Privacy Policy

Aura is a leading provider of digital security products for consumers. This Privacy Policy describes how we process and handle data provided to Aura in connection with your use of our products, services, apps, and websites that link to this policy (we refer to these collectively as our “services”).

Information security and privacy are at the heart of what Aura values and promotes as a company. As such, we think it’s important to be transparent about how we handle your information. That level of transparency also makes for a lengthy document, but we’ve tried to make it more readable by organizing it into a logical structure and using plain language.

Aura offers a variety of services, and this policy describes our comprehensive approach to ensuring privacy considerations across all our services.  We have some unique approaches to managing data for certain of our products and services. Please refer to “Product Specific Privacy Notices” below for more details. 

This policy uses the term “personal data” to refer to information that is related to an identified or identifiable natural person.

In this policy, “Aura”, “we”, “us” and “our” refer to the companies that comprise Aura that are responsible for your data, which may be any of the following entities or their corporate affiliates:

• Intersections Inc. (a U.S. company)
• Pango Inc. (a U.S. company)
• Pango GmbH (a Swiss company)
• Get Aura Inc. (a U.S. company)
  

If you use any of the following products, a different Aura group company is responsible for handling your data in accordance with this policy:

• Betternet LLC (a U.S. company) is responsible for Betternet.
• TouchVPN, Inc. (a U.S. company) is responsible for TouchVPN.

See the Contact Us section below for our contact details or you can email us at privacypolicy@aura.com.

For Aura’s individual customers, we want to make sure you are aware of how we use your personal data in accordance with fair and lawful practices. 

You generally do not have to disclose personal data to us unless you require us to perform certain services for you. However, we need to collect and process certain information that is necessary or legally required in order to provide the services to you or otherwise perform our contractual relationships with you.

Certain Aura services may process data differently or in additional ways compared to other services that we note in Product Privacy Notices specific to such services, in product documentation, or inside products themselves at places where such information is relevant. Please refer to these Products Privacy Notices to better understand our privacy practices for each product:

• Aura Identity Theft Protection Services
• Aura AntiVirus
• ‍Robo Shield
• VPN Products
• Betternet Safe Shopping
• Hotspot Shield Premium Family plan
• Figleaf

Some of Aura’s services are offered to businesses. For those services, our customer is a business or other organization who may authorize individual end users to use the services that it has purchased from us. Where an organization is our customer, it may maintain accounts with Aura through which it and its users may submit information (“Customer Data”). That organization typically controls those accounts and any associated Customer Data. In this case, Aura is generally a processor of Customer Data and the organization is the controller.

This section describes the various types of information we collect from and about you. This information is not collected in all situations, but only in specific situations needed to provide our services. 

For example, our Identity Protection products may collect a significant amount of information about you to help provide our services, but our VPN products only collect a limited amount of information. To understand the context in which collection occurs, see Section 2 (How do we use your information?) and our Product Privacy Notices. More information about some of the mechanisms we use to collect this information, such as cookies, is available in Section 4 (Tracking Technologies & Cookies) and our Cookie Policy.

1.1 Information you provide to us

In order to provide our services, we need information about you to provide those services and manage your account with us.  Where service components go beyond the base service, we provide you with clear choices to decide if you want these additional functions.

• Account information. Some services require or allow you to create an account before you can access them. As part of registering for an account, we may collect information such as your name, username, email address, password and certain other information from you. For our identity protection products, we will also request your Social Security Number and other personal information.
• Billing and payment information. In order to purchase a service, you may need to provide us with certain details such as billing name, billing contact details (street addresses, email addresses), and payment instrument details.
• Identity verification information. Some services require you to verify your identity as part of creating an account to access them. We may collect information such as email addresses or phone numbers for this purpose.
• Communications and submissions. You may choose to provide us with information when you communicate with us (e.g. via email, phone, or chat for support or to inquire about our services), including when you fill out an online form, respond to surveys, provide feedback, post comments to our website, participate in promotions, or submit information through our services.

1.2 Information collected when you use our services

In order to continuously improve the levels of service we provide, we collect information about your use of our services to monitor for problems and look for opportunities to make improvements.

• Usage information. We collect information about how you interact with our services, such as how often you use our services, how much bandwidth you use, and when and for how long you use our services.
• Device information. We collect information from and about the device you use to access our services, including about the browsers and Aura apps you use to access our services. For example, we may collect device identifiers, browser types, device types and settings, operating system versions, mobile, wireless, and other network information (such as internet service provider name, carrier name and signal strength), and application version numbers.
• Diagnostic information. We may collect information about the nature of the requests that you make to our servers (such as what is being requested, information about the device and app used to make the request, timestamps, and referring URLs). However, our VPN products do not log any information that associates your identity with your VPN browsing activity. We do not maintain any records that show what you were browsing or accessing through a VPN connection. See the VPN Products Privacy Notice for more information.
• Location information. Unless otherwise expressly stated, we do not collect your location information based on your device’s GPS or other device sensor data. However, we may collect your approximate location by calculating an imprecise latitude and longitude based on your IP address to provide you with better service (e.g. to connect you to the nearest and fastest VPN server).

1.3 Information provided to us by third parties

As part of our services, we can receive information about you from third parties.  We take the same level of precautions and transparency of use that we provide for information you provide us directly.

• Referrals. If you are invited to use an Aura service, the person who invited you may submit your personal data, such as your email address or other contact information.
• Third Party Accounts. Some services may allow you to register an account using a third-party account (such as a Google or Microsoft account), and in some cases, you may register third party accounts such as your bank accounts or social media accounts with us. If you do so, that third party may send us some information about you that they have. You may be able to control what information they send us via your privacy settings for that third party account.
• Threat Information. We receive information from reputable members of the security industry who provide information to help us to provide, develop, test, and improve our services (for example, lists of malicious URLs, spam blacklists, phone number blacklists, and sample malware). Some of this information may contain personal data on an incidental basis.
• Business Customers. Organizations that use our business and enterprise products may submit personal data to facilitate account management and invite individuals to use those products.
• Monitoring Services. For some of our products and services, we will collect publicly available information about you from third parties to provide the extent of disclosures to you. For eg court records, home title and dark web scanning. 

Aura uses personal information to provide our services for the purposes described below. Aura employs internal risk management functions to ensure we continue to only use your information for the purposes we disclose to you and are taking appropriate steps to protect that data from exposure. 

• To provide, maintain, troubleshoot, and support our services. We use your information for this purpose on the basis that it is required to fulfill our contractual obligations to you. Examples: using information about how much bandwidth you use and how long you use our services in order to provide the services in accordance with a plan to which you have subscribed; using threat and device information to determine whether certain items pose a potential security threat; and using usage information to troubleshoot a problem you report with our services and to ensure the proper functioning of our services.
• For billing and payment purposes. We use your information in order to perform billing administration activities and process payments, which are required to fulfill our contractual obligations.
• To communicate with users and prospective users. We use your information to communicate with you, including by responding to your requests, and sending you information and updates about our services. We may do this in order to fulfill our contract with you, because you consented to the communication, or because we have a legitimate interest in providing you with information about our services.
• To improve our services. We want to offer you the best services and user experiences we can, so we have a legitimate interest in continually improving and optimizing our services. To do so, we use your information to understand how users interact with our services. Examples: we analyze certain usage, device, and diagnostic information to understand aggregated usage trends and user engagement with our services (and, for example, invest in technical infrastructure to better serve regions with increasing user demand); we may use device and threat information to conduct spam, threat, and other scientific research to improve our threat detection capabilities; we review customer feedback to understand what we could be doing better.
• To develop new services. We have a legitimate interest in using your information to plan for and develop new services. For example, we may use customer feedback to understand what new services users may want.
• To market and advertise our services. We may use your information to provide, measure, personalize, and enhance our advertising and marketing based on our legitimate interest in offering you services that may be of interest. Examples: we may use information such as who or what referred you to our services to understand how effective our advertising is; we may use information to administer promotional activities such as sweepstakes and referral programs. Note that our VPN products do not use your VPN browsing activity for these purposes and we do not maintain any records that show what you were browsing or accessing through a VPN connection.
• To prevent harm or liability. We may use information for security purposes (such as to investigate security issues or to monitor and prevent fraud) and to prevent abuse. We may do this to comply with our legal obligations, to protect an individual’s vital interests, or because we have a legitimate interest in preventing harm or liability to Aura and our users. For example, we may use account, usage, and device information to determine if an entity is engaging in abusive or unauthorized activity in connection with our services.
• For legal compliance. We internally use your information as required by applicable law, legal process, or regulation. To learn about our practices regarding sharing your information with third parties for legal compliance purposes, see Section 3.1 below. We also use your information to enforce our legal rights and resolve disputes.

In some situations, Aura may share your information with third parties who may collect, store, use, process and transfer the data for Aura. Aura employs oversight processes and controls to the secure sharing of data with only trusted parties.

Neither Aura, nor any of the companies that comprise Aura, sell your personal information (except if you utilize our free products).

3.1. In General

We may disclose your information in the following circumstances:

• In accordance with your instructions or consent. For example, some services may allow you to register an account using a third-party account (such as a Google or Microsoft account). If you choose to do so, we will share information with the third-party account provider.
• To your business organization (for our business services). If a business customer is providing you with access to our services through a business account, others in that organization may be able to see and manage your account and the information associated with it (such as an administrator).
• For collaborating with others. Some services may provide ways for different users to interact or collaborate with each other. Your information will be shared in connection with those activities if you choose to engage in them.
• Affiliates and third-party service providers. To help us provide some aspects of our services, we work with trusted third parties and partners (including affiliated companies in the Aura group). To protect your data, we enter into appropriate confidentiality and data processing terms with these third parties, review their security practices, and limit information sharing to the scope of what they are helping us with. Examples of activities that third parties help us with include:

• processing customer payments
• providing analytics about our services
• providing sales and customer support
• maintaining the infrastructure required to provide our services
• delivering our marketing and advertising content

• For security research purposes. A sanitized subset of our threat intelligence data may be shared with selected reputable members of the cybersecurity industry for the purpose of security threat research and facilitating community efforts to improve online security.
• In connection with an acquisition or investment. If ownership or control of all or part of our services, assets, or business changes or an investment entity conducting due diligence in connection with an acquisition or investment, we may transfer certain information to the new owner.
• Aggregated or de-identified data. We may use and share aggregated data and data that is de-identified such that it no longer reveals the identity of an individual user for regulatory compliance, research and analysis, our own marketing and advertising activities and other legitimate business purposes.
• To comply with legal process and the law.  If you use our VPN products, we protect your privacy by ensuring that we do not log or record online activities that you conduct over a VPN connection in any way that can be tied back to you, meaning that we do not have any data to share with law enforcement and government agencies who make requests for information about what you were doing through a VPN connection. Subject to the foregoing, we may share your information if we are required to do so by applicable law; to comply with our legal obligations; to comply with legal process; and to respond to valid law enforcement requests relating to a criminal investigation, or alleged or suspected illegal activity that may expose Aura, you, or any of our other users to legal liability. If we share your information for these purposes, we limit the information shared to what is legally necessary, and challenge information requests that we believe are unlawful, overbroad, or otherwise invalid.
• To enforce our rights and prevent fraud and abuse. We may share limited amounts of your information to enforce and administer our agreements with customers and users, and to respond to claims asserted against Aura. We may also share your information in order to protect against fraud and abuse against Aura, our affiliates, users and others.

3.2. Products Provided Free of Charge

Aura offers some products for free, with no charge to you at all.  For these products, we do help cover the costs of providing these services by displaying ads in certain regions for which we receive compensation for from advertisers.  We do not display third party ads in our paid products.

Displaying Ads.  With respect to our free mobile apps and other free products, we may serve ads to users in certain regions. Although the money we make from displaying these ads offsets only part of the costs of making these apps and services available for free, we provide free apps because we believe it’s important that everyone has the opportunity, regardless of their situation, to have secure and private access to the internet.

The ads we display in our services are supplied either by advertisers or affiliate networks we have relationships with, or by Google, or other third-party advertising networks (“third-party ad networks”). To display these ads in our apps, we may integrate into them a software development kit (SDK), which consists of software code provided by a third party, such as an ad network.

We do not provide third-party ad networks with any personal data about you, except for an approximate city-level latitude and longitude which lets them show ads which are more relevant for your approximate geographic location. However, third-party ad networks may collect information through their SDKs, such as your mobile advertising identifier, IP address, and device information, for the purpose of serving you with “personalized” ads (ads that they think are more relevant to you) and measuring your response to those ads. If you are using a VPN connection, your IP address is hidden from ad networks and replaced with the IP address of our VPN servers. Because we do not provide ad networks with personal data about you (apart from city-level location), third-party ad networks personalizes ads based on information that they collect from you and that they already have about you - not based on information we share with them.

Google collects this information according to the Google advertising privacy notice. Where an AdChoices logo appears on an ad, you can click it to learn more about the ad network that provided the ad, its privacy policy, and your choices regarding opting out from any personalized advertising. If you opt out from personalized advertising, you may still see non-personalized ads.

While we request you not to use ad blockers to prevent the display of ads because that is how we support our free services, our services are able to continue functioning if you do use ad blockers.

About Tracking Technologies

Aura uses various technologies in our services to help us collect information, primarily on our websites and in our marketing emails. For convenience, we refer to these as “tracking technologies,” although they are not always used to track individuals and the information collected is in a non-identifiable form that does not reference any personal data. 

Tracking technologies include:

• Cookies: Cookies are small portions of text that are stored on the device you use to access our services. Cookies enable us (or third parties that we allow to set cookies on your device) to recognize repeat users. Cookies may expire after a period of time, depending on what they are used for. Please see our Cookie Policy for more details.
• Pixel Tags / Page Tags / Web Beacons / Tracking Links: These are small, hidden images and blocks of code placed in web pages, ads, and our emails that allow us to determine if you perform a specific action. When you access a page, ad, or email, or click a link, these items let us know that you have accessed that page, opened an email, or clicked a link.
• SDKs: SDKs or software development kits are software code provided by our business partners that let our software interact with the services those partners provide. For example, in our free mobile apps, we may use an SDK to enable our app to serve ads from an advertising network. Sometimes these interactions will involve that business partner collecting some information from the device on which the software is run.

• Google Analytics: We use Google Analytics to help us understand how users use our services. Google makes available a Google Analytics Opt Out Browser Add-On if you do not want to participate in Google Analytics.

Opt-out of receiving marketing communications from Aura- You may elect for us not to contact you for marketing purposes, by emailing us or following the instructions in the section below labeled Your Rights with your Personal Data.

Securing personal data is an important aspect of protecting privacy. Aura employs a range of administrative, organizational, technical, and physical safeguards designed to protect your data against unauthorized access, loss, or modification. We endeavor to use reasonably available state-of-the-art network and information security standards, protocols and technologies, including encryption, intrusion detection and data loss prevention, and we monitor our systems to ensure that they comply with our security policies.

We implement physical, technical and organizational safeguards to protect your personal data in our custody, both at rest and in transit, and should these measures fail to prevent a data breach, we will promptly take the necessary remedial measures, and we will notify you as well as applicable regulators of any such breach, as required by applicable law.

If you have any questions about the security of your personal data or the security of our products, or wish to report a potential security issue, please contact security@aura.com. When reporting a potential security issue, please describe the matter in as much detail as possible and include any information that might be helpful.

6.1. Transfers to Other Countries

Aura may transfer your personal data to countries other than the one in which you reside. We do this to facilitate our operations, and transferees include other Aura group companies, service providers, and partners. Laws in other countries may be different to those that apply where you reside. For example, personal data collected within Switzerland, the United Kingdom, or the European Economic Area (EEA) may be transferred and processed outside Switzerland, the United Kingdom, or the EEA for purposes described in this policy. We put in place appropriate safeguards that help to ensure that such data receives an adequate level of protection. These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between us and our business affiliates and associates to which we choose to transfer the information that requires these companies to safeguard personal information they process from the EEA, the UK and Switzerland.  You may contact us if you would like more information about such safeguards. We implement similar appropriate safeguards with our third-party service providers and further details can be provided upon request.

If you change your country of residence, the Aura group company responsible for your data may change accordingly, and your data may be transferred to that other company.

6.2. Privacy Shield

One of our subsidiaries, Pango Inc. has certified its compliance to the U.S. Department of Commerce with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, and Switzerland to the United States.

Under such frameworks, Pango Inc. is subject to the enforcement authority of the U.S. Federal Trade Commission. If you have any questions or concerns relating to our Privacy Shield certification, you can contact us using the contact details for Pango Inc. in the Contact Us section below. You may also contact your European Data Protection Authority or Commission, or contact our designated Privacy Shield independent recourse mechanism, JAMS. In some circumstances, you may have the right to invoke binding arbitration through the Privacy Shield Framework.

Where we receive your personal data under a Privacy Shield Framework and subsequently transfer it to a third party for processing, we will be responsible if such third parties process your personal data in a manner inconsistent with the Privacy Shield Principles, except where we can establish that Aura was not responsible for the violation.

Aura generally retains your personal data for as long as is needed to provide the services to you, or for as long as you have an account with us. We may also retain personal data if required by law, or for our legitimate interests, such as abuse detection and prevention, and defending ourselves from legal claims. Residual copies of personal data may be stored in backup systems for a limited period as a security measure to protect against data loss.

Depending on your country of residence, you may have certain legal rights in relation to your personal data that we maintain. Subject to exceptions and limitations provided by applicable law, these may include the right to:

• access and receive a copy of your personal data;
• correct your personal data;
• restrict the processing of your personal data;
• object at any time to the processing of your personal data;
• have your personal data erased;
• data portability;
• withdraw any consent you previously gave to the processing of your data (such as opting out to marketing communications);
• lodge a complaint with a data protection authority;
• request that we provide you with the categories of personal data we collect, disclose or sell about you; the categories of sources of such information; the business or commercial purpose for collecting or selling your personal data; and the categories of third parties with whom we share personal data. This information may also be provided in this Privacy Policy.

Please note your rights and choices vary depending upon your location, and some information may be exempt from certain requests under applicable law.

You may be able to exercise some of these rights by using the settings and tools provided in our services. For example, you may be able to update your user account details via the relevant account settings screen of our apps. You may also be able to opt out from receiving marketing communications from us by clicking an “opt out” or “unsubscribe” link in such communications.

Otherwise, if you wish to exercise any of these rights, you may contact us using the details in the “Contact Us” section below. As permitted by law, we may ask you to verify your identity before taking further action on your request.

Below are the types of lawful basis that we will rely on to process your Personal Data:

• Legitimate Interest  in conducting, operating and managing our business to enable us to effectively deliver our services to you and our other customers 
• Processing your Personal Data where it is necessary for compliance with a legal or regulatory obligation that we are subject. 
• For purposes of fulfilling our contract with you at your request.
• For specific purposes based on your consent.

For additional information and rights available to California consumers, see the California Supplemental Privacy Notice.

10.1 Connecticut Privacy Rights

It is our Policy to protect the confidentiality of Social Security numbers, prohibit unlawful disclosure of Social Security numbers, and limit access to Social Security numbers by having safeguards in place to help protect Social Security numbers.

Aura occasionally licenses its technology to third party partners who may integrate it with applications developed and offered by those partners. Our partners, and not Aura, are responsible for those applications and for determining what data is collected by those applications and how it is processed. Please contact the relevant partner and refer to their Privacy Policy to learn more about how those applications process your personal data.

Our services are not intended for and may not be used by minors. In this context, minors are individuals under the age of 18 or as defined by applicable law. Aura does not knowingly collect personal data from minors or allow them to use our services except in certain cases, minors over the age of 13 may use certain of our services but only with the consent of their parent or legal guardian. If we discover that we have collected personal data from a minor without appropriate consents, we may delete such data without notice. For  certain countries, parental consent may be required for processing  the  personal data of children under the age of 16. In such cases, those under the age of 16 may not use the services without the consent or authorization of their parent or legal guardian. If you believe a minor has provided personal information without parental or guardian consent, the parent or guardian may contact us by emailing us at privacypolicy@aura.com.

Aura may update this Privacy Policy from time to time in accordance with this section for reasons such as changes in laws, industry standards, and business practices. Aura will post updates to this page and update the “Last updated” date above. If we make updates that materially alter your privacy rights, we will also provide you with advance notice, such as via email or through the services. If you disagree with such an update to this policy, you may cancel your services account. If you do not cancel your account before the date the update becomes effective, your continued use of our services will be subject to the updated Privacy Policy.

We expect this Privacy Policy to evolve over time and welcome feedback from our users about our privacy practices. If you have any questions or complaints about our privacy practices, you can contact us at privacypolicy@aura.com or at the following address:

Intersections Inc. dba Aura/Pango Inc./Betternet LLC/TouchVPN Inc.

15 Network Drive, Burlington, MA 01803
privacypolicy@aura.com

Pango GmbH

Hansmatt 32, 6370 Stans, Switzerland
privacypolicy@aura.com

September 8, 2020: New cookie policy, other minor edits

Pango Holdings Inc. was acquired by Aura effective July 1, 2020. For archived versions of the Pango privacy policy in effect prior to this policy, refer here.