Privacy Policy

How AURA collects, uses, and protects your data

Last updated: March 2026 · Version 1.0

This Privacy Policy explains how AURA ("we", "our", "us") collects, uses, and protects information when you use our chatbot platform.

1. Information We Collect

We collect information you provide when registering and using the platform:

  • Account data: name, email address, workspace name
  • Chatbot content: knowledge base documents you upload, bot configurations, conversation logs
  • Usage data: API call counts, token usage, estimated cost (for your BYOK monitoring)
  • Billing data: subscription plan, invoices (payment processing handled by Stripe)
  • Technical data: IP address, browser type, access timestamps (for security purposes only)

2. How We Use Your Information

  • To provide and improve the AURA platform
  • To process your subscription and send invoices
  • To send transactional emails (magic links, team invitations)
  • To detect abuse and protect the platform
  • To comply with legal obligations

3. API Keys (BYOK — Bring Your Own Key)

We do not share, sell, rent, or otherwise transfer your API keys to any third party.

Your LLM API keys (OpenAI, Anthropic, Groq, etc.) are:

  • Encrypted at rest using AES-256-CBC before storage
  • Never written to logs, error reports, or analytics
  • Only decrypted in memory when making API requests on your behalf
  • Never accessed by AURA staff for any purpose

Tenant responsibility: If your API key is compromised by a third party through means outside of AURA (e.g., key leaked from your own systems), AURA bears no responsibility for unauthorized usage or charges incurred. You should monitor your LLM provider dashboard regularly and rotate keys if you suspect compromise.

4. Data Sharing

We do not sell your personal data to any third party. We do not share customer data with third parties except:

  • Stripe — for payment processing (governed by Stripe's privacy policy)
  • Your chosen LLM providers — your chatbot conversation content is sent to the LLM provider you select (OpenAI, Anthropic, etc.) to generate responses
  • As required by law — in response to valid legal requests

5. Data Retention

  • Conversation logs: retained for 90 days unless you delete them earlier
  • Account data: retained while your subscription is active, then deleted within 30 days of account closure
  • Billing records: retained for 7 years as required by financial regulations
  • API usage logs: retained for 12 months

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Right of access — request a copy of your data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — limit how we process your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests

To exercise these rights, contact us at privacy@aura.bot. We will respond within 30 days.

Data Processing Agreements (DPA) are available on request for EU business customers.

7. International Data Transfers

AURA is hosted on servers in the EU/EEA region. If data is transferred outside the EEA (e.g., to LLM providers in the US), we ensure appropriate safeguards are in place under GDPR Article 46, including standard contractual clauses.

8. California Privacy Rights (CCPA)

California residents have the right to know what personal information is collected, to opt out of the sale of personal information, and to request deletion. AURA does not sell personal information.

9. Cookies

We use strictly necessary session cookies for authentication. We do not use tracking or advertising cookies. See our Cookie Policy for details.

10. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256-CBC encryption at rest for sensitive data, and regular security reviews.

11. Contact

For privacy inquiries: privacy@aura.bot