Information security and privacy are at the heart of what Aura values and promotes as a company. As such, we think it’s important to be transparent about how we handle your information. That level of transparency also makes for a lengthy document, but we’ve tried to make it more readable by organizing it into a logical structure and using plain language.
Aura offers a variety of services, and this policy describes our comprehensive approach to ensuring privacy considerations across all our services. We have some unique approaches to managing data for certain of our products and services. Please refer to “Product Specific Privacy Notices” below for more details.
This policy uses the term “personal data” to refer to information that is related to an identified or identifiable natural person.
Who is Aura?
In this policy, “Aura”, “we”, “us” and “our” refer to the below companies or brands in this section, or the brands listed in the Product Privacy Notices, that are responsible for your data:
- Aura Sub, LLC (a U.S. company)
- Aura Growth GmbH (a Swiss company)
- Get Aura Inc. (a U.S. company)
How Aura handles your information depends on our relationship with you.
Product Privacy Notices
Certain Aura services may process data differently or in additional ways compared to other services that we note in Product Privacy Notices specific to such services, in product documentation, or inside products themselves at places where such information is relevant. Please refer to these Products Privacy Notices to better understand our privacy practices for each product:
- Aura Identity Theft Protection Services
- Aura AntiVirus
- Aura Privacy (fka Figleaf)
- Aura VPN
- Aura Call Protection
1. What Information Do We Collect About You?
This section describes the various types of information we collect from and about you. The information we may collect may differ depending on which product you use.
1.1 Information you provide to us
We and our service providers need to collect certain information about you to provide our services, respond to your requests, and manage your account with us. Where service components go beyond the base service, we provide you with clear choices to decide if you want these additional functions.
- Account information. Some services require or allow you to create an account before you can access them. As part of registering for an account, we may collect information such as your name, username, email address, password and certain other information from you, including if applicable, your Circle account and login information. For our identity protection products, we will also request your Social Security Number and other information.
- Billing and payment information. In order to purchase a service, you may need to provide us with certain details such as billing name, billing contact details (street addresses, email addresses), and payment instrument details.
- Identity verification information. Some services require you to verify your identity as part of creating an account. We may collect information such as email addresses or phone numbers for this purpose.
- Communications and submissions. You may choose to provide us with information you volunteer when you communicate with us (e.g. via email, phone, or chat for support or to inquire about our services), including when you fill out an online form, respond to surveys, provide feedback, post comments to our website, participate in promotions, participate in forums, websites and related information services to share your experiences or discuss technical issues ,or submit information through our services.
- Camera, Photos. You may choose to provide us with images and other information from your device’s camera and photos to further enable us to provide the services. For example, you may provide us with a photo of your driver’s license to monitor your license id number.
- Documents. You may choose to upload documents and other files to our services that are stored on your device.
- Phone Contacts. If you activate our call protection services, we may access the phone numbers in your phone’s contact list to ensure that those numbers are not blocked. We do not capture the names or other contact information associated with the number, and store the information as a cryptographic hash rather than as a plain text number. This information is exclusively used to provide our Services, and is not shared with third parties.
1.2 Information collected automatically when you use our services
- Usage information. We collect information about how you interact with our services, such as how often you use our services, how much bandwidth you use, and when and for how long you use our services.
- Device information. We collect information from and about the device you use to access our services, including about the browsers, Aura apps and if applicable, Circle apps you use to access our services. For example, we may collect device identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers.
- Diagnostic information. We may collect information about the nature of the requests that you make to our servers (such as what is being requested, information about the device and app used to make the request, timestamps, and referring URLs). However, our VPN product does not log any information that associates your identity with your VPN browsing activity. We do not maintain any records that show what you were browsing or accessing through a VPN connection. See the VPN Product Privacy Notice for more information.
- Location information. Unless otherwise expressly stated, we do not collect your location information based on your device’s GPS or other device sensor data. However, we may collect your approximate location by calculating an imprecise latitude and longitude based on your IP address to provide you with better service (e.g. to connect you to the nearest and fastest VPN server).
1.3 Information provided to us by third parties
As part of our services, we can receive information about you from third parties. We take the same level of precautions and transparency of use that we provide for information you provide us directly.
- Referrals. If you are invited to use an Aura service, the person who invited you may submit information about you, such as your email address or other contact information.
- Third Party Accounts. Some services may allow you to register an account using a third-party account (such as a Google or Microsoft account), and in some cases, you may register third party accounts such as your bank accounts or social media accounts with us. If you do so, that third party may send us some information about you that they have. You may be able to control what information they send us via your privacy settings for that third party account.
- Threat Information. We receive information from reputable members of the security industry who provide information to help us to provide, develop, test, and improve our services (for example, lists of malicious URLs, spam blacklists, phone number blacklists, and sample malware). Some of this information may contain personal data on an incidental basis.
- Business Customers. Organizations that use our business and enterprise products may submit personal data to facilitate account management and invite individuals to use those products. We process such information at the direction of such business customers.
- Monitoring Services. For some of our products and services, we will collect publicly available information about you from third parties to provide the extent of disclosures to you. For example, court records, home title, auto title, and dark web scanning.
2. How Do We Use Your Personal Information?
Aura uses your information for the purposes described below. Aura employs internal risk management functions to ensure we continue to only use your information for the purposes we disclose to you and are taking appropriate steps to protect that data from exposure.
- To provide, maintain, troubleshoot, and support our services. We use your personal data for this purpose on the basis that it is required to fulfill our contractual obligations to you. Examples: using information about how much bandwidth you use and how long you use our services in order to provide the services in accordance with a plan to which you have subscribed; using threat and device information to determine whether certain items pose a potential security threat; and using usage information to troubleshoot a problem you report with our services and to ensure the proper functioning of our services.
- For billing and payment purposes. We use your information in order to perform billing administration activities and process payments, which are required to fulfill our contractual obligations.
- To communicate with users and prospective users. We use your information to communicate with you via email, SMS, push notifications or other messaging about the Services or relevant updates, including by responding to your requests, and sending you information and updates about our services. We may do this in order to fulfill our contract with you, because you consented to the communication, or because we have a legitimate interest in providing you with information about our services.
- For measurement, research and analytics, including to develop new services. We have a legitimate interest in using your information for measurement, research and analytics, including to plan for and develop new services. For example, we may analyze certain usage information to understand how users interact with our services and make improvements; we may use customer feedback to understand what new services users may want.
- Aggregated or anonymized data, for any purpose where the information is aggregated or anonymized so that no individual data is directly, or indirectly, identifiable.
- To prevent harm or liability. We may use information for security purposes (such as to investigate security issues or to monitor and prevent fraud) and to prevent abuse. We may do this to comply with our legal obligations, to protect an individual’s vital interests, or because we have a legitimate interest in preventing harm or liability to Aura and our users. For example, we may use account, usage, and device information to determine if an entity is engaging in abusive or unauthorized activity in connection with our services.
- For legal compliance. We internally use your information as required by applicable law, legal process, or regulation. To learn about our practices regarding sharing your information with third parties for legal compliance purposes, see Section 3.1 below. We also use your information to enforce our legal rights and resolve disputes and complaints.
If applicable for the Parental Control Services, Aura or its duly authorized support representatives which may include its affiliate Circle, may need to access your account information in order to troubleshoot, debug, and otherwise offer support and solutions to users. Remote access may be enabled by the user via the App. If you make a support request and wish to limit the level of access for the Parental Control Services in your App or account, you must state those limitations at the time of your support request.
3. Who Do We Share Your Information With and Why?
In some situations, Aura may share your information with third parties who may collect, store, use, process and transfer the data for Aura. Aura employs oversight processes and controls to the secure sharing of data with only trusted parties.
Neither Aura, nor any of the companies that comprise Aura, sell your personal data.
3.1. In General
We may disclose your information in the following circumstances:
- In accordance with your instructions or consent. For example, some services may allow you to register an account using a third-party account (such as a Google or Microsoft account). If you choose to do so, we will share information with the third-party account provider.
- To your business organization (for our business services). If a business customer is providing you with access to our services through a business account, others in that organization may be able to see and manage your account and the information associated with it (such as an administrator).
- For collaborating with others. Some services may provide ways for different users to interact or collaborate with each other. Your information will be shared in connection with those activities if you choose to engage in them.
- Affiliates. We may share your name, email address, and other contact information with our subsidiaries and affiliates including Circle Media Labs, Inc. (“Circle”) or Intersections, LLC dba Pango (“Pango”) to better market our collective products and services to you. We and our affiliated entities may also share information with third-party data controllers where such sharing is legally required, such as with the use of certain cookies and related tracking technologies for compliance with specific geographic laws.
- With our partners. We may provide your personal data to partners to confirm your eligibility for joint or co-branded offers or to communicate and administer such offers (e.g. verify eligibility, assess effectiveness of joint offer, etc.). Our partners are not allowed to use any data including personal data that they receive from us for any purpose except for communicating, evaluating, improving, and administering the offer in question. This will not affect the partner’s ability to use personal data that it may already have obtained from you or other sources. If you do not wish to receive promotional emails from our partners, you can unsubscribe directly using the unsubscribe link or tool provided in the partner’s email or other communication to you.
- Third-party service providers. With the exception of any data collected through your use of our virtual private network where our VPN Product Privacy Notice applies, we may disclose the information we collect to service providers to help us provide some aspects of our services, we work with trusted third parties and partners (including our affiliate companies such as Circle Media Labs, Inc. when they act as our service providers). In cases where we may share your personal data, we enter into appropriate confidentiality and data processing agreements with these third parties, review their security practices, and limit information sharing to the scope of what they are helping us with. Examples of activities that third parties help us with include:
- processing customer payments
- providing analytics about our services to help us understand how the services are being used
- providing sales and customer support
- maintaining the infrastructure required to provide our services
- delivering our marketing and advertising content
- For security research purposes. A sanitized subset of our threat intelligence data may be shared with selected reputable members of the cybersecurity industry for the purpose of security threat research and facilitating community efforts to improve online security.
- In connection with a business transaction. If a substantial corporate transaction occurs, for example changes to ownership or control of all or part of our services, assets, or business, sale of a website, initial public offering, or an investment entity is conducting due diligence in connection with an acquisition or investment, then we may share the personal data we collect in connection with that substantial corporate transaction.
- Aggregated or de-identified data. We may aggregate and de-identify any data we collect and use and share such data so that it no longer reveals the identity of an individual user for regulatory compliance, research and analysis, our own marketing and advertising activities and other legitimate business purposes.
- To comply with legal process and the law. If you use our VPN product, we protect your privacy by ensuring that we do not log or record online activities that you conduct over a VPN connection in any way that can be tied back to you, meaning that we do not have any data to share with law enforcement and government agencies who make requests for information about what you were doing through a VPN connection. Subject to the foregoing, we may share your information if we are required to do so by applicable law; to comply with our legal obligations; to comply with legal process; and to respond to valid law enforcement requests relating to a criminal investigation, or alleged or suspected illegal activity that may expose Aura, you, or any of our other users to legal liability. If we share your information for these purposes, we limit the information shared to what is legally necessary, and challenge information requests that we believe are unlawful, overbroad, or otherwise invalid.
- To enforce our rights and prevent fraud and abuse. We may share limited amounts of your information to enforce and administer our agreements with customers and users, and to respond to claims asserted against Aura. We may also share your information in order to protect against fraud and abuse against Aura, our affiliates, users and others.
4. Tracking Technologies & Cookies
About Tracking Technologies
Aura collects certain information by automated means when you interact with our Services. Like many companies, Aura uses various technologies including “cookies” and related technologies such as pixel tags on our Services to help us collect information, primarily on our websites and in our marketing emails. Our Service Providers (such as analytics providers) may also place cookies and similar technologies on the Services. For convenience, we refer to these as “tracking technologies,” although they are not always used to track individuals.
Tracking technologies include:
- Pixel Tags / Page Tags / Web Beacons / Tracking Links: These are small, hidden images and blocks of code placed in web pages, ads, and our emails that allow us to determine if you perform a specific action. When you access a page, ad, or email, or click a link, these items let us know that you have accessed that page, opened an email, or clicked a link.
- SDKs: SDKs or software development kits are software code provided by our business partners that let our software interact with the services those partners provide. Sometimes these interactions will involve that business partner collecting some information from the device on which the software is run.
- Google Analytics: We use Google Analytics to help us understand how users use our services. Google makes available a Google Analytics Opt Out Browser Add-On if you do not want to participate in Google Analytics.
When you visit Our Site, Aura may view and/or store the IP address of the device you are using. Aura uses this information to determine the general physical location of the device and understand from what regions of the world Our Site’s visitors come from. Aura also may use this information to enhance the Site.
Opt-out of receiving marketing communications from Aura- you may elect for us not to contact you for marketing purposes, by following the instructions in the section below labeled Your Rights with your Personal Data. Some browsers offer a “Do Not Track” (“DNT”) signal whereby you may indicate your preference regarding tracking and cross-site tracking. Aura does not currently recognize or respond to DNT signals.
Securing personal data is an important aspect of protecting privacy. Aura employs a range of administrative, organizational, technical, and physical safeguards designed to protect your data against unauthorized access, loss, or modification. We endeavor to use reasonably available state-of-the-art network and information security standards, protocols and technologies, including encryption, intrusion detection and data loss prevention, and we monitor our systems to ensure that they comply with our security policies.
We implement physical, technical and organizational safeguards to protect your personal data in our custody, both at rest and in transit, and should these measures fail to prevent a data breach, we will promptly take the necessary remedial measures, and we will provide notices as required by applicable law.
If you have any questions about the security of your personal data or the security of our products, or wish to report a potential security issue, please contact email@example.com. When reporting a potential security issue, please describe the matter in as much detail as possible and include any information that might be helpful.
6. International Data Transfers
Aura may transfer your personal data to countries other than the one in which you reside. We do this to facilitate our operations, and transferees include other Aura group companies, service providers, and partners. Laws in other countries may be different to those that apply where you reside. For example, personal data collected within Switzerland, the United Kingdom, or the European Economic Area (EEA) may be transferred and processed outside Switzerland, the United Kingdom, or the EEA for purposes described in this policy. We put in place appropriate safeguards that help to ensure that such data receives an adequate level of protection. These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between us and our business affiliates and associates to which we choose to transfer the information that requires these companies to safeguard personal information they process from the EEA, the UK and Switzerland. You may contact us if you would like more information about such safeguards. We implement similar appropriate safeguards with our third-party service providers and further details can be provided upon request.
If you change your country of residence, the Aura affiliate or company responsible for your data may change accordingly, and your data may be transferred to that other company.
7. Data Retention
Aura generally retains your personal data for as long as is needed to provide the services to you, or for as long as you have an account with us. We may also retain personal data if required by law, or for our legitimate interests, such as abuse detection and prevention, and defending ourselves from legal claims. Residual copies of personal data may be stored in backup systems for a limited period as a security measure to protect against data loss.
8. Your Rights with Your Personal Data
Depending on your country of residence, you may have certain legal rights in relation to your personal data that we maintain. Subject to exceptions and limitations provided by applicable law, these may include the right to:
- access and receive a copy of your personal data we have collected from You or shared in the past 12 months;
- update or correct your personal data if it changes or if you believe that any information that we have collected about you is inaccurate or out-of-date;
- to object to or restrict our use or processing of your personal data;
- Email marketing - unsubscribe to our email list by clicking the link at the bottom of marketing emails.
- SMS marketing - you can reply with the word ‘Stop’ to any SMS in order to unsubscribe
- Tailored advertising using third party cookies - refer to our list of advertising services using cookies here for company-specific choices, or visit http://optout.aboutads.info to exercise an industry-wide opt-out. In addition, you may reject or delete cookies through your browser settings.
- request that we delete or erase your personal data;
- data portability;
- if we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing We conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
- lodge a complaint with a data protection authority;
Please note your rights and choices vary depending upon your location, and some information may be exempt from certain requests under applicable law.
You may be able to exercise some of these rights by submitting your request at https://preferences.aura.com/privacy or by using the settings and tools provided in our services. For example, you may be able to update your user account details via the relevant account settings screen of our apps. You may also be able to opt out from receiving marketing communications from us by clicking an “opt out” or “unsubscribe” link in such communications. Specifically, the GDPR gives users residing in the EU the rights to access, correct, delete, or object to the processing of your personal information. If you are a resident of any EU member country, you may also exercise these rights by submitting your request at https://preferences.aura.com/privacy. For other inquiries, you can contact our Data Protection Officer (DPO). Aura has appointed Bird & Bird DPO Services SRL as a DPO, and may be reached:
- by using the following email: DPO.Aura@twobirds.com
- by mail at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium
For all users, if you wish to exercise any of these rights, you may submit your request at https://preferences.aura.com/privacy or by dialing 1 (844) 914-2991. As permitted by law, we may ask you to verify your identity before taking further action on your request.
9. Legal Basis for Our Processing of Your Personal Data
Under the GDPR, we may only process personal data where we have a sufficient legal basis.
*You expressly authorize and consent to the collection, processing, and sharing of your child’s personal data by adding them to your Family Plan, setting up and by registering their devices with the Parental Control Services and/or creating their profile for the Parental Control Services with us under your account or the Family Plan.
10. Your State Privacy Rights
For additional information and rights available to consumers in certain states, see the U.S. Supplemental Privacy Notice.
11. Technology Licensing
12. Age Restrictions
The administration, configuration and management of the services are not intended for and may not be used by minors. In this context, minors are individuals under the age of 18 or as defined by applicable law. Aura does not knowingly collect personal data from minors when creating or administering our services or allow them to use our services except in certain cases, minors over the age of 13 may use certain of our services but only with the consent of their parent or legal guardian.
In the case of Parental Controls (“Parental Control Services”) offered as part of the Aura subscription, our Parental Control Services are expressly designed for parents to monitor the Internet and mobile activity of their children. As a result, certain personal information related to children’s devices may be accessible by the parent-administrators of the Parental Control Services, as well as Aura in our administration of the Services. This data includes Navigation Information, which are the websites visited or apps used, as well as the times and days allocated to such uses. In some jurisdictions, this information may be deemed ‘personal’ and subject to local laws. Circle does not use Navigation Information for any commercial purpose other than to provide the Services.
Some versions of the Parental Control Services may provide a secure platform for family members to send messages to one another (“Secure Family Messages”). Where these Secure Family Messages include personal information of children under the age of 16, prior consent of the parent or legal guardian of any such children is required. Therefore, when the Secure Family Messages feature is activated by a User, the User shall verify any minor Users under the age of 16 for this feature, and shall provide consent for Aura’s personal information collection practices for children under the age of 16. Failure to provide the necessary and required consent shall be a material breach of this Agreement, and grounds for termination of this Policy and your use of the Services.
If we discover that we have collected personal data from a minor without appropriate consents, we may delete such data without notice. For certain countries, parental consent may be required for processing the personal data of children under the age of 16. In such cases, those under the age of 16 may not use the services without the consent or authorization of their parent or legal guardian. If you believe a minor has provided personal information without parental or guardian consent, the parent or guardian may contact us by emailing us at firstname.lastname@example.org.
14. Contact Us
Aura Sub LLC dba Aura
250 Northern Ave., 3rd Floor, Boston, MA 02210
Aura Growth GmbH
Hansmatt 32, 6370 Stans, Switzerland