The controller.
AERIONN operates aerionn.com and its private backer dashboard at aerionn.com/backers. We design and manufacture the Aerionn Forma — a titanium carry-on.
For the purposes of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), AERIONN is the data controller and the business responsible for the personal information described in this notice.
Contact: contact@aerionn.com
Three sources.
From you, directly. The email on your pledge; any message you write through the private correspondence channel on the dashboard; any preference you set in your session.
From Kickstarter and PledgeBox. Your name, Kickstarter backer number, reward tier, pledge total, shipping address and country, phone number if provided, and fulfilment status. We receive this because you elected, in your pledge, to be delivered an Aerionn Forma.
Generated by the site itself. A signed session identifier (an HttpOnly cookie); ephemeral login attempts for rate-limiting; a one-way salted hash of your IP address stored alongside those attempts. We do not store raw IP addresses.
To deliver what you backed.
We use your data to honour our contract with you as a backer: to authenticate you to your dashboard; to fulfil the Forma carry-on; to maintain the correspondence thread between you and the atelier; to issue warranty and custody records once the shell is in your hands; and to communicate updates about your pledge.
We also use a minimal amount of technical data to keep the site operationally secure — to detect and slow abuse, and to recover from incidents.
Why we are allowed to.
- Performance of a contract — GDPR Art. 6(1)(b). Fulfilling your pledge, operating your dashboard, handling warranty.
- Legitimate interest — Art. 6(1)(f). Securing the service against abuse, maintaining operational logs, improving the atelier experience.
- Consent — Art. 6(1)(a). Where we specifically ask for it, e.g., future marketing emails outside the pledge relationship. You may withdraw consent at any time.
- Legal obligation — Art. 6(1)(c). Where we must retain records for tax, customs, or compliance.
CCPA · CPRA.
We collect the categories of personal information described in N°02. Under CCPA these map to: identifiers (name, email, IP hash), commercial information (pledge data), geolocation (shipping country), and electronic activity (login attempts).
We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
California residents may request to know, to delete, to correct, to limit the use of sensitive personal information, and to opt-out of any sale or share should that ever occur. Write to contact@aerionn.com. We will not discriminate against you for exercising these rights, and we will respond within the statutory period.
Equivalent rights are honoured for residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Delaware, and other U.S. states with comprehensive privacy laws.
A short list.
- Kickstarter, Inc. — your pledge passes through the Kickstarter platform; their privacy policy governs that relationship.
- PledgeBox — collects your shipping details and reward options on our behalf; their policy governs your survey response.
- Operational processors — a small, curated set of partners for hosting, database, and transactional email delivery, each bound by a data processing agreement. A current list is available on request to contact@aerionn.com.
- Shipping carriers — once fulfilment begins, the carrier delivering your Forma receives the name, address, and contact details strictly necessary to deliver.
- Professional advisers — legal, accounting, and compliance advisers, under obligations of confidentiality.
- Public authorities — only where compelled by a valid legal request.
We do not sell data. We do not share data for advertising.
As long as the custody lasts.
- Backer records — for the lifetime of the Aerionn custody relationship, through delivery, warranty, and ordinary support thereafter, and for the minimum period required by applicable tax and consumer-protection law.
- Correspondence — retained for the same period, so the thread remains intact and auditable.
- Login attempts and rate-limit records — 24 to 72 hours.
- Session cookies — 12 to 24 hours, depending on the role.
When a retention period ends, data is erased or irreversibly anonymised.
Out of the EEA.
If your personal data is transferred outside the European Economic Area — for instance, where an operational processor is located in the United States — the transfer is made under appropriate safeguards. Typically this means the European Commission's Standard Contractual Clauses, supplemented by additional technical measures (encryption in transit and at rest, minimisation at source, salted IP hashing).
A copy of the relevant safeguards is available on request.
Plain English.
- Access — ask us what we have about you.
- Rectification — correct anything that is wrong.
- Erasure — ask us to delete it.
- Restriction — ask us to pause processing while we sort something out.
- Objection — object to processing based on legitimate interest.
- Portability — receive a machine-readable copy.
- Withdraw consent — at any time, for anything processed on consent.
- Complain — to your national or local data protection authority (the supervisory authority of your EU/EEA member state, or the equivalent regulator in your country of residence).
To exercise any right, write to contact@aerionn.com with enough detail to identify you and process the request. We respond within one calendar month under GDPR, or the statutory period under applicable U.S. state law.
One essential cookie.
When you sign in to the backer dashboard, we set a signed session cookie — aerionn_backer_session — that is HttpOnly, Secure, and SameSite=Lax, signed with a server-side secret, and valid for 24 hours. The atelier admin channel uses an equivalent cookie for 12 hours.
That is the full list. No third-party tracking cookies. No advertising cookies. No analytics cookies. No fingerprinting. If this changes, the cookie notice at the foot of the site will be updated and your consent will be sought where required.
You may refuse all cookies through your browser settings. Refusing the session cookie means you cannot sign in to the dashboard; the public pages remain accessible.
Minimum entropy for the attacker.
All traffic runs over HTTPS with HSTS preload. We do not store passwords — authentication uses single-use, SHA-256-hashed magic-link tokens with a 15-minute validity window. IP addresses are salted and hashed before storage. Sensitive data (shipping address, phone number) is stored but is never rendered on the backer dashboard. Rate limits are applied to login attempts. The site has strict Content Security Policies on its authenticated surfaces.
No system is perfectly secure. If we suffer a personal-data breach that is likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority under GDPR Art. 33 / 34.
Adults only.
The Aerionn site and the backer dashboard are intended for adults. We do not knowingly collect data from individuals under 16 (or the equivalent age under applicable local law). If you believe a minor has provided personal data, write to contact@aerionn.com and we will remove it.
When this notice moves.
If we update this notice materially, we will post a prominent notice on the backer dashboard and at the top of this page, and update the last reviewed date above. Your continued use of the site after the posted date constitutes acceptance of the updated notice, subject to your rights under applicable law.
Write to us.
contact@aerionn.com
For EU/EEA data subjects, details of any GDPR Art. 27 representative (where appointed) are available on request.