Legal

Privacy Policy

Effective date: May 10, 2026

This Privacy Policy explains how Auracle ("we", "us", "our") collects, uses, shares, and protects information when you use our Answer Engine Optimization (AEO) platform. It applies to goauracle.com and all related applications and services. By using the Service, you agree to the practices described here.

01 Overview

Auracle is a B2B SaaS platform. Most of the data we process relates to your organization's brands — not to individuals as consumers. We collect the minimum personal data necessary to operate the Service, and we do not sell personal data to third parties.

When you use Auracle, you act as a data controller for the personal data of your team members and brand contacts, and we act as a data processor on your behalf. For data we collect about you directly (your account, billing), we act as a data controller.

02 Data We Collect

We collect data in three ways: data you provide, data generated by your use, and data from third parties.

| Category | Examples | Why collected |
|---|---|---|
| Account data | Email, full name, password (hashed) | Authentication and account management |
| Organization data | Workspace name, plan, billing contact | Service delivery and billing |
| Brand data | Brand name, domain, keywords, competitor names | Running AVI scans and generating insights |
| Usage data | Scan history, AVI scores, feature interactions | Service delivery, analytics, and product improvement |
| Device & log data | IP address, browser type, request timestamps | Security, rate limiting, and debugging |
| Billing data | Subscription plan, renewal date (no card numbers) | Subscription management via Lemon Squeezy |
| Communications | Support emails, in-app feedback | Customer support and product feedback |

We do not knowingly collect sensitive personal data (health information, financial account numbers, government IDs, etc.). Please do not submit such information through the Service.

03 How We Use Data

We use collected data to:

  • Provide, maintain, and improve the Service
  • Execute brand scans across AI answer engines
  • Calculate your AI Visibility Index (AVI) score
  • Generate content briefs, FAQ blocks, and site audit reports
  • Send transactional emails — scan-complete notifications and weekly AVI digests
  • Detect and prevent abuse, fraud, and security threats
  • Enforce our Terms of Service
  • Understand aggregate usage patterns to improve features (using anonymized, non-identifiable data only)
  • Communicate important updates about the Service

We do not use your data for advertising, sell it to data brokers, or use it to train external AI models.

04 Data Sharing

We share data only as necessary to operate the Service:

  • Service providers — We share data with vendors that help us deliver the Service, as described in the table below.
  • Your organization — Other members of your workspace can see brand data, scan results, and AVI scores. Access is governed by the role system (Owner, Admin, Member, Viewer).
  • Legal compliance — We may disclose data where required by law, court order, or government authority.
  • Business transfers — In the event of a merger or acquisition, your data may be transferred with prior notice.

We never sell personal data.

| Vendor | Purpose | Data shared |
|---|---|---|
| Supabase | Database & Auth | Account data, brand data, scan results, AVI scores |
| Lemon Squeezy | Payments | Email, organization name, subscription plan |
| Resend | Email delivery | Email address, brand name, AVI scores (for digest emails) |
| Vercel | Frontend hosting | HTTP request logs (IP, user-agent) |
| Railway | Backend hosting | API request logs (IP, user-agent) |

05 AI Engine Processing

When you trigger a scan, we send prompts containing your brand name, domain, and generated questions to one or more of:

  • Anthropic (Claude)
  • OpenAI (ChatGPT)
  • Google (Gemini)
  • Perplexity

These providers may process and log prompts per their own privacy policies. Prompts contain only publicly available brand information — we do not send personal data about individuals to AI engines.

06 Data Retention

  • Account & organization data — retained for the duration of your account, then deleted within 90 days of closure
  • Brand & scan data — retained for the lifetime of your account; individual scan records may be pruned after 12 months on the Starter tier
  • Billing records — retained for 7 years as required for tax and legal compliance
  • Server logs — retained for up to 90 days for security and debugging purposes

Deletion requests are fulfilled within 30 days, except where retention is required by law.

07 Security

  • Encryption in transit (TLS 1.2+) and at rest
  • Row-level security (RLS) policies on all database tables ensuring multi-tenant data isolation
  • JWT-based authentication with short-lived tokens
  • Rate limiting on all API endpoints to prevent abuse
  • Input validation and sanitization to prevent injection attacks
  • Regular security audits of RLS policies and access controls

In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, as required by applicable law.

08 Cookies & Tracking

  • Essential cookies — Required for authentication (session tokens set by Supabase). Cannot be disabled without breaking the Service.
  • Preference cookies — Store UI preferences (e.g., theme, selected time range on charts).

We do not use advertising cookies or cross-site tracking pixels, and we do not sell cookie data to third parties.

09 Your Rights

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request that inaccurate data be corrected
  • Deletion — Request erasure of your personal data
  • Portability — Request your data in a machine-readable format
  • Objection / Restriction — Object to or restrict certain processing activities
  • Withdraw consent — Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@goauracle.com. We will respond within 30 days.

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority.

10 Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. Contact us at privacy@goauracle.com if you believe we have done so and we will delete it promptly.

11 International Data Transfers

Your data may be transferred to and processed in countries outside your own. Where we transfer personal data from the EEA, UK, or Switzerland, we do so using Standard Contractual Clauses (SCCs) or adequacy decisions approved by the European Commission.

Enterprise customers can request specific data residency configurations — contact us for details.

12 Changes to This Policy

We may update this Privacy Policy from time to time. We will give notice of material changes via email or a prominent in-app notice at least 14 days before they take effect. The "Effective date" at the top shows when this policy was last updated.

13 Contact

Questions or data requests:

Auracle — Privacy Team

Email: privacy@goauracle.com

We aim to respond within 5 business days and fulfill verified data requests within 30 days.

See also our Terms of Service.