1. Introduction

Aeolian ("the Service," "we," "us") takes your privacy seriously. This Privacy Policy is intended to help you understand what information we collect, how we use it, and your rights regarding that information.

As a tool that converts personal cloud storage into Podcast Feeds, our core privacy principle is Data Minimization. We act as a "Processor" for your podcast media files and a "Custodian" for your account profile data.

2. Information We Collect

To provide the Service, we need to collect and process the following categories of information:

2.1 Information You Provide Directly

• Account Information: When you register or update your profile, we collect your Email Address and User ID. If you use third-party login (e.g., Google/GitHub), we may reference the nickname or avatar URL provided by that third party in read-only mode for interface display purposes only. We do not independently save or process any custom avatar files on our servers.
• Cloud Drive Credentials (Encrypted): To connect your OneDrive, AWS S3, or WebDAV, we need to store corresponding authentication information (e.g., OAuth Refresh Tokens, Access Keys, Endpoint URLs, Username/Password).
• Key Security Statement: All sensitive credentials are encrypted using high-strength encryption algorithms (e.g., AES-256) before being stored in the database. We cannot directly view your plaintext passwords or keys.
• Payment Information: If you subscribe to a paid plan, our payment processing partners (e.g., Stripe/Paddle) will process your payment data. We do not directly store your credit card numbers or bank account information.

2.2 Information We Automatically Collect (Metadata)

When you use the Service to generate a Podcast Feed, we read and temporarily cache file metadata from your specified cloud folders, including:

• Filename
• File size
• File type (MIME type)
• Modification time
• File download direct link (used to generate RSS Enclosure)

Please Note: We never download, store, or analyze the actual content of your audio/video files. Podcast file streams are transmitted directly from your personal cloud drive to your podcast client or via our stateless proxy.

2.3 Usage and Log Data

To maintain service stability and security, our servers automatically record certain access logs, including:

• Your IP Address (for abuse prevention and regional compliance)
• Browser/Client Type (User-Agent)
• Access Time
• API Call Status (Success/Failure)

3. How We Use Your Information

We only use the collected information for the following specific purposes:

1. Providing Core Services: Verifying your identity, connecting your cloud drive, and generating usable RSS Feed XML.
2. Generating and Maintaining Feeds: Your Feed URL needs to include a specific Access Token to correctly extract cloud drive data.
3. AI Features (Pro/Ultra Users Only): If you use AI features, we will send relevant file metadata or partial content (limited to the part you request to process) to third-party AI service providers (e.g., OpenAI/Anthropic) for summary or tag generation.
   • AI Model Training Disclaimer: We use enterprise/API interfaces of third-party AI service providers to process your data. According to their privacy policies, data submitted via API will not be used to train their foundational models. Aeolian also promises not to use your User Content to train any internal generative AI models.
4. Customer Support: Using log data for troubleshooting when you report issues.
5. Notifications: Sending you necessary emails regarding service changes, security updates, or subscription status.

4. Data Storage and Security

4.1 Storage Location and Method

• Your Business Data: Your account information, encrypted credentials, and configuration data are stored on secure servers provided by our cloud infrastructure partners (e.g., Supabase and AWS S3).
• Your Podcast Content: Please note again, your podcast audio/video files always remain in your own cloud storage (OneDrive/S3/WebDAV); we do not host them.

4.2 Security Measures

• Encrypted Transmission: All data transmission between you, us, and third-party cloud drives is encrypted via SSL/TLS.
• Encryption at Rest: Sensitive cloud drive access keys implement encryption at rest at the database level.
• Access Control: Only authorized system processes can decrypt your credentials to perform tasks requested by you.

4.3 Data Retention

• We retain your data as long as your account is active.
• If you delete your account, we will immediately delete all your personal information, cloud drive credentials, and Feed configurations.
• Even if you delete your account, partially anonymized system logs (containing no personal information) may be retained for a period for security auditing purposes.

5. Information Sharing and Disclosure

We do not sell your personal information to any third parties. We share data only under the following circumstances:

1. Third-Party Service Providers: To operate the Service, we need to share necessary data with infrastructure providers (e.g., Supabase, AWS, Cloudflare, OpenAI). These providers are bound by strict Data Processing Agreements (DPAs).
2. Legal Requirements: We may disclose necessary information if required by law (e.g., subpoenas) or to protect our rights, property, or security.
3. Business Transfers: If Aeolian undergoes a merger, acquisition, or asset sale, user information may be part of the transferred assets.

6. Your Rights (GDPR & CCPA)

Regardless of your location, we respect and guarantee your following rights:

• Right to Access and Export: You have the right to request an export of all data we store about you.
• Right to Rectification: You have the right to update your cloud drive connection configurations in the settings page. Since the Service does not store custom personal profiles, if you need to change your nickname or avatar, please do so directly at your linked third-party identity provider (e.g., Google or Microsoft) or register a new account.
• Right to Deletion (Right to be Forgotten): You can click "Delete Account" in your account settings. Once confirmed, all your data (including Access Tokens, Keys) will be physically deleted and cannot be recovered.
• Revocation of Authorization: You can revoke authorization for Aeolian at any time within your cloud storage provider's settings (e.g., Microsoft account settings).

Special Notice for California Residents (CCPA/CPRA)

• No Sale/Sharing: Pursuant to the California Consumer Privacy Act (CCPA), we declare that in the past 12 months, we have not "sold" or "shared" your personal information with third parties for cross-context behavioral advertising purposes.
• Sensitive Personal Information: We use your sensitive personal information (i.e., credentials to connect cloud drives) only to the extent absolutely necessary to provide the Service, so no "Limit Use" option is required.

7. Children's Privacy

The Service is not intended for children under the age of 13 (or the similar minimum age defined in your jurisdiction). We do not knowingly collect personal information from children. If you discover that your child has provided us with personal information without your consent, please contact us immediately at support@aeolian.cloud, and we will take steps to delete such data and terminate the account.

8. Third-Party Links and Services

RSS Feeds generated by the Service may be imported into various podcast clients (e.g., Apple Podcasts, Pocket Casts). This Privacy Policy does not apply to these third-party clients. Additionally, the cloud storage services you link (OneDrive, AWS, WebDAV) are governed by their respective privacy policies.

9. Changes to Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email or in-app pop-up. Continuing to use the Service constitutes your acceptance of the updated policy.

10. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us via:

• Email: support@aeolian.cloud