
Privacy Policy

Datenschutzerklärung — Last updated: 11 June 2026

1. Controller / Verantwortlicher

Aurora AI Solutions Studio UG (haftungsbeschränkt)

Friedhofstr. 10, 70191 Stuttgart, Germany

Email: info@helloaurora.ai

Phone: +49 172 9557922

Data Protection Contact: Sasa Stanojevic — privacy@helloaurora.ai

2. Overview

Aurora AI Solutions Studio UG ("Aurora," "we," "us") operates Aurora CapacityOS under the domain helloaurora.ai — a managed service in which software agents perform operational work for service firms under human approval. This privacy policy applies to Aurora CapacityOS, the Aurora company website, and the legacy products VeritasX and AgentForge (retained data only; no longer offered). For continuity: the Campaign Desk and Retention Desk of Aurora CapacityOS (formerly offered as ContentPulse and ClientPulse) continue the processing previously described for those products; the descriptions in this policy apply to them under their new names.

In Aurora CapacityOS, agents work with data from the customer's own systems and — where an end-client grants delegated access (manager or partner account links, user roles, OAuth) — from the end-client's systems, always for the purpose of performing the operations the customer has contracted, with human approval gates on outward actions and evidence logs of what was done.

We process personal data in compliance with the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TMG/TTDSG).

3. What Data We Collect

3.1 Account Data

When you create an account, we collect: email address, hashed password (via Supabase Auth), and account creation timestamp. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.2 Usage Data

We track: number of analyses and agent runs performed (for usage enforcement), which features you use, and timestamps of usage. Legal basis: Art. 6(1)(b) GDPR — necessary for service delivery and usage enforcement.

3.3 Content You Submit

When you use our AI-powered tools, we process the text content you submit (e.g., source articles, transcripts, posts, threads, client communications). This content is sent to AI providers (Anthropic, OpenAI, Google, and — for legacy VeritasX usage — xAI) for analysis or generation. We store the inputs, generated outputs, and rewrite history in our database so you can review, edit, re-run, and export your work. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.4 Payment Data

Payment processing is handled entirely by Stripe (once billing is enabled). We do not store credit card numbers or bank account details. We receive from Stripe: engagement/billing status, customer ID, and payment timestamps. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.5 Connected & Delegated Accounts (publishing, advertising, workspace systems)

Aurora CapacityOS works inside systems that the customer — or the customer's end-client — connects via platform-native delegation: OAuth 2.0 connections, manager or partner account links, or user roles. No passwords are shared, every connection is attached to a specific client record, and the granting party can revoke it at any time. For publishing and social connections we receive, for example:

  • X (Twitter) OAuth 2.0 PKCE: username, display name, profile image URL, and an access/refresh token pair. Used for profile context, performance tracking (legacy VeritasX), and direct publishing of Campaign Desk-generated posts to the authenticated account.
  • LinkedIn OAuth 2.0: member ID, name, profile image URL, and an access token. Used solely to publish Campaign Desk-generated posts to the authenticated account. We do not read your feed or your connections.
  • WordPress (self-hosted or WordPress.com REST API): the site URL and Application Password / OAuth credential you supply. Used solely to publish Campaign Desk-generated posts as drafts or published articles on the site you authorise. We do not read posts, comments, users, or settings beyond what is required to create the new content.
  • Delegated advertising and analytics access (e.g. Google Ads, Meta, Google Analytics 4 — where granted): account identifiers, campaign and performance metrics, and the scope/permission level of the grant. These platforms remain the granting party's own accounts; Aurora accesses only what the grant covers, to perform the contracted operations, and outward changes (e.g. budget or campaign changes) pass a human approval gate first.

Tokens are stored encrypted at rest and are scoped to the minimum permissions required for the contracted work. You (or the granting end-client) can disconnect any integration at any time, which triggers token deletion within 30 days. Legal basis: Art. 6(1)(a) GDPR — explicit consent of the granting party; Art. 6(1)(b) GDPR — performance of the service contract.

3.6 Voice Profile Data (writing-style profiles / brand-voice engine)

If your workspace uses the Campaign Desk's brand-voice engine (or the legacy VeritasX Voice Fingerprint feature), we build a writing-style profile from content you submit or approve. The profile includes vocabulary patterns, tone preferences, hook styles, sentence structure, and platform-specific variants. It does not include biometric voice data (no audio voiceprints, no physiological identifiers); the term "voice" refers to writing style.

The profile is supported by three layers: (1) a style-guide summary, (2) performance-learning signals derived from your approvals, rejections, and edits, and (3) a pgvector retrieval-augmented generation (RAG) index of short stylistic samples ("voice_samples") stored in our EU Supabase database. Samples are text-only, scoped to your workspace by row-level security, and never shared across accounts. Legal basis: Art. 6(1)(b) GDPR — necessary for the personalised service you requested.

3.7 Server Logs

Our hosting providers automatically collect: IP address, browser type, referring URL, pages visited, and access timestamps. This data is used for security monitoring and abuse prevention. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security.

3.8 Agent Runs & AI Processing in Aurora CapacityOS

Aurora CapacityOS uses software agents that run named skills (e.g. draft a save playbook, prepare a campaign brief, build an ad-copy variant) using a Large Language Model (LLM). LLM processing runs under Aurora's own agreements with its model providers — currently Anthropic (primary) and OpenAI (fallback) — listed on our public Sub-processor list. Where a workspace has configured its own provider API key (a legacy bring-your-own-key option carried over from the earlier product line), those calls run directly under that key and the provider's own data-handling terms; the credential is stored encrypted (pgsodium ciphertext on profiles.operator_credential), decrypted just-in-time per invocation, and never persisted in plaintext.

What we store about agent runs:

  • Run metadata: for every skill invocation we record an audit row in operator_runs (skill id, skill version, started/finished timestamps, input signal reference, status, USD cost, output reference). We do not persist the raw prompt sent to the LLM provider or the raw completion returned, beyond the structured output the skill emits to its sink (e.g. a pitch row, a campaign brief, an email draft).
  • Approval and evidence logs: because outward actions require human approval, we record the approval decision (who approved or rejected, when, and what was approved) and the supporting evidence shown to the reviewer. These logs are part of the contracted service and are available to the customer.
  • Spend tracking: we sum per-run costs against our own audit rows to enforce any configured monthly spend cap.

When an agent skill calls an LLM, the contents of the prompt (which may include client names, recent signal context, voice-profile snippets) are transmitted to that provider under the applicable data-handling terms — see the provider DPA links in §4 and on our public Sub-processor list. Legal basis: Art. 6(1)(b) GDPR — performance of the contracted service.

3.9 AI-Disclosure Banner (Article 50 EU AI Act)

Because the agents in Aurora CapacityOS are AI systems that interact directly with natural persons, Article 50(1) of the EU AI Act (Regulation (EU) 2024/1689) requires us to disclose this clearly. Agent surfaces in Aurora CapacityOS display a persistent notice that you are interacting with an AI system and that output may need human review before use. No agent output is auto-sent to a client without explicit human approval (see §6/§6a/§6b on approval gates).

3.10 Signals Pipeline (Campaign Desk ↔ Retention Desk)

The Campaign Desk and Retention Desk of Aurora CapacityOS share a unified signals pipeline covering 20+ signal kinds — including client_amber/red transitions, renewal_window_60d/30d/14d, payment_cadence_drift, save_play_in_flight, pitch_expansion_opp, ad_burn_no_results, and others. Signals are produced by signal generators in one desk and consumed by skill subscribers in the other; they remain inside your Aurora workspace (Supabase EU Frankfurt) under row-level security and are never shared across accounts. A complete list of current signal kinds and consumers is available on request from privacy@helloaurora.ai.

4. Data Processors & Third-Party Services

We use the following third-party services to operate our products. All US-based processors either participate in the EU-US Data Privacy Framework (DPF) or are bound by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Service | Purpose | Location | Products
Supabase Inc. | Database, authentication, row-level security | EU (AWS eu-central-1, Frankfurt) | Aurora CapacityOS, VeritasX (legacy)
Supabase Inc. | Database, authentication, row-level security | US (AWS us-east-2) | AgentForge
Vercel Inc. | Web hosting, edge functions, CDN | Compute: Frankfurt (fra1) for Aurora CapacityOS and legacy VeritasX. Compute: Washington DC (iad1) for AgentForge. CDN edge: globally distributed via Vercel's anycast network. | All Products
Cloudflare Inc. | DNS, DDoS protection, email routing | US (Global) | All Products
Resend Inc. | Transactional email delivery (signup confirmations, password resets, account notifications). Sub-processor: Amazon Web Services EMEA SARL (EU operator of SES). | EU (AWS eu-west-1, Ireland) | All Products
Anthropic PBC | AI analysis, content generation (Claude API) | US | All Products
Stripe Inc. | Payment processing, billing, invoicing (once billing is enabled) | US | Aurora CapacityOS, VeritasX (legacy)
xAI Corp. | Bot detection (Grok API), X OAuth | US | VeritasX
OpenAI Inc. | LLM processing (fallback provider); text embeddings (text-embedding-3-small); audio transcription via Whisper (Retention Desk meeting recordings uploaded for transcription) | US | Aurora CapacityOS
AssemblyAI, Inc. | Speech-to-text transcription of user-uploaded podcast/video audio files for Campaign Desk content repurposing (legacy fallback). Per AssemblyAI's API terms as of April 2026, uploaded audio and transcripts are not used to train their models. | US | Aurora CapacityOS
Inngest, Inc. | Background job orchestration (transcription dispatch, multi-stage content generation pipeline, scheduled publishing, learning-loop rebuilds, signal-fanout, agent skill runs). Jobs carry content IDs and generation context; the underlying content remains in our Supabase EU database. | US | Aurora CapacityOS
Sentry (Functional Software, Inc.) | Error monitoring and application performance tracing. Captures stack traces, request context, and breadcrumbs; configured to scrub user-input fields and authentication headers before transmission. | US (SCCs) | Aurora CapacityOS
Google LLC — Gemini API | Legacy bring-your-own-key model option (Gemini family). Used only where a workspace has configured Google as its own LLM provider. Prompts and completions are exchanged directly under the customer's own API key, per Google's API terms; Aurora retains only run metadata, not raw prompts/responses. | US (DPF-certified) | Aurora CapacityOS
Deepgram, Inc. | Primary speech-to-text transcription for user-uploaded podcast/video audio files (Campaign Desk). Per Deepgram's API terms, uploaded audio is not used to train their models. | US (SCCs) | Aurora CapacityOS
LinkedIn Corporation | LinkedIn OAuth 2.0 authentication; REST Publishing API (post Campaign Desk-generated content to the authenticated LinkedIn account on your instruction). | US (DPF-certified) | Aurora CapacityOS
WordPress sites (your chosen destinations) | When you connect a WordPress site for direct publishing, the site operator acts as an independent controller for content you publish. Aurora CapacityOS transmits generated posts to the site URL and credentials you provide. | Site-operator-dependent | Aurora CapacityOS
Google LLC | Google OAuth 2.0 authentication; Gmail API (read/analyze inbound & outbound client communications where the user grants read access); Google Calendar API (read/sync events for meeting intelligence and client context); delegated Google Workspace / Google Ads / Analytics access where the customer or their end-client grants it. Only authorized accounts and scopes are accessed; scopes are minimised and revocable at any time. | US (DPF-certified) | Aurora CapacityOS
Zoom Video Communications, Inc. | Zoom OAuth 2.0 authentication; Recordings & Transcripts APIs (retrieve cloud recordings and meeting metadata for Meeting Intelligence). Access is limited to meetings the authenticated user participates in and can be revoked at any time. | US (DPF-certified) | Aurora CapacityOS
X Corp. (Twitter) | OAuth 2.0 authentication, user profile data | US | VeritasX
Railway Corp. | Backend API hosting (FastAPI) | US | AgentForge
Langfuse GmbH | AI observability, tracing | EU (Berlin) | AgentForge
GitHub Inc. | Source code hosting, CI/CD | US | All Products
Calendly LLC | Appointment scheduling for Aurora KI-Beratung consulting calls. Calendly receives name, email, selected time slot, timezone, optional invitee notes, and technical metadata when a visitor books a call via a Calendly-embedded widget or page on helloaurora.ai/consulting. A DPA is in place via Calendly's standard terms. Visitors may alternatively email sasa@helloaurora.ai to schedule without using Calendly. | US (SCCs) | Aurora KI-Beratung (consulting flow)

Financial infrastructure (mentioned for transparency): Funds received via Stripe are deposited into our business bank account at Qonto (France/EU) and multi-currency account at Wise (EU/Global). These institutions act as independent data controllers under banking regulations and are not data processors under this policy.

5. International Data Transfers

The majority of our data processors are based in the United States. We ensure lawful data transfers through the following mechanisms:

  • EU-US Data Privacy Framework (DPF): For processors certified under the DPF (Stripe, Cloudflare, Vercel, GitHub, OpenAI, Anthropic, Resend, Google, Zoom, LinkedIn, Calendly).
  • Standard Contractual Clauses (SCCs): For non-DPF US-incorporated processors and as a backup safeguard, we rely on the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
  • Supplementary measures: Encryption in transit (TLS 1.3), encryption at rest (AES-256), row-level security policies enforced at the database layer, and data residency in EU regions where supported (Supabase eu-central-1 for all products except AgentForge; Resend eu-west-1; Vercel fra1 for all products except AgentForge).

6. How AI Processes Your Data

When agents in Aurora CapacityOS perform AI processing, the relevant text is sent to AI providers via their APIs. Aurora's current stack:

  • Aurora-managed processing (the default): Anthropic Claude (primary LLM), OpenAI (LLM fallback, plus embeddings and Whisper transcription on uploaded media), and xAI Grok (legacy VeritasX only). Aurora pays for these calls under our own provider accounts.
  • Legacy bring-your-own-key configurations: where a workspace has configured its own provider API key (Anthropic, OpenAI, or Google), prompts flow directly from our application to that provider under that key; Aurora does not see or store the raw prompt/completion.
  • Anthropic, OpenAI, Google, and xAI do not use data submitted via their APIs to train their models (per their API data usage policies as of May 2026). We monitor changes to these policies and will update users via email if a provider changes its training opt-out posture.
  • Your submitted content is processed in real time and not permanently stored by the AI provider.
  • AI-generated results (scores, drafts, repurposes, playbooks, pitches, ad copy, campaign briefs) are stored in our Supabase EU database and linked to your account, together with the approval decisions and evidence logs that document the work.
  • Voice Profile data is derived solely from text you submit and does not include any biometric data.
  • Human approval before outward effect: AI involvement in the service is disclosed, and outputs are reviewed and approved by a human before they take effect outside the workspace.

EU AI Act Article 50 transparency (effective 2 December 2026). Aurora is a downstream user of General-Purpose AI (GPAI) models. All AI-generated outputs produced through our Services are surfaced to you with a visible "AI-assisted" or "Generated by Aurora" footer (see Article 50(2)). Where the output is media (image, audio, video), Aurora additionally embeds C2PA-compatible provenance metadata. For text outputs (pitches, ad copy, campaign briefs, client reports, social posts, blog drafts), Aurora embeds an HTML <meta name="ai-generated" content="aurora-operator"> tag or a structured JSON sidecar where the publishing target supports it. When you re-distribute Aurora output to your own audience or to your end-clients, you remain responsible for any further disclosure obligations applicable to your audience's jurisdiction (see Terms §10.1).

6b. Campaign Desk Processing (Aurora CapacityOS)

The Campaign Desk performs marketing-campaign operations. When your workspace uses it, we process the following data categories for the purposes listed. Legal basis: Art. 6(1)(b) GDPR — performance of the service contract; Art. 6(1)(a) GDPR — the granting party's explicit consent for each connected or delegated integration.

  • Source content you submit: Long-form text, blog posts, transcripts, and user-provided URLs (e.g., podcast or YouTube links) are ingested and segmented to produce platform-specific derivatives.
  • Uploaded audio/video files: If you upload a podcast or video file, it is stored temporarily in our Supabase EU (Frankfurt) Storage "media" bucket, transcribed via Deepgram (or AssemblyAI / OpenAI Whisper as fallback), and then processed by the generation pipeline. Raw uploaded media is retained only as long as required to complete transcription and the immediate repurposing pipeline, and is purged within 30 days of upload; the resulting transcript is retained with the linked record.
  • Delegated advertising and analytics data (where granted): Campaign and ad-account metrics (spend, pacing, performance) from the end-client's own advertising and analytics accounts, accessed under the delegated grant described in §3.5, are processed to prepare and report on campaign work. Changes to a client's ad account pass a human approval gate before execution.
  • Generated outputs: The Campaign Desk produces platform-optimised content derivatives, campaign briefs, ad-copy variants, and reports. These are stored in our Supabase EU database linked to your workspace and subject to row-level security.
  • Brand-voice data: As described in §3.6, the Campaign Desk maintains voice profiles, voice samples (text only), voice corrections, and learning signals derived from approvals, rejections, and edits. These are used exclusively to improve generation quality for your own workspace and are never shared across accounts.
  • Publishing connections: Where X/Twitter, LinkedIn, or WordPress is connected (see §3.5), generated posts are sent to those destinations only on explicit instruction or a schedule the customer (or, where so configured, the end-client) has approved. No automated publishing occurs without that prior action.
  • Background job processing (Inngest): Transcription dispatch, multi-stage generation, evaluation, publishing, and learning-loop rebuilds run as background jobs. Job payloads reference internal content IDs; the content itself stays in our Supabase EU database.
  • Human review of AI outputs: All Campaign Desk-generated content passes through a review queue. The designated reviewer can edit, approve, reject, or delete any item before publishing. No item is automatically posted to a third-party platform without explicit approval or an approved schedule. This supports your Art. 22 GDPR right not to be subject to solely automated decision-making.
  • Anti-distillation note: Aurora does not expose your raw voice profile, voice samples, or learning signals to any third party, and does not use one workspace's clients' voice data to train models available to other accounts.

6a. Retention Desk Processing (Aurora CapacityOS)

The Retention Desk performs renewal, client-health, and reporting operations. When connected to third-party systems (Gmail, Google Calendar, Zoom, Stripe, Slack, CRM systems where supported), we process the following data categories for the purposes listed. Each integration is authorized by the granting party via OAuth 2.0 or platform-native delegation and can be revoked at any time; revocation triggers deletion of stored tokens and associated derivative data within 30 days.

  • Email content and metadata (Gmail, user-authorized mailboxes): Subject lines, sender/recipient, timestamps, and message bodies are analysed to produce client-health signals (response latency, sentiment shifts, escalation risk). Raw email bodies are stored only when required for downstream agent processing and are purged after 180 days or on integration revocation, whichever is sooner.
  • Calendar events (Google Calendar, user-authorized calendars): Event titles, participants, start/end times, and descriptions are used to build client-meeting cadence and upcoming-engagement context. Full event bodies are not retained beyond the rolling 90-day context window.
  • Meeting recordings and transcripts (Zoom cloud recordings): Audio files retrieved from Zoom are transcribed using OpenAI Whisper and analysed by Anthropic Claude for sentiment, talk-time ratios, commitment/action-item extraction, and client-health signals. Transcripts are retained for 365 days for product functionality (trend analysis, learning loops); raw audio files are discarded immediately after transcription. Users may delete any individual meeting record on demand.
  • CRM and client records (where a CRM connection is granted): Client/contact records, deal or policy records, and activity history relevant to the contracted retention work. These remain scoped to the workspace and the granting party's authorization.
  • Payment/billing data (Stripe Connect, optional): Invoice status, recurring-revenue figures, payment-failure events, and billing lifecycle events are ingested to produce financial-health signals (late payments, downgrade risk, expansion signals). No card or bank-account numbers are retrieved or stored.
  • Workspace messages (Slack, optional, channels the user explicitly connects): Channel messages relevant to client work are ingested for context and health scoring. Direct messages are never ingested.
  • Derived outputs: The Retention Desk produces health scores, risk predictions, suggested actions, learning snapshots, and brief summaries. These derivatives are stored in our Supabase EU (Frankfurt) database, linked to your workspace, and subject to the same access controls (RLS) as your other data.
  • Human review of AI outputs: All Retention Desk AI outputs are informational or suggestive; they do not execute binding actions on third-party systems without explicit human approval. Reviewers can review, correct, or reject any AI-generated suggestion. This supports your Art. 22 GDPR right not to be subject to solely automated decision-making.

7. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR.

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request restricted processing of your data.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format (CSV / JSON / ZIP archive).
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right not to be subject to a solely automated decision (Art. 22): Aurora's Human-in-the-Loop (HITL) gate is the operative safeguard — no client-facing outbound action (email, report, pitch, campaign send) is dispatched without your explicit human approval. See §6a/§6b for the per-product detail.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time (e.g., X OAuth connection, a delegated-access grant, a legacy bring-your-own-key configuration, transcription consent) without affecting prior lawful processing.

How to exercise these rights.

  • Self-serve (preferred — in-app, recommended for routine access/export/delete): from your Aurora CapacityOS workspace settings use Settings → Account → Download my data (Art. 15 + Art. 20) or Settings → Account → Delete my account (Art. 17). The export job is async and emails you a signed download link once ready. Deletion uses a confirm-twice flow with a 30-day soft-delete grace before permanent erasure.
  • By email: for everything else (rectification, restriction, objection, formal Art. 15 SAR), write to privacy@helloaurora.ai. We will respond within 30 days. If we need more time, we will notify you within the initial 30-day period.

8. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Analysis history: Retained for the duration of your account. You can delete individual analyses at any time.
  • Voice profiles: Deleted immediately when you reset your profile or delete your account.
  • Payment records: Retained for 10 years as required by German tax law (§ 147 AO, § 257 HGB).
  • Server logs: Automatically purged after 90 days.
  • X OAuth tokens: Deleted immediately when you disconnect your X account or delete your Aurora account.
  • LinkedIn and WordPress publishing credentials (Campaign Desk): Deleted within 30 days when you disconnect the integration or delete your Aurora account.
  • Uploaded media (audio/video, Campaign Desk): Raw uploads in the Supabase Storage "media" bucket are retained only as long as required to complete transcription and the immediate repurposing pipeline, and are purged within 30 days of upload. Transcripts and generated derivatives are retained with the linked record for the duration of your workspace account.
  • Voice samples, voice corrections, and learning signals (Campaign Desk): Retained for the duration of your workspace account and deleted when you reset your voice profile or delete your Aurora account.
  • OAuth and delegated-access tokens (Gmail, Google Calendar, Zoom, Stripe, Slack, advertising/analytics grants): Deleted within 30 days when the granting party disconnects the integration or the Aurora account is deleted. Revocation is also propagated to the provider via their OAuth revocation endpoint where supported.
  • Meeting transcripts (Retention Desk): Retained for 365 days from creation, then automatically purged. Users may delete individual transcripts on demand.
  • Email content (raw bodies, Retention Desk): Retained for 180 days from ingestion, then automatically purged. Derived signals (health scores, sentiment deltas) are retained for the duration of the workspace account.
  • Calendar events (full bodies, Retention Desk): Rolling 90-day context window, then purged. Event metadata used for trend analysis is retained for the duration of the workspace account.
  • Raw audio from Zoom recordings (Retention Desk): Discarded immediately after transcription; never persisted.
  • Approval and evidence logs: Retained for the duration of the workspace account as part of the contracted service record, then deleted with the account (subject to statutory retention obligations).

9. Data Security

We implement the following technical and organizational measures to protect your data:

  • All data transmitted over HTTPS / TLS 1.3.
  • AES-256 encryption at rest for database storage (Supabase EU Frankfurt) and object storage (Supabase Storage media bucket).
  • Row-Level Security (RLS) enforced at every database table — users can only access data scoped to their own agency workspace.
  • Passwords hashed using bcrypt (via Supabase Auth); BYOK API keys stored using pgsodium symmetric encryption in profiles.operator_credential — plaintext is never persisted.
  • OAuth tokens (Gmail, Google Calendar, Zoom, Slack, LinkedIn, WordPress, X) encrypted at rest.
  • API keys and secrets stored in encrypted environment variables (never in source code).
  • Audit logging on every sensitive route: every agent skill invocation records to operator_runs; every signal generation event records to the signals outbox; every client-facing report send records to the report send log; approval decisions on outward actions are recorded in the evidence log.
  • EU data residency: Supabase eu-central-1 (Frankfurt) for Aurora CapacityOS application data; Vercel fra1 for compute; Resend AWS eu-west-1 for transactional email; Stripe Payments Europe (Ireland) for payment processing. LLM calls leave the EU only to the model providers listed on our Sub-processor list (or, for legacy bring-your-own-key configurations, to the customer-chosen provider under the customer's own contract).
  • Regular security audits and dependency vulnerability scanning.

10. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for Aurora is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Königstraße 10a, 70173 Stuttgart

Website: www.baden-wuerttemberg.datenschutz.de

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page reflects the most recent revision.

Change note (11 June 2026): Updated to reflect the consolidation of our offerings into Aurora CapacityOS.

© 2026 Aurora AI Solutions Studio UG (haftungsbeschränkt) — helloaurora.ai