Law Enforcement Guidelines
Version 2026-05-03
Aura cooperates with valid law-enforcement requests and complies with applicable mandatory reporting laws. This page explains how we handle requests, what data we have, and how to send properly scoped legal process.
Mandatory reports we make
- CSAM: on detection (via automated scanners or human review), we report to NCMEC under 18 USC § 2258A within 24 hours, with content, account, and connection metadata. We also report to equivalent national hotlines for Mexican users (Cybertip México) and other jurisdictions where required.
What data we have
We minimize what we collect (see Privacy Policy). Data we may have on a given account includes:
- Email address, password hash (never plaintext password)
- Display name, handle, bio, avatar
- Account creation timestamp; last login timestamp
- Posts, captions, media, and consent records (with IP/UA at upload time)
- Subscription, tip, and PPV transaction records (including on-chain tx hashes — these are public on the blockchain regardless)
- Wallet address (when connected) and email (when set)
- For creators: KYC reference ID (we do not have the underlying ID image; that is held by our verification provider)
- IP and user-agent of the upload, sign-in (last login), and consent attestation events
We do not have:
- Plaintext passwords (bcrypt hash only)
- Government ID images (held by our verification provider; subpoena them directly)
- Credit card numbers (Aura uses on-chain USDC; no payment instruments touch us)
- Private keys or wallet seed phrases (those are with the user's wallet provider, e.g., Coinbase Smart Wallet uses passkeys)
- Real-time location data or precise device fingerprints
What process we accept
- Subpoena (US): for non-content basic subscriber information (name on file, email, account creation, last login IP), per 18 USC § 2703(c)(2).
- Court order (US): for limited content metadata (e.g., post timestamps) per 18 USC § 2703(d).
- Search warrant (US): for content (post bodies, media, private messages if any).
- Mexican judicial order: for any disclosure of personal data of Mexican users, per the LFPDPPP and the Federal Law on Telecommunications.
- MLAT request from a foreign jurisdiction, routed through the US Department of Justice or the Mexican Attorney General as applicable.
What we will not do
- Disclose user data based on informal requests (phone calls, emails without a legal basis), regardless of urgency claims.
- Disclose content data on a subpoena alone — that requires a court order or warrant.
- Notify the user of a request when we are subject to a non-disclosure order or where notification would impede an active investigation involving CSAM or imminent harm.
- Provide future surveillance / wiretap capabilities. We have no real-time interception infrastructure and will not build one unless compelled by judicial order.
How to send process
Email legal@aura.app with the legal process attached as PDF. Include:
- The full legal document (subpoena, court order, warrant, MLAT)
- Officer name, badge/ID, agency, contact phone for verification
- The Aura account identifier (email, wallet address, handle, post URL, or post UUID)
- The specific data sought and the time range
- Any non-disclosure / preservation requirements
We may verify the requesting officer's identity by contacting their agency through publicly listed channels. We will respond within a reasonable time given the scope; we will triage emergency requests (imminent threat to life) within 24 hours.
Preservation requests
Under 18 USC § 2703(f), US law enforcement may request 90-day data preservation pending a court order. Send to legal@aura.app with subject PRESERVATION REQUEST.
Emergency disclosure
18 USC § 2702(b)(8) and parallel laws permit voluntary disclosure when we believe in good faith there is an emergency involving imminent danger of death or serious physical injury. Send the request via the channel above with subject EMERGENCY and we will treat it as the highest priority. Provide your contact phone for callback verification.
User notification
Our default policy is to notify users when their data is requested by law enforcement, unless prohibited by a court order, gag order, or where notification would create a meaningful risk of harm to the investigation or to another person. We treat each request individually.
Costs
We may charge reasonable cost-recovery fees for compliance with non-emergency requests, per 18 USC § 2706 and similar laws.
Contact
legal@aura.app — primary channel for all law-enforcement matters. PGP key on request.