AURA — Privacy Policy
Status: DRAFT — interim policy pending counsel review (Davis Wright Tremaine, Week 5–6). Not legal advice. Standard Stripe-Atlas SaaS skeleton with AURA addenda merged at their marked insertion points. [LLC LEGAL NAME] is to be filled in by Felix before public launch.
Last updated: Day 30 (interim draft)
1. Introduction
This Privacy Policy explains what we collect, how we use it, and your rights. It applies to the AURA platform ("the Service").
The data controller during beta is [LLC LEGAL NAME — Felix to fill]. Upon formation of AURA Protocol Inc. (Delaware C-Corporation, expected Week 5–6), controllership and all stored data transfer to AURA Protocol Inc. We will notify you by email before the transfer.
2. Information We Collect
Account data (email, name), profile data you provide, subscription/billing identifiers from our payment processor, and the biometric information described in Addendum A.
ADDENDUM A — Biometric Information
A.1 What. Face images, voice samples, and motion video you submit to build your identity vault, plus the non-reversible embeddings derived from them.
A.2 Processing principle. Where supported, biometric capture is processed on-device; the platform is designed so that raw biometric media is not persisted in unencrypted form on our servers. We retain derived embeddings plus a content-addressed integrity hash, not raw media for reuse.
A.3 Encryption & location. All retained biometric material is encrypted at rest with AWS KMS-managed keys and stored in AWS S3, region `us-west-2` (United States). A hash/IPFS integrity receipt is retained for tamper-evidence.
A.4 Legal basis & purpose. We process biometrics solely to provide the identity-credential, detection, and enforcement services you subscribe to — never for advertising or third-party model training. Processing is on the basis of your explicit consent (and contract performance). You may withdraw consent via a deletion request (Addendum D).
A.5 State biometric laws. We aim to honor applicable biometric-privacy laws including the Illinois Biometric Information Privacy Act (BIPA), Texas CUBI, and Washington HB 1493 — including consent-before-collection and a published retention/destruction schedule (Addendum C).
3. How We Use Information
To provide and operate the Service, process payments, verify identity, perform detection and enforcement at your direction, and communicate with you. We do not sell personal information.
ADDENDUM B — Third-Party Sub-Processors
We share the minimum data necessary with the following processors. Each entry lists the processor, its purpose, and the data shared:
- Stripe — Payments, subscriptions — Email, billing info, customer/subscription IDs
- Persona — Government-ID identity verification — Selfie, ID document, verification result
- Amazon Web Services (S3 + KMS) — Encrypted storage of vault & verified selfie — Encrypted biometric samples, embeddings
- Google Cloud Vision — Web likeness detection — Submitted scan photo, derived match queries
- Resend — Transactional & onboarding email — Email address, name
- Pinata / IPFS — Content-addressed integrity receipts & AIC metadata — Non-PII hashes / CIDs, AIC metadata JSON
- Anthropic — AI agents (onboarding, verification review, licensing, detection triage) — Contextual text; not raw biometrics
- Polygon network — On-chain AIC + estate records (public ledger) — Wallet address, metadata CID (public, immutable)
We do not sell personal information. Blockchain entries are public and immutable by nature; do not treat on-chain data as private.
4. Cookies
We use strictly necessary cookies for authentication and session management. We do not use cross-context behavioral advertising cookies.
5. Security
We use encryption at rest and in transit, KMS-managed keys for biometric material, signed webhooks, and access controls. No system is perfectly secure; we cannot guarantee absolute security.
ADDENDUM C — Data Retention
- Biometric vault & embeddings: retained while your subscription is active and your AIC is in use; destroyed within 90 days of a verified deletion request or account closure, except where an active enforcement matter or legal hold requires retention.
- Persona verification artifacts: retained per identity-verification compliance need, then destroyed on the same 90-day cycle.
- Payment records: retained as required by tax/accounting law (typically 7 years) — these are financial records, not biometrics.
- On-chain AIC/estate data: immutable and cannot be deleted from the blockchain; we can sever the off-chain linkage on request.
ADDENDUM D — Your Rights: GDPR & CCPA/CPRA
D.1 Rights. Subject to GDPR (EEA/UK) and CCPA/CPRA (California), you may request: access, correction, deletion, portability, restriction of processing, and objection. We do not sell or "share" (cross-context behavioral advertising) personal information, so no opt-out of sale is required.
D.2 How to exercise. Email privacy@joinauraprotocol.com (or the in-app data-request control). We verify identity before acting on biometric-deletion requests to prevent malicious deletion.
D.3 Timelines. Acknowledgement within 10 days; substantive response within 30 days (extendable once by 30 days for complex requests, with notice). Biometric destruction completes within the 90-day window in Addendum C.
D.4 On-chain limitation. We will delete off-chain personal data and sever vault linkage, but cannot erase immutable blockchain records. This limitation is disclosed at signup.
D.5 No retaliation / appeals. We will not deny service for exercising privacy rights (beyond functionality that genuinely requires the data). You may appeal a denied request via the same contact.
ADDENDUM E — International Transfers
Data is processed and stored in the United States. For EEA/UK users, transfers rely on Standard Contractual Clauses with our processors. By using the platform you acknowledge processing in the United States.
6. Children
The Service is not directed to children under the age of majority; we do not knowingly collect their data.
7. Changes
We may update this Policy. Material changes will be notified by email or in-app.
8. Contact
Privacy contact: privacy@joinauraprotocol.com. Controller of record: [LLC LEGAL NAME — Felix to fill].