AURA PROTOCOL PRIVACY NOTICE FOR LIKENESS SCANS AND BIOMETRIC PROCESSING Effective Date: June 1, 2026 Version: 2026-06-01.v1 Contact: hello@joinauraprotocol.com 1. Overview AURA Protocol helps individuals identify public web locations where their own likeness may appear. This Privacy Notice explains how AURA collects, uses, discloses, retains, and deletes personal information when you use AURA’s likeness scan, likeness monitoring, identity rights, or related services. This Notice is intended to provide information required under privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, the EU General Data Protection Regulation, the UK GDPR, and applicable biometric privacy laws. 2. Who Controls Your Personal Information Controller / Business: AURA Protocol Email: hello@joinauraprotocol.com AURA determines the purpose and means of processing personal information used for the AURA likeness scan and related services. 3. What We Collect AURA may collect the following categories of personal information: A. Identifiers email address; account ID; username or account profile data; contact information submitted by you; request ID or support ticket ID. B. Biometric and Sensitive Personal Information uploaded photo; face geometry; face template; faceprint; facial embedding, vector, or similar mathematical representation; similarity scores; match confidence scores; biometric scan metadata. C. Internet, Device, and Technical Data IP address; device identifiers; browser type; operating system; user agent; timestamps; event logs; consent version; security logs; fraud prevention signals. D. Public Web Result Data candidate public image URLs; source page URLs; public metadata associated with candidate results; thumbnail or image cache where temporarily needed to produce the report; result confidence score; review status. E. Commercial and Account Information membership status; subscription status; billing status; service choices; support history. F. Communications emails you send to AURA; privacy requests; deletion requests; support messages; user feedback. G. Compliance Records consent records; withdrawal records; deletion logs; audit logs; security incident records; legal hold records. 4. Sources of Personal Information AURA collects personal information from: you, when you submit a photo, email address, account information, privacy request, or support message; your device or browser; public web sources and search or image sources; AURA service providers; security, fraud prevention, and infrastructure tools. 5. Why We Use Personal Information AURA uses personal information for the following purposes: to provide the likeness scan you requested; to compare your submitted photo against candidate public web images; to generate a report showing public URLs where your likeness may appear; to provide ongoing likeness monitoring where you become a Member; to verify consent and document your request; to verify identity before displaying sensitive results; to prevent fraud, misuse, impersonation, stalking, unauthorized scans, and abuse; to provide account, subscription, and support services; to respond to privacy rights requests; to maintain security and service integrity; to comply with legal obligations; to resolve disputes and enforce our terms. 6. Legal Bases for EU and UK Users For users in the European Economic Area, United Kingdom, or other GDPR style jurisdictions, AURA relies on the following legal bases: A. Explicit Consent AURA relies on your explicit consent to process biometric data for the likeness scan and likeness monitoring services. B. Contract AURA processes account, membership, billing, and service information to provide services you request. C. Legitimate Interests AURA processes limited technical, security, fraud prevention, compliance, and audit data to protect AURA, users, and the integrity of the service. D. Legal Obligation AURA processes certain records to comply with laws, regulatory inquiries, valid legal process, user rights requests, and security obligations. You may withdraw consent at any time. Withdrawal will stop future biometric processing based on that consent, but it will not affect processing that occurred before withdrawal. 7. Sensitive Personal Information AURA may process biometric information that is considered sensitive personal information under California law and special category data under GDPR where used to identify or compare an individual. AURA uses sensitive personal information only for the purposes disclosed in this Notice, the biometric consent flow, and AURA’s Biometric Data Retention and Destruction Policy. AURA does not use sensitive personal information to infer characteristics unrelated to the service you requested. 8. Service Providers and Processors AURA may disclose personal information to service providers and processors that help provide, secure, maintain, or support the service. These may include providers of: cloud infrastructure; image analysis; biometric comparison; data storage; security monitoring; logging; customer support; email delivery; payments; identity verification; privacy request management. AURA requires service providers and processors to process personal information only for authorized purposes and under contractual restrictions. 9. No Sale or Sharing for Cross Context Behavioral Advertising AURA does not sell biometric data. AURA does not sell scan results. AURA does not share biometric data for cross context behavioral advertising. If AURA later engages in activities that qualify as a sale or sharing under California law, AURA will provide the legally required notice and opt out method before doing so. 10. Retention AURA retains personal information only for as long as reasonably necessary for the purposes disclosed in this Notice, the applicable consent flow, AURA’s Biometric Data Retention and Destruction Policy, or as required for legal, security, fraud prevention, audit, or dispute purposes. Current retention rules for the likeness scan are: Nonmember uploaded photo and face template: deleted within 30 days after scan completion. Member uploaded photo and face template: retained only while needed to provide the requested likeness monitoring service, then deleted within 30 days after account closure, consent withdrawal, monitoring disablement, or another applicable deletion trigger. Temporary processing files: targeted for deletion within 72 hours after processing. Public URL results and similarity scores: retained for report access, account functionality, legal review, or user requested services, subject to deletion rights and disclosed retention criteria. Consent, withdrawal, deletion, audit, security, and compliance records: retained as limited records for compliance, fraud prevention, security, legal defense, and regulatory response. AURA follows the shortest applicable legal destruction period where biometric law imposes a stricter rule. 11. Your California Privacy Rights California residents may have the following rights: Right to know what personal information AURA collects, uses, discloses, sells, or shares; Right to access personal information; Right to delete personal information, subject to legal exceptions; Right to correct inaccurate personal information; Right to opt out of sale or sharing of personal information; Right to limit use and disclosure of sensitive personal information; Right to non discrimination for exercising privacy rights; Right to use an authorized agent where permitted by law. To submit a request, email hello@joinauraprotocol.com or use the privacy request form in your account. AURA may need to verify your identity before completing a request. For requests involving biometric data or scan results, AURA may apply heightened verification to protect against unauthorized access or deletion. 12. Your GDPR and UK GDPR Rights Depending on your location, you may have the right to: access your personal data; correct inaccurate personal data; delete your personal data; restrict processing; object to processing; receive a portable copy of your data; withdraw consent; complain to a data protection authority. To exercise these rights, email hello@joinauraprotocol.com or use the privacy request form in your account. 13. Identity Verification for Rights Requests AURA may request information needed to confirm that the person making the request is the person connected to the account, photo, scan, or report. AURA may deny, delay, or limit a request where it cannot reasonably verify identity, where the request appears fraudulent, or where an exception applies. 14. International Transfers AURA may process personal information in the United States and other countries where AURA or its service providers operate. For transfers from the EEA, UK, or Switzerland, AURA will use transfer mechanisms recognized under applicable law where required, such as standard contractual clauses or another lawful transfer mechanism. 15. Security AURA uses administrative, technical, and physical safeguards designed to protect personal information, including biometric data. Safeguards include encryption, access controls, logging, role based permissions, monitoring, and vendor controls. No system can be guaranteed to be perfectly secure. AURA works to reduce risk through layered controls and incident response procedures. 16. Children AURA’s likeness scan is intended for adults at least 18 years old. AURA does not knowingly collect biometric data from minors through this feature. If AURA learns that a minor’s biometric data was submitted, AURA will delete it unless legally required to retain it. 17. Automated Processing AURA uses automated image analysis and biometric comparison to generate similarity scores and possible public URL matches. AURA’s likeness scan does not make employment, credit, housing, insurance, public benefit, or other legally significant decisions about you. Results may contain false positives or false negatives. A result means only that a public image may resemble you. 18. Changes to This Notice AURA may update this Notice from time to time. If AURA materially changes how it collects, uses, discloses, or retains biometric data, AURA will provide updated notice and request updated consent where required by law. 19. Contact AURA Protocol Privacy and Security hello@joinauraprotocol.com