Security & Data Handling

Last updated: June 1, 2026

How We Protect Your Data

Encryption at Rest: All face images and personal data are encrypted at rest in Supabase Storage using industry-standard encryption.

Secure Transport: Data in transit is encrypted using TLS 1.3.

Access Control: Only authorized Auraly services can access your data. No human employee has direct access to your face images.

Face Image Handling

Retention: Face images are encrypted and stored for future scan comparison until you delete your Auraly account.

Deletion: You can delete your Auraly account in the app. This removes Auraly profile data, scans, plans, check-ins, and scan images.

AI Service Processing: During a scan, your face image is sent to:

  • ML Kit: Used on device for face landmark detection before upload.
  • OpenAI: Used through a Supabase Edge Function to generate your personalized plan text from your scan and preferences.

Subscription & Billing Security

No Direct Payment Processing: We do not store your credit card or payment details. All billing is handled by RevenueCat, which processes transactions through the App Store and Google Play.

Server-Side Verification: Subscription status is verified server-side using RevenueCat's API on every app launch.

Third-Party Services

  • Supabase: PostgreSQL database and file storage. GDPR-compliant.
  • OpenAI: Personalized plan generation.
  • RevenueCat: Subscription and revenue analytics. PCI-DSS compliant.
  • PostHog: Anonymized analytics. No personal data stored.
  • Sentry: Error tracking and crash reporting. Anonymized, no personal data.

Incident Response

If we become aware of a security breach or incident that affects your data, we will notify you within 72 hours via email and/or in-app notification as required by law.

Questions?

Note for legal review: This document outlines our current security posture and data-handling practices. Update as your infrastructure and vendor relationships evolve.