Section 1

§1 Overview

Our Core Data Promise
  • We do not sell your personal data to third parties — ever
  • We do not use your conversations to train AI models
  • We do not share your data with advertisers
  • We collect only what is necessary to operate the Service
  • You can delete your account and all data at any time

This Privacy Policy explains how Aelius AI ("we," "us," "our") collects, uses, stores, and protects your personal information when you use the Aelius AI Service. It also describes your rights regarding that information.

By using the Service, you agree to the collection and use of information in accordance with this Policy. This Policy is incorporated by reference into our Terms of Service.

This Service operates an uncensored AI model. Your conversations may contain sensitive, explicit, or otherwise private content. Please read §3 (Chat Data Storage) carefully to understand exactly how your conversations are stored and protected.

Section 2

§2 Data We Collect

We collect the minimum data necessary to operate the Service. Here is a complete breakdown:

Account Information
Username, email address, hashed password (bcrypt), unique account ID, account creation date, email verification status. We never store your password in plain text.
Chat & Message History
All conversations you have with the AI, including your messages, AI responses, timestamps, and chat titles. Stored to enable persistent conversation history. See §3 for full details.
API Keys
A unique API key generated for your account to authenticate API requests. Stored securely and associated with your account.
Usage Data
Usage patterns monitored for policy compliance and service improvement. This includes general interaction patterns, not detailed behavioral profiling.
Uploaded Files
Files and images uploaded during chat sessions are temporarily processed to extract content for AI context. They are not permanently stored after session processing.
Email Tokens
Temporary verification and password reset tokens associated with your email. These expire after use or after a time limit and are then deleted.

2.1 Data We Do NOT Collect

We explicitly do not collect the following:

  • Payment information (we do not currently process payments directly)
  • Government-issued identification or age verification documents (beyond checkbox confirmation)
  • Precise geolocation data
  • Device fingerprints or hardware identifiers beyond standard web session data
  • Social media profile data or third-party OAuth tokens
  • Biometric data of any kind
Section 3

§3 Chat Data Storage

Important — Uncensored Conversations Are Stored

Because Aelius AI operates an uncensored AI, your conversations may contain explicit, sensitive, or otherwise private content. This content is stored in our database to provide persistent conversation history. Please read this section carefully before sharing sensitive personal information in the chat interface.

3.1 What Is Stored

When you use the chat interface, the following data is stored in our database:

  • Every message you send — including the full text content
  • Every AI response — including the full text content generated by the Model
  • Chat metadata — title, creation timestamp, last updated timestamp
  • Association with your account — each chat and message is linked to your user ID

3.2 Why It Is Stored

Chat history is stored to allow you to:

  • Resume conversations across sessions and devices
  • Review and reference past AI responses
  • Manage your conversation history (rename, delete individual chats)

3.3 Who Can Access Your Chats

Your chat history is private to your account. We implement access controls to prevent other users from accessing your conversations. Aelius AI operators may access chat data only in the following circumstances:

  • In response to a valid legal order, warrant, or subpoena from law enforcement
  • To investigate a reported violation of our Terms of Service
  • To comply with mandatory CSAM reporting obligations under federal law
  • For security incident investigation with your consent, or where required by law

3.4 How to Delete Your Chat History

You can delete individual chats at any time through the chat interface using the delete option on any conversation. Deleting a chat permanently and irreversibly removes all messages in that chat from our database. You can also delete your entire account (see §9), which removes all associated chat history.

3.5 Sensitive Information Warning

Do not share information in the chat that you would not want stored in a database, such as: full Social Security/National Insurance numbers, complete payment card numbers, passwords, or highly sensitive personal secrets. While we secure your data, no digital storage system is immune to risk.

Section 4

§4 How We Use Your Data

We use the data we collect exclusively for the following purposes:

  1. Providing the Service: Processing your prompts, delivering AI responses, and maintaining your conversation history.
  2. Account Management: Creating and managing your account, verifying your email, and handling password resets.
  3. Authentication & Security: Verifying your identity when you log in and protecting your account from unauthorized access.
  4. Policy Compliance Monitoring: Reviewing usage patterns to detect violations of our Terms of Service.
  5. Service Communications: Sending email verification links, password reset links, and material policy update notifications.
  6. Legal Compliance: Fulfilling mandatory reporting obligations (e.g., CSAM to NCMEC) and responding to valid legal requests.
  7. Service Improvement: Analyzing aggregate, anonymized usage patterns to improve the Service.
What We Will Never Do With Your Data
  • Sell, rent, or trade your personal data to any third party
  • Use your conversations to train AI models
  • Share your data with advertisers or data brokers
  • Use your data for purposes beyond those listed in §4
  • Build individual behavioral profiles for commercial purposes
Section 5

§5 Data Sharing & Disclosure

5.1 No Commercial Sharing

We do not share, sell, rent, or otherwise disclose your personal data to any third party for commercial purposes.

5.2 Service Providers

We may share limited data with carefully selected service providers who assist us in operating the Service, including email delivery (SMTP). These providers are contractually obligated to use your data only for the purpose of providing services to us and to maintain appropriate security standards. Current key providers:

  • Email delivery: Gmail (Google) — used for transactional email (verification, password reset). Subject to Google's privacy policy for outbound email transmission only.

5.3 Legal Disclosure

We may disclose your data where required by law or in good faith belief that such disclosure is necessary to:

  • Comply with a legal obligation, court order, warrant, or subpoena
  • Fulfill our mandatory CSAM reporting obligations to NCMEC under 18 U.S.C. § 2258A
  • Protect and defend the rights or property of Aelius AI
  • Prevent or investigate potential wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

Where legally permitted, we will attempt to notify you of a legal data request before complying. We cannot guarantee such notice in all cases.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of the transaction. We will notify you via email or prominent notice on the Service of any change in ownership or uses of your personal data.

Section 6

§6 Data Retention

We retain data only for as long as necessary for the purposes described in this Policy or as required by law.

Data Type Retention Period Deletion Trigger
Account Information Until account deletion, plus any legally required retention period Account deletion request
Chat History & Messages Until manually deleted by user, or until account deletion User-initiated chat/account deletion
Uploaded Files Duration of upload processing only — not permanently retained Immediately after processing
Email Verification Tokens Until used or expired (typically 24–72 hours) Token use or expiry
Password Reset Tokens 1 hour from creation Token use or expiry
API Keys Until account deletion or key regeneration Account deletion or user-initiated key reset
Legal Compliance Data As required by applicable law (varies by jurisdiction) Expiry of legal retention obligation
CSAM-Related Reports Retained as required by federal law and law enforcement direction Direction from law enforcement / legal expiry
Section 7

§7 Security Measures

7.1 Technical Safeguards

We implement industry-standard security measures to protect your data:

  • Password hashing: Passwords are hashed using bcrypt with appropriate work factor — never stored in plain text
  • API key security: API keys are generated using cryptographically secure random number generation
  • Email token security: Verification and reset tokens are generated using secrets.token_urlsafe() (CSPRNG)
  • Database access controls: Database access is restricted to the application layer; no direct public database access
  • Transport security: Data transmitted between your browser and our servers is protected by TLS/HTTPS encryption
  • Session management: Session tokens are managed securely with appropriate expiry

7.2 Limitations

No System Is Perfectly Secure

Despite our security measures, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee the absolute security of your data. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

7.3 Your Role in Security

You are responsible for maintaining the security of your account credentials. Use a strong, unique password and do not share your login details with anyone. Enable any security features we may offer. Contact us immediately if you suspect unauthorized access to your account.

7.4 Data Breach Response

In the event of a data breach, we will: (a) investigate promptly; (b) notify affected users via email within the timeframe required by applicable law (typically 72 hours under GDPR, where applicable); (c) notify relevant supervisory authorities as required; and (d) take appropriate steps to contain and remediate the breach.

Section 8

§8 Cookies & Tracking Technologies

8.1 What We Use

We use a minimal set of cookies and browser storage technologies:

  • Session cookies: Strictly necessary cookies that maintain your logged-in state. These are deleted when you close your browser.
  • Flask session cookies: Used to maintain application state and authentication between page loads. These contain a session identifier, not personal data.
  • localStorage (browser): We use browser localStorage to store your TOS agreement state (so you are not prompted to agree on every visit after first acceptance). This data is stored on your device, not our servers.

8.2 What We Do NOT Use

  • Third-party advertising cookies or trackers
  • Analytics cookies from services like Google Analytics
  • Social media tracking pixels
  • Cross-site tracking technologies

8.3 Cookie Control

You can control cookies through your browser settings. Note that disabling session cookies will prevent you from logging in to the Service. Clearing localStorage will reset your TOS agreement state and require re-acceptance on next visit.

Section 9

§9 Your Rights & Controls

Regardless of your jurisdiction, we respect the following data rights:

Access
Request a copy of the personal data we hold about you.
Correction
Request correction of inaccurate personal data associated with your account.
Deletion
Request deletion of your account and all associated personal data.
Portability
Request your data in a machine-readable format where technically feasible.
Objection
Object to processing of your personal data where we rely on legitimate interests.
Restriction
Request restriction of processing of your personal data in certain circumstances.

To exercise any of these rights, contact us at the address in §16. We will respond within 30 days, or within the timeframe required by applicable law. We may need to verify your identity before processing your request.

Section 10

§10 GDPR — EU / EEA Users

European Users

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to our processing of your personal data. This section describes your specific GDPR rights and our legal basis for processing.

10.1 Legal Basis for Processing

  • Contract performance (Art. 6(1)(b)): Processing your account data and chat history to provide the Service you have contracted for
  • Legal obligation (Art. 6(1)(c)): Complying with mandatory reporting laws (e.g., CSAM reporting)
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement
  • Consent (Art. 6(1)(a)): Where you have provided explicit consent, including agreement to these Terms at registration

10.2 GDPR Rights

Under GDPR, EU/EEA users have the rights described in §9, plus:

  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting lawfulness of prior processing
  • Right to lodge a complaint — you have the right to lodge a complaint with your national data protection supervisory authority
  • Automated decision-making — we do not make decisions about you solely by automated means that produce legal or similarly significant effects

10.3 International Transfers

If your data is transferred outside the EU/EEA, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions. See §13 for details.

10.4 Data Protection Authority

You have the right to lodge a complaint with your national data protection supervisory authority if you believe our processing of your personal data violates GDPR. A list of EU supervisory authorities is available at edpb.europa.eu.

Section 11

§11 CCPA — California Residents

California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information.

11.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information: identifiers (name, email, account ID), internet/network activity (usage data), and content you provide (chat messages).

11.2 Purposes of Collection

Personal information is collected and used for the business purposes described in §4 of this Policy.

11.3 "Do Not Sell or Share My Personal Information"

We do not sell or share your personal information with third parties for cross-context behavioral advertising. You do not need to opt out because we do not engage in this practice.

11.4 Your CCPA Rights

  • Right to Know: Request disclosure of personal information collected, used, disclosed, or sold about you
  • Right to Delete: Request deletion of personal information we have collected about you
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: (We do not sell or share — this right is already honored)
  • Right to Limit Sensitive PI Use: Request that we limit use of sensitive personal information to only what is necessary to provide the Service
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at the address in §16. We will respond within 45 days (with a possible 45-day extension when reasonably necessary).

Section 12

§12 Children's Privacy

Strict Age Restriction

This Service is strictly for users aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. The uncensored nature of our AI Model makes it entirely inappropriate for minors.

If we discover or are notified that we have inadvertently collected personal information from a minor, we will:

  • Immediately terminate the associated account
  • Delete all personal data associated with the account
  • Report to relevant authorities if required by applicable child protection law

If you are a parent or guardian and believe your child has created an account on this Service, please contact us immediately at the address in §16.

This Service is not subject to COPPA (Children's Online Privacy Protection Act) in the context of deliberate child-directed collection, because we do not direct the Service at children. However, we comply with COPPA's requirements regarding inadvertent collection from minors under 13.

Section 13

§13 International Data Transfers

The Service is operated from [Jurisdiction]. If you are located outside of [Jurisdiction], your personal data will be transferred to, stored in, and processed in [Jurisdiction]. The data protection laws in [Jurisdiction] may differ from those in your country.

For users in the EU/EEA or UK, where we transfer personal data internationally, we will ensure appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where the recipient country has been deemed adequate
  • Other lawful transfer mechanisms under applicable data protection law

By using the Service, you consent to the transfer of your personal data as described in this section.

Section 14

§14 Third-Party Links & Services

The Service may contain links to third-party websites, services, or resources. This Privacy Policy applies only to the Aelius AI Service. When you click on a link to a third-party site, you are subject to that third party's privacy policy, which we encourage you to review.

We have no control over and accept no responsibility for the content, privacy policies, or practices of any third-party sites or services.

The AI Model may reference or discuss third-party services, products, or websites in its responses. These references are not endorsements by Aelius AI, and we take no responsibility for the privacy practices of any services mentioned by the AI.

Section 15

§15 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes:

  • Material changes will be notified via email to your registered address at least 30 days before taking effect, where reasonably practicable
  • The "Last Revised" date at the top of this Policy will be updated
  • For significant changes, we may require you to re-confirm your acceptance

We encourage you to review this Policy periodically. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated Policy.

Section 16

§16 Contact Us — Privacy Inquiries

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us:

Privacy Contact

Email: [email protected]
Subject line for access/deletion requests: Privacy Request — [Your Username]
Subject line for GDPR requests: GDPR Request — [Your Name]
Subject line for CCPA requests: CCPA Request — [Your Name]

We will respond to privacy inquiries within 30 days, or within the legally required timeframe for your jurisdiction. For urgent matters relating to children's data or security incidents, please mark your email as urgent.

Questions About Your Data?

We take privacy seriously. If you have any concerns, reach out and we'll respond promptly.

Contact Us