Legal

Privacy Policy

Last updated: 2026-05-07

1. Who We Are

[Aura & Archive LLC] ("Aura & Archive," "we," "us," or "our") operates the website at aura-archive.com and provides AI-generated fine art portrait services for adult customers and adults with their pets. We are incorporated in the United States.

This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our website or use our services. It applies to all users regardless of location.

For privacy inquiries, data requests, or complaints, contact us at privacy@aura-archive.com. We respond to all requests within 30 days (or within the shorter timeframe required by applicable law).

2. Information We Collect

We collect personal information in the following categories:

A. Information you provide directly

  • Photos you upload — the source image used to generate your portrait. This may include a facial image of you and/or your pet. See Section 5 (Face Image Data) for the specific disclosures that apply to photos depicting human faces.
  • Account credentials — email address and password (hashed), managed via Supabase Auth.
  • Order and payment information — name, email, shipping address, and payment card details. Card data is processed exclusively by Stripe; we never receive or store raw card numbers.
  • Communications — messages you send us via email or a contact form.

B. Information collected automatically

  • Usage and device data — IP address, browser type and version, operating system, referring URL, pages visited, time on page, and clickstream data. Collected via first-party server logs and, if enabled, PostHog analytics.
  • Session and authentication cookies — strictly necessary cookies set by Supabase to maintain your authenticated session and remember your login state.
  • Visitor region cookie — a visitor_region cookie set by our Next.js middleware at the time of your first visit. This cookie stores a coarse geographic region (e.g., "EU," "US-CA," "OTHER") derived from your IP address and is used solely to determine which privacy disclosures and consent flows to present. It does not contain your IP address, does not track your behavior across sessions, and expires after 365 days.
  • Approximate geolocation — country and state/region derived from IP address at the time of your visit. We do not collect GPS or precise device location.

3. How We Use Your Information (Lawful Bases — GDPR Art. 6)

We process personal information only when we have a recognized legal basis. For users in the European Economic Area (EEA) or United Kingdom, the applicable GDPR Article 6 lawful basis is noted for each purpose.

  • Generating your portrait from the uploaded photo — Contractual necessity (Art. 6(1)(b)); where the photo depicts a human face, also your explicit consent (Art. 9(2)(a)) collected at the point of upload.
  • Processing payments and fulfilling orders Contractual necessity (Art. 6(1)(b)).
  • Sending transactional communications (order confirmations, shipping updates, delivery notifications) — Contractual necessity (Art. 6(1)(b)).
  • Responding to support inquiries Legitimate interest (Art. 6(1)(f)): providing effective customer service.
  • Fraud prevention and security Legitimate interest (Art. 6(1)(f)): protecting the integrity of our service and users.
  • Service analytics and improvement Legitimate interest (Art. 6(1)(f)): understanding aggregate usage patterns to improve performance. Analytics data is not linked to individual orders or portraits.
  • Legal compliance (record-keeping, tax obligations) — Legal obligation (Art. 6(1)(c)).

We do not use personal information for automated decision-making or profiling that produces legal or similarly significant effects on individuals.

4. Your Photos and Generated Portraits

Source photos you upload are stored in encrypted cloud storage (Supabase Storage) and transmitted to OpenAI's API solely to generate your portrait. We do not use your photos to train AI models, and we do not sell, license, or otherwise share your photos with any party other than those listed in Section 6 (Third-Party Processors).

Generated portrait files are stored in your account and retained per the schedule in Section 8 (Data Retention). You may download your purchased portraits at any time from your account, and you may request deletion of all source photos and generated files independently of your account deletion.

5. Face Image Data and Biometric Information

When a source photo depicts a human face, that image constitutes biometric or facial recognition data under some laws (including certain state laws in the United States). The following disclosures apply:

  • What we collect: A photograph containing one or more human faces, uploaded by you for the purpose of generating a stylized portrait.
  • How it is used: The photo is transmitted to OpenAI's image generation API, which processes it to apply an artistic style. We do not extract, create, or store facial geometry data (face templates, faceprints, or biometric identifiers). The output is an artistic rendering, not a biometric record.
  • Consent: By uploading a photo that depicts a human face, you explicitly consent to this processing. You must not upload a photo of another adult without that person's knowledge and express consent.
  • Retention: Source photos containing faces are retained for no longer than 90 days after the associated session is closed or order is fulfilled, whichever is later, unless you maintain an active account. You may request earlier deletion at any time by emailing privacy@aura-archive.com.
  • No sale or third-party disclosure: We do not sell, lease, trade, or profit from face image data. Transmission to OpenAI is solely for fulfillment and is subject to OpenAI's API data processing terms.

6. Third-Party Processors

We share limited personal information with the service providers listed below. Each processor receives only the data necessary for its specific function and is subject to contractual data protection obligations consistent with applicable law.

  • OpenAI, Inc. (San Francisco, CA, USA) — processes uploaded photos via the image generation API to create stylized portrait output. Receives: image file, style prompt. Does not receive your name, email, or payment data. Data processed in the USA; subject to OpenAI's API data processing terms.
  • Stripe, Inc. (San Francisco, CA, USA) — processes payments. Receives: name, email, billing address, and payment card details. Stripe is a PCI-DSS Level 1 certified processor.
  • Supabase, Inc. (San Francisco, CA, USA) — provides authentication, database, and file storage. Receives: account credentials, order metadata, portrait files, source photos. Data stored on AWS infrastructure in the USA (default region).
  • Printful, Inc. (Charlotte, NC, USA) — produces and ships all-over-print apparel (t-shirts, sweatshirts, hoodies). Receives: shipping name and address, print file.
  • Prodigi Group Ltd. (London, UK) — produces and ships prints, framed canvas, phone cases, and mugs. Receives: shipping name and address, print file. Data may be transferred to production facilities in the USA, UK, and EU.
  • Resend, Inc. (San Francisco, CA, USA) — delivers transactional emails (order confirmations, shipping notifications, account emails). Receives: recipient email address and message content.
  • Vercel, Inc. (San Francisco, CA, USA) — hosts and serves the aura-archive.com website and API routes. Receives: all HTTP request data including IP addresses and request headers during transit; server logs retained per Vercel's standard retention schedule.
  • PostHog, Inc. (San Francisco, CA, USA) — product analytics, if enabled. Receives: anonymized event data, page views, and interaction events. PostHog is configured to respect GPC signals and to exclude personal identifiers from event payloads where feasible. Analytics can be disabled via your browser's privacy settings or a GPC-enabled browser extension.

We do not sell personal information to data brokers, identity resolution services, or advertising networks. We do not share personal information for cross-context behavioral advertising.

Note: payment accounts with Stripe and fulfillment accounts with Printful and Prodigi are shared infrastructure across affiliated brands operated by the same owner. Payout consolidation and tax reporting (1099-K) occur at the account level across brands. No personal customer data is shared between brands for marketing or customer-facing purposes.

7. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

  • Strictly necessary cookies — Supabase session and authentication tokens required for the Service to function. These cannot be disabled without breaking core functionality.
  • Functional cookies — the visitor_region cookie (described in Section 2) used to serve the appropriate privacy disclosures. Set by our server-side middleware; does not track behavior.
  • Analytics cookies — set by PostHog if analytics are enabled. Used to count page visits and measure product interactions in aggregate. No advertising or cross-site tracking.

We do not use advertising cookies, third-party tracking pixels, device fingerprinting, or cross-site behavioral tracking of any kind.

Global Privacy Control (GPC): We honor GPC signals transmitted by your browser as a valid opt-out of the sale or sharing of your personal information under CCPA/CPRA. When our middleware detects a GPC signal, analytics collection is suppressed for that session and no data is shared with third parties for behavioral purposes.

8. Data Retention

  • Source photos (face images): Retained for 90 days after session close or order fulfillment, whichever is later. Deleted earlier on request.
  • Generated portrait files: Retained while your account is active. For anonymous sessions, retained for 30 days after session expiry.
  • Account data: Retained until you request account deletion.
  • Order records: Retained for 7 years for financial and legal compliance purposes, even if your account is deleted.
  • Server and access logs: Automatically purged within 30 days.
  • Analytics events: Retained in PostHog for up to 12 months, then automatically deleted per PostHog's data lifecycle settings.

9. International Data Transfers

Our Service is operated from the United States. If you access the Service from the EEA, United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States, which does not have an adequacy decision from the European Commission for all types of processing.

We rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as the transfer mechanism for data flows to our US-based processors. Where processors publish their own SCCs or Binding Corporate Rules, we rely on those instruments as applicable.

Data transferred to Prodigi (UK) for fulfillment is subject to the UK International Data Transfer Agreement (IDTA) or equivalent mechanism under UK GDPR.

10. Your Rights

All users (global baseline):

  • Right to access a copy of the personal information we hold about you (Art. 15 GDPR)
  • Right to correct inaccurate or incomplete data (Art. 16 GDPR)
  • Right to request deletion of your data ("right to be forgotten") (Art. 17 GDPR)
  • Right to receive your data in a structured, machine-readable format (Art. 20 GDPR)
  • Right to restrict processing in certain circumstances (Art. 18 GDPR)

EEA and UK residents (GDPR / UK GDPR — Arts. 15–22):

  • Right to withdraw consent at any time without affecting lawfulness of prior processing
  • Right to object to processing based on legitimate interest (Art. 21)
  • Right not to be subject to solely automated decision-making with legal effects (Art. 22)
  • Right to lodge a complaint with your national Data Protection Authority (DPA)

California residents (CCPA / CPRA):

  • Right to know the categories and specific pieces of personal information collected (§1798.100)
  • Right to know the categories of third parties with whom we share information (§1798.110)
  • Right to delete personal information, subject to exceptions (§1798.105)
  • Right to correct inaccurate personal information (§1798.106)
  • Right to opt out of the sale or sharing of personal information (§1798.120)
  • Right to limit use of sensitive personal information (§1798.121)
  • Right not to receive discriminatory treatment for exercising these rights (§1798.125)
  • GPC signals are honored as an opt-out signal automatically — no further action required

To exercise any right, email privacy@aura-archive.com with the subject line "Privacy Request" and describe your request. We will verify your identity before acting on access, deletion, or portability requests. We will respond within 30 days (45 days for complex GDPR requests; 45 days with one 45-day extension for CCPA requests where notice is provided).

11. CCPA Disclosure: Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the California Consumer Privacy Act (CCPA / CPRA):

  • Identifiers — name, email address, IP address, account ID, cookie identifiers
  • Commercial information — order history, products purchased, transaction amounts
  • Internet or other network activity — pages visited, session events, browser and device data
  • Geolocation data — approximate location (country, state) derived from IP address
  • Visual information — photos you upload for portrait generation
  • Sensitive personal information — photos depicting human faces may constitute biometric data as defined by California law

We have not sold personal information for monetary consideration. We have not shared personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond those necessary to provide the service.

12. Children's Privacy

The Service is directed exclusively to adults aged 18 and older. We do not knowingly collect personal information from any person under 18. Portrait subjects must be adults. If you believe we have inadvertently collected information from or about a minor, please contact us immediately at privacy@aura-archive.com and we will delete that information promptly.

13. Security

We implement technical and organizational measures appropriate to the risk posed by our processing activities, including TLS encryption in transit, AES-256 encryption at rest (Supabase Storage), access controls limiting employee access to personal data, and regular security reviews.

No system is perfectly secure. If you become aware of a potential security issue affecting your data, please notify us immediately at security@aura-archive.com.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and, where required, relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR Art. 33; without unreasonable delay under CCPA).

14. Changes to This Policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify registered users by email at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

Contact and Data Controller

Data Controller: [Aura & Archive LLC], [Address TBD]

Privacy inquiries: privacy@aura-archive.com

Security disclosures: security@aura-archive.com

General inquiries: hello@aura-archive.com

Privacy Policy — Aura & Archive