Last updated: 2026-06-04 · Version 2026-06-04

Privacy policy

Aura AI is a Windows desktop AI chat application. This policy explains, in the format required by GDPR Articles 13 and 14 and UK GDPR, what data we and our processors handle, why, for how long, and what rights you have.

Summary (TL;DR)

  • Aura AI has no user account and no sign-in.
  • Your conversations and settings are stored locally on your device.
  • We do not run advertising, cross-app tracking, or profiling.
  • AuraAI Cloud keeps privacy-first aggregate service metrics. Anonymous product diagnostics are used only to improve Aura AI, are preselected during setup, and can be turned off during setup or anytime in Settings.
  • The only data that leaves your device is the message text you choose to send to an AI provider, plus a random installation identifier used to enforce the free daily quota and Premium unlimited entitlement.
  • If you choose to report inappropriate AI-generated content, Aura AI opens an email to support containing the generated response and your report notes.

1. Data controller

The data controller for AuraAI Cloud is:

Vrygen. Contact: contact@auraai.click.

We have not designated a Data Protection Officer because Aura AI does not meet any of the mandatory criteria of GDPR Article 37. Privacy questions are handled by the controller at the address above.

When you select a third-party AI provider yourself (OpenAI, Anthropic Claude, OpenRouter, Ollama, LM Studio, or any compatible endpoint), that provider acts as an independent data controller for your prompts; Vrygen is not a party to that processing.

2. What data we process, why, and on what legal basis

DataPurposeLegal basis (GDPR Art. 6)Where it lives
Random installation identifier (GUID)Enforce the free daily quota; reconcile Microsoft Store entitlement for Premium unlimited accessPerformance of contract (Art. 6.1.b)Locally + AuraAI Cloud (Supabase)
Chat message text + recent conversation contextGenerate AI responsePerformance of contract (Art. 6.1.b)Sent to the AI provider you selected; not retained by Vrygen
Conversation history & settingsLet you read, search, and resume your own chats on your devicePerformance of contract (Art. 6.1.b)Locally only (%LocalAppData%\Aura AI\chat.db)
API keys you enter (BYO provider)Authenticate against your own AI provider accountPerformance of contract (Art. 6.1.b)Locally only, encrypted with Windows DPAPI
Local diagnostic logsHelp you (or our support) troubleshootLegitimate interest (Art. 6.1.f)Locally only, auto-deleted after 30 days, secret-redacted before write
Aggregated AuraAI Cloud service metricsUnderstand Cloud reliability, free-tier limits, Premium conversion, and abuse pressure without storing prompts or responsesLegitimate interest (Art. 6.1.f)AuraAI Cloud (Supabase), aggregated by day
Optional anonymous diagnostics event names and provider categoryHelp improve Aura AI reliability and product flows. This setup option is preselected by default and can be turned off during setup or anytime in Settings. Provider category means only the broad type, such as AuraAI Cloud, OpenAI, Ollama, LM Studio, OpenRouter, Claude, or OpenAI-compatible.Consent (Art. 6.1.a)AuraAI Cloud (Supabase), aggregated by day
AI content report you choose to sendLet support review inappropriate generated contentLegitimate interest (Art. 6.1.f)Saved locally; sent to support by your email app if you send the report
Microsoft Store entitlement (Premium yes/no)Apply Premium unlimited accessPerformance of contract (Art. 6.1.b)Locally + reported to AuraAI Cloud as a single boolean
Privacy consent timestamp & policy versionDemonstrate consent (GDPR Art. 7)Legal obligation (Art. 6.1.c)Locally in settings.json

We do not process any of the special-category data listed in GDPR Article 9 (health, biometrics, political opinion, etc.) on purpose. If you type such data into a prompt, it will be transmitted to the AI provider you selected. Please do not enter sensitive personal data you would not want to share with them.

3. Who else processes your data (sub-processors)

ProcessorServiceLocationSafeguard for transfer outside EEA
Supabase, Inc.AuraAI Cloud Edge Function + Postgres database (installation row, daily quota counter)United States (project region configurable, currently US-East)Standard Contractual Clauses (EU 2021/914) per the Supabase DPA at supabase.com/legal/dpa
OpenRouter, Inc.Routes AuraAI Cloud requests to the underlying free modelsUnited StatesStandard Contractual Clauses per OpenRouter's terms at openrouter.ai/terms
Microsoft CorporationMicrosoft Store distribution, updates, Premium subscription billing, and Windows speech recognitionMultiple (EU/US, governed by Microsoft Online Services DPA)EU-US Data Privacy Framework + Standard Contractual Clauses

When you select a third-party AI provider yourself, that provider becomes the controller of the prompt you send. Their own privacy policy applies (e.g. OpenAI, Anthropic, OpenRouter, or the local server you run yourself).

4. International data transfers

AuraAI Cloud is hosted on Supabase infrastructure currently located in the United States. OpenRouter is also a US-based service. Sending your prompts to AuraAI Cloud therefore involves a transfer of personal data outside the European Economic Area, justified by the Standard Contractual Clauses listed in section 3 (GDPR Article 46.2(c)).

If you do not want your prompts to leave the EEA, choose a self-hosted provider in Settings → Connection (Ollama or LM Studio on your machine, or any endpoint you trust within the EEA). The App will never send your prompt to AuraAI Cloud when another provider is selected.

5. Retention

DataRetention
Conversations and settings (local DB)Kept on your device until you delete them via Settings → Privacy & data or uninstall the App
Local logsAuto-pruned after 30 days by the App itself
AI content reportsLocal copy remains on your device until you delete it; emailed copies are kept only as long as needed for support and safety review
Installation row on AuraAI CloudKept while your installation is active. You can request deletion at any time (section 7)
Bootstrap rate-limit log (IP + day + count)24 hours rolling, used only to prevent mass registration abuse
Daily quota counterReset every day at 00:00 UTC
Aggregated Cloud metrics and optional diagnostics countersKept as daily aggregate counters; they do not contain prompts, responses, API keys, endpoints, model names, custom provider names, or local chat history
Premium entitlement flagUpdated each time you sign in to the Microsoft Store on this installation

We do not keep your prompts or AI responses on AuraAI Cloud after the request completes.

6. Microphone & voice input

If you press the voice button, Windows transcribes audio locally with Windows Speech Recognition. Depending on your Windows privacy settings, Windows may use its online speech service, in which case the audio is sent to and processed by Microsoft under its terms. Aura AI itself does not record or transmit audio.

You can disable voice input entirely by leaving the button untouched, and you can revoke Aura AI's microphone permission in Windows Settings → Privacy & security → Microphone.

7. Your rights (GDPR Articles 15-22)

You have the right to:

  • Access the personal data we hold about your installation (Art. 15). Open Settings → Privacy & data → "Export all my data" to obtain a JSON copy of every conversation and setting.
  • Data portability (Art. 20). The export above is a machine-readable open JSON format.
  • Rectification (Art. 16). Edit any message via right-click → Edit, or edit your settings directly.
  • Erasure / right to be forgotten (Art. 17). Use "Delete all conversations" or "Erase Aura AI from this device" in the same panel. To remove your installation row from AuraAI Cloud, email contact@auraai.click with the installation identifier shown on that panel.
  • Restriction of processing (Art. 18) and objection (Art. 21). Stop using AuraAI Cloud at any time by switching to a self-hosted provider in Settings → Connection.
  • Withdraw consent at any time, with the same effect as above. Past processing remains lawful.
  • Lodge a complaint with a supervisory authority (Art. 77). In France that is the CNIL. A list of authorities in every EEA country is available at edpb.europa.eu.

We respond to verifiable requests within 30 days (Art. 12.3). Because we do not collect a name or email, we will rely on the installation identifier shown in your Settings → Privacy & data panel to authenticate the request.

8. Security measures (GDPR Art. 32)

  • API keys you enter are encrypted at rest with Windows DPAPI scoped to the current user account.
  • The AuraAI Cloud access and recovery tokens are DPAPI-protected on disk.
  • The OpenRouter key provisioned for your installation is encrypted at rest on AuraAI Cloud with AES-GCM using a server-only signing key.
  • All traffic from the App to AuraAI Cloud is HTTPS-only; the App refuses to send a user-supplied API key over a non-HTTPS endpoint unless the host is on the loopback interface.
  • We rotate signing material and revoke compromised keys when we become aware of a leak.
  • Diagnostic logs scrub well-known secret patterns (sk-..., aura_..., Bearer ..., ?key=...) before writing to disk.

9. Children

The App is not directed to children. We require users to be at least 16 years old in the EEA / United Kingdom and 13 years old elsewhere. If you believe a child has used the App without consent, contact contact@auraai.click and we will erase the corresponding installation row.

10. Cookies & local storage

Aura AI is a native Windows desktop application. It does not use cookies. It stores data locally as documented in this policy. There is no web tracker, fingerprinting, or third-party SDK that drops cookies.

11. Automated decision-making

Aura AI does not make decisions that produce legal or similarly significant effects about you (GDPR Art. 22). AI responses are tools for you to evaluate and act on, not decisions about you.

12. Changes to this policy

If this policy changes, the updated version will be published at the same URL with a new "Last updated" date and a new version identifier. Material changes that affect what we collect or who we share it with will trigger a fresh consent prompt in the App.

13. Contact