Privacy Policy
We store the minimum needed to make your training work. We don't sell your data, we don't show your activity to other users, and we don't track you across other apps.
What we collect and why
- Email and display name — to sign you in and address you. (Legal basis: performance of our contract with you.)
- Password — stored only as a bcrypt hash, never in plain text. (Contract.)
- Date of birth — to verify you meet the 16+ age requirement. (Legal obligation / legitimate interest.)
- Timezone — so “today’s challenge” and streaks roll over at your local midnight. (Contract.)
- Challenge activity (completed / failed / skipped, felt difficulty, timing) — powers Aura, levels, streaks, and adaptive difficulty. (Contract.)
- Reflection notes (optional) — your private training journal, never shown to other users. (Contract / your consent.)
- Product events (e.g. “app opened”) — first-party analytics to improve the app; no third-party analytics SDK. (Legitimate interest.)
Who processes data for us (subprocessors)
We don't sell or rent your data and we don't share it with other users. We use a small set of vendors purely to run the service, each under a data-processing agreement:
- Render — application hosting and database (where your account and history live).
- Cloudflare — DNS and content delivery for the website.
- Resend — sending transactional email such as password-reset links.
- Anthropic — only if you attach a reflection note: the note is sent to Anthropic’s Claude API to check plausibility and (if you use it) generate your private debrief. Per Anthropic’s commercial API terms, this data is not used to train their models.
- Apple / Google (and a billing provider such as RevenueCat) — if you subscribe, to process the purchase; card details go to the store, not to us.
AI-assisted features
If you attach a note to a completed challenge, an AI model may assess whether it plausibly describes the challenge (protecting everyone's training data) and, on request, write a short private coaching reply. Notes are sent to the AI provider only for these purposes. You can simply not add notes if you prefer no AI processing.
How long we keep it
We keep your data while your account is active. When you delete your account, your training data is removed and analytics events are anonymized. You can delete at any time from Profile → delete account.
Your rights
Depending on where you live (including under the EU/UK GDPR and California's CCPA), you have rights to access, correct, export, delete, and object to certain processing of your data, and to withdraw consent. You can exercise access and deletion directly in the app, or email hello@auramative.com and we'll help. We don't sell personal information or use it for cross-context behavioral advertising.
Children
Auramative is for people 16 and older. We don't knowingly collect data from anyone under 16. If you believe a younger person created an account, email hello@auramative.com and we will delete it.
Security
Passwords are hashed with bcrypt; traffic is encrypted in transit (HTTPS); on phones your sign-in token is stored in the device keychain/keystore. No system is perfectly secure, but we hold the service to current best practices and review it regularly.
International transfers
Our vendors may process data in countries other than yours (for example, the United States). Where required, transfers rely on appropriate safeguards such as the vendors' standard contractual clauses.
Changes and contact
We'll update this page and the date above if our practices change. Questions or requests: hello@auramative.com.