Privacy Policy

Aperture Robotics, LLC, a Delaware limited liability company (“Company”, “we”, “us”), operates Spacewave (“Service”). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

Spacewave is a client-side-first platform. Most data processing happens in your browser, not on our servers. All content you create, upload, or store using the Service (“User Content,” as defined in the Terms of Service) - whether stored in cloud storage or transmitted directly between devices - is end-to-end encrypted using keys derived from your credentials on your device. The Company does not hold decryption keys and cannot access the plaintext content of your data. This policy explains what data we do handle server-side and why.

2.1 Account Information

When you create an account, we collect:

• Email address - required for account verification, billing, and service communications (billing receipts, security alerts, Terms updates).
• Authentication credentials - for passkey and OAuth users, we store the server-side credential data necessary for authentication. For email/password users, your password is processed client-side via scrypt key derivation; we receive only the derived cryptographic public key, never your password.
• Billing information - payment details are processed directly by Stripe and are not stored on our servers. We receive only transaction confirmations and subscription status from Stripe.

2.2 Usage Data

We collect diagnostic and usage-related data (“Usage Data”) solely for system quality-of-service monitoring, billing, and maintaining the operation of the Service. For paid-tier users who use cloud storage, this includes:

• Storage volume - total bytes stored in your cloud allocation
• Operation counts - number of read/write operations for billing purposes
• Timestamps - when operations occur (for billing cycle calculation)

We do not use Usage Data for advertising, profiling, or any purpose other than those stated above.

2.3 Technical Data

When you connect to our services, we may collect:

• IP address - for rate limiting and abuse prevention
• User agent - browser type and version
• Connection metadata - timestamps, request counts

We do not use tracking cookies, analytics scripts, or third-party tracking pixels. We do not use your data for advertising. The Service may use strictly necessary cookies or local storage for authentication and session management only; these are essential for the Service to function and cannot be opted out of.

2.4 Data We Do NOT Collect

Spacewave’s client-side architecture means we do not collect:

• Content of your locally stored data (free tier)
• Content of direct device-to-device communications
• Browsing history within Spacewave applications
• Keystroke or interaction telemetry
• Precise geolocation data
• Device identifiers beyond user agent

2.5 Artificial Intelligence Features

The Service may include features that use artificial intelligence or machine learning technology (“AI Features”) as described in the Terms of Service. When you use AI Features, the input you provide and any resulting output may be processed by the AI Feature to generate a response. We do not use your input to AI Features or any AI-generated output to train artificial intelligence or machine learning models. AI Feature processing is subject to the same data protections described in this Privacy Policy.

We use collected information solely to:

• Provide, maintain, and operate the Service
• Process payments and manage subscriptions
• Send service communications (billing, security, Terms updates)
• Prevent abuse, enforce our Terms of Service, and maintain security
• Comply with applicable legal obligations
• Monitor system quality of service and billing accuracy

We do not sell, rent, or share your personal information for advertising or marketing purposes. We do not use your information for profiling or automated decision-making that produces legal or similarly significant effects.

4.1 Cloud Storage (Paid Tier)

Paid-tier cloud data is stored on Cloudflare R2 infrastructure. All User Content is end-to-end encrypted on your device before transmission; the Company does not hold decryption keys and cannot access the plaintext content of your cloud-stored data. Data is additionally encrypted in transit (TLS) and Cloudflare provides encryption at rest for R2 storage.

Because User Content is end-to-end encrypted, we are technically unable to inspect, read, or review the plaintext content of your cloud-stored data. If we have reason to believe that your use of the Service violates our Terms of Service (including prohibited content restrictions), we may suspend or terminate your access to the Service and remove the encrypted data from our infrastructure. We may also disclose encrypted data in response to valid legal process, though we are unable to decrypt such data.

4.2 Client-Side Data

Data stored locally in your browser (free tier or local mode) is under your control. We have no access to locally stored data.

4.3 Direct Device-to-Device Data

Data transmitted via direct device-to-device connections is end-to-end encrypted and passes directly between devices. We do not relay, intercept, or store direct device-to-device traffic. When using the optional paid cloud relay feature, data passes through Cloudflare infrastructure in transit only, remains end-to-end encrypted, and is not stored. The Company cannot access the plaintext content of direct device-to-device communications in any case.

4.4 Security Measures

We implement security measures including end-to-end encryption of all User Content, TLS encryption for all connections, secure authentication (scrypt key derivation, passkey support), and access controls. Encryption keys are derived on your device and are never transmitted to or stored on our servers. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

4.5 Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you by email to the address associated with your account and, where required by applicable law, the relevant supervisory authorities, within the timeframes required by applicable law. Such notification will describe the nature of the breach and the steps we are taking in response.

We share your information only with:

• Stripe - payment processing (governed by Stripe’s Privacy Policy)
• Cloudflare - infrastructure provider for cloud storage and data relay (governed by Cloudflare’s Privacy Policy). The Service also uses Cloudflare Turnstile for bot detection and abuse prevention, which is subject to the Cloudflare Turnstile Privacy Policy
• Law enforcement or government authorities - only when required by valid legal process (subpoena, court order, or equivalent). We will notify you of such requests unless prohibited by law or court order.

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. We do not share personal information with data brokers.

• Account data - retained while your account is active. Deleted within thirty (30) days of account closure or voluntary cancellation.
• Cloud-stored data - retained while your subscription is active. Upon voluntary cancellation, available for export for thirty (30) days, then permanently deleted. Upon termination by the Company for convenience, available for export for thirty (30) days from the effective date of termination, then permanently deleted. Upon termination for cause, may be immediately and permanently deleted without an export period. During suspension for non-payment, data will be preserved for thirty (30) days from the date of suspension, after which it may be permanently deleted.
• Billing records - retained as required by applicable tax and accounting law (typically seven (7) years).
• Server logs - retained for up to ninety (90) days for abuse prevention, security, and debugging, then deleted.
• Backup copies - residual copies in backup or archival systems may be retained for a commercially reasonable period after deletion of the primary data.

You have the right to:

• Access - request a copy of personal data we hold about you
• Correction - request correction of inaccurate personal data
• Deletion - request deletion of your account and associated personal data
• Export - export your cloud-stored data at any time through the Service
• Opt-out of communications - unsubscribe from non-essential communications

To exercise these rights, contact privacy@aperture.us. We will respond to verified requests within thirty (30) days or such shorter period as required by applicable law. We will not discriminate against you for exercising any of these rights.

7.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”):

Categories of personal information we collect: identifiers (email address, IP address), commercial information (billing and subscription status), and internet or other electronic network activity information (usage data, user agent, connection metadata).

Sources: directly from you (account creation, payment) and automatically from your use of the Service (technical data, usage data).

Business purpose for collection: providing and maintaining the Service, processing payments, security and abuse prevention, and legal compliance.

Third parties with whom we share: Stripe (payment processing) and Cloudflare (infrastructure), as described in Section 5.

Your CCPA rights:

• Right to know what personal information we collect, use, and disclose
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt-out of the sale or sharing of personal information - we do not sell or share (as defined by the CCPA) your personal information
• Right to non-discrimination for exercising your privacy rights
• Right to limit use and disclosure of sensitive personal information - we do not use sensitive personal information for purposes beyond those permitted by the CCPA

To exercise these rights, contact privacy@aperture.us or submit a request through your account settings.

7.2 EU/EEA and UK Residents (GDPR/UK GDPR)

Data controller: Aperture Robotics, LLC is the data controller for personal data processed in connection with the Service. For data protection inquiries, contact privacy@aperture.us.

Legal bases for processing:

• Contract performance (GDPR Art. 6(1)(b)) - processing of account information, billing information, and cloud-stored data, as necessary to provide the Service you requested
• Legitimate interest (GDPR Art. 6(1)(f)) - processing of technical data (IP address, user agent, connection metadata) for abuse prevention, security, and system quality-of-service monitoring. We have balanced our interests against your rights and have determined that our processing is proportionate and does not override your fundamental rights
• Legal obligation (GDPR Art. 6(1)(c)) - retention of billing records as required by tax and accounting law

Your additional GDPR rights:

• Right to data portability
• Right to restrict processing
• Right to object to processing based on legitimate interests
• Right to withdraw consent (where processing is based on consent)
• Right to lodge a complaint with your local data protection authority

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects concerning you.

Some browsers transmit “Do Not Track” (DNT) signals. We do not use tracking cookies, third-party analytics, or advertising trackers, so our practices are consistent with a DNT preference regardless of whether the signal is received.

Spacewave is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, contact privacy@aperture.us.

Your data may be processed in the United States and other countries where Cloudflare operates infrastructure. For transfers of personal data from the EU/EEA or United Kingdom to the United States or other countries that have not received an adequacy determination, we rely on Cloudflare’s data processing agreements incorporating the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable. You may request a copy of the applicable transfer safeguards by contacting privacy@aperture.us.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to the address associated with your account when the updated policy takes effect. Non-material changes (such as clarifications or formatting updates) may be made without advance notice. The “Last Updated” date at the bottom of this policy indicates when it was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

For privacy-related questions or requests: