Privacy Policy

Datenschutzerklärung — Last updated: May 24, 2026

1. Controller / Verantwortlicher

2. Overview

Aurora AI Solutions Studio UG ("Aurora," "we," "us") operates multiple AI-powered software products under the domain helloaurora.ai. This privacy policy applies to all Aurora products: VeritasX, ContentPulse, ClientPulse, and AgentForge, as well as the Aurora company website.

We process personal data in compliance with the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TMG/TTDSG).

3. What Data We Collect

3.1 Account Data

When you create an account, we collect: email address, hashed password (via Supabase Auth), and account creation timestamp. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.2 Usage Data

We track: number of analyses performed (for free-tier usage enforcement), which features you use, and timestamps of usage. Legal basis: Art. 6(1)(b) GDPR — necessary for service delivery and tier enforcement.

3.3 Content You Submit

When you use our AI-powered tools, we process the text content you submit (e.g., source articles, transcripts, posts, threads, client communications). This content is sent to AI providers (Anthropic, OpenAI, Google, and — for legacy VeritasX usage — xAI) for analysis or generation. We store the inputs, generated outputs, and rewrite history in our database so you can review, edit, re-run, and export your work. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.4 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We receive from Stripe: subscription status, plan type, customer ID, and payment timestamps. Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.5 Connected Publishing Accounts (X, LinkedIn, WordPress)

If you connect a third-party publishing or social account via OAuth 2.0 — available in VeritasX (X) and ContentPulse (X/Twitter, LinkedIn, WordPress) — we receive the following for each connection:

• X (Twitter) OAuth 2.0 PKCE: username, display name, profile image URL, and an access/refresh token pair. Used for profile context, performance tracking (VeritasX), and direct publishing of ContentPulse-generated posts to your authenticated account.
• LinkedIn OAuth 2.0: member ID, name, profile image URL, and an access token. Used solely to publish ContentPulse-generated posts to your authenticated account. We do not read your feed or your connections.
• WordPress (self-hosted or WordPress.com REST API): the site URL and Application Password / OAuth credential you supply. Used solely to publish ContentPulse-generated posts as drafts or published articles on the site you authorise. We do not read posts, comments, users, or settings beyond what is required to create the new content.

Tokens are stored encrypted at rest and are scoped to the minimum permissions required for publishing. You can disconnect any integration at any time from the in-app settings, which triggers token deletion within 30 days. Legal basis: Art. 6(1)(a) GDPR — your explicit consent; Art. 6(1)(b) GDPR — performance of the publishing contract.

3.6 Voice Profile Data (Voice Fingerprint / ContentPulse Brand Voice Engine)

If you use VeritasX's Voice Fingerprint feature or ContentPulse's Brand Voice Engine, we build a writing-style profile from content you submit or approve. The profile includes vocabulary patterns, tone preferences, hook styles, sentence structure, and — for ContentPulse — platform-specific variants. It does not include biometric voice data (no audio voiceprints, no physiological identifiers); the term "voice" refers to writing style.

For ContentPulse specifically, the profile is supported by three layers: (1) a style-guide summary, (2) performance-learning signals derived from your approvals, rejections, and edits (the "Recursive Learning Loop"), and (3) a pgvector retrieval-augmented generation (RAG) index of short stylistic samples ("voice_samples") stored in our EU Supabase database. Samples are text-only, scoped to your workspace by row-level security, and never shared across accounts. Legal basis: Art. 6(1)(b) GDPR — necessary for the personalised service you requested.

3.7 Server Logs

Our hosting providers automatically collect: IP address, browser type, referring URL, pages visited, and access timestamps. This data is used for security monitoring and abuse prevention. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security.

3.8 Aurora Operator (BYOK AI Agent)

Both ClientPulse and ContentPulse embed Aurora Operator, an AI agent that runs named skills (e.g. draft a save playbook, create a pitch deck, build an ad-copy variant) using a Large Language Model (LLM). Aurora Operator follows a "Bring Your Own Key" (BYOK) model: the agency owner provides their own API key for Anthropic (Claude), OpenAI (GPT) or Google (Gemini), and all LLM calls are made directly under that key — Aurora does not proxy, broker, or markup the call. Costs flow to the customer's own provider account.

What we store about your Operator use:

• Your BYOK credential: the chosen provider, the encrypted API key (pgsodium ciphertext on profiles.operator_credential), your preferred model, and your monthly spend cap. The plaintext API key is never persisted — it is decrypted just-in-time per invocation and discarded.
• Run metadata: for every skill invocation we record an audit row in operator_runs (skill id, skill version, started/finished timestamps, input signal reference, status, USD cost, output reference). We do not persist the raw prompt sent to the LLM provider or the raw completion returned, beyond the structured output the skill emits to its sink (e.g. a pitch row, a campaign brief, an email draft).
• Spend cap enforcement: we sum per-run costs to enforce the agency's monthly cap; this is computed against our own audit rows, not pulled from the LLM provider.

When an Operator skill calls your chosen LLM, the contents of your prompt (which may include client names, recent signal context, voice-profile snippets) are transmitted to that provider under their data-handling terms — see the provider DPA links in §4 and on our public Sub-processor list. Legal basis: Art. 6(1)(b) GDPR — performance of the Operator service you opted into; Art. 6(1)(a) GDPR — your explicit consent when configuring BYOK.

3.9 Aurora Operator AI-Disclosure Banner (Article 50 EU AI Act)

Because Aurora Operator is an AI system that interacts directly with a natural person (you, the agency owner), Article 50(1) of the EU AI Act (Regulation (EU) 2024/1689) requires us to disclose this clearly. Whenever you open the Operator slide-over in either ClientPulse or ContentPulse, a persistent banner displays: "Aurora Operator is an AI assistant. Output may need human review before use." No skill output is auto-sent to a client without your explicit human approval (see §6/§6a/§6b on HITL gates).

3.10 Expanded Signals Pipeline (CP ↔ CTP)

ClientPulse and ContentPulse now share a unified signals pipeline covering 20+ signal kinds — including client_amber/red transitions, renewal_window_60d/30d/14d, payment_cadence_drift, save_play_in_flight, pitch_expansion_opp, ad_burn_no_results, and others. Signals are produced by signal generators in either product and consumed by skill subscribers in the other; they remain inside your Aurora workspace (Supabase EU Frankfurt) under row-level security and are never shared across accounts. A complete list of current signal kinds and consumers is maintained on the public ContentPulse Model Card and ClientPulse Model Card.

4. Data Processors & Third-Party Services

We use the following third-party services to operate our products. All US-based processors either participate in the EU-US Data Privacy Framework (DPF) or are bound by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Service	Purpose	Location	Products
Supabase Inc.	Database, authentication, row-level security	EU (AWS eu-central-1, Frankfurt)	VeritasX ContentPulse ClientPulse Aurora-Core
Supabase Inc.	Database, authentication, row-level security	US (AWS us-east-2)	AgentForge
Vercel Inc.	Web hosting, edge functions, CDN	Compute: Frankfurt (fra1) for VeritasX, ContentPulse, ClientPulse, Aurora-Core. Compute: Washington DC (iad1) for AgentForge. CDN edge: globally distributed via Vercel's anycast network.	All Products
Cloudflare Inc.	DNS, DDoS protection, email routing	US (Global)	All Products
Resend Inc.	Transactional email delivery (signup confirmations, password resets, account notifications). Sub-processor: Amazon Web Services EMEA SARL (EU operator of SES).	EU (AWS eu-west-1, Ireland)	All Products
Anthropic PBC	AI analysis, content generation (Claude API)	US	All Products
Stripe Inc.	Payment processing, subscriptions, invoicing	US	VeritasX ContentPulse ClientPulse
xAI Corp.	Bot detection (Grok API), X OAuth	US	VeritasX
OpenAI Inc.	Text embeddings (text-embedding-3-small); audio transcription via Whisper (ClientPulse meeting recordings uploaded for transcription)	US	ContentPulse ClientPulse
AssemblyAI, Inc.	Speech-to-text transcription of user-uploaded podcast/video audio files for ContentPulse content repurposing. Per AssemblyAI's API terms as of April 2026, uploaded audio and transcripts are not used to train their models.	US	ContentPulse
Inngest, Inc.	Background job orchestration (transcription dispatch, multi-stage content generation pipeline, scheduled publishing, learning-loop rebuilds, signal-fanout, Aurora Operator skill runs). Jobs carry content IDs and generation context; the underlying content remains in our Supabase EU database.	US	ContentPulse ClientPulse
Sentry (Functional Software, Inc.)	Error monitoring and application performance tracing. Captures stack traces, request context, and breadcrumbs; configured to scrub user-input fields and authentication headers before transmission.	US (SCCs)	ContentPulse ClientPulse
Google LLC — Gemini API	Aurora Operator BYOK option (Gemini family). Used only when the agency owner selects Google as their BYOK provider on the Operator settings page. Prompts and completions are exchanged directly under the agency's own API key, per Google's API terms; Aurora retains only run metadata, not raw prompts/responses.	US (DPF-certified)	ClientPulse ContentPulse
Deepgram, Inc.	Primary speech-to-text transcription for user-uploaded podcast/video audio files in ContentPulse. Per Deepgram's API terms, uploaded audio is not used to train their models.	US (SCCs)	ContentPulse
LinkedIn Corporation	LinkedIn OAuth 2.0 authentication; REST Publishing API (post ContentPulse-generated content to your authenticated LinkedIn account on your instruction).	US (DPF-certified)	ContentPulse
WordPress sites (your chosen destinations)	When you connect a WordPress site to ContentPulse for direct publishing, the site operator acts as an independent controller for content you publish. ContentPulse transmits generated posts to the site URL and credentials you provide.	Operator-dependent	ContentPulse
Google LLC	Google OAuth 2.0 authentication; Gmail API (read/analyze inbound & outbound client communications where the user grants read access); Google Calendar API (read/sync events for meeting intelligence and client context). Only metadata and user-authorized mailboxes/calendars are accessed; scopes are minimised and revocable at any time.	US (DPF-certified)	ClientPulse
Zoom Video Communications, Inc.	Zoom OAuth 2.0 authentication; Recordings & Transcripts APIs (retrieve cloud recordings and meeting metadata for Meeting Intelligence). Access is limited to meetings the authenticated user participates in and can be revoked at any time.	US (DPF-certified)	ClientPulse
X Corp. (Twitter)	OAuth 2.0 authentication, user profile data	US	VeritasX
Railway Corp.	Backend API hosting (FastAPI)	US	AgentForge
Langfuse GmbH	AI observability, tracing	EU (Berlin)	AgentForge
GitHub Inc.	Source code hosting, CI/CD	US	All Products
Calendly LLC	Appointment scheduling for Aurora KI-Beratung consulting calls. Calendly receives name, email, selected time slot, timezone, optional invitee notes, and technical metadata when a visitor books a call via a Calendly-embedded widget or page on helloaurora.ai/consulting. A DPA is in place via Calendly's standard terms. Visitors may alternatively email sasa@helloaurora.ai to schedule without using Calendly.	US (SCCs)	Aurora KI-Beratung (consulting flow)

Financial infrastructure (mentioned for transparency): Funds received via Stripe are deposited into our business bank account at Qonto (France/EU) and multi-currency account at Wise (EU/Global). These institutions act as independent data controllers under banking regulations and are not data processors under this policy.

5. International Data Transfers

The majority of our data processors are based in the United States. We ensure lawful data transfers through the following mechanisms:

• EU-US Data Privacy Framework (DPF): For processors certified under the DPF (Stripe, Cloudflare, Vercel, GitHub, OpenAI, Anthropic, Resend, Google, Zoom, LinkedIn, Calendly).
• Standard Contractual Clauses (SCCs): For non-DPF US-incorporated processors and as a backup safeguard, we rely on the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
• Supplementary measures: Encryption in transit (TLS 1.3), encryption at rest (AES-256), row-level security policies enforced at the database layer, and data residency in EU regions where supported (Supabase eu-central-1 for all products except AgentForge; Resend eu-west-1; Vercel fra1 for all products except AgentForge).

6. How AI Processes Your Data

When you use our AI-powered features, the text you submit is sent to AI providers via their APIs. Aurora supports a multi-provider stack:

• Aurora-managed default (legacy products + non-Operator surfaces): Anthropic Claude (default), xAI Grok (legacy VeritasX), and OpenAI (embeddings + Whisper transcription on uploaded media). Aurora pays for these calls under our own provider accounts.
• Aurora Operator BYOK (ClientPulse + ContentPulse skill execution): Anthropic Claude, OpenAI GPT, or Google Gemini — your choice, your API key. Prompts flow directly from our application to your chosen provider under your key; Aurora does not see or store the raw prompt/completion.
• Anthropic, OpenAI, Google, and xAI do not use data submitted via their APIs to train their models (per their API data usage policies as of May 2026). We monitor changes to these policies and will update users via email if a provider changes its training opt-out posture.
• Your submitted content is processed in real time and not permanently stored by the AI provider.
• AI-generated results (scores, drafts, repurposes, playbooks, pitches, ad copy, campaign briefs) are stored in our Supabase EU database and linked to your account.
• Voice Fingerprint / Voice Profile data is derived solely from text you submit and does not include any biometric data.

EU AI Act Article 50 transparency (effective 2 December 2026). Aurora is a downstream user of General-Purpose AI (GPAI) models. All AI-generated outputs produced through our Services are surfaced to you with a visible "AI-assisted" or "Generated by Aurora" footer (see Article 50(2)). Where the output is media (image, audio, video), Aurora additionally embeds C2PA-compatible provenance metadata. For text outputs (pitches, ad copy, campaign briefs, client reports, social posts, blog drafts), Aurora embeds an HTML <meta name="ai-generated" content="aurora-operator"> tag or a structured JSON sidecar where the publishing target supports it. When you re-distribute Aurora output to your own audience or to your end-clients, you remain responsible for any further disclosure obligations applicable to your audience's jurisdiction (see Terms §10.1).

6b. ContentPulse-Specific Processing

ContentPulse is an AI Content Repurposing Studio. When you use ContentPulse, we process the following data categories for the purposes listed. Legal basis: Art. 6(1)(b) GDPR — performance of the ContentPulse service contract; Art. 6(1)(a) GDPR — your explicit consent for each connected publishing integration.

• Source content you submit: Long-form text, blog posts, transcripts, and user-provided URLs (e.g., podcast or YouTube links) are ingested and segmented by the Content Intelligence pipeline to produce platform-specific derivatives.
• Uploaded audio/video files: If you upload a podcast or video file, it is stored temporarily in our Supabase EU (Frankfurt) Storage "media" bucket, transcribed via AssemblyAI (and/or OpenAI Whisper), and then processed by our Generation Agent. Raw uploaded media is retained only as long as required to complete transcription and the immediate repurposing pipeline, and is purged within 30 days of upload; the resulting transcript is retained with the linked repurpose record.
• Generated outputs (repurposes): ContentPulse produces up to 50+ platform-optimised derivatives per source across 19+ platforms (X/Twitter, LinkedIn, Blog, Substack, Threads, Instagram captions, Facebook, TikTok captions, Reddit, Bluesky, Medium, short-form video scripts, email sequences, podcast show notes, etc.). These derivatives are stored in our Supabase EU database linked to your workspace and subject to row-level security.
• Brand Voice Engine data: As described in §3.6, ContentPulse maintains voice profiles, voice samples (text only), voice corrections, and recursive-learning signals derived from your approvals, rejections, and edits. These are used exclusively to improve generation quality for your own workspace and are never shared across accounts.
• Publishing connections: Where you connect X/Twitter, LinkedIn, or WordPress (see §3.5), ContentPulse sends generated posts to those destinations only on your explicit instruction (manual publish or scheduled publish that you have configured). No automated publishing occurs without your prior action.
• Background job processing (Inngest): Transcription dispatch, multi-stage generation, QA-Agent evaluation, publishing, and learning-loop rebuilds run as background jobs. Job payloads reference internal content IDs; the content itself stays in our Supabase EU database.
• Human review of AI outputs: All ContentPulse-generated content passes through a Kanban review queue. You can edit, approve, reject, or delete any item before publishing. No item is automatically posted to a third-party platform without your explicit approval or a schedule you have configured. This supports your Art. 22 GDPR right not to be subject to solely automated decision-making.
• Anti-distillation note: ContentPulse does not expose your raw voice profile, voice samples, or recursive-learning signals to any third party, and does not use your Agency-tier clients' voice data to train models available to other accounts.

6a. ClientPulse-Specific Processing

ClientPulse is an AI Client Health Intelligence product for agencies. When you connect ClientPulse to third-party systems (Gmail, Google Calendar, Zoom, Stripe, Slack), we process the following data categories for the purposes listed. Each integration is user-authorized via OAuth 2.0 and can be revoked at any time from the in-app Integrations settings; revocation triggers deletion of stored tokens and associated derivative data within 30 days.

• Email content and metadata (Gmail, user-authorized mailboxes): Subject lines, sender/recipient, timestamps, and message bodies are analysed to produce client-health signals (response latency, sentiment shifts, escalation risk). Raw email bodies are stored only when required for downstream agent processing and are purged after 180 days or on integration revocation, whichever is sooner.
• Calendar events (Google Calendar, user-authorized calendars): Event titles, participants, start/end times, and descriptions are used to build client-meeting cadence and upcoming-engagement context. Full event bodies are not retained beyond the rolling 90-day context window.
• Meeting recordings and transcripts (Zoom cloud recordings): Audio files retrieved from Zoom are transcribed using OpenAI Whisper and analysed by Anthropic Claude for sentiment, talk-time ratios, commitment/action-item extraction, and client-health signals. Transcripts are retained for 365 days for product functionality (trend analysis, learning loops); raw audio files are discarded immediately after transcription. Users may delete any individual meeting record on demand.
• Payment/subscription data (Stripe Connect, optional): Invoice status, MRR, payment-failure events, and subscription lifecycle events are ingested to produce financial-health signals (late payments, downgrade risk, expansion signals). No card or bank-account numbers are retrieved or stored.
• Workspace messages (Slack, optional, channels the user explicitly connects): Channel messages relevant to client work are ingested for context and health scoring. Direct messages are never ingested.
• Derived outputs: ClientPulse produces health scores, risk predictions, suggested actions, recursive-learning snapshots, and Monday Brief summaries. These derivatives are stored in our Supabase EU (Frankfurt) database, linked to your agency workspace, and subject to the same access controls (RLS) as your other data.
• Human review of AI outputs: All ClientPulse AI outputs are informational or suggestive; they do not execute binding actions on third-party systems without explicit user approval. Users can review, correct, or reject any AI-generated suggestion. This supports your Art. 22 GDPR right not to be subject to solely automated decision-making.

7. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR.

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18): Request restricted processing of your data.
• Right to data portability (Art. 20): Receive your data in a machine-readable format (CSV / JSON / ZIP archive).
• Right to object (Art. 21): Object to processing based on legitimate interest.
• Right not to be subject to a solely automated decision (Art. 22): Aurora's Human-in-the-Loop (HITL) gate is the operative safeguard — no client-facing outbound action (email, report, pitch, campaign send) is dispatched without your explicit human approval. See §6a/§6b for the per-product detail.
• Right to withdraw consent (Art. 7(3)): Withdraw consent at any time (e.g., X OAuth connection, Aurora Operator BYOK, transcription consent) without affecting prior lawful processing.

How to exercise these rights.

• Self-serve (preferred — in-app, recommended for routine access/export/delete): from your account settings in ClientPulse or ContentPulse use Settings → Account → Download my data (Art. 15 + Art. 20) or Settings → Account → Delete my account (Art. 17). The export job is async and emails you a signed download link once ready. Deletion uses a confirm-twice flow with a 30-day soft-delete grace before permanent erasure.
• By email: for everything else (rectification, restriction, objection, formal Art. 15 SAR), write to privacy@helloaurora.ai. We will respond within 30 days. If we need more time, we will notify you within the initial 30-day period.

8. Data Retention

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
• Analysis history: Retained for the duration of your account. You can delete individual analyses at any time.
• Voice profiles: Deleted immediately when you reset your profile or delete your account.
• Payment records: Retained for 10 years as required by German tax law (§ 147 AO, § 257 HGB).
• Server logs: Automatically purged after 90 days.
• X OAuth tokens: Deleted immediately when you disconnect your X account or delete your Aurora account.
• ContentPulse LinkedIn and WordPress publishing credentials: Deleted within 30 days when you disconnect the integration or delete your Aurora account.
• ContentPulse uploaded media (audio/video): Raw uploads in the Supabase Storage "media" bucket are retained only as long as required to complete transcription and the immediate repurposing pipeline, and are purged within 30 days of upload. Transcripts and generated derivatives are retained with the linked repurpose record for the duration of your workspace account.
• ContentPulse voice samples, voice corrections, and learning signals: Retained for the duration of your workspace account and deleted when you reset your voice profile or delete your Aurora account.
• ClientPulse OAuth tokens (Gmail, Google Calendar, Zoom, Stripe, Slack): Deleted within 30 days when you disconnect the integration or delete your Aurora account. Revocation is also propagated to the provider via their OAuth revocation endpoint where supported.
• ClientPulse meeting transcripts: Retained for 365 days from creation, then automatically purged. Users may delete individual transcripts on demand.
• ClientPulse email content (raw bodies): Retained for 180 days from ingestion, then automatically purged. Derived signals (health scores, sentiment deltas) are retained for the duration of the workspace account.
• ClientPulse calendar events (full bodies): Rolling 90-day context window, then purged. Event metadata used for trend analysis is retained for the duration of the workspace account.
• ClientPulse raw audio from Zoom recordings: Discarded immediately after transcription; never persisted.

9. Data Security

We implement the following technical and organizational measures to protect your data:

• All data transmitted over HTTPS / TLS 1.3.
• AES-256 encryption at rest for database storage (Supabase EU Frankfurt) and object storage (Supabase Storage media bucket).
• Row-Level Security (RLS) enforced at every database table — users can only access data scoped to their own agency workspace.
• Passwords hashed using bcrypt (via Supabase Auth); BYOK API keys stored using pgsodium symmetric encryption in profiles.operator_credential — plaintext is never persisted.
• OAuth tokens (Gmail, Google Calendar, Zoom, Slack, LinkedIn, WordPress, X) encrypted at rest.
• API keys and secrets stored in encrypted environment variables (never in source code).
• Audit logging on every sensitive route: every Aurora Operator skill invocation records to operator_runs; every signal generation event records to the signals outbox; every client-facing report send records to the report send log.
• EU data residency: Supabase eu-central-1 (Frankfurt) for ClientPulse + ContentPulse application data; Vercel fra1 for compute; Resend AWS eu-west-1 for transactional email; Stripe Payments Europe (Ireland) for payment processing. Operator BYOK LLM calls leave the EU only to the customer-chosen provider under the customer's own contract.
• Regular security audits and dependency vulnerability scanning.

10. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for Aurora is:

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page reflects the most recent revision.