Privacy Policy

1. Data Controller

The controller responsible for processing personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Flutter Innovation GmbH

Pappelallee 53, c/o Kleber Puchaski

10437 Berlin

Germany

Email: privacy@aurali.co

Aurali is a digital product operated by Flutter Innovation GmbH.

2. Purpose and Scope of This Policy

This Privacy Policy explains how personal data is processed when you use Aurali, a digital platform for self-directed reflection.

Aurali is designed according to the principles of:

  • data minimisation
  • user control
  • privacy by design
  • purpose limitation

We process personal data only to the extent necessary to provide the Service.

3. Categories of Personal Data

Depending on how you use the Service, we may process the following categories of data:

3.1 Account Data (if applicable)

  • Email address
  • Authentication identifiers
  • Language and basic preferences

3.2 User-Provided Content

  • Text or voice inputs voluntarily provided during reflection sessions
  • Notes or reflections explicitly saved by the user

Important:

Reflection content is processed ephemerally by default and is stored only if you explicitly choose to save it.

3.3 Technical and Usage Data

  • Session timestamps
  • Device and browser information
  • Security-related logs

We do not collect special categories of personal data unless you choose to provide them voluntarily as part of your own reflections.

4. Purposes of Processing

Personal data is processed exclusively for the following purposes:

  • Providing and operating the Aurali Service
  • Enabling reflective sessions and summaries
  • Maintaining account functionality and security
  • Ensuring system reliability and preventing misuse

Aurali does not use personal data for:

  • Advertising
  • Behavioural profiling
  • Marketing
  • Automated decision-making with legal or significant effects

5. Legal Bases for Processing

Processing is carried out in accordance with Article 6 GDPR on the following bases:

  • Article 6(1)(b) GDPR – Performance of a contract (use of the Service)
  • Article 6(1)(a) GDPR – Consent, where applicable
  • Article 6(1)(f) GDPR – Legitimate interests (security, system stability)

Where consent is required, it may be withdrawn at any time.

6. AI Processing and Use of Data

Aurali uses automated systems, including artificial intelligence, to generate reflective prompts and summaries.

6.1 No AI Training on User Data

Personal data and reflection content:

  • Are not used to train general or proprietary AI models
  • Are not reused for improving models outside the individual session context

6.2 Processing Characteristics

  • AI processing is session-based and context-limited
  • Outputs are non-deterministic and ephemeral unless saved by the user
  • The system has no understanding, awareness, or memory beyond its defined scope

7. Data Storage and Retention

Aurali follows a user-controlled retention model:

  • Unsaved reflections are deleted automatically after the session
  • Saved content remains available until deleted by the user
  • Account data is retained only as long as the account remains active

Users may delete their data at any time through the Service or by contacting us.

8. Data Sharing and Processors

We do not sell personal data.

Personal data may be processed by carefully selected service providers (e.g. hosting, infrastructure, technical support) acting as data processors under Article 28 GDPR.

All processors are:

  • Contractually bound
  • Limited to necessary access
  • Subject to confidentiality and security obligations

9. International Data Processing

Some technical services may involve data processing outside the European Union (e.g. infrastructure or development partners).

Where this occurs, appropriate safeguards are implemented, including:

  • Standard Contractual Clauses (SCCs)
  • Access limitations
  • Technical and organisational security measures

10. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit and at rest (where applicable)
  • Access controls and least-privilege principles
  • Monitoring and security audits

No system can guarantee absolute security, but we continuously review and improve our safeguards.

11. Your Rights Under GDPR

You have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectify inaccurate data (Art. 16 GDPR)
  • Delete your data (Art. 17 GDPR)
  • Restrict processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)

Requests can be submitted using the contact details above.

12. Supervisory Authority

You have the right to lodge a complaint with a data protection authority, in particular in:

  • Your country of residence
  • Your place of work
  • Germany (where the controller is established)

13. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes.

The current version is always available within the Service.