Terms, Privacy & Legal

Transparency.
No small print.

Everything you need to know about how AerEthos works, how we handle data, and what your rights are — written to be understood, not to confuse.

Last updated 18 March 2026
Data Processing Addendum (DPA)
The formal controller–processor agreement for schools. Legally binding.
You are viewing the Schools version of this policy.
This version explains AerEthos's role as your data processor, your obligations as data controller, and the full technical and legal framework governing our relationship.
01

Introduction & Scope

In plain English
These are the rules that govern how AerEthos operates. By working with us — as a school, a student, or a parent — you are agreeing to these terms. We've tried to write them so they're actually readable.

These Terms & Policies govern the provision of all services by AerEthos, including yearbook design and production, the AerEthos Vision platform, graduation products, and any related services (collectively, the "Services"). They apply to all schools, students, parents, and other individuals who engage with AerEthos in any capacity.

These policies are compliant with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Data Protection Acts 1988–2018 (Ireland), and applicable Irish and EU consumer and commercial law.

Where AerEthos acts as a data processor on behalf of a school (the data controller), the applicable controller–processor terms are set out in the separate Data Processing Addendum. These Terms operate alongside, and do not replace, the DPA.

These policies should be read in their entirety. The "In plain English" summaries are provided for convenience and do not constitute legal advice. The full text of each section governs.
02

Who We Are

In plain English
AerEthos is run by Nathan Sfendji, based in Waterford, Ireland. We are pre-registration but fully operational. All contracts with us are valid.

AerEthos is a memory publishing company providing yearbook design, production, and digital memory platform services to schools and educational institutions in Ireland and internationally.

Principal contact: Nathan Sfendji, nathan@aerethos.com

Registration status: AerEthos is currently operating prior to formal company registration. A registered address and company number have not yet been assigned. All agreements and obligations are fully valid and enforceable regardless of registration status.

Jurisdiction: Ireland / European Union. These policies are governed by Irish law. Any disputes arising from the use of AerEthos services are subject to the exclusive jurisdiction of the Irish courts, without prejudice to any mandatory consumer protection rights you may have in your country of residence.

03

Services, Contracts & Payment

In plain English
A school becomes a client by paying the onboarding fee. Students buy their own books directly. We design everything — you just approve the final result before we print.

A binding service agreement between AerEthos and a school is formed when the school pays the onboarding fee and receives written confirmation from AerEthos. The onboarding fee (from €299, as agreed in writing) is non-refundable and confirms the school's place for that academic year.

AerEthos undertakes to: design and produce the yearbook to a professional publication standard; manage the student submission and content collection process; provide staged design previews; deliver a complete watermarked proof for school approval; manage print production and delivery to the school.

The school undertakes to: provide a student list and main contact person within five working days of onboarding; communicate deadlines to students when requested; review and approve the final watermarked PDF proof within the agreed timeframe; not engage a competing yearbook service for the same year group during the contract period.

Students purchase their yearbooks directly from AerEthos. Pricing per student is set out in the current pricing schedule (available at aerethos.com/pricing) and confirmed in writing at the time of school onboarding. Prices are fixed for the duration of the academic year once confirmed.

Payment is collected from students via AerEthos's payment system. The school does not handle student payments and bears no financial liability for student non-payment.

Student book purchases are non-refundable once the book has entered print production. AerEthos may, at its discretion, offer credit or replacement in cases of production defect.

A school may cancel its agreement with AerEthos prior to the design commencement date (typically four to six weeks after onboarding). In this case, the onboarding fee is forfeited but no further charges apply.

Cancellation after design has commenced will result in a cancellation fee proportional to the design work completed at the date of cancellation. AerEthos will provide a written breakdown of this fee.

AerEthos reserves the right to terminate an agreement if a school: fails to provide required materials within thirty (30) days of the agreed deadline; engages in conduct that is unlawful, defamatory, or harmful to AerEthos or its staff; or materially breaches these Terms and fails to remedy the breach within fourteen (14) days of written notice.

AerEthos operates as a fully custom design service. Each yearbook is created specifically for one school and cannot be repurposed or resold. Accordingly:

  • The school onboarding fee is non-refundable in all circumstances.
  • Student book payments are non-refundable once print production has commenced.
  • In the event of a production defect attributable to AerEthos, we will replace affected copies at no charge.
  • AerEthos does not offer refunds on the grounds of dissatisfaction where the delivered product matches the approved proof.

These terms do not affect your statutory rights under Irish consumer law where applicable.

04

Personal Data We Process

In plain English
We collect student names, photos, quotes, and songs to make the yearbook. We collect school staff contact details to manage the project. We don't sell any of it, ever.

When acting as your data processor, AerEthos processes personal data strictly on the school's documented instructions. Categories of personal data processed include:

  • Student full names, year group, and class affiliation
  • Student portrait photographs and additional personal photographs
  • Student-authored text content (quotes, memories, future plans, achievements)
  • Student music preferences (track titles and artists)
  • School staff contact details (name, email, role)
  • Device and browser technical metadata (IP address, user agent, access timestamps) — collected during use of digital services only
  • Payment and billing data — processed by Stripe on AerEthos's behalf; AerEthos does not store card data

Special category data: AerEthos does not intentionally collect special category data (health, religion, ethnicity, etc.). Content submitted by students may incidentally contain such data. AerEthos processes this only as strictly necessary to deliver the agreed service and applies data minimisation throughout.

The school, as data controller, is responsible for ensuring appropriate consents and transparency are provided to students and parents before data is shared with AerEthos. AerEthos provides a template consent notice and Data Processing Addendum for this purpose.

05

AerEthos Vision — Data Architecture & Privacy

In plain English
The Vision platform is the online hub that opens when you tap your NFC yearbook. It hosts videos, photos, and your class playlist permanently. Here's exactly what data it processes and how.
This section contains detailed technical and legal information about the AerEthos Vision platform. It is intended for schools, data protection officers, and IT administrators who need to understand the full data architecture before approving Vision integration.

AerEthos Vision is a web-based memory archive platform. Each school is provisioned with a unique hub accessible via a permanent URL. Access is facilitated by either a QR code or NFC chip embedded in the physical yearbook. The hub is hosted by AerEthos on Vercel's global edge network.

The hub URL is non-indexed — it does not appear in search engine results. Access is by URL only. No authentication is required to view hub content. Schools may request additional access controls (e.g. URL-based access restriction) on request.

When a Vision hub URL is accessed (whether via NFC tap, QR scan, or direct URL entry), AerEthos's hosting infrastructure automatically logs:

  • IP address — used for security, abuse prevention, and geographic load balancing. Not used for user tracking or profiling.
  • User agent string — browser and device type. Used for compatibility monitoring and technical support.
  • Timestamp — date and time of access. Retained for security audit purposes.
  • Page/content identifier — which hub or section was accessed. Used for content delivery and basic analytics (aggregate page views only).
  • Referrer URL — where the request came from, if available. Standard HTTP header; not stored long-term.

AerEthos does not set tracking cookies on Vision hubs by default. No cross-site tracking, behavioural profiling, or third-party advertising scripts are deployed on Vision pages.

Student content hosted on Vision hubs includes: videos (uploaded by AerEthos after school events), photographs (uploaded by AerEthos from school-submitted materials), and metadata (student names, quotes, song titles) derived from the printed yearbook.

Retention commitment: AerEthos guarantees a minimum thirty (30) year hosting term for all Vision hubs, commencing from the date the hub first goes live. This commitment is contractual and forms part of the school service agreement. In the event AerEthos ceases to operate, reasonable steps will be taken to transfer hub hosting to a successor entity or return all content to the school.

Content removal: Any student or parent may request removal of their specific content from a Vision hub at any time by contacting nathan@aerethos.com. Requests will be actioned within fourteen (14) days. Removal of content from the hub does not affect the physical yearbook.

AerEthos Vision NFC uses passive NFC chips (NTAG213 or equivalent) embedded in the yearbook cover. These chips:

  • Contain only a static URL — no personal data is stored on the chip itself
  • Are read-only — they cannot be written to, modified, or cloned by third parties using standard consumer devices
  • Do not transmit data to AerEthos — a tap simply opens a URL in the browser, exactly equivalent to typing the URL manually
  • Have an effective read range of approximately 4cm — accidental or covert reads are not a practical concern
  • Are compliant with ISO/IEC 14443-A and NFC Forum Type 2 Tag standards

The data implications of NFC access are therefore identical to QR code access — both result in a standard HTTP request to the hub URL, triggering the server-side logging described above.

The Class Playlist feature on Vision hubs links to Spotify and Apple Music. These are outbound links only — clicking them opens the respective platform in a new tab. AerEthos does not share user data with Spotify or Apple Music, and does not have access to your accounts on those platforms.

Vision hubs do not embed third-party analytics (e.g. Google Analytics), social media widgets, or advertising scripts. The only third-party infrastructure involved in hub delivery is Vercel (hosting and CDN), for which AerEthos maintains appropriate data processing agreements.

The following sub-processors are engaged in the delivery of AerEthos Vision:

Vercel, Inc. | Hosting, edge network, CDN | United States | EU–US Data Privacy Framework, SCCs
Cloudflare, Inc. | DDoS protection, DNS | United States | EU–US Data Privacy Framework, SCCs
GitHub, Inc. | Source code repository | United States | EU–US Data Privacy Framework, SCCs

AerEthos will notify schools of any material changes to sub-processors with reasonable advance notice.

06

Lawful Bases for Processing

In plain English
Under GDPR, we need a legal reason to use your data. For most of what we do, the reason is 'we have a contract with you'. For some things it's 'we have a legitimate interest'. We never rely on consent for the core service.

Contract (Article 6(1)(b) GDPR): The primary lawful basis for processing student and school data is the performance of the service agreement. Processing student names, photos, quotes, and content is necessary to produce the yearbook. Processing school staff contact details is necessary to manage the project.

Legitimate Interests (Article 6(1)(f) GDPR): AerEthos relies on legitimate interests for: service security and fraud prevention (including technical logging on Vision hubs); communications with prospective schools; business administration and record-keeping; and aggregate analytics (page view counts). A Legitimate Interests Assessment (LIA) has been conducted for each of these purposes and is available on request.

Legal Obligation (Article 6(1)(c) GDPR): AerEthos retains billing and payment records in compliance with Irish accounting and tax law obligations. Retention periods are determined by applicable statutory requirements.

Consent (Article 6(1)(a) GDPR): AerEthos does not rely on consent as the lawful basis for any core service processing. Consent may be sought for optional activities such as the use of student content in AerEthos marketing materials — this is strictly opt-in and managed via a separate consent process. Withdrawal of consent for optional activities does not affect the core yearbook service.

07

Cookies & Tracking

In plain English
We use strictly necessary cookies only. We don't track you across the web and we don't serve ads. The only third-party cookie is from Stripe when you make a payment.

AerEthos uses only strictly necessary cookies on its website and Vision platform. No analytics, advertising, or tracking cookies are set by default.

Cookie | Purpose | Provider | Duration | Category
session | Session management and security | AerEthos | Session | Necessary
__stripe_mid | Payment fraud prevention | Stripe | 1 year | Necessary
__stripe_sid | Payment session identification | Stripe | 30 minutes | Necessary

Non-essential cookies (analytics, marketing) will only be set with your explicit consent via a cookie banner. By default, only the cookies listed above are active.

08

Security Measures

In plain English
We use encryption, access controls, and professional infrastructure. If we ever have a data breach that affects you, we'll tell you and the Data Protection Commission without delay.
  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced across all AerEthos domains)
  • Data at rest is encrypted by our hosting provider (Vercel) using AES-256
  • Access to production systems is restricted to authorised personnel; multi-factor authentication is enabled on all administrative accounts
  • Source code is stored in private repositories with access logging
  • Payment data is processed exclusively by Stripe (PCI DSS Level 1 certified); AerEthos does not store card numbers or CVVs
  • Security patches are applied to dependencies on an ongoing basis

In the event of a personal data breach, AerEthos will:

  • Notify the Data Protection Commission (DPC) within 72 hours of becoming aware of the breach, where required under Article 33 GDPR
  • Notify affected schools (as data controllers) without undue delay, providing: the nature of the breach; the categories and approximate number of individuals affected; likely consequences; measures taken or proposed to address the breach
  • Notify affected individuals directly where required under Article 34 GDPR
  • Document all breaches in an internal breach register, regardless of whether notification is required
09

Retention & Deletion

In plain English
We keep your data for as long as we need it for the purpose we collected it. Vision content is kept for 30 years minimum. Everything else is deleted when it's no longer needed.

Yearbook design files & student submissions | Until delivery + 12 months | Support, corrections, reprints
AerEthos Vision hosted content | Minimum 30 years from hub launch | Permanent memory archive — contractual commitment
Server & access logs (Vision) | 90 days | Security and troubleshooting
School staff contact details | Duration of relationship + 3 years | Account management, support, legal records
Billing & payment records | 7 years | Irish Revenue/accounting obligations
Email correspondence | 3 years from last contact | Business record-keeping
Marketing consent records | Until consent withdrawn + 1 year | Compliance evidence

10

International Data Transfers

In plain English
Our servers are run by US companies (Vercel, Stripe) that operate in Europe under EU-approved legal frameworks. Your data is protected to EU standard wherever it goes.

AerEthos uses sub-processors based in the United States. Where personal data is transferred outside the European Economic Area, AerEthos relies on one or more of the following transfer mechanisms:

  • EU–U.S. Data Privacy Framework (DPF): where the recipient is certified under the DPF (applicable to Vercel, Stripe, and GitHub)
  • Standard Contractual Clauses (SCCs): European Commission-approved clauses (2021/914/EU) incorporated into data processing agreements with sub-processors, together with any required Transfer Impact Assessment (TIA) and supplementary measures

Documentation of transfer mechanisms for each sub-processor is available to schools on request. AerEthos monitors the legal landscape regarding international transfers on an ongoing basis and will update transfer mechanisms as required.

11

Your Rights Under GDPR

In plain English
You have the right to see, correct, or delete your data. You can also object to how we use it. These rights are real and we will respond to any request within one month.

Right of Access (Art. 15): Request a copy of all personal data AerEthos holds about you. We will respond within one month.

Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data. Corrections to yearbook content are subject to production timeline constraints.

Right to Erasure (Art. 17): Request deletion of your data. Applies where data is no longer necessary, consent is withdrawn, or processing was unlawful. Subject to legal retention obligations.

Right to Restriction (Art. 18): Request that we limit processing of your data while a dispute about accuracy or lawfulness is resolved.

Right to Portability (Art. 20): Receive a copy of your data in a structured, machine-readable format (where processing is based on consent or contract and carried out by automated means).

Right to Object (Art. 21): Object to processing based on legitimate interests. AerEthos will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

To exercise any of these rights, contact: nathan@aerethos.com. Requests will be acknowledged within 72 hours and fulfilled within one calendar month (extendable by two further months for complex requests, with notice).

Where AerEthos acts as a data processor for a school, data subject requests should be directed to the school as data controller in the first instance. AerEthos will assist schools in fulfilling their obligations under Article 28(3)(e) GDPR.

12

Children & Under-18s

In plain English
Most of our students are under 18. We take this seriously. Schools are responsible for getting the right permissions from parents before sharing student data with us.

AerEthos processes personal data relating to minors (persons under 18 years of age) in the course of providing yearbook services. This processing occurs solely on the instruction of the school as data controller, and is limited to what is strictly necessary for the yearbook and Vision services.

Responsibility of schools: As data controller, the school is responsible for ensuring that appropriate notices are provided to students (and, where required, their parents or guardians) before student data is shared with AerEthos. AerEthos provides a template privacy notice and consent form for this purpose on request.

Direct processing by AerEthos: AerEthos does not knowingly collect data directly from individuals under 16 without school mediation. The student submission system is accessed through a school-issued link — it is not publicly accessible. AerEthos does not create accounts for students under 16.

Marketing: AerEthos does not direct marketing communications to individuals under 18 and does not use student data submitted through yearbook production for any marketing purpose without separate, explicit consent from the student (and parent/guardian where required).

If you are a parent or guardian and believe your child's data has been processed without appropriate consent, please contact nathan@aerethos.com immediately. We will investigate and respond within 72 hours.
13

Changes to These Policies

In plain English
If we make important changes, we'll let you know. Minor updates (like fixing typos) happen without notice. The date at the top of the page always shows the last update.

AerEthos reserves the right to update these policies at any time. The "Last updated" date at the top of this page reflects the date of the most recent material change.

For material changes (those that meaningfully affect how we process personal data or the rights of data subjects), AerEthos will: provide at least 30 days' notice to active school partners via email; update this page with a summary of changes; and, where required by GDPR, seek fresh consent or update the Data Processing Addendum.

Continued use of AerEthos services after the effective date of a policy change constitutes acceptance of the updated terms. Schools may terminate the service agreement without penalty if they object to material policy changes, provided written notice is given within 30 days of the change notice.

14

Contact & Complaints

In plain English
Email Nathan. If you're not happy with how we handle your data, you also have the right to complain to the Irish Data Protection Commission — we'll tell you how.

Privacy contact
Nathan Sfendji
nathan@aerethos.com
Response within 72 hours

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
dataprotection.ie

You have the right to lodge a complaint with the Data Protection Commission (DPC) at any time if you believe your data protection rights have been infringed. We would however ask that you contact us in the first instance so we have the opportunity to address your concern directly.

Change log
18 Mar 2026
Full rebuild — expanded Vision data architecture section, NFC technical detail, sub-processor table, children's data provisions, and international transfers framework. Added DPA cross-reference. Schools/Students toggle retained.
14 Mar 2026
Initial publication.