Privacy Policy
Last updated: 10 June 2026
1. Who We Are (Data Controller)
AuraDaq ("we", "us") is the controller responsible for your personal data. AuraDaq is an independent project operated by its founder as a sole proprietor in India. For any privacy question, or to exercise your rights, contact us — including our Grievance Officer — at legal@auradaq.com; a postal address is available on request.
This Policy explains what we collect, why, the legal bases we rely on, who we share it with, and the rights you have under laws including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), India's Digital Personal Data Protection Act, 2023 (DPDP Act), Canada's PIPEDA, Brazil's LGPD, and the Australian Privacy Principles (APPs).
2. Data We Collect
When you use AuraDaq, we collect:
- Account: email address, username, signup timestamp.
- Auth: OAuth tokens (Google) managed by Supabase Auth.
- Submissions: event text, source URLs, timestamps, your username.
- Votes: event ID, vote direction, timestamp — linked to your account.
- Usage analytics: page views, sessions (via PostHog, only with your consent).
- Error logs: stack traces, request metadata (via Sentry, no intentional PII).
- IP address: processed transiently for rate-limiting, security, and abuse prevention; not retained beyond a short TTL (max 24 hours).
- Early access: email and your consent record, if you joined the waitlist.
3. Legal Bases for Processing
Under the GDPR and comparable laws we rely on the following legal bases (under the DPDP Act, the corresponding basis is your consent or a permitted "legitimate use"):
- Consent — analytics (PostHog) and waitlist/launch email. You can withdraw consent at any time.
- Performance of a contract — providing your account, authentication, and the core service.
- Legitimate interests — preventing abuse and fraud, rate-limiting, securing the Platform, and diagnosing errors (balanced against your rights).
- Legal obligation — retaining or disclosing data where the law requires.
4. How We Use Your Data
- Account: authentication and session management.
- Submissions & votes: display on the Platform, calculate aura scores.
- Analytics: understand usage patterns and improve the product (consent-based).
- Rate limiting & security: prevent abuse (via Upstash Redis, TTL-based).
- Error tracking: diagnose and fix bugs (via Sentry).
5. Waitlist & Launch Email
If you join the waitlist, we use your email solely to notify you when AuraDaq launches and to send closely related service messages. The legal basis is your consent, given when you tick the boxes on the form (we record the consent and its version). Every email we send includes a one-click unsubscribe link, and you can opt out at any time by emailing legal@auradaq.com. We do not sell your email or use it for third-party advertising.
6. Data Sharing & Sub-processors
We do not sell your personal data. We share data only with the service providers (processors) below, under data-processing agreements, to run the Platform:
- Supabase — database and authentication.
- Vercel — hosting and edge network.
- PostHog — product analytics (consent-based).
- Sentry — error monitoring.
- Upstash — rate limiting (ephemeral, TTL-based).
- Cloudflare — CAPTCHA (Turnstile) and DDoS protection.
We may also disclose data where required by law, to enforce our Terms, or to protect the rights and safety of users and the public.
7. International Data Transfers
Our service providers may store and process data in the United States and other countries outside your own. Where personal data of EU/UK/other protected residents is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU-US / UK-US Data Privacy Framework where the provider is certified. You may request more information about these safeguards by contacting us.
8. Data Retention
- Account data: retained while your account is active.
- Submissions & votes: retained while the account exists and as needed to provide the Platform; removed or anonymized on account deletion, subject to legal-retention needs.
- Waitlist email: retained until launch or until you unsubscribe, whichever is first.
- Rate-limit keys & IP data: auto-expire within 24 hours.
- Analytics events: retained per PostHog's retention policy (1 year on the current tier).
We keep personal data only as long as necessary for the purposes above or to meet legal obligations, then delete or anonymize it.
9. Your Rights (GDPR / UK GDPR)
If you are in the EU, UK, or a comparable regime, you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — have your data deleted ("right to be forgotten").
- Restriction — limit how we process your data.
- Portability — receive your data in a portable, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — at any time, without affecting prior lawful processing.
- Complain — lodge a complaint with your local data protection supervisory authority.
To exercise any right, contact legal@auradaq.com. We respond within the timeframes required by law (generally one month under the GDPR).
10. India (DPDP Act, 2023)
If you are in India, you are a Data Principal. You have the right to access a summary of your personal data, to correction and erasure, to grievance redressal, and to nominate another person to exercise your rights. Contact our Grievance Officer at legal@auradaq.com. If unsatisfied, you may approach the Data Protection Board of India.
11. California (CCPA / CPRA)
If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, to delete it, to correct it, and to opt out of its sale or sharing. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we will not discriminate against you for exercising your rights. To make a request, contact legal@auradaq.com.
12. Analytics & Your Choices
Analytics (PostHog) load only after you grant consent. We do not initialize or capture analytics until you click "Accept analytics" on our consent banner. You can decline at any time using the banner, or change your choice later from your privacy settings. Declining does not affect your ability to use the Platform.
13. Cookies
We use a single strictly-necessary session cookie for authentication (Supabase Auth), which is required to keep you logged in. We do not use advertising or cross-site tracking cookies. PostHog sets a first-party analytics cookie only after you grant analytics consent.
14. Children
AuraDaq is intended only for adults aged 18 and over. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact legal@auradaq.com and we will delete it.
15. Security
All data is encrypted in transit (TLS) and at rest. Row-Level Security is enabled on all database tables. We conduct periodic security reviews. No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard measures.
16. Data Breach Notification
In the event of a personal-data breach that is likely to affect your rights, we will notify the relevant supervisory authority and affected users within the timeframes and in the manner required by applicable law.
17. Changes to This Policy
We may update this Policy from time to time. We will revise the "last updated" date and, for material changes, take reasonable steps to notify you before they take effect.
18. Grievance Officer & Contact
Grievance Officer: AuraDaq's founder, reachable at legal@auradaq.com. General privacy questions: legal@auradaq.com. We acknowledge requests promptly and respond within the timeframes required by applicable law.