Last updated · May 15, 2026
Privacy Policy
Aviato Media Server is designed to run on your hardware and stay there. This page explains what data it handles, what reaches Ato, and how we treat it.
Who we are
Aviato Media Server, the official Aviato apps, the aviato.media website, and the Aviato Afterburner subscription service are built and operated by Ato LLC, a New Hampshire limited liability company. References to “Ato” below mean Ato LLC.
Scope
This policy applies to the Aviato Media Server software, the official Aviato mobile and web apps, the Aviato plugin marketplace, the Aviato Afterburner subscription service, and the aviato.media website. References to “Aviato” below cover all of these.
Default behavior
By default, Aviato Media Server does not collect, transmit, or share information about your server, library, or activity:
- Aviato Media Server includes no telemetry, no analytics SDKs, and no background “phone home” mechanisms.
- Library content, playback history, watch state, and the local Aviato users you create on your server remain on your server. Ato has no access to them.
- The official Aviato mobile and web apps connect to your server, not to Ato. They do not include third-party analytics or advertising identifiers.
- The aviato.media website includes no advertising pixels, cross-site trackers, or third-party analytics SDKs. The privacy-respecting analytics it does use are described below.
Website analytics
The aviato.media website uses a self-hosted instance of Umami, an open-source, privacy-focused analytics tool, to understand aggregate traffic. Analytics data stays on Ato-operated infrastructure and is not sent to any third party. The setup is cookieless, sets no client-side identifiers, does not store IP addresses (used transiently to derive country, then discarded), and records only page, referrer, browser and OS family, screen size, and country. None of this is tied to an identity, shared with advertisers, or used for profiling.
Because the integration is server-side and loads no tracking script, client-side blockers cannot filter it. To opt out, enable “Do Not Track” (DNT) in your browser. aviato.media honors DNT and will not record visits when it is present. The Aviato apps and server software include no analytics SDK.
Cookies
The aviato.media website does not set cookies. The Aviato Tower dashboard at tower.aviato.media, where Afterburner subscriptions are purchased and managed, uses cookies that are strictly necessary to keep you signed in to your account. No advertising, cross-site tracking, or third-party analytics cookies are set on either site.
Crash reports (opt-in)
Crash reporting is disabled by default. When you enable it, Aviato transmits an error report to Ato when it encounters an unexpected error. A report contains:
- A randomly generated server identifier so related errors can be correlated. The identifier is generated locally and cannot be used to identify you.
- Stack traces and surrounding error context.
- The names of plugins, libraries, and (when relevant) the specific library item being processed when the error occurred.
- The Aviato version.
Crash reports do not include your IP address or other personally identifying information. Library item names may include the titles of media in your library; if this is a concern, leave crash reporting disabled.
Plugin marketplace
Each plugin install is recorded as a single increment to that plugin’s aggregate install counter. Ato does not record who installed a plugin, does not maintain per-server install histories, and does not link installs across plugins or sessions.
Like any internet service, the marketplace endpoint observes the source IP of the install request at the network level for the duration of that request. Ato does not store these IP addresses and does not use them for analytics or profiling.
Aviato Afterburner
Aviato Afterburner is a licensed software subscription, sold on a monthly or annual basis. It unlocks paid features of the Aviato Media Server software you run on your own hardware, and it also makes a small number of optional cloud services operated by Ato available to your server. Each cloud service is off by default and transmits data to Ato only after you enable it from your server’s settings.
Subscribing requires creating an Aviato Tower account. Apart from the optional cloud features described below (such as Dynamic DNS), this is the only context in which Aviato collects information that directly identifies you. Ato collects only what is needed to administer the subscription:
- Name and email address, used to issue licenses, deliver receipts, and respond to billing inquiries.
- Subscription and license records, including billing cadence, renewal status, and the servers on which each license has been activated. These records are used to administer billing and to enforce per-server licensing.
Payments
Payment information (including the card or other payment method retained for recurring billing) is collected and stored by a PCI-compliant third-party payment processor, not by Ato. The processor’s privacy notice will be linked at checkout and governs its handling of that information.
Avia.to Dynamic DNS (opt-in)
Avia.to Dynamic DNS is an optional Afterburner cloud service that publishes a stable hostname on the avia.to domain pointing at your server’s current public IP, so you can reach your server by name as your home or office IP changes. The feature is disabled by default and is only used when you turn it on for a server.
While enabled, your Aviato Media Server periodically reports its current public (WAN) IP to Ato so that the avia.to DNS record can be updated. The avia.to records are served by AWS Route 53 on Ato’s behalf. Ato uses your reported IP solely to provide the dynamic DNS service, stores only the current active IP for your server (not a history of past IPs), and overwrites it with each new report.
If a server stops reporting in for an extended period, its active IP is scrubbed from Ato’s records and its avia.to hostname stops resolving until the server comes back online and checks in again. Disabling the feature, or deleting the hostname from your account, removes the active IP from Ato’s records.
How Ato shares data
Ato does not sell personal data and does not share personal data for advertising, marketing, or profiling.
Ato shares limited data with vendors that operate parts of the Afterburner service on Ato’s behalf (currently cloud hosting, payment processing, transactional email, and authoritative DNS via AWS Route 53), under contracts that restrict those vendors to providing the service to Ato.
Ato may disclose information when legally required to do so, including in response to a valid subpoena, court order, or other legal process. Where permitted, Ato will notify the affected account holder and will resist overbroad or improper requests.
Retention and security
Data sent to Ato is stored on infrastructure operated by Ato or by the vendors described above, encrypted in transit (TLS) and at rest, and is processed in the United States. Access is limited to Ato personnel and authorized vendor personnel who require it.
Retention windows:
- Crash reports: up to 90 days, then deleted.
- Plugin marketplace install counters: aggregated; raw events are not retained.
- Avia.to Dynamic DNS records: only the current active IP is stored per server, with no history. Inactive servers are scrubbed after a period of no check-ins and re-populated when they come back online.
- Afterburner account and license records: retained while your account is active and for up to seven years after closure to satisfy tax and accounting record-keeping obligations, then deleted.
Your rights
If you have an Aviato Tower account, you may:
- Request a copy of the personal data Ato holds about you.
- Ask Ato to correct inaccurate personal data.
- Ask Ato to close your account and delete the personal data tied to it, subject to retention obligations under applicable tax, accounting, or other law.
- Opt out of non-essential email.
To exercise these rights, email legal@ato.software. Ato responds within 30 days.
If you reside in the European Economic Area, the United Kingdom, or California, the rights granted to you by the GDPR or the CCPA apply to your interactions with Ato regardless of where Ato is based.
Children’s privacy
Aviato is not directed at children under 13 (or under 16 in the European Economic Area and the United Kingdom), and Ato does not knowingly collect personal data from them. If you believe a child has provided Ato with personal data, email legal@ato.software and Ato will delete it.
Changes to this policy
Ato may update this policy from time to time. The “Last updated” date above will reflect any change. Material changes will, where reasonable, be communicated to Afterburner subscribers by email or through the Aviato apps. Continued use of Aviato after a change becomes effective constitutes acceptance of the updated policy.
Contact
Privacy questions and requests: legal@ato.software.