Privacy Policy
Last updated: May 31, 2026.
This Policy describes how the Aurora Arcana app and service collects, uses, stores, shares, and protects your personal data. It is written to comply simultaneously with the Brazilian General Data Protection Law (LGPD, Lei 13.709/2018), the European General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), and the California Consumer Privacy Act (CCPA/CPRA).
1. Data controller
The controller of personal data processed by Aurora Arcana is:
- Marcos da Silva de Souza (individual, sole proprietor, while incorporation of a legal entity is pending)
- Contact address: provided on formal written request to the email below.
- Contact email: [email protected]
2. Data Protection Officer (DPO)
For now, the Data Protection Officer (DPO) role required by Art. 41 of the LGPD and Art. 37–39 of the GDPR is provisionally exercised by the controller, via:
3. Data we collect
We collect only what's necessary for the app to work.
3.1. Identifiers
- anonId — UUID generated on the device, stored locally. Links your history to the backend without requiring login.
- Name (optional) — if you fill it in under Settings.
- Email (optional) — if you subscribe to Aurora+ or enable account recovery.
3.2. Sensitive data
The data in this subsection is sensitive personal data as defined by Art. 5, II of the LGPD and Art. 9 of the GDPR. It requires specific, explicit consent.
- Birth data used for the natal chart: date, time, city, latitude/longitude, time zone.
- Emotional wellbeing captured by the mood tracker: emoji, energy scale, optional text note.
- Conversations with Aurora: everything you type into the chat, including emotional context.
3.3. Content you create
- Card draws, daily mood, conversations, shared readings, social feed (if you opt in).
3.4. Location
- City of birth: you provide it manually; it's geocoded.
- Current location: only if you turn on astrocartography.
- Country by IP via Cloudflare: used once to pre-mark the country picker; the IP is not stored.
3.5. Device and push
- Push token (APNs/FCM), platform, app version.
3.6. Payment
- Stripe IDs (customer, subscription, payment intent). We do not store card numbers.
3.7. Telemetry
- Minimal and opt-out.
4. Legal basis by purpose
Each purpose has a specific legal basis, per Art. 7 of the LGPD and Art. 6 of the GDPR (and Art. 9 when dealing with sensitive data):
- Operating the app (drawing cards, saving history): performance of contract (LGPD Art. 7, V · GDPR Art. 6(1)(b)).
- Natal chart and chat with Aurora: specific consent (LGPD Art. 7, I and Art. 11, I · GDPR Art. 9(2)(a)).
- Astrocartography and push: consent via OS prompt.
- Country pre-selection by IP: legitimate interest, low risk (LGPD Art. 7, IX · GDPR Art. 6(1)(f)).
- Aurora+ subscription: performance of contract.
- Security and fraud prevention: legitimate interest.
- Tax and judicial obligations: legal obligation.
You can withdraw any consent at any time.
5. Sharing with third parties (processors)
We don't sell your data. We share only with processors strictly necessary, under contract (Art. 33 LGPD / Art. 28 GDPR):
- Stripe — payments and subscriptions (US, under SCC).
- OpenAI — generates Aurora's responses, with
store=falserequired (US, under SCC). - Cloudflare — CDN, reverse proxy, protection (global network, under SCC).
- Apple and Google — distribution, push notifications.
Since the app is operated from Brazil and uses processors in the United States, there is an international transfer, covered by Standard Contractual Clauses (Art. 46 GDPR; Art. 33–36 LGPD).
6. Retention
- Data kept while the account is active.
- After deletion (
DELETE /api/users/me) or uninstall, we hold data for 30 days for payment disputes. - After that period, data is deleted or anonymized.
- Security logs and tax data may be retained for the minimum legal period.
7. Your rights as a data subject
Per Art. 18 of the LGPD and Art. 15–21 of the GDPR, you have the right to:
- Access and portability —
GET /api/users/me/export. - Correction —
PATCH /api/users/meor in Settings. - Deletion —
DELETE /api/users/me. - Anonymization or blocking — by request to the email.
- Withdrawal of consent — in Settings or by email.
- Information about sharing — Section 5.
- Objection to processing based on legitimate interest.
- Complaint to the ANPD (Brazil) or the national authority in the EEA.
We answer requests within 15 days (LGPD) and 30 days (GDPR).
8. Children and teens
Aurora Arcana is not directed at children under 13.
- Brazil: 13–17 year olds require parental or guardian consent (LGPD Art. 14).
- European Union: GDPR Art. 8 — default limit 16 years.
- US: COPPA — collecting personal information from children under 13 is prohibited without verifiable parental consent.
9. Security
- TLS 1.2+ for all traffic.
- Secrets rotated every 90 days.
- Passwords and tokens never in plain text.
- Audit of administrative access.
- Principle of least privilege.
- Pseudonymization in telemetry — the
anonIdis never sent to third parties, including OpenAI.
10. Cookies and local storage
In the app: only strictly necessary technical storage. No tracking, fingerprinting, or behavioral ad SDKs.
On the site: only strictly necessary cookies/localStorage (session and language). No marketing, cross-site analytics, or social network pixels.
11. Artificial Intelligence
The Aurora feature uses OpenAI's gpt-5-nano model:
- Responses are generated statistically — they can contain inaccuracies.
- Content is symbolic. Don't use it for medical, legal, financial, or safety decisions.
- Conversations are not used to train models —
store=falserequired. anonIdis never sent to OpenAI.
11.a. Automated Decisions (Art. 22 GDPR / Art. 20 LGPD)
Aurora generates responses using AI, but no decision with legal effects is taken solely by automated processing. Your readings are symbolic and contemplative. You have the right to human review — write to [email protected] with subject Art. 20 LGPD / Art. 22 GDPR review.
12. California residents (CCPA / CPRA)
If you are a California resident, the CCPA/CPRA grants you specific rights. To exercise them visit Your Privacy Choices or write to [email protected].
13. Changes to this policy
We may update this policy. The version in force is always the one published on this page. Material changes will be communicated in the app before taking effect.
14. Contact
- Email: [email protected]
- ANPD: gov.br/anpd