Sign InStart Free →

Privacy Policy

Our privacy policy and how we use your data

Last updated: March 29, 2026

Aforo, Inc. ("Aforo," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, APIs, website, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information. When you register, we collect your name, email address, company name, job title, and password or authentication credentials (via Google OAuth or email-based authentication).
  • Workspace Information. Organization name, team member details (names, emails, roles), and workspace configuration preferences.
  • Billing Information. Payment method details, billing address, and tax identification numbers. Credit card information is processed directly by our PCI-compliant payment processor (Stripe) and is never stored on our servers.
  • Onboarding Information. Company size, industry, use case, and product preferences you provide during account setup.
  • Communications. Messages you send to our support team, feedback, survey responses, and correspondence.

1.2 Information Collected Automatically

  • Usage Data. Pages visited, features used, actions taken, timestamps, session duration, and interaction patterns within the Service.
  • Device and Browser Data. IP address, browser type and version, operating system, device type, screen resolution, and referring URLs.
  • Log Data. Server logs including API requests, error reports, and performance metrics.
  • Cookies and Similar Technologies. See our Cookie Policy for details on how we use cookies, local storage, and similar technologies.

1.3 Customer Data (Processed on Your Behalf)

As a billing and metering platform, we process data that you submit about your End Customers, including:

  • Usage events (API calls, token consumption, compute usage, data transfer volumes)
  • End Customer identifiers, subscription details, and billing records
  • Invoice data, payment status, and transaction histories
  • Storefront interactions and self-service portal activity

We process this Customer Data solely on your behalf as a data processor. You remain the data controller and are responsible for obtaining appropriate consents from your End Customers.

1.4 Financial Data Processing

As a monetization platform, Aforo processes transactional data including usage events, pricing metadata, rate plan configurations, and billing records. We maintain strict logical isolation of this data at the tenant level — separate database schemas, separate cache keys, and separate event streams per workspace. Aforo acts as a Data Processor for your monetization data. We do not sell, share, or monetize individual transaction data with third parties for marketing or any other purpose.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — authenticate your identity, operate your workspace, process usage events, generate invoices, and power your Storefront
  • Process payments — charge subscription fees, calculate usage-based charges, and manage billing cycles
  • Improve the Service — analyze usage patterns, identify bugs, optimize performance, and develop new features
  • Communicate with you — send transactional emails (invoices, security alerts, password resets), product updates, and, with your consent, marketing communications
  • Ensure security — detect and prevent fraud, abuse, and unauthorized access to the Service
  • Comply with legal obligations — respond to legal processes, enforce our Terms of Service, and meet regulatory requirements
  • AI Cost Intelligence — analyze your AI provider usage data (with your authorization) to provide cost optimization recommendations

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We share information with third-party service providers that perform services on our behalf, including:

  • Payment processing: Stripe (for subscription billing and payment collection)
  • Cloud infrastructure: AWS, Google Cloud (for hosting and data storage)
  • Authentication: Supabase (for identity management)
  • Email delivery: Transactional email providers (for system notifications)
  • Analytics: Aggregated usage analytics (with your consent via cookie preferences)

All service providers are contractually bound to use your information only for the purposes of providing services to us and are subject to appropriate data protection obligations.

3.2 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect our rights or property; (c) prevent fraud or security threats; or (d) protect the safety of our users or the public.

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.

3.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so, such as when you enable integrations with third-party services (payment gateways, accounting systems, API gateways).

4. Data Security

We implement industry-standard security measures to protect your information, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-tenant data isolation with workspace-level access controls
  • Role-based access control (RBAC) for team member permissions
  • Regular security audits and vulnerability assessments
  • Secure API authentication using industry-standard protocols
  • Audit logging of administrative actions and data access events

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your information for as long as necessary to:

  • Provide the Service and maintain your Account
  • Comply with legal obligations (e.g., tax and financial reporting requirements)
  • Resolve disputes and enforce our agreements
  • Meet audit and compliance requirements for billing and payment records

When your Account is terminated, we retain your Customer Data for 30 days to allow for export. After this period, data is permanently deleted except where retention is required by law. Billing records and invoices may be retained for up to 7 years to comply with financial reporting obligations.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

6.1 For All Users

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Data Export: Export your data in a machine-readable format
  • Opt-out: Unsubscribe from marketing communications at any time

6.2 For EEA, UK, and Swiss Residents (GDPR)

In addition to the rights above, you have the right to:

  • Restrict processing of your personal data in certain circumstances
  • Data portability — receive your data in a structured, commonly used format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection authority

Our legal bases for processing under GDPR include: (a) performance of a contract (providing the Service); (b) legitimate interests (security, fraud prevention, service improvement); (c) consent (marketing communications, optional cookies); and (d) legal obligations (financial reporting, compliance).

6.3 For California Residents (CCPA/CPRA)

  • Right to know what personal information we collect, use, and disclose
  • Right to delete your personal information
  • Right to opt-out of the sale or sharing of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

7. International Data Transfers

Our Service is hosted primarily in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States or other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required by GDPR.

8. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@aforo.io.

9. Third-Party Links and Integrations

The Service may contain links to third-party websites or integrate with third-party services (payment processors, cloud providers, accounting systems). This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through the platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Data Protection Officer

For inquiries related to data protection and privacy, please contact our Data Protection Officer:

Aforo, Inc.
Data Protection Officer
Email: privacy@aforo.io
Website: https://aforo.io

We aim to respond to all privacy-related requests within 30 days. In some cases, we may need to verify your identity before processing your request.