Aedison Privacy Policy

Last updated: 21 May 2026

Thank you for choosing Aedison ("Company", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose and safeguard your information when you visit aedison.io and any related sub-domains (collectively, the "Site"), or use any of our products or services (together, the "Services").

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and other applicable privacy laws worldwide. (See §14 regarding U.S. California law.)


1 Who We Are (Data Controller)

  • Legal entity: Wawa Llama Ltd. (Company No. 10740635)
  • Registered address: 6 Norfolk Street, Whitstable, Kent CT5 4HB, United Kingdom
  • VAT numbers: GB 447 3405 93 (UK) · EU 372 0730 01 (EU OSS)
  • Contact email: hello@aedison.io

2 Scope of This Policy

This policy applies to anyone, anywhere in the world, who:

  • visits our publicly available Site;
  • creates a free or paid account to use the Aedison app;
  • purchases a subscription or credit pack processed by Stripe;
  • receives transactional or marketing emails from us; or
  • interacts with advertising, analytics or social-media pixels embedded in the Site.

3 The Data We Collect

CategoryExamplesPurposeLawful Basis*
Account DataEmail address, password (hashed)Create & manage your accountContract
Profile DataDisplay preferences, default visual style, font defaultsPersonalise your experienceContract / Legitimate interest
Generated ContentTopic queries you submit; idea, script, carousel and text-reel content produced from those queries; saved favourites; uploaded video clipsDeliver the ServiceContract
Purchase DataStripe customer ID, last 4 card digits, billing country, VAT ID (handled by Stripe; we store the customer ID only)Process payments & issue invoicesContract / Legal obligation
Support DataMessages via emailRespond to enquiriesLegitimate interest
Log & Usage DataIP address, browser, device IDs, pages visited, generation events, credit usageSecurity, billing accuracy, fraud preventionLegitimate interest
Diagnostic DataError stack traces, browser/OS, performance traces, session recordings (form inputs masked)Find and fix bugs, monitor performanceLegitimate interest (error tracking) / Consent (replay & traces, in UK/EEA)
Marketing & Analytics DataGoogle Analytics 4, Meta PixelMeasure marketing performanceConsent (UK/EEA) / Legitimate interest (elsewhere)
Email Engagement DataOpen/click tracking within emails sent via LoopsImprove email communicationsConsent / Legitimate interest

* See §7 for details.


4 How We Collect Data

  • Directly from you – when you create an account, submit a topic query, generate content, upload a video clip, make a purchase or communicate with us.
  • Automatically – via cookies, server logs and similar technologies (see §6).
  • From our payment provider – Stripe sends us confirmation of payment status, billing country, and fraud signals. We do not see or store your full card number.

We do not buy personal data from data brokers, nor do we enrich profiles from external marketing databases.


5 Why We Use Your Data

  1. To register you as an account holder and give you access to the Service.
  2. To deliver the Service — turning the topics you submit into ideas, scripts, carousels and text reels via the AI subprocessors listed in §8.
  3. To process payments, subscriptions and statutory taxes via Stripe (and to issue tax-compliant invoices via Quaderno).
  4. To send transactional emails (account confirmations, password resets, receipts, render-complete notifications) via Loops.
  5. To send optional marketing emails and newsletters via Loops — only after you explicitly opt in. You can opt in or out at any time under Settings → Privacy → Newsletter in your account.
  6. To deliver, measure and improve advertising campaigns on Meta/Facebook and Google.
  7. To maintain the security, performance and accurate billing of our Service (fraud detection, abuse prevention, cap enforcement, debugging).
  8. To find and fix bugs via diagnostic tooling (error stack traces always; session recordings and performance traces only when you have given consent).
  9. To comply with legal obligations (accounting, tax, consumer protection, dispute resolution).

6 Cookies & Similar Technologies

Our Site uses first- and third-party cookies, web beacons and analytics SDKs for sign-in, payment, performance measurement and advertising.

6.1 Consent Banner & Choices

Visitors from the United Kingdom and European Economic Area (EEA) are shown a cookie consent banner on first visit. It presents three equal-weight choices:

  • Accept all – analytics and marketing cookies load immediately.
  • Reject all – we block non-essential cookies (analytics, marketing). Strictly necessary cookies and basic error tracking remain on as they are required to operate the Service.
  • Manage preferences – granular toggles for Analytics & Performance and Marketing.

Your choice is stored in a first-party cookie called aedison-consent. You can withdraw or change your cookie consent at any time via Settings → Privacy in your account.

Visitors outside the UK/EEA are not shown the banner; cookies are on by default but can still be turned off via Settings → Privacy at any time, or via your browser settings.

6.2 Key Cookies / SDKs

ServicePurposeCategoryProvider countryOpt-out
Supabase AuthSecure login session managementStrictly necessaryEUCannot be disabled — required to use the Service
Stripe CheckoutPayment & fraud signals during checkoutStrictly necessaryUS (DPF certified)Cannot be disabled during payment
Sentry (error tracking)Capture uncaught errors so we can fix bugsStrictly necessaryUSCannot be disabled (legitimate interest, no personal data attached)
Sentry (session replay & performance traces)Replay recordings (form inputs masked) and performance tracesAnalytics & performanceUSVia banner or Settings → Privacy
Google Analytics 4Traffic analyticsAnalytics & performanceUSVia banner or Settings → Privacy
Meta/Facebook PixelAd attributionMarketingUSVia banner or Settings → Privacy
LoopsEmail delivery tracking (opens/clicks)Marketing / EmailUSUnsubscribe link in every email

6.3 Other Ways to Control Cookies

In addition to the banner, you can delete or block cookies in your browser settings, use privacy-focused browsers (e.g. Brave) or install extensions such as uBlock Origin. Disabling strictly necessary cookies may affect Site functionality, including your ability to log in or complete a purchase.


7 Legal Bases for Processing (UK/EU GDPR)

PurposeLegal basisExplanation
Account registration & paid accessContractWe need your details to deliver the service you request.
Payment & tax processingContract / Legal obligationRequired to fulfil purchases and comply with tax laws.
Delivering AI-generated contentContractWe must transmit your topic queries and idea metadata to AI subprocessors (Anthropic, OpenAI) in order to produce the output you have requested.
Transactional emailsLegitimate interestEssential to operate the service and keep you informed.
Marketing emails / newsletterConsentWe send newsletters only if you actively opt in.
Analytics & ads trackingConsent (UK/EEA) / Legitimate interest (elsewhere)Non-essential cookies load only after consent in the UK/EEA; outside those regions we rely on legitimate interest.
Error trackingLegitimate interestWe strip IP addresses and replace user identifiers with a salted one-way hash before any error is sent to Sentry. No personal data leaves our servers.
Session replay & performance tracesConsent (UK/EEA) / Legitimate interest (elsewhere)Recordings have form inputs masked. Loaded only after consent in the UK/EEA.
Security & fraud preventionLegitimate interestNecessary to protect our Site, our users and our business.

8 Who We Share Your Data With (Processors)

ProcessorRoleCountrySafeguards
Vercel Inc.Application hostingUSSCCs; EU–US Data Privacy Framework
Supabase, Inc.Database, authentication, file storage (EU region)US (data hosted EU)EU data residency; SCCs
Anthropic PBCAI text generation (Claude API)USSCCs; Anthropic does not train its models on API Customer Content (Anthropic Commercial Terms §B, eff. 17 June 2025). DPA auto-executed via the Commercial Terms.
OpenAI, LLCAI image generation (gpt-image-2)USSCCs; OpenAI does not use API data to train its models by default. DPA auto-executed via OpenAI's Business Terms.
Stripe Payments UK Ltd & Stripe, Inc.Payments & Stripe TaxUK / USPCI-DSS; SCCs; EU–US Data Privacy Framework
Quaderno OS LtdTax-compliant invoicingSpainSCCs
Loops, Inc.Email (transactional & marketing)USSCCs; EU–US Data Privacy Framework
Sentry (Functional Software Inc.)Error tracking, performance traces, session replayUSSCCs; IPs stripped, user identifiers hashed before transmission, form inputs masked in replays
Upstash, Inc.Job queue (QStash) and rate-limit / cache store (Redis)US (region selectable; we use us-east-1)SCCs; only opaque job IDs and rate-limit counters held — no personal data persisted
Bright Data LtdPublic-web data collection (Reddit listings only)IsraelSCCs; only the subreddit URL and sort parameters are sent — no personal data of yours is shared with Bright Data
Google LLCAnalytics (Google Analytics 4)USSCCs; EU–US Data Privacy Framework
Meta Platforms Ireland LtdAd attribution (Meta Pixel)Ireland (EU)SCCs; EU–US Data Privacy Framework

8.1 Note on Reddit Source Data

To deliver the Service, Aedison reads publicly available content from Reddit. Collection is performed on our behalf by Bright Data Ltd, a public-web data collection provider. We only read content that is already public; we never write to Reddit on your behalf or use credentials you hold there. The Reddit posts and snippets surfaced inside the app are owned by their original creators — Aedison does not claim any rights over that source material. Bright Data receives only the subreddit URL and sort parameters needed to perform the collection; no personal data about you is shared with them.

We may also disclose data when required by applicable law. We never sell your personal data.


9 International Transfers

Because several of our providers are US-based, your data may be transferred outside the UK/EEA. All such transfers are protected by one or more of:

  • Standard Contractual Clauses (SCCs);
  • the UK International Data Transfer Addendum (UK IDTA); and/or
  • vendor participation in the EU–US & UK–US Data Privacy Frameworks.

Where possible, we have chosen EU-region hosting (Supabase database, Meta's Irish entity) to minimise international transfers.


10 Data Retention

Data categoryRetention period
Active accounts and generated content (ideas, scripts, carousels, text reels)Retained until you delete your account or request erasure via Settings in the app.
Purchase & tax recordsMinimum 6 years (HMRC statutory requirement).
Marketing email listsUntil you unsubscribe or withdraw consent.
Server logs & analytics events26 months (Google Analytics default), or sooner if you clear cookies.
Loops email engagement dataUntil you unsubscribe or request deletion.
Sentry error events & session replays90 days (errors) / 30 days (replays), per Sentry's default plan retention.
Upstash cache / queueJob IDs deleted after processing; cache entries expire automatically within minutes to hours.
OpenAI API inputs/outputsUp to 30 days for abuse monitoring, then deleted unless OpenAI is legally required to retain them. Not used to train OpenAI models.
Anthropic API inputs/outputsRetained for a limited period under Anthropic's Data Processing Addendum and then deleted. Not used to train Anthropic's models. Exception: content flagged by their safety review may be retained longer and used to improve their safety classifiers — a standard provision applied across major AI vendors.

11 Security Measures

  • HTTPS/TLS on all pages and API endpoints.
  • Passwords hashed using industry-standard algorithms (bcrypt, via Supabase Auth).
  • Row-level security enforced at the database layer (Supabase RLS policies) so users can only read and write their own data.
  • User-uploaded video clips are held in a private storage bucket; access is granted per-user via short-lived signed URLs.
  • Personally identifying information is stripped before error events are forwarded to Sentry — raw email and IP are never sent; user identifiers are replaced with a salted one-way hash before transmission.
  • Access to personal data limited to the founder, lead developer and authorised staff.
  • Formal breach-response plan: we will notify the ICO and affected users within 72 hours of becoming aware of a qualifying breach.

12 Your Rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccuracies in your data;
  • Erase your data ("right to be forgotten") – you can request this directly from Settings → Delete account inside the app, or by emailing us;
  • Export your data to another provider – request a JSON archive from Settings → Export data;
  • Restrict or object to certain processing;
  • Port your data to another provider; and
  • Withdraw consent for marketing emails at any time via the unsubscribe link in any email, or via Settings → Privacy → Newsletter in your account. You can also opt back in from the same place if you change your mind.

To change or withdraw your cookie preferences, go to Settings → Privacy in your account.

To exercise any other right, email hello@aedison.io. We will respond within 30 days (UK/EU GDPR).


13 Complaints

If you believe we have not handled your data properly, please contact us first at hello@aedison.io. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local supervisory authority if you are based in the EEA.


14 California Privacy Notice (CCPA/CPRA)

We are a UK company with global customers. At present we do not meet the revenue or data-volume thresholds that make the CCPA/CPRA mandatory for us. Nevertheless, for transparency:

  • We do not sell personal information for monetary consideration.
  • We share certain identifiers (e.g. hashed email, IP address) with advertising partners (Meta, Google) for cross-context behavioural advertising.
  • California residents may request disclosure or deletion of their personal information by emailing hello@aedison.io.

15 Children

Our Services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.


16 Changes to This Policy

We may update this policy from time to time. If changes are material, we will:

  • post the new version here with a revised "Last updated" date; and
  • display an in-app notification to logged-in members.

Continued use of the Site or app after any update constitutes acceptance of the revised policy.


17 Contact Us

Questions or requests? Email hello@aedison.io or write to the address in §1.

Thank you for choosing Aedison.