Privacy Policy

Your privacy is important to us. Learn how we collect, use, and protect your data.

Effective: December 23, 2024 · Updated: May 6, 2026

About Aura

Aura A.I LLC ("Aura," "we," "us," or "our") is a sales activity tracking and coaching platform that helps sales teams analyze their meeting performance and improve outcomes through data-driven insights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our service.

We take your privacy seriously. If you have any questions, please contact us at privacy@aura-app.ai.

Information We Collect

Account and Authentication Data

When you create an Aura account, we collect information through Clerk, our authentication provider:

  • Email address and identity credentials
  • Full name and optional profile information
  • Organization membership and role
  • Multi-factor authentication (MFA) settings
  • Session tokens and login history
  • Authentication method (password, SSO, OAuth)

Calendar Data (via Nylas Integration)

When you connect your calendar account (Google Calendar, Microsoft Outlook, etc.) through Nylas, Aura accesses:

Calendar Events:

  • Meeting events and metadata (title, time, participants, description)
  • Conference or meeting room information
  • Attendee lists and response status

Meeting Recordings & Transcripts (via Nylas Notetaker):

  • Meeting recordings (video files) when Nylas Notetaker is enabled
  • Meeting transcripts (text files) generated by Nylas Notetaker
  • Participant information and join or leave times
  • Conference session metadata

Note on Google Drive: We do not directly access Google Drive. Meeting recordings and transcripts are provided through Nylas Notetaker.

Booking Page Data

When you use a booking page to schedule a meeting, we collect:

  • Name, email address, and optionally phone number
  • Responses to custom prequalification questions set by the meeting organizer
  • Browser metadata (timezone, user agent) for scheduling purposes
  • Visitor session ID for cross-session identification (with consent)
  • UTM parameters and referral data for marketing attribution (with consent)

What We DON'T Collect

  • Personal emails or email content (except booking-related transactional emails)
  • Documents unrelated to meetings
  • Personal photos or files
  • Browser history or device information (except basic analytics)

Data Architecture and Multi-Tenant Isolation

How Your Data is Stored

All Aura user and organizational data is securely stored in Supabase, a PostgreSQL-based database platform. Aura operates as a multi-tenant platform, meaning multiple organizations use the same infrastructure while remaining completely isolated from each other.

Row Level Security (RLS)

We enforce Row Level Security (RLS) at the database level, which means:

  • Organization-Based Access: Every query is automatically filtered by organization ID, ensuring you can only access your organization's data.
  • Zero-Trust Architecture: The database itself (not application code) enforces access control, making it technically impossible to accidentally expose another organization's data.
  • Cryptographic Separation: Even database administrators cannot view data from other organizations without disabling RLS explicitly.
  • Audit Logging: All data access is logged and can be audited for compliance purposes.

Infrastructure Providers

  • Supabase: PostgreSQL database hosting in the US (AWS N. Virginia region)
  • Vercel: Application hosting and edge network for global access

Both providers are SOC 2 Type II certified for security and reliability.

How We Use Your Data

Primary Use Cases

  • Meeting Analysis: Analyze meeting patterns, duration, and participant engagement.
  • Sales Performance: Classify meetings as sales-related and provide performance insights.
  • Content Processing: Process transcripts to identify key topics, sentiment, and action items.
  • Activity Tracking: Create comprehensive records of sales activities for coaching.

Data Processing

  • Automated Analysis: AI-powered analysis of transcripts for sales insights.
  • Classification: Automatic categorization of meetings (sales calls, demos, follow-ups).
  • Reporting: Generate performance dashboards and coaching recommendations.
  • Storage: Securely store processed insights and metadata (not raw recordings).

Artificial Intelligence Processing

Aura uses AI to analyze meeting transcripts and generate sales insights. We believe in transparency about how AI processes your data.

AI Providers

Meeting transcripts are processed by the following AI providers:

  • Anthropic (Claude): Transcript analysis and insight generation
  • OpenAI (GPT-4): Transcript analysis and insight generation
  • Google (Gemini): Transcript analysis and insight generation

How AI Processes Your Data

  • In-Memory Processing: Transcripts are sent to AI providers via API and processed in-memory. They are not permanently stored by the AI providers.
  • No Model Training: AI providers do not use data sent via their APIs to train their models (per their enterprise API terms).
  • Output Storage: AI-generated insights (summaries, action items, coaching recommendations) are stored in your organization's Aura database.
  • Your Control: Organization administrators can select which AI provider to use or disable AI features entirely.

What AI Analyzes

  • Meeting transcripts (text only, not audio or video)
  • Conversation topics and sentiment
  • Action items and follow-up recommendations
  • Sales performance patterns

AI-generated insights are recommendations only. Aura makes no warranties regarding AI accuracy. You are responsible for reviewing all AI-generated content before using it for business decisions.

Data Security and Storage

Security Measures

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Control: Role-based access with multi-factor authentication required.
  • Infrastructure: Hosted on SOC 2 compliant cloud providers (Vercel, Supabase).
  • Monitoring: 24/7 security monitoring and automated threat detection.
  • Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and Permissions-Policy headers protect against XSS, downgrade attacks, and unauthorized browser API access.
  • PII Redaction: Personal data (emails, phone numbers, names) is automatically redacted from error tracking and application logs.

Data Retention

  • Meeting Metadata: Retained for service duration plus 30 days after account deletion.
  • Recordings or Transcripts: Processed then deleted within 48 hours (insights retained).
  • Analytics Data: Aggregated insights retained for historical reporting.
  • Account Deletion: Complete data purge within 30 days of account termination.

Your Rights and Controls

Universal Rights

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate information.
  • Deletion: Request deletion of your data (subject to legal retention requirements).
  • Portability: Request your data in a portable, machine-readable format.
  • Object: Object to certain types of data processing.

GDPR Rights (European Economic Area)

If you are located in the EEA, UK, or Switzerland, GDPR grants you additional rights including the right to restrict processing and the right to lodge a complaint with your data protection authority.

Geo-Based Consent: We automatically detect visitors from EU/EEA countries using server-side geolocation. Visitors from these regions are shown a GDPR consent checkbox on booking forms and a cookie consent banner before any non-essential tracking is activated. No tracking scripts load until consent is explicitly given (zero-load consent policy).

CCPA/CPRA Rights (California Residents)

If you are a California resident, the CCPA grants you the right to:

  • Know what personal information is collected, used, and shared.
  • Request deletion of personal information collected from you.
  • Opt out of the sale or sharing of personal information.
  • Receive equal service and pricing even if you exercise your rights.
  • Correct inaccurate personal information.

We do not sell your personal information.

Exercising Your Rights

To exercise your rights, email us at privacy@aura-app.ai with your request, including sufficient detail to identify your account. We will respond within 30 to 45 days.

CCPA Categories of Personal Information

In the last 12 months, Aura has collected the following categories of personal information for California residents. Aura does not sell personal information.

| Category | Examples | Collected | Sold or Shared | Source | Retention |
|---|---|---|---|---|---|
| Identifiers | Email, name, IP address | Yes | No | Direct from user | Service duration plus 30 days |
| Commercial information | Booking history, billing records | Yes | No | Service usage | Service duration plus 30 days |
| Internet activity | Page views, UTM parameters | Yes (with consent) | No | Tracking pixels | 13 months |
| Inferences | Lead scoring, qualification status | Yes | No | Derived from usage | Service duration |
| Geolocation (coarse) | Country or region (IP-derived) | Yes | No | Vercel edge | Session only |

Do Not Sell or Share My Personal Information

Under the California Consumer Privacy Act (CCPA) and similar US state privacy laws, you have the right to opt out of the "sale" or "sharing" of your personal information for targeted advertising purposes.

Aura uses tracking technologies (Meta Pixel, HYROS) on public pages that may constitute "sharing" of personal information under these laws. To opt out:

  • Enable Global Privacy Control (GPC) in your browser settings or install a browser extension that supports GPC. Aura automatically honors GPC signals and will not load any tracking scripts when GPC is detected.
  • Email us at privacy@aura-app.ai with the subject "Do Not Sell" and we will process your request within 15 business days.

Opting out will not affect your ability to use Aura's services. We do not sell personal information in the traditional sense (exchanging data for monetary compensation).

Global Privacy Control & Do Not Track

Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) browser signal. When your browser sends a GPC signal, we automatically:

  • Reject all non-essential cookies without showing a consent banner.
  • Prevent loading of advertising and attribution tracking scripts (Meta Pixel, HYROS, Google Tag Manager).
  • Disable visitor session tracking on public pages.

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the GPC signal is treated as a legally binding opt-out request. We do not attempt to override, ignore, or circumvent this signal.

Do Not Track (DNT)

While the older Do Not Track (DNT) browser header lacks a legal framework, we treat it similarly to GPC: if DNT is enabled and no explicit consent has been given, we default to essential-only cookies.

Subprocessors

We work with carefully selected third-party providers to deliver our service. These providers have contractual obligations to protect your data.

What We DON'T Share

  • Raw meeting recordings or transcripts with advertisers or marketers.
  • Individual participant information outside your organization.
  • Personal identifying information for commercial purposes.
  • Data with data brokers, aggregators, or information resellers.

Subprocessor Change Notice

We will notify customers 30 days before adding a new subprocessor that processes customer personal data. Customers may object to a new subprocessor by emailing privacy@aura-app.ai. The current list of subprocessors is maintained on this page; a complete change history is available upon request.

Current Subprocessors

| Provider | Purpose | Location | Security |
|---|---|---|---|
| Clerk Inc. | Authentication | US (AWS) | SOC 2 Type II |
| Supabase Inc. | Database Hosting | US (AWS Virginia) | SOC 2 Type II |
| Vercel Inc. | Application Hosting | Global (US/EU) | SOC 2 Type II |
| Nylas Inc. | Calendar API | US | ISO 27001 |
| Google LLC | Workspace API, OAuth, Gemini AI | US/EU | ISO 27001, SOC 2 |
| Stripe Inc. | Payment Processing | US/Global | PCI-DSS Level 1 |
| PostHog Inc. | Product Analytics & Session Replay | US/EU | SOC 2 Type II |
| Sentry | Error Tracking & Performance | US | SOC 2 Type II |
| Resend Inc. | Transactional Email | US | SOC 2 Type II |
| Anthropic PBC | AI Content Processing (Claude) | US | Enterprise Security |
| OpenAI LP | AI Content Processing (GPT-4) | US | SOC 2 Type II |
| HYROS Inc. | Attribution Tracking | US | Enterprise Security |
| Meta Platforms Inc. | Advertising & Conversion Tracking | US/EU | ISO 27001 |
| Dub.co (Dub Technologies Inc.) | Link Analytics & Referral Attribution | US | SOC 2 Type II |
| Intercom Inc. | Customer Support & Messaging | US/EU | SOC 2 Type II |
| Slack Technologies LLC | Customer-configured event notifications (lead and call lifecycle) | US | SOC 2 Type II |

International Data Transfers

Aura is headquartered in the United States. If you are located in the European Economic Area or another jurisdiction with strict data transfer laws, your data is transferred internationally to our US-based servers. We comply with EU Standard Contractual Clauses (SCCs) for GDPR compliance.

Data Processing Addendum (DPA)

B2B customers may request a Data Processing Addendum (DPA) including EU Standard Contractual Clauses by emailing privacy@aura-app.ai. We use the European Commission's 2021 SCCs (Module 2: Controller-to-Processor).

Google-Specific Commitments

API Services User Data Policy Compliance:

  • Limited Use: Google user data used solely for stated purposes.
  • Human Review: Limited to authorized personnel for debugging or security only.
  • No Reverse Engineering: Will not attempt to extract additional data or capabilities.
  • Scope Minimization: Request only minimum necessary permissions.

Cookies and Tracking Technologies

Cookies are small text files stored on your device that help us remember your preferences and understand how you use Aura. They are essential for authentication, security, and improving your experience.

Geo-Targeted Consent Policy

We use IP-based geolocation (via Vercel's edge network) to determine your jurisdiction and apply the appropriate consent model:

  • GDPR countries (EU/EEA/UK and 45 regulated jurisdictions): No non-essential tracking scripts load until you explicitly accept cookies via the consent banner. No advertising pixels (Meta Pixel, HYROS), no third-party analytics, and no visitor tracking cookies are set before consent.
  • Non-GDPR countries (US, Canada, etc.): Tracking scripts load automatically. You may opt out at any time using the Do Not Sell My Information process above, or by enabling Global Privacy Control (GPC) in your browser.
  • Essential cookies (authentication, security) are always active regardless of jurisdiction.

Cookie Inventory

| Cookie Type | Purpose | Required |
|---|---|---|
| Essential Cookies | Login, session management, security | Required |
| Authentication (Clerk) | Maintain your login session | Required |
| Security Cookies | CSRF protection and attack prevention | Required |
| Analytics (PostHog) | Page views, feature usage, performance | Optional |
| Third-Party (Stripe, Google) | Payments and OAuth | Optional |
| Meta Pixel (Facebook) | Advertising measurement and conversion tracking | Optional |
| HYROS | Attribution and conversion tracking | Optional |
| Dub Analytics | Referral and click attribution | Optional |
| Google Tag Manager | Tag management for analytics scripts | Optional |
| Visitor ID (aura_visitor_id) | Cross-session visitor identification for lead deduplication | Optional |

Most browsers allow you to control cookies through settings. You can delete cookies or disable them, though some features of Aura may not work properly without essential cookies.

Legal Basis for Processing (GDPR)

  • Legitimate Interest: Business analytics and performance improvement.
  • Consent (Art. 6(1)(a)): Processing of personal data submitted via booking forms when consent is explicitly given via the GDPR consent checkbox.
  • Consent: Explicit consent for Google Workspace integration.
  • Contract Performance: Providing sales coaching services as agreed.
  • Legal Obligation: Compliance with applicable laws and regulations.

Children's Privacy

Aura is intended for business use by adults. We do not knowingly collect personal information from children under 16 in the European Economic Area, or under 13 in the United States and other jurisdictions. If you believe we have inadvertently collected such information, contact privacy@aura-app.ai and we will delete it promptly.

Changes to This Policy

We will notify users 30 days before material changes, obtain new consent for expanded data usage, and maintain historical versions of this policy.

Contact Information

Aura A.I LLC

26 Broadway
New York, NY 10004
United States

For questions about this policy: support@aura-app.ai or privacy@aura-app.ai

See also our Terms of Service.


2026 Aura. All rights reserved.

Google Meet is a trademark of Google LLC. Zoom is a trademark of Zoom Video Communications, Inc. Microsoft Teams is a trademark of Microsoft Corporation. Aura is not affiliated with or endorsed by these companies.
