Privacy Policy and Personal Data Processing

Introduction

Welcome! The confidentiality of your data is a priority for us. This privacy policy explains what personal data the Aurema application collects and processes, how we use it, for what purposes, and what rights you have in relation to this data. We are committed to processing personal data responsibly and in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 (“GDPR”) and applicable national rules.

By using the Aurema application and creating an account, you confirm that you have read and understood this Privacy Policy. We will not use your personal data in a manner inconsistent with the purposes stated in this policy. We will not sell, rent, or disclose personal data to third parties for marketing or advertising purposes without your explicit consent.

If you are visually impaired, have another disability, or need support in other languages, you may access this Privacy Policy by emailing us at support@aurema.app

What Data We Collect and Why

Account and Login Data

When you create an account with Aurema, we ask for your email address and a password. The password is stored in encrypted form through Firebase Authentication.

Purpose: To create and manage your account, allow secure login, and send essential communications about your account.

Legal basis: Performance of a contract—necessary to provide the service in accordance with the Terms and Conditions.

Conversation Content

When you use the AI chat feature, we process the content of the messages you enter. Your messages are securely transmitted to OpenAI GPT-4.1 to generate responses and conversation summaries.

Purpose: To provide personalized responses, create conversation summaries, generate personalized meditations, and store your conversation history.

Legal basis: Performance of the contract; explicit consent for sensitive data. To the extent you disclose information relating to your emotional or mental health, we process this sensitive information only on the basis of your explicit consent.

Sensitive information is treated with a high level of confidentiality: it is processed automatically and is not accessed by the Aurema team unless absolutely necessary (e.g., at your express request for technical support or when required by law).

Generated Personalized Meditations

After each conversation, Aurema offers personalized audio meditation. A summary of your conversation is transmitted to Cartesia AI to produce the audio recording.

Purpose: To provide personalized meditation content tailored to the issues and emotions you expressed.

Legal basis: Contract performance—necessary to provide the personalized mindfulness functionality.

Subscription and Payment Information

We use trusted third-party services (Apple App Store, Google Play Store, and RevenueCat) to manage payments and subscriptions. We do not collect or store sensitive financial details (card numbers, CVV codes) ourselves.

Purpose: To manage your subscription, validate access to premium features, and maintain transaction history for support purposes.

Legal basis: Contract performance—necessary to fulfill our contract with you.

Technical and Application Usage Data

We automatically collect technical data including IP address, device type, operating system, app version, language settings, unique device identifiers, usage session times and durations, event and error logs.

Purpose: To ensure proper functioning and security of the application, detect and prevent unauthorized access, identify and fix technical issues, and understand feature usage.

Legal basis: Our legitimate interest—necessary to maintain integrity, availability, and security of the service.

Sharing Data with Third Parties

In order to provide Aurema services, we collaborate with certain third-party services. Data is only transferred to the extent necessary:

• Firebase (Google LLC): User authentication, database for storing conversations and meditations, infrastructure hosting. Your email, encrypted password, conversation data, and account settings are stored in Firebase databases.
• OpenAI (OpenAI, L.L.C.): Provides AI technology to generate responses and conversation summaries. The content of your messages is sent to OpenAI’s GPT-4.1 model to provide intelligent functionality. According to OpenAI policies, data sent through their API is not used to train general models.
• Cartesia AI: Generates personalized audio meditations. Conversation summaries are sent to create audio content. Cartesia uses the summary exclusively for this purpose.
• RevenueCat: Manages subscriptions and in-app purchases. Receives unique user identifier, subscription information, and purchase transaction status to verify and synchronize subscription status across platforms.
• App Stores (Apple/Google): Process financial transactions directly. We do not access or store your financial details. We only receive confirmation that payment was successful and subscription validity dates.
• Render: Hosts our backend infrastructure. Data may transit through Render servers during application operation.

We also may disclose data if legally required by public authorities, necessary to establish or defend legal claims, or during reorganization/merger/acquisition.

Transfer of Data Outside the EEA

Some of our partners (OpenAI, Google/Firebase, Render, RevenueCat) may process or store data outside the European Economic Area (EEA), particularly in the United States. In all cases of international data transfers, we take appropriate measures to ensure a level of protection similar to that provided in the EU, including implementing Standard Contractual Clauses (SCCs) approved by the European Commission.

Data Retention Period

We retain your personal data only for as long as necessary:

• Account data and conversation/meditation content: Kept for as long as you have an active account. When you delete your account, all associated data will be irreversibly deleted or anonymized.
• Subscription and transaction data: Retained for as long as you have an active subscription and thereafter for periods required by financial and tax legislation (up to 5-10 years).
• Logs and technical data: Retained for short periods (several weeks or months) to allow security incident analysis, then automatically deleted.

Important: Simply uninstalling the app does not delete your account and data from our servers. To delete your data, use the Delete Account option in the application or send us an explicit request.

Personal Data Security

We take the security of your data seriously and have implemented appropriate technical and organizational measures:

• Encrypted communication: All communications use secure protocols (HTTPS/TLS)
• Secure storage: Data stored in secure environments with advanced physical and digital security measures
• Internal control: Strict confidentiality principles, limited access to user data, all access logged
• Testing and updating: Constant updates, security testing, monitoring for suspicious activity

Despite all our efforts, no method of data transmission or storage is 100% secure. In the unlikely event of a security incident, we will act in accordance with our legal obligations and notify you and relevant authorities as required.

Your Rights in Relation to Personal Data

As a data subject under GDPR, you have the following rights:

• Right of access: Obtain confirmation about whether we process your data and access to that data
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure (“right to be forgotten”): Request deletion of your personal data
• Right to restrict processing: Request temporary suspension of data processing in certain cases
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on our legitimate interest
• Right to withdraw consent: Withdraw consent at any time (for processing based on consent)
• Right to lodge a complaint: File a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) in Romania or your local supervisory authority

To exercise these rights, contact us using the details below. We will respond within one month of receipt.

Use by Minors

Aurema is not intended for children under the age of 18. We do not knowingly collect personal data from individuals under this age. If you are under 16, please do not create an account without verified parental consent. If we discover we have collected data from a minor, we will delete it as soon as possible.

Changes to the Privacy Policy

This Privacy Policy may be updated periodically. When we make substantial changes, we will notify you by prominently posting a new version and, if changes are significant, we may send you an email or in-app notification. Each version will be marked with an effective date.

Contact

The controller of your data is TECH FRONTIERS S.R.L., a Romanian company with its registered office at Str. Miron Cristea nr. 10, Copăceni, Ilfov County, 077005, Romania. If you have any questions, concerns, or requests regarding this Privacy Policy or wish to exercise your data protection rights, please contact us:

Thank you for using Aurema and for trusting us to accompany you on your journey of self-reflection and well-being.