Aerye App · Arcandel, LLC · Effective July 10, 2026 · v2.4

Aerye Privacy Policy

Aerye is built privacy-first: the app is fully usable without an account, almost everything lives on your device, and we collect the minimum needed to run the features you use. This policy explains exactly what data exists, where it lives, and what control you have.

1. What We Collect — and Where It Lives

On your device — and, if you have an account, backed up to it

  • Bookmarks, likes, and watchlist entries.
  • Learning and game progress: XP, streaks, levels, quiz history, achievements, lab and game progress, and Ciphers.

Without an account, this data lives only on your device and is never sent to us — deleting the app erases it. If you create an account, this data is also backed up to your account so it follows you across devices (see “If you create an optional account,” below). This is the only way to keep your progress when you switch or reset a phone.

Stored only on your device (never sent to us)

  • Your selected interests, theme, and app settings.
  • The local news archive (cached headlines/summaries from public feeds).
  • Biometric app-lock preference (Face ID / Touch ID is evaluated entirely by iOS; Aerye never sees or stores your biometric data).

You can erase all on-device data at any time by deleting the app.

Anonymous, aggregate usage signal

When you open a news article in Aerye, the app sends a single anonymous event containing only the article’s identifier — no account ID, no device ID, no name, no precise location. We use these aggregate counts for one purpose: ranking the “Top Stories” section by what Aerye readers are actually reading. Counts are de-duplicated on your device (one count per article per device), cannot be tied back to you, and are not used for advertising or profiling.

If you create an optional account

Accounts are optional. If you create one, we store: your email address, authentication credentials (handled by our backend provider with industry-standard hashing — we only ever hold a hash, never your actual password), your reserved handle (the unique “@name” that identifies you), and any profile data you choose to set (display name, avatar selection, a short bio, and appearance customizations such as name colors, profile-ring colors, avatar frames, banners, titles, and pinned badges). If you choose to add one, we also store an optional recovery email address on our servers, used solely for account recovery. If you enable multi-factor authentication, we store your MFA configuration data (for example, authenticator enrollment status) so we can verify your sign-ins.

Your public profile. Your handle, display name, avatar, bio, appearance customizations, and headline progression stats (tier, level, XP, games played, and accuracy) are visible to other users of the app — for example alongside your community posts and comments, and, when leaderboard features are available, on leaderboards. You can opt out of appearing on leaderboards. Your progress backup itself stays private to your account; only the profile fields listed here are public.

Push notifications (only if you enable them). If you turn on push notifications, we store the push token Apple assigns your device so our servers can deliver notifications to it. You can turn push notifications off at any time in iOS Settings.

Referrals (only if you use them). If you share or redeem a referral code, we store the code and the referrer–referred relationship to grant rewards and prevent abuse.

With an account, we also store a backup of your progress so it follows you across devices — your XP, levels, streaks, achievements, quiz history, lab and game progress, your saved bookmarks/likes/watchlist, and your Ciphers balance. (Ciphers, our in-app currency, are stored only on our servers and tied to your account.) When you sign in on a new device, this data is restored to it. This synced progress data is access-scoped to your account, so no other user can read it.

Community content (if you use the community)

If you post, comment, or join communities, we store that content and activity on our backend: the posts and comments you create, the communities you join, and the engagement counts on your content. Community posts and comments are public — they are shown to other users of the app alongside your handle and any display name and avatar you set. Please do not post anything you would not want others to see, and do not post other people’s private information.

When another member interacts with your content — for example, replies to you or marks your post valuable — we store that activity notice in your account inbox so we can show it to you. You can delete these notices at any time, and they are removed with your account.

To keep the community safe, we also store content you report (what you reported and why) and users you block (so we can hide their content from you). We screen the text of posts, comments, and handles against a list of prohibited terms to filter slurs, sexual/exploitative content, and similar material before it is published; this screening is automated and is used only for safety and moderation.

Payments

Subscriptions and credit purchases are processed entirely by Apple through the App Store. Arcandel never receives or stores your payment card details.

What we deliberately do NOT collect

No advertising identifiers, no third-party analytics or tracking SDKs, no contact lists, no precise location, no cross-app tracking. Aerye contains no ads.

2. Network Requests You Should Know About

  • News feeds: the app fetches headlines directly from each publisher’s public RSS feed. Those publishers’ servers see a standard web request from your IP, the same as visiting their site. Where a publisher includes article images in its feed, those images also load directly from the publisher’s servers — Aerye does not copy, host, or modify them.
  • Security data: CVE, CISA, and FBI/IC3 data come from public government APIs (NVD, cisa.gov, ic3.gov).
  • Threat-activity and market snapshots: threat-intelligence summaries and security-sector market quotes are assembled and cached on our backend from public sources (including the Open Threat Exchange and Finnhub). Your device only talks to our backend for these; none of your data is sent to those sources.
  • Arcandel backend: threat-intel summaries, account features, the community, and the anonymous read counter run on our backend (hosted on Supabase). Like any internet server, it transiently processes your IP address to deliver responses; we do not log it against your identity.
  • All connections use TLS, and connections to our backend additionally use certificate pinning.

3. How We Use Data

To operate the app’s features (feeds, rankings, sync, and the community), to rank Top Stories by aggregate readership, to keep the community safe (automated content filtering, acting on reports, and enforcing the Terms), and to maintain security. Purpose limitation applies: data collected for one purpose is not silently reused for another.

4. Sharing

We do not sell, rent, or trade your data. The community content you post is shared publicly with other users of the app by design (see §1). Otherwise we share data only with: (a) our infrastructure provider (Supabase) acting as a processor under contract, (b) Apple, for payments you initiate, and (c) authorities if legally compelled or, in the case of content that exploits or endangers minors, as required by law. No data brokers, no advertisers.

5. Retention

  • On-device data: retained until you delete it or the app; the news archive self-prunes after 90 days (bookmarked stories are kept until you remove the bookmark).
  • Anonymous read counts: retained as aggregate counts; individual events are not needed and may be pruned at any time.
  • Community content: your posts and comments are retained until you delete them or your account; reports and block records are retained as long as needed for safety, moderation, and audit purposes.
  • Account data: retained while your account is active. To avoid keeping data longer than necessary, we may delete accounts that remain inactive for an extended period and are not covered by an active subscription, along with their synced data, with advance email notice where possible. Active accounts, and accounts with an active subscription, are not deleted for inactivity. You can also delete your account and all of its server-side data yourself at any time (see §6).

6. Your Rights & Controls

  • Use the app fully without any account.
  • Create an account to back up your progress and restore it on any device you sign into.
  • Delete your own posts and comments at any time, and report or block other users in the community.
  • Delete your account (and all of its server-side data, including your community content) from Settings → Account, or by contacting us.
  • Erase all local data by deleting the app.
  • EU/UK (GDPR) and California (CCPA/CPRA) residents have rights of access, deletion, correction, and portability — contact us to exercise them. We honor these rights for all users regardless of region.

7. Age — Adults Only

Aerye is intended for adults and is not directed to anyone under 18. You must be 18 or older to use Aerye. We do not knowingly collect personal information from anyone under 18; if we learn that we have, we will delete it.

8. Security

Encryption in transit (TLS, with certificate pinning to our backend) and at rest, ephemeral networking sessions (no persistent cookies), optional biometric app lock, and row-level security on all backend tables — so your synced account data is access-scoped to your account and cannot be read by other users, while community posts and comments are readable by signed-in members by design. Your password is never stored; only a salted hash held by our authentication provider.

9. International Transfers

Our backend is hosted in the United States. If you use Aerye from outside the US, your data is processed in the US under the safeguards described here.

10. Changes to This Policy

We will update the effective date and, for material changes, notify you in the app before they take effect. Prior versions are available on request.

11. Contact

Arcandel, LLC — privacy@arcandel.com