Aerlon

Privacy Policy

Last updated: April 28, 2026

This policy describes what personal information we collect when you use the Aerlon website and apps, how we use it, who we share it with, your rights, and how to contact us. By creating an account or using Aerlon, you agree to the practices described here. Aerlon Junior has additional protections — see the Aerlon Junior Privacy Notice.

Who we are

Aerlon is operated by Work Task Flow LLC in Missouri, USA. You can reach us at hello@aerlon.io.

What we collect

Account information

  • Email address
  • Password (stored as a one-way hash; we never see plaintext)
  • Display name (optional, you choose)
  • Audience preference (Adult vs. Junior)

Subscription information (only if you subscribe)

  • Stripe customer ID and subscription state. Card numbers never reach our servers — they're entered into Stripe's hosted checkout.

Activity data

  • Lessons completed, questions answered, XP earned, streak count, gems, sparks
  • Per-question response time (anonymized, used for difficulty scaling)
  • Last login time, timezone (derived from browser, used for quiet-hours notifications)

Technical data

  • IP address (for rate limiting and fraud prevention; retained ~30 days)
  • Browser user agent
  • Cookies and similar identifiers — see Cookies Notice for details

Push notification data (only if you opt in)

  • Push subscription endpoint and encryption keys, used to deliver streak / lesson reminders to your browser

We do not collect: real names, photos, voice recordings, location data, social media handles, contacts, or anything not listed above.

How we use your information

  • Provide the service — run lessons, track progress, deliver subscriptions
  • Authenticate you — log you in, reset passwords
  • Send transactional emails — account verification, streak reminders, comeback nudges. You can opt out of non-essential emails at any time.
  • Improve the product — aggregate, anonymized analytics on which lessons are working
  • Operational — fraud prevention, debugging, customer support
  • Legal compliance — when required by law

We do not use your information for advertising, do not sell your data, and do not share it with advertising or marketing partners.

Who we share with

We share information only with sub-processors that help us run the service:

  • Supabase — database and authentication hosting
  • Stripe — subscription billing
  • Vercel — application hosting
  • Resend — transactional email delivery
  • Google Cloud Text-to-Speech — generating narrated audio for kids lessons (lesson text only, no user identifiers)

We may also share information when required by law (subpoena, court order) or to protect the rights, safety, or property of Aerlon, our users, or others.

How long we keep it

  • Account data: while your account is active and for ~30 days after deletion (to allow restore)
  • Lesson activity: same as account data
  • IP addresses in request logs: 30 days, then truncated
  • Email delivery logs (via Resend): ~90 days
  • Subscription records (via Stripe): per Stripe's policy

When you delete your account, we delete or anonymize your personal information within 30 days. Some records may be retained longer for legal or financial reasons (e.g., tax-required transaction history).

Your rights

You can:

  • Access — see what data we have about you. Email hello@aerlon.io and we'll send a copy.
  • Correct — update your profile from your account settings.
  • Delete— close your account from your account settings. We'll delete or anonymize your data within 30 days.
  • Export — request a JSON copy of your data via hello@aerlon.io.
  • Opt out of non-essential email — every email has an unsubscribe link.
  • Withdraw consent for push notifications— disable in your browser's site settings, or use the toggle in your account.

If you live in California, the EU, or another jurisdiction with specific privacy laws, you may have additional rights. Email us and we'll honor them within 30 days.

Security

  • Data is encrypted in transit (HTTPS) and at rest (Postgres encryption via Supabase)
  • Passwords are stored only as one-way hashes
  • Database access is restricted to authenticated requests, enforced via row-level security
  • Card numbers never reach our servers (handled by Stripe)
  • We don't claim perfect security — no system is impenetrable. We follow industry-standard practices.

Children

Aerlon has a separate kids product, Aerlon Junior, with additional protections. See the Aerlon Junior Privacy Notice for details on how we handle data from children under 13. The general Aerlon Pro service is not directed at children under 13.

Changes

We may update this policy. We'll notify you of material changes via email and update the "Last updated" date above. Continued use of the service after changes means you accept the updated policy.

Contact

hello@aerlon.io
Work Task Flow LLC
1123 Locust St, #143, St. Louis, MO 63101