Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• • Account information: email address used for authentication via Apple Sign-In or email-based magic link (one-time password)
• • Profile information: display name, date of birth, gender, gender preferences, city, availability status, and profile prompt answers
• • Photos: profile photos you upload (up to 6 images, JPEG/PNG/WebP format, max 5 MB each), stored in Supabase Storage
• • Messages: text content of messages you send to your matches through in-app chat
• • AI Insights preference: whether you have opted in to AI-powered conversation analysis
• • Support communications: any messages, feedback, or requests you send to our support team

1.2 Information Collected Automatically

• • Location data: approximate location (city-level) derived from device GPS, collected only with your explicit permission via the iOS location prompt. Used solely for matching you with nearby users. We do not collect continuous or precise GPS coordinates.
• • Usage data: app opens, feature interactions, onboarding progress, paywall views, subscription events, and screen flow analytics — collected via PostHog
• • Device information: device model, operating system version, app version, locale, and timezone
• • Crash data: error logs, stack traces, and breadcrumbs collected via Sentry in production builds only
• • Push notification tokens: Apple Push Notification service (APNs) device tokens used to deliver push notifications about new matches, messages, and account activity
• • Aura proximity data: if you enable the Aura feature, Aura collects Bluetooth Low Energy (BLE) and Ultra-Wideband (UWB) signal data to detect proximity to other Aura-enabled users. This data is processed locally on your device for distance estimation and is not transmitted to our servers. Only a binary "proximity event" (confirming two users were near each other) is recorded — never raw BLE/UWB signal data or precise coordinates.

1.3 Information from Third Parties

• • Apple Sign-In: if you authenticate with Apple, we receive your email address (or a private relay address if you choose to hide your email) and a unique user identifier. We do not receive your Apple ID password.
• • RevenueCat (payments): we receive subscription status, purchase history, and plan tier from RevenueCat to determine your subscription level. We do not receive financial information such as credit card numbers, bank accounts, or billing addresses.

2. How We Use Your Information

• • Providing the Service: creating your profile, displaying it to potential matches, facilitating conversations, and delivering push notifications
• • Matching: using your location, gender preferences, availability status, and profile data to suggest compatible matches via the daily profile delivery system
• • AI-Powered Features (opt-in only): analyzing your conversation patterns to generate Conversation Pulse scores, Chemistry Scores, Date Radar timing, coaching tips, green/red flag detection, date suggestions, and monthly personal insights reports
• • Aura proximity matching (opt-in only): detecting nearby Aura-enabled users through BLE and UWB to facilitate real-world discovery. Proximity detection is processed entirely on your device.
• • Subscription management: verifying your subscription tier via RevenueCat and enabling premium features accordingly
• • Analytics and improvement: understanding how users interact with the Service to improve functionality, fix bugs, and develop new features
• • Safety and moderation: reviewing user reports of abusive behavior, enforcing Community Guidelines, detecting prohibited content, and protecting users from harm
• • Communications: sending push notifications about new matches, messages, and important account updates
• • Legal compliance: responding to lawful requests from courts and regulatory authorities, and fulfilling our obligations under applicable law

We do not sell your personal information. We do not use your data for advertising. We do not share your conversations with third parties for their own marketing or commercial purposes.

3. AI Processing: On-Device and Server-Side

Aura uses two distinct categories of artificial intelligence processing. Understanding the difference is important to your privacy:

3.1 On-Device AI (Apple Foundation Models)

Certain AI features run entirely on your device using Apple Foundation Models (Apple Intelligence). When processing occurs on-device:

• • Your data never leaves your device for AI processing
• • No conversation content, photos, or profile data is sent to Apple or any third party for this purpose
• • Processing happens locally using your device's Neural Engine
• • Examples include text analysis, smart suggestions, and natural language understanding features integrated through Apple's on-device APIs

3.2 Server-Side AI (Supabase Edge Functions)

More complex AI features are processed server-side through our Supabase Edge Functions. These include:

• • compute-conversation-insights: analyzes message patterns (frequency, response times, question ratios, topic continuity, message length) to generate Conversation Pulse and Chemistry Scores
• • conversation-coach-tap: provides conversation coaching tips based on observable patterns
• • flag-detector: identifies potential green and red flags in conversation dynamics
• • propose-date: suggests date ideas based on conversation context and user preferences
• • generate-personal-insights: creates monthly personal insights reports summarizing your communication patterns

When server-side AI processing occurs, your conversation data is sent to our Supabase Edge Functions infrastructure. The data is processed in real-time, and only the generated insights are stored in your account. Raw conversation data is not retained by the AI processing pipeline beyond the duration of the request.

3.3 Your AI Consent Rights

• • Explicit opt-in: AI analysis is disabled by default. You must explicitly enable it during onboarding or in your account settings.
• • Transparency: when AI Insights are enabled, both participants in a conversation see a visible indicator so neither party is analyzed without awareness.
• • Scope: AI analyzes observable conversation patterns only. It does not make emotional inferences about other users, read private thoughts, or predict behavior.
• • No message generation: AI never writes, drafts, or suggests messages on your behalf. Every message in every conversation is authored entirely by the user who sent it.
• • Revocable at any time: you can disable AI Insights from your account settings. When disabled, no new analysis is performed on your conversations.
• • Rate-limited: AI processing is capped at 50 calls per user per day to prevent misuse and ensure fair resource allocation.

4. Aura Feature: Bluetooth and UWB Data

Aura is a premium feature that uses Bluetooth Low Energy (BLE) and Ultra-Wideband (UWB) technology to detect proximity to other Aura users who have also enabled Aura. The following data practices apply specifically to Aura:

• • BLE/UWB signals: your device broadcasts and receives short-range wireless signals to estimate distance to nearby Aura-enabled devices. All signal processing occurs on your device. Raw signal data (RSSI values, UWB ranging data) is never transmitted to our servers.
• • Proximity events: when a mutual proximity detection occurs (both users are Aura-enabled and within range), a minimal record is stored — containing only the two user identifiers and a timestamp. No location coordinates or signal strength data is included.
• • Ghost Mode: Aura includes a Ghost Mode that makes you invisible to proximity detection. When Ghost Mode is active, your device does not broadcast BLE/UWB signals and you will not appear in other users' Aura results.
• • Opt-in and revocable: Aura requires explicit activation and Bluetooth/UWB permission grants through iOS system prompts. You can disable Aura at any time from your account settings, which immediately stops all BLE/UWB broadcasting and scanning.
• • Premium only: Aura is available exclusively to paid subscribers, adding an additional layer of accountability.

5. Data Sharing and Third-Party Services

We share your data only with the following categories of service providers, each bound by data processing agreements that limit how they may use your information:

• • Supabase (infrastructure): hosts our database, authentication system, file storage (profile photos), and serverless Edge Functions. Your profile data, messages, photos, and AI-generated insights are stored on Supabase infrastructure. Supabase servers are located in the United States.
• • RevenueCat (payments): manages subscription billing through the Apple App Store. We receive subscription status and tier information. RevenueCat does not receive your profile information, messages, or conversation data.
• • PostHog (analytics): receives anonymized usage events (e.g., "paywall_viewed," "onboarding_completed," "match_created") to help us understand how the Service is used and identify areas for improvement. PostHog does not receive message content, profile details, or photos.
• • Sentry (error tracking): receives crash reports, error logs, and performance data in production builds to help us identify and fix bugs. Sentry does not receive message content, profile photos, or conversation data. Crash reports may include device information and anonymized stack traces.
• • Apple (platform services): provides Sign-In with Apple for authentication, Apple Push Notification service (APNs) for delivering push notifications, and the App Store for subscription payment processing. Apple processes your payment information for subscriptions directly — we do not receive or store your payment details. Apple Foundation Models process data on your device and do not transmit it to Apple.

We do not share your data with data brokers, advertisers, or any third parties not listed above. We do not sell, rent, or trade your personal information under any circumstances.

6. Legal Basis for Processing

We process your personal information on the following legal bases, depending on your jurisdiction:

6.1 Quebec Law 25 (Loi 25 / Bill 64)

As a company headquartered in Quebec, we comply with Quebec's privacy legislation. Under Loi 25:

• • We collect personal information only for serious and legitimate purposes directly related to providing the Service
• • We obtain your express consent before collecting, using, or disclosing sensitive personal information (including AI analysis of conversations, location data, and biometric-adjacent proximity data from Aura)
• • We provide a clear and accessible privacy policy written in plain language
• • We conduct privacy impact assessments for any project involving the acquisition, use, or disclosure of personal information
• • We have designated a Privacy Officer responsible for ensuring compliance (see Section 13)
• • We implement de-identification measures for personal information used for analytics and research purposes
• • We notify affected individuals and the Commission d'acces a l'information du Quebec (CAI) in the event of a confidentiality incident involving personal information

6.2 PIPEDA (Canada)

• • Consent: we obtain meaningful consent for the collection, use, and disclosure of your personal information
• • Purpose limitation: we collect personal information only for identified purposes and do not use it for unrelated purposes without fresh consent
• • Accuracy: we provide tools for you to correct your personal information directly in the app
• • Safeguards: we protect your information with security measures appropriate to the sensitivity of the data

6.3 GDPR (European Economic Area, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, we process your personal data on these bases:

• • Contract performance: processing necessary to provide the Service you signed up for (profile creation, matching, messaging)
• • Consent: AI-powered conversation analysis, location data collection, Aura proximity detection, and push notifications — each of which you explicitly opt in to
• • Legitimate interest: analytics to improve the Service, security monitoring, and fraud prevention
• • Legal obligation: responding to lawful requests from authorities and complying with applicable laws

7. Data Storage, Security, and International Transfers

Your data is stored on Supabase-managed infrastructure located in the United States. We implement the following security measures:

• • All data is encrypted in transit using TLS 1.2 or higher
• • All data is encrypted at rest using AES-256 encryption
• • Authentication tokens are stored on your device using the iOS Keychain, Apple's hardware-backed secure storage
• • Row-level security (RLS) policies ensure users can only access their own data through the API
• • Server-side Edge Functions validate all requests and enforce rate limits
• • Photos are stored in private Supabase Storage buckets with signed URLs for authorized access only

International transfers: since Aura is headquartered in Quebec and our infrastructure is in the United States, your personal information is transferred to the United States for processing. For users in Quebec, this transfer is conducted in compliance with Loi 25's requirements for cross-border data transfers, including ensuring that the receiving jurisdiction provides adequate privacy protection. For EEA users, transfers are governed by standard contractual clauses (SCCs) approved by the European Commission.

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal information:

8.1 Rights Available Directly in the App

• • Access and portability: export a copy of all your personal data in machine-readable JSON format via Account > Export my data. This includes your profile information, messages, matches, AI-generated insights, and account metadata.
• • Rectification: correct any inaccurate profile information directly by editing your profile
• • Erasure (right to be forgotten): permanently delete your account and all associated data via Account > Delete account. Deletion cascades to all profile data, photos (removed from storage), messages, match history, AI-generated insights, date proposals, analytics identifiers, and push notification tokens. This action is immediate and irreversible.
• • Withdraw consent: disable AI Insights at any time via Account settings. Revoke location permission or Bluetooth permission via iOS Settings.

8.2 Additional Rights (Contact Us to Exercise)

• • Object: object to processing based on legitimate interest
• • Restriction: request that we limit processing of your data in certain circumstances
• • De-indexing: under Loi 25, request the de-indexing of links associated with your name from our systems
• • Automated decision-making: request information about any automated decision-making that produces legal effects or similarly significant effects on you. Aura does not currently make any fully automated decisions with legal effect.
• • Complaint: lodge a complaint with the Commission d'acces a l'information du Quebec (CAI) if you are in Quebec, the Office of the Privacy Commissioner of Canada, or your local data protection authority if you are in the EEA

To exercise any right not available directly in the app, contact our Privacy Officer at charlesdotdirect@gmail.com. We will acknowledge your request within 10 business days and respond substantively within 30 calendar days, as required by law.

9. Data Retention

We retain your personal data for as long as your account is active and as needed to provide the Service. Specific retention periods:

• • Account and profile data: retained until you delete your account
• • Messages: retained until you or the other participant deletes their account
• • Photos: stored in Supabase Storage until you remove them or delete your account, at which point the files are permanently deleted from storage
• • AI-generated insights: retained until you disable AI Insights or delete your account
• • Aura proximity events: retained for 90 days, then automatically deleted
• • Moderation reports: retained for 12 months after resolution for safety and legal compliance purposes
• • Analytics data: retained in anonymized, aggregated form. Individual user identity is reset upon sign-out or account deletion, making the data non-identifiable
• • Crash reports: retained by Sentry for 90 days, containing no personally identifiable message or profile content

Account deletion: when you delete your account, all personal data is permanently and irreversibly deleted. This includes profile information, photos (removed from storage), messages, match history, AI-generated insights, date proposals, Aura proximity records, and push notification tokens. Deletion is processed by our delete-account Edge Function and executes immediately as a cascading operation. We retain no backup copies of deleted account data.

10. Children's Privacy

Aura is intended exclusively for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. Age verification is enforced during onboarding through date of birth collection. If we learn that we have collected data from a person under 18, we will delete that data and terminate the account immediately without notice. If you believe an underage person is using Aura, please report them using the in-app report feature or contact us at charlesdotdirect@gmail.com.

11. Cookies and Tracking Technologies

The Aura mobile app does not use cookies. We do not use advertising identifiers (IDFA) and do not engage in cross-app tracking. We have opted out of the App Tracking Transparency (ATT) framework because we do not track users across other apps or websites. Our analytics provider (PostHog) uses anonymous device-level identifiers for first-party analytics only. The Aura website at getpulse.date may use essential cookies required for site functionality; no third-party advertising or tracking cookies are used.

12. Confidentiality Incidents (Data Breaches)

In compliance with Loi 25, if a confidentiality incident (data breach) involving your personal information presents a risk of serious injury, we will: (1) take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature; (2) notify the Commission d'acces a l'information du Quebec (CAI) promptly; and (3) notify you directly with a description of the incident, the personal information involved, the measures taken, and how to contact our Privacy Officer. We maintain an internal register of all confidentiality incidents as required by law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-app notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. The "Effective" date at the top of this page indicates when the policy was last revised.

14. Privacy Officer and Contact Information

In accordance with Loi 25, Aura has designated a Privacy Officer responsible for ensuring compliance with Quebec's privacy legislation. If you have questions about this Privacy Policy, wish to exercise your rights, or have a concern about our data practices, contact us:

If you are not satisfied with our response, you may file a complaint with the Commission d'acces a l'information du Quebec (CAI) at www.cai.gouv.qc.ca or the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.