Data Compliance Policy

01 Regulatory Framework

Aura24 operates in compliance with the following data protection laws:

1.1 India

• Information Technology Act, 2000 (IT Act)
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
• Digital Personal Data Protection Act, 2023 (DPDPA) — as it becomes effective
• Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

1.2 European Union

• General Data Protection Regulation (GDPR) — for users in EU/EEA
• ePrivacy Directive — for cookies and electronic communications

1.3 United States

• California Consumer Privacy Act (CCPA) — for California residents
• California Privacy Rights Act (CPRA) — effective amendments
• Children's Online Privacy Protection Act (COPPA) — Aura24 does not allow users under 18

1.4 Other Jurisdictions

• Brazil: Lei Geral de Proteção de Dados (LGPD)
• United Kingdom: UK GDPR and Data Protection Act 2018
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

02 Data Protection Principles

We adhere to the following data protection principles:

2.1 Lawfulness, Fairness, and Transparency

• We process data only with valid legal basis (consent, contract, legitimate interest, legal obligation)
• We clearly inform users about data processing
• Our Privacy Policy is accessible and written in plain language

2.2 Purpose Limitation

• Data is collected for specific, explicit, and legitimate purposes
• Data is not used in ways incompatible with those purposes

2.3 Data Minimization

• We collect only the data necessary for the stated purposes
• We avoid collecting "nice to have" data without justification

2.4 Accuracy

• We maintain accurate and up-to-date data
• Users can correct their data through the app

2.5 Storage Limitation

• Data is retained only as long as necessary
• We have clear retention schedules (see Section 6)

2.6 Integrity and Confidentiality

• We use industry-standard security measures
• Data is encrypted in transit and at rest

2.7 Accountability

• We document our data processing activities
• We can demonstrate compliance to regulators upon request

03 Legal Basis for Processing

We process personal data under the following legal bases:

04 Data Categories Collected

4.1 Personal Identifiers

• Name, email address, date of birth, gender
• Profile photo, Google account identifier
• Phone number (if provided for OTP)

4.2 Authentication Data

• Encrypted passwords (where applicable)
• OAuth tokens, JWT session tokens
• Device identifiers for security

4.3 Communication Data

• Messages exchanged with Companions
• Voice recordings (if voice features used)
• Profile preferences and interaction history

4.4 Technical Data

• IP address, device model, OS version
• App crash reports, error logs
• Usage analytics

4.5 Financial Data

• Subscription status and transaction history
• Coin balance and purchase history
• Payment is processed by Razorpay; we do not store card details

4.6 Sensitive Data (where applicable)

• Sexual orientation or gender identity (if voluntarily provided in profile)
• Religious or political views (if mentioned in conversations, but not actively collected)

05 International Data Transfers

5.1 Primary Data Storage

User data is primarily stored in AWS Mumbai (ap-south-1) region to maintain proximity to our Indian user base.

5.2 Cross-Border Transfers

Some processing occurs in other regions:

• OpenAI: United States (for AI conversation generation)
• Google Cloud (Gemini): United States, EU
• Firebase (Google): Global infrastructure
• ElevenLabs: United States (voice synthesis)
• Sarvam AI: India

5.3 Transfer Safeguards

For cross-border transfers, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements (DPAs) with all vendors
• Encryption in transit (TLS 1.3) and at rest (AES-256)

06 Data Retention

07 User Rights

7.1 Universal Rights

All users have the right to:

• Access: Request a copy of their data
• Correction: Update inaccurate information
• Deletion: Request permanent account and data deletion
• Restriction: Limit how we process their data
• Portability: Receive data in machine-readable format
• Objection: Object to certain processing (e.g., direct marketing)
• Withdraw Consent: Revoke previously given consent

7.2 GDPR-Specific Rights (EU/EEA Users)

• Right to lodge a complaint with a supervisory authority
• Right to not be subject to automated decision-making
• Right to specific information about data processing

7.3 CCPA-Specific Rights (California Residents)

• Right to know what personal information is collected
• Right to opt-out of sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising privacy rights

7.4 DPDPA-Specific Rights (Indian Users)

• Right to nominate a person to exercise rights in case of incapacity
• Right to grievance redressal through our Grievance Officer
• Right to data correction and erasure

7.5 How to Exercise Rights

• In-app: Settings → Account → Privacy options
• Email: home@spilltv.com
• Response time: Within 30 days (may extend to 90 days for complex requests)
• Verification: We may verify your identity before processing requests

08 Consent Management

8.1 Obtaining Consent

We obtain consent through:

• Explicit opt-in checkboxes during registration
• Granular consent for marketing, notifications, analytics
• Device-level permissions (camera, microphone, contacts)

8.2 Withdrawing Consent

Users can withdraw consent at any time via:

• In-app Settings
• Email to home@spilltv.com
• Device settings (for permissions)

Withdrawal does not affect prior lawful processing.

09 Children's Data

We do not knowingly collect data from anyone under 18. Our measures include:

• Mandatory date of birth verification at signup
• Age confirmation required for AI Companion interactions
• Content moderation to detect minor users
• Immediate account deletion if a minor is identified

If you believe a child has provided data to Aura24, contact home@spilltv.com immediately. We will delete the data within 7 days of verification.

10 Data Security Measures

10.1 Technical Safeguards

• Encryption in transit: TLS 1.3 for all network communication
• Encryption at rest: AES-256 for stored data
• Access controls: Role-based access, principle of least privilege
• Authentication: Firebase Authentication with multi-factor option
• Network security: AWS VPC, security groups, WAF
• Vulnerability scanning: Quarterly security audits
• Penetration testing: Annual third-party security assessment

10.2 Organizational Safeguards

• Employee data protection training
• Confidentiality agreements with all staff and vendors
• Incident response plan
• Data Protection Officer (DPO) appointed

10.3 Vendor Management

• All third-party vendors sign Data Processing Agreements
• Vendor security assessments before onboarding
• Regular review of vendor compliance

11 Data Breach Response

11.1 Detection

We have monitoring systems to detect potential breaches in real-time.

11.2 Notification Timeline

• Internal escalation: Within 1 hour of detection
• Regulatory notification: Within 72 hours (GDPR), as required by IT Act
• User notification: Without undue delay if high risk to user rights

11.3 Notification Content

Breach notifications will include:

• Nature of the breach
• Categories and approximate number of affected users
• Likely consequences
• Measures taken to address the breach
• Steps users should take to protect themselves
• Contact for further information

11.4 Documentation

All breaches, regardless of notification requirement, are documented internally for accountability.

12 Cookies and Tracking Technologies

12.1 Mobile App

Aura24 mobile app does not use traditional browser cookies. We use:

• Advertising ID (with consent): For analytics and crash reporting
• Device ID: For security and fraud prevention
• Push notification tokens: For messaging functionality

12.2 Website (www.aura24.co.in)

Our website uses minimal cookies:

• Essential cookies: Session management (no consent required)
• Analytics cookies: Google Analytics (with consent)
• Functional cookies: Language and preference storage

Users can manage cookies through browser settings or our cookie banner.

13 AI-Specific Compliance

13.1 AI Transparency

Users are informed:

• They are interacting with AI Companions, not humans
• AI responses are generated by language models
• Conversations may be reviewed for safety and improvement

13.2 AI Training Data

• We do not use user conversations to train foundation models (OpenAI, Gemini)
• Anonymized and aggregated data may be used for our own AI fine-tuning
• Users can opt out of AI training data usage (settings → privacy)

13.3 Algorithmic Decision-Making

Aura24 does not use AI for high-stakes automated decision-making (e.g., credit, employment, legal status). AI is used solely for:

• Conversational responses
• Content moderation
• Personalization of in-app experience
• Voice synthesis

14 Grievance Officer

In compliance with Indian regulations:

Response Commitments

• Acknowledgment: Within 24 hours
• Initial response: Within 7 days
• Final resolution: Within 15 days

15 Data Protection Officer (DPO)

For GDPR-related inquiries:

EU users may also contact their local data protection authority.

16 Audit and Accountability

We maintain:

• Records of Processing Activities (ROPA) per GDPR Article 30
• Data Protection Impact Assessments (DPIA) for high-risk processing
• Internal audit logs for data access and modifications
• Compliance documentation available to regulators upon request

17 Changes to This Policy

We may update this Data Compliance Policy to reflect:

• Changes in applicable laws
• New features or services
• Updated security practices
• Regulatory guidance

Material changes will be notified via:

• Email to registered users
• In-app notification
• Notice on www.aura24.co.in

18 Contact for Compliance Inquiries