
Privacy Policy

Datenschutzerklärung — Last updated: March 31, 2026

1. Controller / Verantwortlicher

Aurora AI Solutions Studio UG (haftungsbeschränkt)

Friedhofstr. 10, 70191 Stuttgart, Germany

Email: info@helloaurora.ai

Phone: +49 172 9557922

Data Protection Contact: Sasa Stanojevic — privacy@helloaurora.ai

2. Overview

Aurora AI Solutions Studio UG ("Aurora," "we," "us") operates multiple AI-powered software products under the domain helloaurora.ai. This privacy policy applies to all Aurora products: VeritasX, ReForge, ClientPulse, and AgentForge, as well as the Aurora company website.

We process personal data in compliance with the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TMG/TTDSG).

3. What Data We Collect

3.1 Account Data

When you create an account, we collect: email address, hashed password (via Supabase Auth), and account creation timestamp. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.2 Usage Data

We track: number of analyses performed (for free-tier usage enforcement), which features you use, and timestamps of usage. Legal basis: Art. 6(1)(b) GDPR — necessary for service delivery and tier enforcement.

3.3 Content You Submit

When you use our AI-powered tools, we process the text content you submit (e.g., tweets, posts, threads). This content is sent to AI providers (Anthropic, xAI) for analysis. We store analysis results and AI-generated rewrites in our database to provide you with analysis history. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.4 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We receive from Stripe: subscription status, plan type, customer ID, and payment timestamps. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.5 X (Twitter) Account Data

If you connect your X account via OAuth 2.0 (available in VeritasX), we receive: your X username, display name, profile image URL, and an access/refresh token pair. We use this data to enable X-dependent features (performance tracking, posting time optimization). You can disconnect your X account at any time. Legal basis: Art. 6(1)(a) GDPR — your explicit consent.

3.6 Voice Profile Data

If you use VeritasX's Voice Fingerprint feature, we build a writing style profile from your past analyses. This profile includes vocabulary patterns, tone preferences, hook styles, and sentence structure — it does not include biometric voice data. Legal basis: Art. 6(1)(b) GDPR — necessary for the personalized service you requested.

3.7 Server Logs

Our hosting providers automatically collect: IP address, browser type, referring URL, pages visited, and access timestamps. This data is used for security monitoring and abuse prevention. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security.

4. Data Processors & Third-Party Services

We use the following third-party services to operate our products. All US-based processors either participate in the EU-US Data Privacy Framework (DPF) or are bound by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

| Service | Purpose | Location | Products |
|---|---|---|---|
| Supabase Inc. | Database, authentication, row-level security | US (AWS us-east-2) | All Products |
| Vercel Inc. | Web hosting, edge functions, CDN | US (Global CDN) | All Products |
| Cloudflare Inc. | DNS, DDoS protection, email routing | US (Global) | All Products |
| Anthropic PBC | AI analysis, content generation (Claude API) | US | All Products |
| Stripe Inc. | Payment processing, subscriptions, invoicing | US | VeritasX, ReForge |
| xAI Corp. | Bot detection (Grok API), X OAuth | US | VeritasX |
| OpenAI Inc. | Text embeddings (text-embedding-3-small) | US | ReForge |
| X Corp. (Twitter) | OAuth 2.0 authentication, user profile data | US | VeritasX |
| Railway Corp. | Backend API hosting (FastAPI) | US | AgentForge |
| Langfuse GmbH | AI observability, tracing | EU (Berlin) | AgentForge |
| GitHub Inc. | Source code hosting, CI/CD | US | All Products |

Financial infrastructure (mentioned for transparency): Funds received via Stripe are deposited into our business bank account at Qonto (France/EU) and multi-currency account at Wise (EU/Global). These institutions act as independent data controllers under banking regulations and are not data processors under this policy.

5. International Data Transfers

The majority of our data processors are based in the United States. We ensure lawful data transfers through the following mechanisms:

  • EU-US Data Privacy Framework (DPF): For processors certified under the DPF (Stripe, Cloudflare, Vercel, GitHub, OpenAI).
  • Standard Contractual Clauses (SCCs): For processors not certified under DPF, we rely on the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
  • Supplementary measures: We implement additional technical safeguards including encryption in transit (TLS 1.3), encryption at rest, and row-level security policies in our databases.

6. How AI Processes Your Data

When you use our AI-powered features, the text you submit is sent to AI providers (Anthropic Claude, xAI Grok, OpenAI) via their APIs. Important details:

  • Anthropic, xAI, and OpenAI do not use data submitted via their APIs to train their models (per their current API data usage policies).
  • Your submitted content is processed in real time and not permanently stored by the AI provider.
  • AI-generated results (rewrites, scores, analysis) are stored in our Supabase database and linked to your account.
  • Voice Fingerprint profiles are derived solely from your stored analyses and do not include any biometric data.

7. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR. To exercise any of these rights, contact us at privacy@helloaurora.ai.

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request restricted processing of your data.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time (e.g., X OAuth connection) without affecting prior lawful processing.

We will respond to your request within 30 days. If we need more time, we will notify you within the initial 30-day period.

8. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Analysis history: Retained for the duration of your account. You can delete individual analyses at any time.
  • Voice profiles: Deleted immediately when you reset your profile or delete your account.
  • Payment records: Retained for 10 years as required by German tax law (§ 147 AO, § 257 HGB).
  • Server logs: Automatically purged after 90 days.
  • X OAuth tokens: Deleted immediately when you disconnect your X account or delete your Aurora account.

9. Data Security

We implement the following technical and organizational measures to protect your data:

  • All data transmitted via HTTPS/TLS 1.3 encryption.
  • Row-Level Security (RLS) on all database tables — users can only access their own data.
  • Passwords hashed using bcrypt (via Supabase Auth).
  • API keys and secrets stored in encrypted environment variables (never in source code).
  • OAuth tokens encrypted at rest in the database.
  • Regular security audits and dependency vulnerability scanning.

10. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for Aurora is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Lautenschlagerstr. 20, 70173 Stuttgart

Website: www.baden-wuerttemberg.datenschutz.de

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page reflects the most recent revision.

© 2026 Aurora AI Solutions Studio UG (haftungsbeschränkt) — helloaurora.ai