The short version is on this page. The legal version is in our privacy policy and terms of service.
Account email and password hash, customer and school configuration, source URLs (encrypted at rest), internal streaming-path metadata, and viewer-session telemetry (timestamps, IP, user agent) for analytics and security. Mirrored from our privacy policy in plain English.
We do not run third-party advertising on the platform. We do not sell personal data. We do not embed third-party trackers on the parent portal or the operator console. Any analytics on this marketing site is privacy-respecting — no cookies, no cross-site fingerprinting.
Camera credentials are encrypted at rest with industry-standard authenticated AES before they hit the database. All playback to parents and operators goes over TLS. Internal traffic between our streaming nodes runs on a secure private network not reachable from the public internet.
Authentication is JWT-based with short-lived access tokens and refresh tokens. Roles separate platform admins, customer owners, customer operators, and parents — each role's permissions are enforced server-side on every request. Every operator action is recorded in an audit log.
Our primary database is hosted in India. We do not transfer parent or stream metadata outside India in normal operation.
Hosting and CDN: a single Indian-region hosting provider plus a global CDN for static assets. Email: a transactional email provider for password resets and notifications. We do not list specific vendor names publicly; current and prospective customers can request the full subprocessor list on a call.
Email security@aeye.cam with details. We don't run a paid bug bounty yet, but we acknowledge in writing and credit responsible disclosure in our changelog.
We've answered most of them before — happy to walk you through the long version.