
Privacy Policy

Version 2026-05-03

Pre-launch draft. Substantive draft prepared for review by counsel under Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), the EU General Data Protection Regulation (GDPR) for visitors from the EEA, the California Consumer Privacy Act (CCPA), and parallel laws.

1. Who is the data controller

The data controller for personal data processed via Aura is the entity identified on our contact page. You can reach our data protection officer at privacy@aura.app.

2. What we collect

Account data (when you sign up)

  • Email address (mandatory for email/password and Google sign-in; optional for Sign-In With Ethereum users)
  • Password hash (bcrypt; we never see your plaintext password)
  • Handle and display name
  • Optional bio, avatar, and banner images
  • Wallet address (when you connect a wallet via SIWE or to subscribe)
  • Country code, where provided or inferred from IP

Age and identity verification

  • If your jurisdiction requires age verification (e.g., Texas HB 1181, UK Online Safety Act 2025), we use a third-party verifier such as Yoti. The verifier returns to us only a yes/no result and an opaque reference ID. We do not see or store your government ID.
  • Creators undergo know-your-customer (KYC) verification for payout eligibility. The same data minimization applies: we store only the result and the reference ID. The verifier's privacy policy applies to the data they collect from you directly.

Content and consent records

  • For each post you publish as a creator, we store the post itself, associated media, and a consent record containing your IP address, user agent, and timestamp at the moment of upload, along with your attestations (AI-generated, no real persons, no celebrities, no minors).

Subscriptions and transactions

  • Records of subscriptions, tips, and pay-per-view unlocks, including on-chain transaction hashes, fan and creator wallet addresses, and split amounts. On-chain data is public by nature; off-chain we store the same data tied to your account ID.

Usage analytics

  • Page views, request paths, response times, broad geographic region (country level), device class. We do not use third-party advertising trackers.
  • Optional: if you accepted analytics cookies, we may aggregate this with first-party usage events (e.g., feature engagement). You can change this preference at any time from the cookie banner or cookie policy page.

Cookies and similar

  • Strictly necessary: session token, age-gate confirmation, security/CSRF cookies. These are set without consent because they are required to provide the Service you requested.
  • Analytics: only if you accept. Stored on your device (localStorage) and our servers (aggregated).
  • We do not use marketing or advertising cookies.

3. What we never collect

  • Plaintext passwords (we hash on submission and discard the plaintext)
  • Credit card or bank account numbers (Aura uses on-chain USDC; we never receive payment instruments)
  • Government ID images (the third-party verifier handles those; we receive only the verification result)
  • Third-party advertising tracker data; we do not use Google Analytics, Meta Pixel, or similar

4. Why we process this data (legal bases)

  • Contract (GDPR Art. 6(1)(b), LFPDPPP Art. 10): account creation, payment processing, subscription delivery
  • Legal obligation (Art. 6(1)(c), LFPDPPP Art. 10 fr. IV): consent records under 18 USC § 2257, takedown response, NCMEC reporting, KYC for payouts
  • Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, analytics on aggregated usage
  • Consent (Art. 6(1)(a), LFPDPPP Art. 8): optional analytics cookies, marketing emails. You can withdraw at any time.

5. How we share data

  • With service providers strictly necessary to operate the Service: Neon (Postgres hosting), Cloudflare R2 (media storage), Resend (email delivery), Yoti (age/identity verification), Coinbase (wallet UX via OnchainKit), Thorn (CSAM scanning). Each is bound by data-processing terms.
  • With law enforcement only when legally compelled (subpoena, court order) or in response to a credible imminent threat to life. See our Law Enforcement Guidelines.
  • With NCMEC and equivalent national hotlines when our scanners detect CSAM, as required by 18 USC § 2258A.
  • We do not sell your personal data. We do not share it with advertisers or data brokers.

6. Where data is stored

Aura is a global Service. We process data primarily in the United States (Neon Postgres in us-east-1, Cloudflare global edge). For EEA visitors, we rely on appropriate safeguards (Standard Contractual Clauses with our sub-processors).

7. How long we retain

  • Account data: while the account is active, plus the legally required retention after deletion (typically 7 years for tax records, 5 years for AML records, longer for 2257-style consent records in jurisdictions where applicable)
  • Consent records: retained indefinitely for legal defense, with PII minimized after content removal
  • Logs and analytics: 12 months
  • Backups: 30 days, after which the original deletion propagates

See our Retention Policy for the full schedule.

8. Your rights

You can exercise the following rights at any time by emailing privacy@aura.app or via the in-app /settings page:

  • Access: a copy of your personal data. The fastest path is the self-serve export at /api/me/export (signed in).
  • Correction (rectification): fix inaccurate data. Most fields you can update directly in /settings.
  • Deletion (erasure): ask us to remove your data. We will delete within 30 days, except where we must retain by law (transaction records, consent records, KYC).
  • Portability: receive your data in a machine-readable format. The export at /api/me/export delivers JSON.
  • Restriction / objection: tell us to stop processing for specific purposes (e.g., analytics).
  • Opt-out of sale (CCPA): we do not sell, but you can confirm this status with us.
  • Withdraw consent: for any processing that relied on consent.

For Mexican users: you have ARCO rights (Acceso, Rectificación, Cancelación, Oposición) under LFPDPPP. We respond within 20 working days. If unsatisfied, you may file a complaint with INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, home.inai.org.mx).

For EEA users: GDPR rights as above. You may also lodge a complaint with your national data protection authority.

For California residents: CCPA rights as above. We do not discriminate against users who exercise rights. You may designate an authorized agent.

9. Security

  • HTTPS for all connections (TLS 1.2+); HTTP is redirected by our reverse proxy.
  • Passwords stored as bcrypt hashes (cost factor 13).
  • Session tokens issued by Auth.js v5; short-lived; httpOnly + secure cookies.
  • Database access scoped to least-privilege roles; backups encrypted at rest by Neon.
  • Content stored in Cloudflare R2 with bucket-level access controls; presigned URLs with short expiry for uploads.
  • Production secrets stored in environment variables managed by the deployment provider; never committed.
  • No third-party advertising or analytics scripts on Aura.

10. Children

Aura is for adults. We do not knowingly collect data from anyone under 18. If we learn that we have inadvertently collected data from a minor, we will delete it. If you believe we have such data, contact privacy@aura.app immediately.

11. International transfers

For EEA-to-US transfers, we rely on Standard Contractual Clauses with our processors. Mexico-to-US transfers are governed by LFPDPPP's data transfer rules; we have adequate-level safeguards in place with each processor.

12. Changes

We may update this Policy. The current version is identified at the top of this page. For material changes, we will notify you in-app and by email (where available) at least 30 days before they take effect.

Contact

Privacy questions: privacy@aura.app. The data protection officer contact required by GDPR/LFPDPPP is available on request.

© 2026 Aura. All depicted persons are fictional and over 18. Records of compliance maintained per our 2257 statement.