Privacy Policy
Last updated: March 10, 2026
1. Information We Collect
Account Information
- Email address and display name (provided during registration)
- Hashed password (we never store passwords in plaintext)
- Subscription plan and billing status
Usage Data
- Number of API calls, token counts, and model usage per request
- Compression ratios, cache hit rates, and routing decisions
- Cost calculations and savings metrics
Technical Data
- IP address, browser type, and operating system
- Request timestamps and response latency
- Error logs (without prompt content)
2. How We Use Your Information
- Service delivery — to provide, maintain, and improve the AURA platform
- Billing — to process subscriptions and send payment-related notifications
- Usage alerts — to notify you when you approach plan limits or when anomalies are detected
- Analytics — to analyze aggregate, anonymized usage patterns to improve routing algorithms and compression quality
- Support — to respond to your requests and provide technical assistance
3. Data We Do NOT Collect
We take your privacy seriously. AURA explicitly does not:
- Store the content of your prompts or AI model responses
- Sell, rent, or share your personal data with third parties for marketing
- Use your data to train AI models
- Track your activity across other websites
- Build advertising profiles based on your usage
Prompts pass through our compression and routing layer in-memory only and are never persisted to disk or logs.
4. API Keys Storage
When you store API keys for third-party providers (BYOK model):
- Keys are encrypted at rest using AES-256 encryption
- Keys are transmitted only over HTTPS/TLS connections
- Keys are never logged, cached in plaintext, or exposed in error messages
- Keys are decrypted only at the moment of forwarding your request to the provider
- You can view, update, or delete your stored keys at any time from your cabinet
5. Data Sharing
We share data only with the following third parties, strictly as needed to operate the Service:
- Paddle (paddle.com) — payment processing. Paddle receives your email and billing information. See Paddle's Privacy Policy.
- Hosting provider (infrastructure only) — servers process requests in-memory; no prompt data is stored by the provider
We do not share your data with any other third parties. We may disclose information if required by law or to protect our legal rights.
6. Data Retention
- Account data — retained while your account is active, plus 30 days after account deletion to allow for recovery
- Usage metrics — aggregated, anonymized data retained for up to 12 months for analytics purposes
- API keys — deleted immediately upon your request or within 24 hours of account deletion
- Server logs — automatically purged after 14 days
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or other jurisdictions with similar data protection laws, you have the following rights:
- Right to access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to the processing of your data for certain purposes
- Right to restrict processing — request that we limit how we use your data
To exercise any of these rights, contact us at privacy@aura-api.com. We will respond within 30 days.
8. Cookies & Local Storage
- Session cookies — used solely for authentication (JWT tokens). Strictly necessary for the Service to function.
- localStorage — used to store your theme preference (dark/light), language selection, and session tokens
We do not use:
- Third-party tracking cookies
- Advertising or remarketing cookies
- Analytics cookies (e.g., Google Analytics)
9. Security
We implement industry-standard security measures to protect your data:
- HTTPS/TLS for all communications between your browser/client and our servers
- AES-256 encryption for API keys stored at rest
- Bcrypt hashing for passwords — never stored in plaintext
- Rate limiting — protection against brute-force and DDoS attacks
- Regular security reviews and dependency audits
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We encourage you to use strong, unique passwords and to enable any available two-factor authentication.
10. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
- Privacy inquiries: privacy@aura-api.com
- General support: support@aura-api.com
- Website: aura-api.com