PRIVACY POLICY

1. Data Controller

For the purposes of applicable data protection legislation (including, where applicable, the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”)), the data controller of your personal data is:

Cognimit Technologies LLP
Ahmedabad, Gujarat, India
Email: support@tryaurelia.app

References to “Aurelia,” “the Service,” or “the Platform” in this Policy refer to the Aurelia mobile application (available on Android and iOS), the website at tryaurelia.app, hosted public digital card profiles, and all related services, tools, and APIs operated by Cognimit Technologies LLP.

2. Categories of Personal Data Collected

We collect the following categories of personal data, depending on how you interact with the Service:

2.1 Data You Provide Directly

• Account Registration Data: Full name, email address, and authentication credentials (or third-party OAuth tokens when using Google Sign-In).
• Digital Card Profile Data: Professional information you voluntarily publish on your hosted Aurelia profile, including your name, job title, organization, telephone numbers, email addresses, website URLs, social media handles, and a custom tagline.
• Scanned Contact Data: Images of business cards you capture through the app, and the structured contact records derived therefrom (name, role, organization, phone, email, address, social profiles, and any notes or tags you add manually).
• Communications: Any information you include when you contact us for support, submit feedback, or otherwise correspond with us.

2.2 Data Collected Automatically

• Device Information: Device manufacturer and model, operating system type and version, unique device identifiers, and mobile network information.
• Usage Data: Pages visited, features used, time spent on the Service, crash reports, and performance metrics.
• Log Data: Internet Protocol (IP) address, browser type and version, referring/exit pages, and date/time stamps.
• Advertising Identifiers: Where applicable and with your consent, the Android Advertising ID or Apple Identifier for Advertisers (IDFA), used for serving and measuring advertisements on the free tier.

3. Device Permissions

The Aurelia mobile application requests access to specific device capabilities. Each permission is requested at the point of use, with your explicit consent, and is used solely for the stated purpose:

• Camera: Required to capture photographs of physical business cards for Optical Character Recognition (OCR) and AI-based contact extraction. The camera is activated only when you initiate a scan. We do not access the camera in the background, record video, or use it for any purpose other than card scanning.
• Photo Library / Storage: Required to allow you to select existing photographs of business cards from your device gallery for processing, and to select a profile photograph for your digital card. We access only the specific files you select; we do not scan, index, or upload your broader photo library.
• Internet: Required to synchronize your data with our cloud infrastructure, process AI enrichment requests, serve advertisements, and deliver real-time updates.
• NFC (Near Field Communication): Used optionally to write your digital card URL to an NFC tag for contactless sharing. NFC is activated only when you explicitly initiate a write operation.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Performance of a Contract: Processing necessary to provide you with the Service, manage your account, and fulfill subscription obligations.
• Legitimate Interests: Processing necessary for our legitimate interests, including product improvement, fraud prevention, and analytics, provided these interests are not overridden by your data protection rights.
• Consent: Processing based on your freely given, specific, informed, and unambiguous consent, such as the use of advertising identifiers for personalized ads. You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal processes.

5. How We Use Your Information

We use the personal data we collect for the following purposes:

• Service Delivery: To provide, operate, and maintain the core Aurelia features, including OCR card scanning, AI contact enrichment, contact organization, digital card hosting, follow-up reminders, and NFC sharing.
• Public Profile Hosting: To host and render your public digital card at a publicly accessible URL (e.g., tryaurelia.app/u/your-id) when you choose to create and share it.
• Account Administration: To authenticate your identity, process subscription payments, manage billing cycles, and maintain your account settings.
• Communication: To send transactional emails (e.g., welcome emails, password reset confirmations), respond to your support inquiries, and deliver security alerts.
• Product Improvement: To analyze usage patterns, diagnose technical issues, conduct internal research, and develop new features.
• Advertising: To serve advertisements on the free tier of the Service via Google AdMob, and to measure advertising performance.
• Legal Compliance: To comply with applicable laws, enforce our Terms of Use, and protect against fraudulent or unauthorized activity.

6. AI Processing & Third-Party Data Processors

We engage third-party service providers who process personal data on our behalf. These processors are contractually bound to use your data only for the purposes we specify and in accordance with this Policy:

• Artificial Intelligence — Google Gemini (via Firebase AI): For users on Pro and Team plans, scanned card images and extracted text are transmitted to Google's Gemini API for structured extraction and company intelligence enrichment. We have configured our integration to prohibit the use of your personal data for training Google's foundational AI models. Google processes this data as a data processor acting on our instructions.
• Cloud Infrastructure — Google Firebase: We use Google Firebase for user authentication (Firebase Auth), database hosting (Cloud Firestore), file storage (Cloud Storage), serverless backend logic (Cloud Functions), push notifications (Firebase Cloud Messaging), crash reporting (Firebase Crashlytics), and app integrity verification (Firebase App Check).
• Payment Processing: Subscription payments are processed by Apple (App Store), Google (Play Store), and/or third-party payment gateways. We do not receive, process, or store your full credit card number, expiration date, or CVV. Payment data is handled exclusively by the respective payment processor in accordance with PCI-DSS standards.
• Advertising — Google AdMob: The free tier of Aurelia displays advertisements served by Google AdMob. AdMob may collect device identifiers and use cookies or similar technologies to deliver personalized advertisements based on your interests. You may manage your ad preferences or opt out of personalized advertising via your device's privacy settings. For details, see Google's Privacy Policy.

7. Public Profile Visibility

When you create a digital card in Aurelia, the information you add to that card is published at a publicly accessible URL (e.g., tryaurelia.app/u/your-id). This profile is designed to function as a modern digital business card and is intentionally accessible to anyone with the link, QR code, or NFC tag.

Only the data you explicitly add to your digital card is made public. Your privately scanned contacts, notes, tags, and internal account settings are never exposed on your public profile. You may edit or delete your public profile at any time from within the Aurelia app.

8. Data Retention

We retain your personal data for as long as your account remains active and as reasonably necessary to provide the Service. Specific retention periods are as follows:

• Account and Contact Data: Retained for the duration of your active account. Deleted upon account deletion (see Section 9).
• Transaction Records: Retained for a minimum period of 6 years following the transaction date to comply with applicable tax and financial reporting obligations.
• Usage and Analytics Data: Retained in aggregated, anonymized form and is not subject to deletion requests.
• Legal Hold: If your data is subject to a legal hold, regulatory investigation, or dispute, we may retain it beyond the standard retention period as required by law.

9. Account Deletion & Right to Erasure

You may request the permanent deletion of your account and all associated personal data at any time by:

• Using the “Delete Account” feature directly within the Aurelia mobile app (Settings > Delete Account).
• Sending a written request to support@tryaurelia.app.

Upon receiving a valid deletion request, we will permanently erase your personal data from our active systems within 30 calendar days, including your account profile, all scanned contacts, digital cards, and uploaded images. Residual copies in encrypted backup systems will be purged within 90 days. Data that we are legally obligated to retain (e.g., financial transaction records) will be retained for the minimum period required by law and then deleted.

10. Your Privacy Rights

Depending on your jurisdiction, you may be entitled to the following rights under applicable data protection legislation (including the GDPR, CCPA, and India's Digital Personal Data Protection Act):

• Right of Access: To request a copy of the personal data we hold about you.
• Right to Rectification: To request correction of inaccurate or incomplete personal data.
• Right to Erasure: To request deletion of your personal data (see Section 9).
• Right to Restriction: To request that we restrict the processing of your personal data under certain circumstances.
• Right to Data Portability: To receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object: To object to our processing of your personal data for direct marketing or where processing is based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us at support@tryaurelia.app. We will respond within 30 days (or such shorter period as may be required by applicable law). We may request verification of your identity before processing your request.

11. International Data Transfers

Cognimit Technologies LLP is established in India. Your personal data may be transferred to, stored, and processed in India and in other jurisdictions where our service providers (including Google) operate data centers. These jurisdictions may have data protection laws that differ from those in your home country.

Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the European Commission, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission or equivalent mechanisms recognized by applicable law.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS.
• Encryption of data at rest in our cloud infrastructure.
• Strict access controls and role-based authentication for internal systems.
• Regular security audits and dependency vulnerability scanning.
• Automated crash reporting and anomaly detection.

Notwithstanding the foregoing, no method of electronic storage or transmission over the internet is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

13. Children's Privacy

The Service is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect, solicit, or process personal data from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take reasonable steps to delete that data promptly. If you believe that a child under 16 has provided us with personal data, please contact us immediately at support@tryaurelia.app.

14. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals to websites. Due to the lack of an industry-standard interpretation of DNT signals, the Service does not currently respond to such signals. We will update this Policy if a uniform standard is established.

15. Cookies & Tracking Technologies

The Aurelia website (tryaurelia.app) may use essential cookies and similar technologies to enable core functionality such as session management and security. We do not use tracking cookies for behavioral advertising on the website. The mobile application uses Google AdMob (free tier only), which may employ its own tracking technologies as described in Section 6.

16. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our data practices, applicable law, or regulatory guidance. When we make material changes, we will update the “Effective Date” at the top of this page and may provide additional notice through the mobile app, via email, or through a prominent notice on the website. Your continued use of the Service following the posting of an updated Policy constitutes your acceptance of the changes.

17. Contact Information

If you have any questions, concerns, or complaints regarding this Privacy Policy, our data practices, or if you wish to exercise your privacy rights, please contact us:

• Data Protection & Privacy Requests: support@tryaurelia.app
• General & Partnership Enquiries: hello@tryaurelia.app
• Registered Entity: Cognimit Technologies LLP, Ahmedabad, Gujarat, India

If you are located in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.