Privacy Policy
Last updated: 2026-04-15
This Privacy Policy describes what personal data Aura collects, how we use it, and what control you have over it.
1. What we collect
Account data
- Email address, username, password hash (if using email signup) or Google OAuth identifier (if using Google sign-in).
- Account tier, usage counters, age verification timestamp, timezone.
Content you create
- Companion configurations: names, personalities, appearance choices, language preferences, knowledge-base text (for business agents).
- Conversation messages (yours and the AI's replies), images you upload, images the AI generates, extracted memories.
Integration credentials
- If you connect Telegram, we store the bot token you paste (encrypted at rest) and the auto-generated webhook secret.
- If you connect WhatsApp (business agents only), we store phone number ID, business account ID, and access token (encrypted).
Technical data
- IP address, user agent, and request logs for abuse prevention.
- A session cookie (httpOnly, SameSite=Lax) to keep you signed in.
2. How we use it
- To operate the Service — sending your messages to AI models, generating and storing images and replies, routing Telegram / WhatsApp messages to your companions.
- To enforce usage limits per account tier and rate-limit abuse.
- To improve the Service (aggregated, anonymized usage analytics — no conversation content leaves the platform for analytics).
- For billing (when applicable) — processing payments through our payment processor.
We do NOT train AI models on your conversations. Your messages are sent to our self-hosted Qwen and diffusion models for inference only. They are not used for fine-tuning any model.
3. Third-party services
- Cloudflare — DNS, TLS, content delivery.
- Telegram Bot API — only when you explicitly connect a bot. Your messages transit Telegram's infrastructure per their terms.
- Meta / WhatsApp Cloud API — only for business agents that you explicitly connect.
- Payment processor (Stripe, CCBill, or equivalent) — only when you make a purchase. They receive billing information, not chat content.
- Google OAuth — only if you sign in with Google; we receive your email and Google ID.
We self-host the AI models. Your conversations do NOT go to OpenAI, Anthropic, Google, or any third-party AI provider.
4. How long we keep it
- Account data and conversations: while your account is active, plus up to 90 days after deletion for backup safety.
- Payment records: retained per tax law (typically 5-7 years) even after account deletion.
- Generated images and voice (when shipped): same as conversations.
- Audit logs (login events, abuse signals): 12 months.
5. Your rights
Under GDPR (EU), LGPD (Brazil), CCPA (California), and equivalent regimes, you have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Delete your account and associated data ("right to be forgotten").
- Export your data in a portable format.
- Object to specific processing.
Exercise any right by writing to privacy@joinaura.chat. We'll respond within 30 days.
6. International transfers
The Service is operated from [TODO — jurisdiction once legal entity is registered]. If you're located outside that jurisdiction, your data is transferred there for processing. We rely on standard contractual clauses where applicable.
7. Children
The Service is for users aged 18+ only (or the legal age of majority in your jurisdiction). We don't knowingly collect data from minors. If you believe a minor has created an account, contact privacy@joinaura.chat and we'll delete the account.
8. Security
We encrypt secrets (OAuth tokens, bot tokens, access tokens) at rest. Passwords are hashed with bcrypt. Transport is TLS everywhere. We monitor for abuse but make no guarantee of perfect security — breaches can happen, and we'll notify affected users promptly if one occurs.
9. Changes
We will notify you of material changes to this Policy in-app and by email where applicable.
10. Contact
Privacy questions: privacy@joinaura.chat