This Privacy Policy describes how Aeolian CMS ("Aeolian," "we," "us," or "our") collects, uses, stores, and protects personal information through the Aeolian CMS platform ("Platform"), including the application hosted at admin.aeoliancms.com and all associated services.

The Platform operates as a multi-tenant e-commerce and content management system. This policy covers data practices for both Merchants (store operators) and Customers (end users of Merchant storefronts).

By using the Platform, you consent to the data practices described in this policy.

2.1 Aeolian CMS as Data Controller

We act as a data controller for information we collect directly from Merchants, including account information, store configurations, and usage data.

2.2 Aeolian CMS as Data Processor

We act as a data processor for Customer data that Merchants collect through their storefronts. Merchants are the data controllers for their Customer data and are responsible for lawful collection and processing.

2.3 Merchant Responsibilities

Merchants are responsible for publishing their own privacy policies on their storefronts, obtaining necessary consents from Customers, and complying with all applicable data protection laws for the data they collect.

3.1 Merchant Account Information

When you create an account, we collect the following through our third-party authentication provider:

• Email address
• Name
• Profile photograph
• Account identifiers

3.2 Store Configuration Data

When you create and configure stores, we collect:

• Store name and branding (logos, colors, favicons)
• Contact email addresses
• Business hours and operational settings
• Custom domain configurations
• Shipping zones, rates, and delivery policies
• Tax configurations by country
• Currency preferences and exchange rate settings
• SEO metadata (page titles, descriptions, images)
• Email domain configurations and verification records

3.3 Product and Content Data

We store content you create on the Platform, including:

• Product listings (names, descriptions, pricing, images, variants, inventory)
• Collections and categories
• Pages, menus, and navigation structures
• Uploaded media files (images, videos, audio)
• Site customization variables and their change history
• Email templates and configurations

3.4 Customer Data (Collected by Merchants)

When Customers interact with Merchant storefronts, the following data may be collected and stored on the Platform:

• Email addresses
• First and last names
• Phone numbers
• Shipping addresses (street, city, state/province, postal code, country)
• Billing addresses
• Order history (items purchased, quantities, prices, order status)
• Contact form submissions

3.5 Payment Information

Full payment card details (card numbers, CVV, expiration dates) are never stored on our servers. Payment processing is handled entirely by PCI-DSS compliant third-party payment processors. We store only:

• Transaction reference identifiers
• Payment status and amount
• Last four digits of the payment card (for display purposes)
• Card brand (e.g., Visa, Mastercard)
• Payment processor receipt references

3.6 Team Member Data

When Merchants invite team members, we collect:

• Email addresses (for invitation delivery)
• Role and permission assignments
• Invitation status and timestamps
• Account identifiers from our authentication provider

3.7 API and Technical Data

• API key metadata (creation date, last used, key prefix)
• IP addresses (for rate limiting and security purposes)
• Error and diagnostic data (for stability and debugging)

We use the information we collect for the following purposes:

4.1 Platform Operation

• Providing, maintaining, and improving the Platform
• Processing and fulfilling Merchant and Customer transactions
• Enabling store creation, configuration, and management
• Facilitating team collaboration and access control
• Delivering transactional emails (order confirmations, invitations, contact form responses)

4.2 Security and Fraud Prevention

• Authenticating users and verifying account access
• Detecting and preventing fraud, abuse, and unauthorized access
• Enforcing rate limits and usage policies
• Monitoring for security incidents

4.3 Service Improvement

• Diagnosing technical issues and errors
• Analyzing usage patterns to improve features and performance
• Developing new features and services

4.4 Communication

• Sending system notifications (DNS issues, platform updates, security alerts)
• Responding to support inquiries
• Providing service-related announcements

5.1 Infrastructure

Data is stored on secure, professionally managed cloud infrastructure. We use industry-standard security practices including:

• Encryption of sensitive data at rest (payment provider credentials are encrypted using authenticated encryption with AES-256-equivalent standards)
• Encryption of data in transit via TLS/HTTPS
• Secure credential hashing for API keys (SHA-256 with timing-safe comparison)
• Input validation and sanitization to prevent injection attacks
• File type and size validation for uploads
• Role-based access controls enforced at both application and API levels

5.2 Multi-Tenancy Isolation

Each store on the Platform operates as an isolated tenant. Data belonging to one store is not accessible to other stores. Access controls ensure that only authorized users with appropriate permissions can access store data.

5.3 Media Storage

Uploaded files (images, videos, audio) are stored on third-party cloud object storage. Files are validated for type, size, and content before storage. We do not scan uploaded files for content beyond format validation.

We do not sell personal information. We share data with third parties only in the following circumstances:

6.1 Service Providers

We use third-party service providers to operate the Platform, including providers for:

• User authentication and identity management
• Payment processing
• Email delivery
• File and media storage
• Address validation and autocomplete
• Currency exchange rate data
• Error tracking and monitoring

These providers process data on our behalf and are contractually obligated to protect your information.

6.2 Merchant Access

Merchants have access to Customer data collected through their stores, including order information, contact details, and communication history. Merchants and their authorized team members can view, export, and manage this data through the Platform.

6.3 Legal Requirements

We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, safety, or property, or the rights, safety, or property of others.

7.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide services. Store data is retained while the store exists on the Platform, including deactivated stores (to allow reactivation).

7.2 Deleted Data

When you delete content (products, pages, customers, etc.), the data is removed from our active databases. Some data may persist in backups for a limited retention period.

7.3 Account Closure

Upon account closure, we retain certain data as required by law (e.g., transaction records for tax and accounting purposes) or for legitimate business interests (e.g., fraud prevention). All other data is deleted within a reasonable timeframe.

7.4 Audit Trails

Certain operations (such as changes to store variables and configurations) are logged with timestamps and user identifiers for audit purposes. These logs are retained for the lifetime of the store.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request a copy of the personal information we hold about you.

8.2 Right to Rectification

You have the right to request correction of inaccurate personal information. You can update most information directly through the Platform.

8.3 Right to Erasure

You have the right to request deletion of your personal information, subject to legal retention requirements. Merchants can delete Customer data through the Platform's management tools.

8.4 Right to Data Portability

You have the right to receive your data in a structured, commonly used format. The Platform provides export tools for products, content, and configuration data.

8.5 Right to Object

You have the right to object to processing of your personal information in certain circumstances.

8.6 Right to Restrict Processing

You have the right to request restriction of processing of your personal information in certain circumstances.

8.7 Exercising Your Rights

To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within the timeframe required by applicable law (typically 30 days).

If you are a Customer of a Merchant store and wish to exercise your rights regarding data collected by that Merchant, please contact the Merchant directly. Merchants are the data controllers for Customer data collected through their storefronts.

Your data may be processed and stored in countries other than your country of residence. Where personal information is transferred outside of Australia, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the Australian Privacy Principles (APPs) and applicable data protection laws, including through standard contractual clauses or other approved transfer mechanisms.

The Platform uses cookies and similar technologies for:

• Authentication and session management
• Security and fraud prevention
• Remembering user preferences and settings

We do not use cookies for advertising or cross-site behavioral tracking. Our third-party authentication provider may set additional cookies necessary for secure authentication.

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will take steps to remove such information.

In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). Where applicable, we will also notify relevant authorities in other jurisdictions as required by law.

Notification will include the nature of the breach, the data affected, and steps taken to address the breach.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a revised "Last updated" date. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

Aeolian CMS is an Australian entity and complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Under the APPs:

• We only collect personal information that is reasonably necessary for our functions and activities
• We collect personal information by lawful and fair means, and directly from individuals where reasonable and practicable
• We take reasonable steps to ensure personal information is accurate, up-to-date, complete, and relevant
• We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure
• You may request access to, or correction of, your personal information at any time
• You may lodge a complaint with the OAIC if you believe we have breached the APPs

For complaints or inquiries regarding your privacy, please contact us at the email address below. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, and shared
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

If you are located in the European Economic Area, our legal bases for processing your personal information include:

• Contract performance: Processing necessary to provide the Platform services
• Legitimate interests: Processing for security, fraud prevention, and service improvement
• Legal obligation: Processing required to comply with applicable laws
• Consent: Where you have provided explicit consent for specific processing activities

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal. You also have the right to lodge a complaint with your local data protection authority.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

support@aeoliancms.com