Privacy Policy
What we collect, why, how long we keep it, and what you can demand back. Written plainly. No tracking dark patterns.
§ 01 Who is the data controller
The data controller responsible for personal data processed through the Aether services (AetherCode API, the public website at aetherlang.com, and the NOUS project pages at nous-lang.org) is:
| Controller | Hlias Staurou — sole proprietor (individual operator) |
| Tax ID (AFM) | 102607797 |
| Jurisdiction | Athens, Greece |
| Contact | support@nous-lang.org |
| Supervisory authority | Hellenic Data Protection Authority (HDPA) — dpa.gr |
§ 02 What we collect
We process the minimum data needed to operate a cryptographically attested code-execution API. Categories:
| Identification | API key (issued by RapidAPI), subscription tier |
| Contact | Email address — held by RapidAPI, not by us directly, unless you write to support |
| Request content | The prompt body you send to /v1/chat/completions. This includes whatever code, comments, or text you put in it. |
| Response content | The output generated, briefly held to sign the AetherProof receipt |
| Technical | IP address, request timestamp, model used, tokens consumed, ATLAS gate outcomes |
| Billing | Handled entirely by RapidAPI. We see aggregate request counts, not card data. |
§ 03 Why we process it (legal basis)
Each processing purpose has a specific legal basis under GDPR Article 6:
- Performance of contract (Art. 6(1)(b)). Routing your request to the LLM upstream, running ATLAS gates, signing the receipt, returning the response.
- Legal obligation (Art. 6(1)(c)). Greek tax recordkeeping for revenue received via RapidAPI.
- Legitimate interest (Art. 6(1)(f)). Security logging (IP, timestamp, anomaly flags) to detect abuse and protect the service. You can object — see § 07.
We do not use your prompts or responses to train any model. We do not sell data. We do not run advertising.
§ 04 Who else sees your data
Your request body necessarily transits through third parties to reach the LLM that generates the response. We disclose them up front:
| RapidAPI | API key issuance, subscription billing, customer email. See their privacy policy. |
| Cloudflare | Edge routing, DNS, email forwarding (support@nous-lang.org → operator inbox), DDoS protection. |
| Anthropic / other LLM providers | Receive prompt body for inference. Subject to their privacy terms. Data residency: typically United States. |
| Sigstore (Rekor) | Receives the cryptographic hash of each AetherProof receipt (no personal data, no prompt content). Public transparency log. |
| Hetzner Online GmbH | Server hosting (Frankfurt, Germany — EU/EEA). |
International transfers to the United States (Anthropic, Sigstore) rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable.
§ 05 How long we keep it
| Request prompts | Not retained after the response is signed and returned. Discarded within minutes. |
| AetherProof receipts | 90 days, then deleted from our database. The Sigstore log entry (a hash, not your data) persists publicly indefinitely. |
| Technical logs (IP, timestamps) | 30 days, for abuse detection. |
| Billing-related records | 10 years, per Greek tax law (mandatory). |
| Email correspondence | Up to 3 years from last contact, then deleted. |
§ 06 Your rights
Under GDPR you can exercise the following rights against us:
- Access — confirm what data we hold about you and obtain a copy.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — subject to overriding obligations (e.g. tax records).
- Restriction — pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — to processing based on legitimate interest (§ 03), including profiling.
- Complaint — file with the Hellenic Data Protection Authority at dpa.gr at any time.
To exercise any right, email support@nous-lang.org. We respond within 30 days as required by Art. 12(3).
§ 07 Automated decision-making
ATLAS, the five-gate verifier, evaluates each response mechanically (syntax parse, static analysis, sandbox execution, schema match, determinism). It does not produce decisions about you. It evaluates code, not identity. There is no profiling or automated decision with legal effect within the meaning of GDPR Art. 22.
§ 08 Cookies and tracking
The landing page (aetherlang.com) is served as a static HTML file behind Cloudflare. It uses no analytics, no third-party trackers, and no cookies. Cloudflare sets a minimal session cookie required for DDoS protection and bot detection — this is necessary for the site to operate securely and falls under the strictly-necessary exemption to ePrivacy consent requirements.
§ 09 Security
We use Ed25519 cryptographic signatures, RFC 8785 JSON Canonicalization, and transparency-log anchoring (Sigstore Rekor) to make our outputs verifiable independently of us. Our signing keys are not stored in environment variables; they are loaded at process start from access-controlled file paths. Hardening drop-ins (NoNewPrivileges, PrivateTmp, PrivateDevices) are applied at the systemd layer.
If you discover a security issue, email support@nous-lang.org with subject "security". We acknowledge within 48 hours.
§ 10 Changes to this policy
We may update this policy as the service evolves or as the controller status changes (notably, upon incorporation). Material changes will be announced on the landing page at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Last reviewed 16 June 2026 by the controller. Next scheduled review: upon incorporation, or 16 June 2027, whichever comes first.