data needed to send your campaigns.We may also disclose data if required by law, to protect rights and safety, or in connection with a merger or acquisition — with notice where we are legally allowed.
Cookies and similar technologies
Supabase auth cookies (cookie) — keep you logged in; duration is session-based or as set by Supabase
invite_code (httpOnly cookie) — attribute invite at signup; up to 60 days
aff (httpOnly cookie) — attribute affiliate referral; up to 60 days
_magic_sid (sessionStorage on published sites) — analytics session; until the browser tab closes
OAuth buttons (Google, GitHub) may set cookies on their domains only after you click them.You can control cookies through your browser settings. Blocking auth cookies will prevent login.
Your choices and rights
Depending on where you live, you may have the right to:
Access a copy of your personal data
Correct inaccurate data in your profile settings
Delete your account — Settings → Security → Delete account (password confirmation required for email accounts)
Export your personal data — Settings → Security → Export personal data (JSON download of account, profile, memberships, invites, and affiliate data tied to you as an individual)
Object to or restrict certain processing
Withdraw consent where processing is consent-based
Lodge a complaint with your local data protection authority
Exports cover your personal data, not organization-owned content (sites, subscriber lists, campaign content). Organization admins manage that data separately.For marketing emails from Aveiro, use the unsubscribe link in the message. For emails you send to your audience through Aveiro, your subscribers use the unsubscribe flow on your campaigns.To exercise rights not available in the app, email support@aveiro.app. We may need to verify your identity.
Data retention
We keep your data while your account is active and as needed to provide the service, comply with law, resolve disputes, and enforce our agreements. When you delete your account, we soft-delete associated records and begin removing or anonymizing data according to our internal schedules, except where we must retain information for legal or security reasons.Analytics and email logs may be retained for reporting periods configured in the product.
International transfers
We and our processors may process data in countries outside your own, including the United States. Where required, we use appropriate safeguards such as standard contractual clauses.
Children
Aveiro is not directed at children under 16 (or the minimum age in your country). We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
Changes
We may update this policy from time to time. We will post the new version on this page and update the "Last updated" date. Material changes may also be communicated by email or in-product notice.
This policy is written to be clear and accurate for Aveiro's current product. It is not legal advice. If you operate in regulated industries or specific jurisdictions, consider reviewing it with qualified counsel.
Build your online presence without wrestling with design or code with Aveiro.