Respira mejor. Vive con inteligencia.^®

Terrestream Indoor Air Quality Sensor

Privacy Policy

Effective June 1, 2026 · Version 1.0 · Aerodyne Inc. d/b/a Terrestream

§P1. About This Policy

P1.1 Who we are

Terrestream is a brand of Aerodyne Inc., a Delaware corporation. In this Privacy Policy, “Terrestream,” “we,” and “us” refer to Aerodyne Inc. doing business as Terrestream. Terrestream acts as the “business” or “controller” where those terms apply under US state privacy laws; the organization accountable for Personal Information under Canadian privacy laws; and the person responsible or enterprise where those terms apply under Quebec privacy law.

P1.2 Privacy Officer (Accountability)

Terrestream has designated a Privacy Officer accountable for compliance with this Privacy Policy and applicable privacy law. The Privacy Officer is the point of contact for all privacy inquiries, requests to exercise Data Subject Rights under §P7, and complaints. This designation is intended to support Terrestream’s accountability obligations under Quebec Law 25 and PIPEDA.

terrestream.com/contact?dept=privacy

P1.3 Scope

This Privacy Policy applies to Personal Information collected through (a) the Device, (b) the Mobile App, (c) the Web Dashboard at terrestream.com and its subdomains, (d) the Terrestream marketing website, and (e) Terrestream customer support channels.

P1.4 Out of scope

This Privacy Policy does not govern (a) Third-Party Platforms once Personal Information is transmitted at your direction, (b) the Apple App Store, Google Play, or other app distribution platforms, or (c) content you choose to publish publicly.

P1.5 Effective date and version

The current version is published at terrestream.com/legal/privacy. Prior versions are archived at terrestream.com/legal/archive. Effective date and version number appear at the top of the Policy.

P1.6 Plain-language summary

A plain-language summary is available at terrestream.com/legal/summary (Appendix A). The summary is informational only; this Privacy Policy controls.

P1.7 Definitions

Capitalized terms used and not defined here have the meanings given in T&C §1. Personal Information, Sensitive Personal Information, sale, share, targeted advertising, Deidentified Data, Aggregate Data, AI Training, Applicable Privacy Law, Customer Personal Data, Service Provider, Sub-Processor, and Data Subject Rights carry the meanings given in T&C §1, the DPA §1, or by applicable law, and are used as defined in the section where they first appear. This Privacy Policy controls over T&C §18 in case of conflict.

Universal definition. Regardless of jurisdiction- specific definitions, Terrestream treats data relating to an identified or identifiable individual as Personal Information for purposes of this Policy, no matter where the individual lives.

§P2. Personal Information We Collect

P2.1 Categories of Personal Information

Terrestream collects the following categories of Personal Information, organized by the categories used in the CCPA/CPRA, Cal. Civ. Code § 1798.140 (“§ 1798.140”):

Category	What we collect
Identifiers	Name, email, account identifier, Device serial number, IP address.
Customer records	Billing address and a payment processor token. Terrestream does not retain full payment card numbers; full card data is handled by the payment processor under §P5.2.
Commercial information	Tier status (Free Tier, Pro Trial Period, or paid Pro Subscription ), trial-start and renewal dates, Pro Subscription history, purchase history.
Internet or other electronic network activity	Mobile App and Web Dashboard usage logs, feature interactions, dashboard views, session metadata, push-notification engagement.
Geolocation	Approximate location derived from IP address. Precise geolocation is collected only with your explicit opt-in for weather and outdoor air-quality features.
Audio or visual information	None. The Device has no microphone or camera. The Mobile App may use your phone’s camera for one-time QR-code provisioning of the Device; that image is processed on-device only and is not transmitted to or retained by Terrestream. Camera access is optional, can be revoked through Your phone’s OS settings, and manual entry of the Device serial number is available as an alternative.
Professional or employment information	Organizational role for Commercial User account administrators.
Inferences	AI Outputs derived from Telemetry Data, including composite air-quality scores, mold-risk indicators, ventilation recommendations, occupancy estimates, and trend analyses.
Telemetry Data	Environmental measurements as defined in T&C §1 (the “Telemetry Data” entry): CO2, temperature, humidity, barometric pressure, IAQ index, VOC index, NOx index, particulate matter (PM 1.0/2.5/4.0/10.0), ambient light (lux), with timestamps, Device identifiers, and firmware version.
Network metadata	Wi-Fi SSID, BSSID, RSSI for provisioning and diagnostics, IP address, connection timestamps, and firmware version.

Retention of each category is governed by §P11.

P2.2 Sensitive Personal Information

Some of the Personal Information above may qualify as Sensitive Personal Information under § 1798.140(ae) and analogous state statutes. Terrestream treats the following as Sensitive Personal Information and applies the safeguards described below regardless of strict legal classification:

Precise geolocation, collected only with your explicit opt-in for weather and outdoor-air-quality integration. You may withdraw consent in Mobile App or Web Dashboard settings.
Account login credentials, stored only as salted cryptographic hashes. Terrestream does not store plaintext passwords.
Health-adjacent inferences, mold-risk indicators, respiratory-irritant indicators, and similar AI Outputs that may bear on occupant health. Terrestream treats these under Sensitive Personal Information safeguards.
Behavioral inferences, sleep-stage IAQ correlation, occupancy and presence estimates, daily routines, smoking or cooking-frequency inferences, pet-presence inferences, and aging-in-place patterns. Terrestream treats these under Sensitive Personal Information safeguards regardless of strict statutory classification, and the SPI-limit right in §P7.1 (CCPA § 1798.121 and CTDPA § 42-518) applies to them.

Use. Terrestream uses Sensitive Personal Information only for the purposes in §P4 and does not use it to infer characteristics about you beyond environmental insights.

Right to limit use. California residents under § 1798.121 and Connecticut residents under the Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq. (“CTDPA”), may direct Terrestream to limit the use of Sensitive Personal Information to purposes permitted by those statutes. Exercise per §P7.

Washington My Health My Data Act. For Washington consumers (identified by IP geolocation or account address) and inferences expressly tied to physical health status (for example, respiratory-irritant indicators), Terrestream applies the protections of the Washington My Health My Data Act, RCW ch. 19.373 (“MHMDA”): affirmative opt-in consent before any third-party share; no sale of consumer health data; honoring withdrawal of consent at any time; and honoring the right to deletion on request per §P7.

P2.3 Sources

Terrestream collects Personal Information (a) directly from you when you create an account, configure the Device, contact support, complete a purchase, or submit a privacy request; (b) from the Device in Connected Mode ( Telemetry Data and network metadata); (c) from third parties (payment confirmations from payment processors, with no card data retained, and weather and outdoor-air-quality feeds based on geographic queries only); and (d) from your browser or device (cookies, SDKs, and IP address) as described in §P3.

§P3. Cookies and Tracking Technologies

P3.1 Web Dashboard and marketing site cookies

The Web Dashboard and the Terrestream marketing site use:

Strictly necessary cookies for authentication, session management, security, and load balancing. These cannot be disabled without breaking core functionality.
Functional cookies for preferences, language, accessibility settings, and saved dashboard configurations.
Analytics cookies, Google Analytics, configured with IP truncation enabled, advertising features disabled, IDFA/AAID disabled, and no cross-site or cross-app tracking signals. You may opt out through the cookie preference center, the Google Analytics opt-out browser add-on, or your browser settings.

P3.2 Mobile App SDKs

The Mobile App uses software development kits (“SDKs”) for authentication, crash reporting, push notifications, and analytics. Active SDKs are listed in the live Sub-Processor list referenced in §P5.2. SDKs are configured to disable advertising identifiers and cross-app tracking by default. Terrestream does not engage in cross-app tracking and does not access the Apple Identifier for Advertisers (“IDFA”) or the Google Advertising ID (“AAID”) absent your consent through Apple’s App Tracking Transparency framework or the equivalent Android prompt.

P3.3 Global Privacy Control

Terrestream honors Global Privacy Control (“GPC”) signals as a valid universal opt-out mechanism (see §P5.4).

§P4. How We Use Personal Information

P4.1 Purposes

Terrestream uses Personal Information for the following purposes:

Operating the Cloud Services when the Device is in Connected Mode, including data ingestion, dashboards, push notifications, the home-automation API, and over-the-air updates.
Generating AI Outputs and improving model accuracy, subject to the AI Training boundaries in §P6.
Account administration, billing, subscription management, and customer support.
Sending transactional and service notifications (firmware updates, security alerts, subscription expiration, account security).
Sending commercial electronic messages where you have provided separate, affirmative consent under Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 (“CASL”), and the CAN-SPAM Act, 15 U.S.C. § 7701 et seq.
Security, fraud prevention, abuse detection, and protection of Terrestream and User systems.
Legal compliance, response to lawful requests, and protection of legal rights.
Creating and using Aggregate Data and Deidentified Data as described in §P6.
Conducting privacy impact assessments, audits, and other internal compliance activities.

Data minimization. Terrestream collects only the Personal Information necessary for the purposes listed above and does not collect Personal Information for purposes not disclosed in this Policy.

P4.2 Legal bases

Canadian Users (PIPEDA, Quebec Law 25, BC Personal Information Protection Act, S.B.C. 2003, c. 63 (“PIPA-BC”), and Alberta Personal Information Protection Act, S.A. 2003, c. P-6.5 (“PIPA-AB”)). Terrestream relies on (a) your express or implied consent in accordance with PIPEDA Principles 3 and 4 and analogous provincial requirements, (b) performance of the contract formed by the Terms, (c) legitimate business interest where permitted by applicable provincial law, and (d) legal obligation.

US Users. Terrestream relies on contract performance, legitimate business operations, legal compliance, and your consent for Sensitive Personal Information uses where required by §P2.2 or applicable state law.

Quebec. Terrestream obtains granular consent under Quebec Law 25 § 12 for purposes that require it, including secondary uses such as health-adjacent inferences and AI model training based on identified accounts. Each consent request describes the Personal Information collected, the purposes, the categories of recipients, and the duration of processing, in clear and simple language as required by Law 25 § 8.

P4.3 Tier offerings and data treatment

The Free Tier and Pro Subscription described in T&C §8.1 are core service offerings. Data processing is the same across tiers; no different data treatment is conditioned on tier selection. The Pro Trial Period is a no-charge, no-credit-card trial that ends in the Free Tier and is not characterized as a financial incentive under Cal. Civ. Code § 1798.125(b). Aggregate Data licensing under T&C §18.2 and PP §P6 applies identically to Free Tier and Pro Subscriber accounts.

P4.4 Purposes mapped to Personal Information categories

The following table maps each purpose in §P4.1 to the categories of Personal Information from §P2.1 that Terrestream uses for that purpose. Use of a category for a purpose not listed below requires Your separate consent or another legal basis under §P4.2.

Purpose (§P4.1)	Personal Information used (§P2.1)
Operating the Cloud Services in Connected Mode	Identifiers; Telemetry Data; Network metadata; Customer records (subscription state)
Generating AI Outputs and improving model accuracy	Aggregate Data and Deidentified Data; public reference datasets; synthetic data only (per §P6.4, no training on raw Personal Information of identified Users)
Account administration, billing, subscription management, support	Identifiers; Customer records; Commercial information; Internet activity (support session context)
Transactional and service notifications	Identifiers; Internet activity; Commercial information (subscription/renewal state)
Commercial electronic messages (with affirmative consent)	Identifiers; Internet activity
Security, fraud prevention, abuse detection	Identifiers; Telemetry Data; Network metadata; Internet activity
Legal compliance and lawful requests	All categories as required by applicable law
Creating and using Aggregate Data / Deidentified Data	Telemetry Data (then deidentified under §P6) and inferences
Privacy impact assessments, audits, and internal compliance	All categories under controlled access on a need-to-know basis

P4.5 Limited human review of identifiable Telemetry Data

In the ordinary course of operating the Cloud Services, Terrestream does not subject identifiable Telemetry Data of individual Users to routine human review by Terrestream personnel or Sub-Processors. Identifiable Telemetry Data may be reviewed by authorized Terrestream personnel only for: (a) responding to a support request initiated by the affected User; (b) investigating a Security Incident or suspected abuse of the Services under this Policy or T&C §13; (c) responding to lawful process or regulatory inquiry under §P5; (d) the privacy-impact assessments, audits, and compliance reviews described in §P4.1(9); or (e) any other purpose for which You have provided separate, purpose-specific consent. Model training and routine analytics use only Aggregate Data, Deidentified Data, synthetic data, and public reference datasets, as described in §P6.4.

§P5. How We Share and Transfer Personal Information

P5.1 We do not sell or share for cross-context behavioral advertising

Terrestream does not:

sell Personal Information for monetary or other valuable consideration within the meaning of CCPA/CPRA § 1798.140(ad) (“§ 1798.140(ad)”);
share Personal Information for cross-context behavioral advertising within the meaning of § 1798.140(ah) or analogous provisions of the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq. (“VCDPA”), the Colorado Privacy Act, C.R.S. § 6-1-1303 et seq. (“CPA”), the CTDPA, or the Oregon Consumer Privacy Act, ORS § 646A.570 et seq. (“OCPA”); or
engage in targeted advertising as defined by those statutes.

Terrestream’s commercial transfers of Aggregate Data described in §P6 are transfers of deidentified information and are not “sales” or “shares” of Personal Information under § 1798.140(m) or analogous state laws.

P5.2 Service Providers, Processors, and Sub-Processors

Terrestream engages Service Providers, processors, and Sub-Processors to perform business functions on its behalf. Each is bound by a written agreement that limits use of Personal Information to services performed for Terrestream, prohibits sale or sharing of Personal Information, requires confidentiality and security commitments, and obligates the recipient to assist with Data Subject Rights requests. These agreements are intended to support Service Provider status and written-mandate requirements governing communication of Personal Information to a Service Provider. Commercial Users that require a separately executed processor or controller-to- processor agreement may countersign Terrestream’s standard Data Processing Agreement at terrestream.com/legal/dpa, which addresses processing instructions, Sub-Processor approvals, audit cooperation, breach notification, and return and deletion of data. Regulated health, education, and Quebec-specific mandates require a separately executed addendum described in T&C §7.9. Functions performed in-house by Aerodyne (including customer support, tax calculation and remittance, and DSAR identity verification) are not separately listed; the table below lists third-party processors only.

Function	Provider
Cloud infrastructure	Amazon Web Services (AWS, US)
Analytics	Google Analytics (IP truncation enabled; advertising features disabled; no IDFA/AAID without ATT consent; no cross-site tracking)
Payment processing	Amazon (Amazon channel); Stripe (web shop); Apple App Store, Google Play (in-app)
Email delivery	Mailgun
Push notifications	Apple APNs, Google FCM
AI Output inference (Discovery cards, climate letter, Wrapped)	Third-party large-language-model API providers per the live Sub-Processor list. Prompt content is deidentified and coarsened per §P6.7.
Weather / outdoor AQI feed	Per live Sub-Processor list (geographic location only, not Personal Information )
Authentication, crash reporting, others	Per live Sub-Processor list at terrestream.com/legal/sub-processors
Legal and regulatory disclosure	Courts, regulators, and law enforcement under lawful process
Corporate transactions	Successor entity in any merger, acquisition, financing, reorganization, or asset sale (notice to affected Users where required by law)

The current Sub-Processor list is maintained at terrestream.com/legal/sub-processors (Appendix E). For Commercial Users, Terrestream provides at least 30 days’ advance notice of material additions or replacements, by Privacy Policy update or in-app notice, before the new Sub-Processor processes your Personal Information.

Partner-side data recombination. Third-Party Platforms enabled by You under T&C §9 (Apple HomeKit, Google Home, Amazon Alexa, Home Assistant, Samsung SmartThings, IFTTT) may combine the Personal Information Terrestream discloses to them with other data they have collected about You through their own services. Once data leaves Terrestream’s cloud, the platform’s privacy policy governs that processing.

P5.3 Cross-border transfers

All Personal Information is processed and stored on infrastructure located in the United States. By using the Device or Cloud Services, Canadian Users acknowledge transfer of their Personal Information to the United States for processing.

For Canadian Users, Terrestream maintains contractual safeguards with each Service Provider, data processing agreements, confidentiality, security commitments, and audit or assessment rights, designed to provide protection consistent with PIPEDA, PIPA-BC, and PIPA-AB.

For Quebec residents, Terrestream has conducted the privacy impact assessment required by Quebec Law 25 § 17 before communicating Personal Information outside Quebec, and has documented contractual safeguards with each recipient. Detail on the § 17 assessment is in §P8.

US data protection laws differ from Canadian and Quebec frameworks, including with respect to government access. Personal Information stored or processed in the United States may be accessible to US government authorities under lawful process, including the Stored Communications Act, 18 U.S.C. § 2701 et seq., and the Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2713 (“CLOUD Act”). Onward transfers from US Service Providers to non-US Sub-Processors are subject to analogous safeguards. Breach notification commitments are at §P10.

P5.4 Marketing opt-out and Global Privacy Control

Terrestream honors GPC signals as a valid opt-out under CCPA/CPRA and applicable state laws that recognize a universal opt-out mechanism, including the CPA, CTDPA, and OCPA. When Terrestream detects a GPC signal from your browser, Terrestream treats it as a valid opt-out for that browser or device.

You may opt out of marketing communications at any time by (a) using the unsubscribe link in any commercial electronic message, (b) adjusting marketing preferences in your account settings, or (c) emailing terrestream.com/contact?dept=privacy. Unsubscribe requests are processed within ten (10) business days, as required by CASL § 11(3). Quebec Users may withdraw consent for non-essential processing through the Privacy Officer (see §P1.2). Detail on the mechanics of rights requests, including timing and verification, is at §P7.

§P6. Aggregate Data, Deidentified Data, and AI Training

This section governs Terrestream’s creation, use, and licensing of Aggregate Data and Deidentified Data, including for AI model training.

P6.1 Definition and statutory tracking

Aggregate Data and Deidentified Data mean Telemetry Data or Personal Information that Terrestream has processed using technical and organizational measures — including removal of direct identifiers and application of statistical disclosure controls — such that re-identification of any specific User, Device, household, or location is not reasonably possible. The two terms are used together to refer to this processed-information category and carry the same operational scope under this Policy and T&C §1.

Terrestream’s deidentification standard is designed to meet applicable US state and Canadian privacy-law requirements (including CCPA/CPRA § 1798.140(m), the Colorado Privacy Act, Connecticut Data Privacy Act, Oregon Consumer Privacy Act, and Quebec Law 25) before data is treated as outside the personal-information framework.

P6.2 Safeguards

Terrestream applies the following safeguards to Aggregate Data and Deidentified Data:

Removal of direct identifiers and linkage, account identifiers, Device serial numbers, precise geolocation, IP addresses, and email addresses are removed or transformed before aggregation. Terrestream does not maintain a production key, mapping, or linkage table designed to permit re-association with a specific User, Device, or location after deidentification is complete.
Aggregation methodology, Terrestream applies documented re-identification-risk controls appropriate to the data set, which may include minimum cell sizes, suppression of small cells and outliers, generalization, or perturbation where warranted by the sensitivity of the underlying data. Methodology and thresholds may be adjusted based on fleet size, product changes, periodic risk assessments, and current regulatory guidance.
Staff prohibition, Terrestream personnel and contractors are contractually and operationally prohibited from attempting re-identification, except for risk-assessment purposes performed under controlled conditions.
Periodic risk assessment, Terrestream conducts periodic re-identification risk assessments and adjusts safeguards based on results, fleet size and distribution, and current regulatory guidance.
Public commitment, as required by § 1798.140(m) and analogous laws, Terrestream publicly commits to maintain and use Aggregate Data and Deidentified Data only in deidentified form and not to attempt re-identification.
Recipient obligations, third-party recipients are contractually prohibited from re-identification, required to maintain the data in deidentified form, and bound by flow-down obligations to their personnel and subcontractors.

P6.3 Permitted uses

Subject to the §P6.2 safeguards, Terrestream may use Aggregate Data and Deidentified Data for: (a) product improvement and feature development; (b) AI model training and algorithm improvement, subject to §P6.4; (c) academic and scientific research, including with universities and research institutions; (d) educational publications; (e) marketing materials, including the publication of statistics on indoor environmental trends; and (f) licensing or disclosure to third-party recipients in categories such as building-systems, urban-planning, research, and standards-setting. The current list of recipient categories and (where applicable) named recipients is maintained at terrestream.com/legal/aggregate-licensees. Health-adjacent inferences (mold-risk indicators, respiratory-irritant indicators, and similar outputs) derived from a Washington-resident’s Personal Information are excluded from §P6.3(f) (licensing or disclosure) consistent with the no-sale commitment in §P2.2 under the Washington My Health My Data Act. Aggregate Data derived from Devices deployed in (i) educational or daycare settings, (ii) healthcare or patient-care settings, (iii) employee-only areas of a workplace, (iv) tenant dwelling units in a multi-unit residential building, or (v) real-estate showings of an occupied home is also excluded from §P6.3(f) unless separately authorized in writing by the account holder.

The license granted to Terrestream to create, use, license, and sell Aggregate Data and Deidentified Data, as set out in T&C §18.2, is perpetual, irrevocable, worldwide, and royalty-free, and survives termination of the account, deletion of Personal Information, and termination of any subscription. Retention is per §P11.

P6.4 AI Training Data Sources

Terrestream trains AI models that produce AI Outputs using the following data sources only:

Aggregate Data and Deidentified Data derived from Telemetry Data under §P6.1 and §P6.2;
public reference datasets, including outdoor air-quality data published by the US Environmental Protection Agency and weather data from public providers; and
synthetic data generated by Terrestream.

Terrestream does not train its production AI models on the raw Personal Information of identified Users without Your express opt-in consent obtained through a separate, purpose-specific notice that identifies the data used, the model being trained, the categories of recipients, and the duration of processing (as required by Quebec Law 25 § 12 for Quebec residents and as a matter of policy elsewhere). Absent such consent, the data sources listed above, Aggregate Data and Deidentified Data, public reference datasets, and synthetic data, are the only training inputs for production AI Outputs.

P6.5 Automated decision-making notice

AI Outputs are advisory environmental telemetry only. Terrestream does not use AI Outputs to make decisions that produce legal or similarly significant effects about You under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Oregon Consumer Privacy Act, or Quebec Law 25 Article 12.1, and the Free Tier and Pro Subscription operate identically with respect to automated decision-making. Any operational, health, or occupancy decision made after viewing the data is the sole, independent action of the user. AI Outputs must not be relied on for decisions that would ordinarily require professional judgment or certified instrumentation; T&C §5 governs in detail.

Quebec Law 25 § 12.1. If Terrestream uses Personal Information to render a decision based exclusively on automated processing, you have the right to be informed of the Personal Information used and the principal factors and parameters that led to the decision, and to submit observations for review by Terrestream personnel. Terrestream does not use AI Outputs to render such decisions. Exercise rights per §P7. The Quebec § 17 cross-border assessment is summarized at §P8.

State profiling rights. Colorado residents under CPA § 6-1-1306, Connecticut residents under CTDPA § 42-518, and Oregon residents under OCPA § 646A.572 may opt out of profiling in furtherance of decisions producing legal or similarly significant effects. Terrestream processes member-specific inferences for the Pro Subscription features identified in T&C §8.8 (for example, Wellbeing lens and Sleep-stage IAQ correlation), which may constitute “profiling” under those statutes; however, as stated above, Terrestream does not use those inferences to make decisions producing legal or similarly significant effects about You. You may opt out by contacting the Privacy Officer or through the self-service portal in §P7.2; opting out disables the affected AI Output features but will not affect core monitoring functionality.

P6.6 Model updates

Terrestream documents material AI model versions and material changes at terrestream.com/legal/ai-models (Appendix G). For material changes, Terrestream provides in-app notification.

P6.7 Third-party LLM inference and prompt-content minimization

Some AI Outputs are produced by calling third-party large-language-model (“ LLM ”) API providers at inference time, including without limitation the natural-language phrasing of Discovery cards (§P6.6) and the generation of annual climate letters and multi-year Wrapped narratives. The set of LLM providers Terrestream may use is maintained at terrestream.com/legal/sub-processors; each LLM provider is bound by a written data-processing agreement under §P5.2, and Terrestream verifies that each provider’s no-training-by-default opt-out is configured at the account level before that provider is placed in production.

Prompt-content minimization. The content sent to an LLM provider at inference time is deidentified under §P6.2 and additionally minimized at the prompt boundary as follows:

Direct identifiers stripped. Account email, account holder name, account or Device serial identifier, full street address, full Canadian postal code (LDU level), precise GPS coordinates, and any payment-instrument metadata are not included in the prompt.
Location coarsened. Where location is included in the prompt at all, it is coarsened to city or municipality plus, where useful, US 5-digit ZIP code or Canadian Forward Sortation Area (FSA, first three characters of the postal code). Full Canadian postal codes (LDU level), precise GPS coordinates, and street-level addresses are not sent.
Timing aggregated. Where timing is included in the prompt, it appears as an aggregate (annual, monthly, weekly, day-of-week pattern, or time-of-day pattern), not as a per-minute timestamp.
Distinctive-pattern review. The prompt-generation pipeline applies cell-size suppression at the population unit defined by the coarsened geography, and the prompt-template registry is reviewed at design time so that no prompt carries a pattern that, in combination with the coarsened geography, plausibly singles out a single household.

The four rules above are operationalized in a documented internal runbook owned by the Privacy Officer (§P12.2), reviewed annually and on material change. The runbook is producible on request to the Commission d’accès à l’information du Québec and to other competent privacy regulators as evidence of these commitments.

The content sent to an LLM provider under this §P6.7 is deidentified for practical purposes, not anonymized: the structured inputs to a prompt are derived from a User’s Telemetry Data and remain theoretically re-linkable if combined with Terrestream’s production database. The LLM provider, however, does not have access to Terrestream’s production database and is contractually prohibited from re-identification under §P5.2. This §P6.7 supplements §P6.4 (training inputs); the two sections together cover both the training of Aerodyne’s in-house AI models and the inference-time use of third-party LLM APIs.

§P7. Your Privacy Rights

Non-discrimination commitment. You have the right not to be treated in a discriminatory way or to receive a lesser degree of service from Terrestream for exercising any privacy right under this Policy, except where Terrestream is permitted to vary service based on Your tier selection (Free Tier vs. Pro Subscription) as described in T&C §8, or where applicable law permits the differentiation.

P7.1 Rights by jurisdiction

Uniform U.S. baseline. Terrestream extends the full set of Data Subject Rights listed below, know/access, delete, correct, portability, opt-out of sale/share/targeted advertising, limit use of Sensitive Personal Information, opt-out of profiling, non-discrimination, and appeal of a denied request, to all United States residents, regardless of the state in which You reside, and regardless of whether Your state has enacted a comprehensive consumer privacy law that grants the specific right. This baseline does not displace any stronger rights granted by the law of Your state.

Canadian Users have the rights provided by PIPEDA, Quebec Law 25, the British Columbia Personal Information Protection Act, and the Alberta Personal Information Protection Act, as applicable; the provincial-rights framework is preserved as enacted and is not displaced by the U.S. baseline above.

The table below lists the statutory source of each right by jurisdiction. Where Terrestream does not engage in the underlying activity (for example, sale, sharing, or targeted advertising), the right is preserved but inapplicable in practice.

Right	Jurisdictions
Know / access	CA, VA, CO, CT, UT, TX, OR, WA (MHMDA), federal Canada (PIPEDA), Quebec (Law 25), BC (PIPA), Alberta (PIPA)
Delete	All of the above
Correct	CA, VA, CO, CT, TX, OR, Quebec, federal Canada (challenge accuracy)
Portability	CA, VA, CO, CT, OR, Quebec (Law 25 §27)
Opt out of sale / sharing / targeted advertising	CA, VA, CO, CT, TX, OR (Terrestream does not sell or share, N/A in practice)
Limit use of SPI	CA, CT
Opt out of profiling / automated decisions	CA (limited), CO, CT, OR, Quebec (Law 25 §12.1)
Non-discrimination	CA, CO, CT
Appeal denied request	VA, CO, CT, TX, OR

The statutes recognized include the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”); the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.; the Colorado Privacy Act, C.R.S. § 6-1-1301 et seq.; the Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq.; the Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq.; the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.001 et seq.; the Oregon Consumer Privacy Act, ORS § 646A.570 et seq.; the Washington My Health My Data Act, RCW ch. 19.373; the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”); the Act Respecting the Protection of Personal Information in the Private Sector, CQLR c. P-39.1 (the “LPRPSP”) (as amended notably by the Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25 (“Law 25”)); and the British Columbia and Alberta Personal Information Protection Acts (“BC PIPA” and “Alberta PIPA”).

P7.2 How to exercise

You may submit a privacy request through any of these channels:

Self-service privacy portal, terrestream.com/privacy/data. The portal handles access, deletion, correction, portability, and SPI-limit requests. Identity verification happens automatically through Your authenticated account session. Request status, expected completion date, and any data export are returned through the portal. Available in English and French.
Web form: terrestream.com/contact?dept=privacy. Use this channel if You cannot access Your account or prefer email. Identity verification may require additional documentation; see §P7.3.
Postal mail. Aerodyne Inc., Attn: Privacy Officer, 8 The Green, Ste A, Dover, DE 19901, USA.
Authorized agent or Quebec representative. See §P7.3.

The portal is the fastest path; email, mail, and authorized-agent channels are equivalent for legal purposes.

P7.3 Verification, timing, and agents

Identity verification. Terrestream will verify Your identity before responding. The standard is risk-based and proportionate to the sensitivity of the data and the nature of the request. Deletion requests, requests involving Sensitive Personal Information, and requests for specific pieces of Personal Information require additional verification.

Response timing. Terrestream targets initial acknowledgment of substantive requests within seven (7) business days. The statutory response windows that apply to the substantive response are: for United States requests, forty-five (45) days, extendable once by an additional forty-five (45) days where reasonably necessary, with notice to You; for Canadian requests under PIPEDA and Quebec requests under Law 25, thirty (30) days. The first request in any twelve (12)-month period is free; Terrestream may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests, as permitted by law.

Authorized agents (California). You may designate an authorized agent. The agent must provide written authorization signed by You, submit to identity verification, and provide a signed declaration of authority, in accordance with CCPA Regulations § 7063.

Quebec representative. Where required, Terrestream will identify a representative for Quebec residents per Law 25 § 32.

Family Circle requests. Family Circle members under T&C §8.8 may submit individual privacy requests on their own behalf. Where multiple members of the same Family Circle each submit a request, Terrestream responds to each independently; the account owner’s request controls only the owner’s Personal Information and does not extend to the Personal Information of other Family Circle members. The owner’s separate rights as account holder include the ability to remove a Family Circle member under T&C §8.8 and to delete the account under T&C §20.2.

P7.4 Appeal

If Terrestream denies Your request in whole or in part, You may appeal that decision. Terrestream will provide a written response describing its decision and the reasoning behind it. If You remain dissatisfied, You may complain to the applicable regulator (see §P12.3).

P7.5 Limits

Your rights are subject to statutory exceptions, including those preserving Terrestream’s ability to comply with legal obligations, prevent fraud, protect security, complete transactions reasonably anticipated by You, exercise or defend legal claims, or serve a compelling public interest.

Aggregate Data and Deidentified Data processed under §P6 are not subject to access, correction, deletion, or portability once safeguarded. Once deidentified to the standards in §P6, Terrestream cannot reasonably re-identify the data to Your account, and the law treats it as outside the scope of the rights above.

§P8. Quebec, PIPEDA, and Provincial Disclosures

P8.1 Designated Privacy Officer

Terrestream has designated a Privacy Officer accountable for privacy compliance under Law 25 § 3.1, PIPEDA Principle 1 (Accountability), and equivalent obligations. Designation, contact details, and scope of authority are at §P1.2. The Privacy Officer is the point of contact for inquiries, Data Subject Rights requests under §P7, and complaints under §P12.3.

P8.2 Quebec Law 25

Quebec residents enjoy the protections of Law 25 in addition to those described elsewhere in this Privacy Policy. The following disclosures address Law 25 specifically.

Granular purposes and consent (Law 25 arts. 8 and 14). Terrestream identifies the specific purposes for which Personal Information is collected, used, or communicated, and obtains consent at the appropriate level of granularity. Consent is sought separately, in clear terms, for each purpose not necessary to operate the Services. In accordance with art. 14 of the Act respecting the protection of personal information in the private sector, consent must be clear, free, informed, and given for specific purposes.

Cross-border transfer assessment (Law 25 § 17). Personal Information about Quebec residents is transferred to and processed in the United States. Terrestream has conducted the privacy impact assessment required by Law 25 § 17, considering sensitivity, purposes, protective measures (including contractual safeguards), and the legal regime in the destination jurisdiction. Documented safeguards are at §P5.3.

Automated decision-making (Law 25 § 12.1). Terrestream’s position, including the right to be informed of the Personal Information used and the principal factors that led to an AI Output, is at §P6.5. You may exercise this right through the channels in §P7.2.

Retention and destruction (Law 25 § 23). Retention and destruction practices are at §P11.

Confidentiality incident notification (Law 25 § 3.5). If a confidentiality incident presents a risk of serious injury, Terrestream will promptly notify the Commission d’accès à l’information du Québec (“CAI”) and affected individuals, take reasonable measures to reduce risk and prevent recurrence, and record the incident in an internal incident register.

Privacy impact assessments (Law 25 § 3.3). Terrestream conducts privacy impact assessments before deploying new technologies that involve Personal Information, before launching new AI Outputs, and before transferring Personal Information outside Quebec.

P8.3 PIPEDA and provincial compliance

For Users elsewhere in Canada, Terrestream applies the ten PIPEDA fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure, and retention, accuracy, safeguards, openness, individual access, and challenging compliance.

Form of consent. Terrestream obtains express consent for sensitive uses, including precise geolocation, health-adjacent inferences, and commercial electronic messages under the Canadian Anti-Spam Legislation, S.C. 2010, c. 23 (“CASL”). For routine processing expected as part of the Services (for example, transmitting Telemetry Data in Connected Mode ), Terrestream relies on implied consent, consistent with PIPEDA guidance.

Withdrawal of consent. You may withdraw consent at any time, subject to legal or contractual restrictions and on reasonable notice, by contacting terrestream.com/contact?dept=privacy. Withdrawal may affect the Services; for example, withdrawing consent to processing of Telemetry Data will cause the Device to revert to Standalone Mode.

Data minimization. Terrestream limits collection to what is necessary for the purposes in §P4 and does not retain Personal Information longer than necessary (see §P11).

Provincial laws. BC PIPA and Alberta PIPA apply to Users in those provinces and substantially correspond to PIPEDA. Provincial complaint paths are at §P12.3.

§P9. Children’s Privacy

The Services are not directed to, or intended for use by, children under thirteen (13) in the United States, under fourteen (14) in Quebec (art. 14 of the Quebec Act respecting the protection of personal information in the private sector ), or under the applicable provincial age of digital consent in other Canadian provinces.

Account eligibility. Account creation requires affirmative attestation that You are at least eighteen (18) years old (or the local age of majority, whichever is higher), consistent with T&C §2.2.

No knowing collection. Terrestream does not knowingly collect Personal Information from children. If Terrestream becomes aware that Personal Information has been collected from a child without verifiable parental consent, Terrestream will promptly delete that information.

Devices in environments with children. The Device may be deployed in homes, classrooms, daycare facilities, and similar environments where children are present. In those settings the account holder is the User for purposes of this Privacy Policy. The Device measures environmental conditions of the physical space; it does not collect Personal Information that is identifiable to any specific child occupant. The Device has no microphone or camera, as confirmed in §P2.1.

Family Circle minors. When an account owner adds a Family Circle member under the age of majority through the Pro Subscription feature described in T&C §8.8, the account owner represents that the member is at least thirteen (13) years old (fourteen (14) years in Quebec, art. 14 LPRPSP) and that the owner is the parent or legal guardian or has obtained parental consent for the member to be added. Terrestream does not collect Personal Information directly from Family Circle members beyond the account information the owner provides and the home-level Telemetry the account already generates. Member-specific Pro features (Wellbeing lens, Sleep-stage IAQ correlation) are scoped to the member who configured them and are not exposed to other Family Circle members. Children under thirteen (13) (under fourteen (14) in Quebec) cannot be added to Family Circle; if Terrestream becomes aware that a Family Circle member is under this age, Terrestream will remove that member’s access promptly and delete any Personal Information collected about that child.

Schools and educational deployments. Educational institutions deploying the Device must independently comply with child-privacy, student-record, and education privacy laws that apply to their use. Institutions should be aware that occupancy estimates and AI Outputs, if combined with class schedules or student records, could enable indirect identification of students, and the institution must assess and mitigate that risk. Institutions requiring tailored data processing arrangements should contact terrestream.com/contact?dept=privacy.

Parental review and deletion. A parent or legal guardian who believes that a child has provided Personal Information to Terrestream may contact terrestream.com/contact?dept=privacy to review and request deletion of that information. Terrestream will respond as set out in §P7.3.

§P10. Security and Breach Notification

P10.1 Technical and organizational measures

Terrestream maintains a written information security program designed to provide controls appropriate to the sensitivity of Personal Information processed. The program is designed to include controls such as:

Encryption in transit designed to provide TLS 1.2 or higher between the Device, Mobile App, Web Dashboard, and Terrestream’s cloud;
Encryption at rest designed to provide AES-256 or equivalent for Personal Information in Terrestream’s cloud and in Sub-Processor storage where Personal Information is held on Terrestream’s behalf;
Access controls based on role-based access control and least-privilege principles, with multi-factor authentication for administrative access;
Logging, monitoring, and intrusion-detection capabilities across production systems;
Periodic penetration testing and vulnerability scanning by qualified testers; and
Secure-software-development-lifecycle practices such as code review, dependency scanning, and pre-release security testing.

The specific implementation of each control evolves as part of the program; the current configuration is documented internally and is subject to periodic review.

P10.2 Vendor diligence

Terrestream conducts a security review of each Service Provider and Sub-Processor before onboarding and re-reviews critical providers periodically. Diligence considers technical safeguards, contractual commitments, certifications, incident history, and jurisdiction.

P10.3 Breach notification commitments

Terrestream will provide notice of confidentiality incidents and security breaches affecting Personal Information in accordance with applicable law. This includes:

United States state breach notification laws. Terrestream notifies affected individuals and applicable regulators as required by applicable state law. Statutory notification periods run from the date Terrestream confirms a reportable confidentiality incident has occurred, subject to the good-faith reasonable necessities of investigation contemplated by Cal. Civ. Code § 1798.82(a) and analogous state statutes.
Healthcare privacy. Terrestream is not a healthcare provider, health plan, healthcare clearinghouse, or business associate merely by providing the consumer Device and Services, and the Device is not a regulated medical device.
PIPEDA. Where a breach of security safeguards creates a real risk of significant harm, Terrestream will report to the Office of the Privacy Commissioner of Canada and notify affected individuals “as soon as feasible,” and will maintain records of breaches as required by PIPEDA.
Quebec Law 25 § 3.5. Where a confidentiality incident presents a risk of serious injury, Terrestream will notify the CAI and affected individuals promptly and will record the incident in its internal incident register (see §P8.2).
British Columbia and Alberta. Terrestream will provide notice as required by BC PIPA and Alberta PIPA (which mandates notice to the Alberta Information and Privacy Commissioner where there is a real risk of significant harm).

P10.4 Disclaimer

No method of electronic transmission or storage is one hundred percent secure. Terrestream’s obligation is one of commercial reasonableness, not absolute security (see T&C §18.4). Terrestream cannot guarantee that unauthorized third parties will never defeat its measures.

§P11. Data Retention

Terrestream retains Personal Information only for as long as necessary for the purposes identified in §P4 and for the periods set out below. On expiry, Personal Information is: (i) deleted; (ii) deidentified in accordance with §P6 and art. 12 LPRPSP (in which case the information remains subject to the law); or (iii) anonymized under a process compliant with art. 23 LPRPSP and the Regulation respecting the anonymization of personal information (in force May 30, 2024; once anonymized, the information ceases to be subject to the law).

Category	Retention
Account and identifier data (account profile, identifiers, customer records)	Duration of the account + 12 months; longer where a legal hold, tax-record requirement, or statutory minimum applies
Telemetry Data	Processed while the account is active in either the Free Tier or the Pro Subscription. On account deletion or cessation of Cloud Services under T&C §8.7, retained for thirty (30) days from the deletion or cessation date for download/export, then removed from active Cloud Services and permanently deleted from encrypted backups as backup rotations cycle through. Aggregate Data derived under §P6 survives this deletion.
Aggregate / Deidentified Data	Indefinite
Payment / billing records	7 years
Marketing consent records (CASL)	3 years from withdrawal
Support tickets and logs	24 months
Security logs	12 to 24 months
Encrypted backups	30 to 90 day rotation
Account deletion request fulfillment	Substantive response and removal from active Cloud Services within the statutory window in §P7.3 (45 days for U.S. requests, 30 days for Canadian/Quebec requests); residual deletion from encrypted backups completes within ninety (90) days as backup rotations cycle through; legal-hold or statutory-retention exceptions apply where required by law.
Legal hold	Override, retained until resolved

Deletion requests are reflected in subsequent backup rotation cycles. Statutory minimums (for example, tax recordkeeping) and legal holds override the table above to the extent required by law.

Why Telemetry Data is retained for the account lifetime. Long-horizon Telemetry Data is required to deliver core product features: the annual climate letter and hot-day counter; the Pro Subscription’s “Air Ghosts” multi-year replay and annual Wrapped; cross-season anomaly detection that tells You when this year’s indoor air differs from prior years; seasonal calibration of the deterministic recommender; and the Free Tier’s rolling 90-day history. Retaining Telemetry Data only for short periods would degrade or remove these features. The thirty (30) day post-deletion download window provides time to export Your data before removal from active Cloud Services; full backup-purge completes within ninety (90) days as backup rotations cycle through. Thereafter the Telemetry Data is permanently deleted and only Aggregate Data derived under §P6 survives.

Deceased Users. Personal Information of deceased account holders is handled per T&C §20.2. Surviving spouses, executors, and authorized estate administrators may submit requests through terrestream.com/contact?dept=privacy or the self-service portal in §P7.2 with the documentation required by §20.2. Quebec residents are subject to Articles 40.1 and 122 of the Civil Code of Québec.

§P12. Changes and Contact

P12.1 Changes to this Policy

The current Privacy Policy is published at terrestream.com/legal/privacy. Prior versions are archived at terrestream.com/legal/archive.

Material changes: including new categories of Personal Information, new cross-border Sub-Processors, changes to Your rights, or expansion of permitted uses, take effect no earlier than thirty (30) days after notice. Notice is delivered by email to the address associated with Your account, by in-app notification, and by banner on the Web Dashboard. Non-material changes take effect on posting with an updated effective date.

Where a change introduces processing that exceeds the scope of Your original consent, Terrestream will request renewed consent before that processing begins, as required by Law 25 and PIPEDA.

P12.2 Privacy Officer contact

The Privacy Officer’s contact details are set out in §P1.2. Primary channels for privacy requests are listed in §P7.2.

P12.3 Right to complain

You may complain to the regulator with jurisdiction over Your Personal Information without first contacting Terrestream, although Terrestream encourages You to raise concerns with the Privacy Officer first so they may be addressed directly.

United States. California Privacy Protection Agency (“CPPA”), state attorneys general, and the Federal Trade Commission.
Canada (federal). Office of the Privacy Commissioner of Canada, priv.gc.ca, 1-800-282-1376.
Quebec. Commission d’accès à l’information du Québec, cai.gouv.qc.ca.
British Columbia. Office of the Information and Privacy Commissioner for British Columbia.
Alberta. Office of the Information and Privacy Commissioner of Alberta.

P12.4 Internal escalation

If You are dissatisfied with the Privacy Officer’s response, You may request escalation by submitting terrestream.com/contact?dept=privacy with the subject “Privacy Escalation.” A senior officer of Aerodyne Inc. not involved in the initial decision will review and provide a written response.