Privacy Policy & Security
At Aura Lift, we understand that mental health data is deeply personal. We're committed to protecting your information with industry-leading client-side encryption and complete transparency about our security measures.
Last updated: August 5, 2025
Zero-Knowledge Privacy Achieved
Your sensitive data is now protected with AES-256 client-side encryption. Your journal entries, chat conversations, and personal notes are encrypted on your device before transmission, so our servers never hold the plaintext or the key needed to recover it.
Current Status: Client-side AES-256 encryption with keys derived from your password and held only on your device. Our servers store ciphertext they cannot read. Encryption applies to the data categories listed in Section 1 and controlled in Section 6; metadata such as numerical mood scores and usage analytics is stored unencrypted.
Advanced Security Measures
Industry-leading security features protecting your most sensitive personal data
Client-Side Encryption
AES-256 encryption with keys derived from your password. Your data is encrypted on your device before transmission.
Zero-Knowledge Architecture
Our servers store encrypted data they cannot read. Only you have access to your personal content.
AWS Infrastructure Security
Additional encryption at rest using AWS managed keys, HTTPS/TLS 1.3, and secure JWT authentication.
Encrypted Data Export
Export all your data at any time; encrypted content is decrypted on your device as part of the export, so the plaintext never passes through our servers.
Session Key Management
Encryption keys are held in memory only for the active session and are cleared on logout and after an inactivity timeout.
Compliance Ready
Audit logging and access controls that lay the groundwork for HIPAA compliance. This describes a foundation, not a claim that the service is currently HIPAA-compliant.
Comprehensive Privacy Policy
1. Information We Collect
Personal Information
- • Account Data: Email address, first name, last name, and password (stored only as a hash; we never keep the plaintext password)
- • Profile Information: Optional biographical details you choose to provide
- • Contact Preferences: Communication and notification settings
Health and Wellness Data (Client-Side Encrypted)
- • AI Conversations: Encrypted interactions with our AI life coaches (we cannot read content)
- • Journal Entries: Encrypted personal reflections and thoughts (we cannot read content)
- • Mood Notes: Free-text notes attached to mood entries are encrypted; the numerical mood scores themselves are stored unencrypted so we can compute trends and analytics
- • Progress Data: Some insights and goals may be encrypted based on your privacy settings
🔒 Privacy Note: Your most sensitive content is encrypted with keys only you control. We store this data encrypted and cannot access the contents even if required by law.
Technical Information
- • Usage Analytics: App interactions, features used, session duration (unencrypted metadata)
- • Device Information: Device type, operating system, app version
- • Network Data: IP address, internet service provider (for security)
- • Performance Data: Error logs, crash reports, loading times
Payment Information
- • Billing Data: Processed securely by Stripe (we don't store credit card numbers)
- • Transaction History: Subscription payments and billing records
2. How We Use Your Information
Service Provision
- • Provide personalized AI life coaching (the model processes your messages during a conversation in order to respond; the stored conversation history is encrypted on your device and cannot be read afterwards by us or by the AI)
- • Generate insights and analytics from unencrypted metadata
- • Enable mood tracking and progress visualization
- • Maintain your account and provide customer support
Privacy-Preserving AI Improvement
- • Improve AI models using only conversation data you have chosen not to encrypt, and only when you opt in
- • Develop new features based on usage patterns, not content
- • Enhance crisis detection from system patterns (not content reading)
- • Improve overall platform performance and reliability
🛡️ Privacy First: We cannot use your encrypted journal entries or chat content to train AI models, ensuring your most sensitive thoughts remain completely private.
Safety and Security
- • Detect potential crisis situations from system patterns and user reports
- • Monitor for policy violations in unencrypted system interactions
- • Prevent fraud and ensure platform security
- • Comply with legal obligations while protecting encrypted data
3. Data Sharing and Disclosure
What We CANNOT Do (Due to Encryption)
- • We CANNOT read your encrypted journal entries even if required by law
- • We CANNOT access encrypted chat conversations for any purpose
- • We CANNOT share encrypted content because we cannot decrypt it
- • We CANNOT recover encrypted data if you forget your password
What We DON'T Do
- • We DO NOT sell your personal data to advertisers or data brokers
- • We DO NOT share individual health information with third parties for marketing
- • We DO NOT use your data for targeted advertising outside our platform
Limited Sharing Scenarios (Unencrypted Data Only)
- • Service Providers: AWS for hosting, Stripe for payments (under strict data agreements)
- • Anonymized Research: De-identified, aggregated metadata for mental health research
- • Legal Requirements: Unencrypted data only when required by law
- • Emergency Situations: Limited to system alerts and user-initiated emergency contacts
4. Advanced Data Security Measures
Client-Side Encryption (Zero-Knowledge)
- • AES-256 Encryption: AES with 256-bit keys, applied on your device before any data is transmitted
- • PBKDF2 Key Derivation: Encryption keys derived from your password with 10,000 iterations
- • Unique IVs: Each piece of data encrypted with a unique initialization vector
- • Client-Only Keys: Encryption keys never transmitted to our servers
- • Session Security: Keys automatically cleared on logout and timeout
Infrastructure Security
- • Encryption at Rest: Additional AWS managed encryption for all database storage
- • Encryption in Transit: HTTPS/TLS 1.3 for all data transfers
- • Authentication: Signed JWT session tokens; login passwords are stored only as hashes, never in plaintext
- • AWS Infrastructure: Multi-layered security provided by AWS serverless platform
- • Access Controls: Role-based access for our technical team (cannot access encrypted content)
Privacy Achievement: Your sensitive data is encrypted on your device before transmission. Our servers store encrypted data they cannot read, providing true zero-knowledge privacy where even we cannot access your personal content.
5. Password Recovery and Data Access
Important: Due to our zero-knowledge encryption system, there are important limitations you should understand about password recovery and data access.
Password Recovery Limitations
- • If you forget your password, we cannot recover your encrypted data
- • Password reset means permanent loss of encrypted journal entries and chat history
- • This is by design to ensure maximum privacy protection
- • We provide secure backup options before enabling encryption
We prioritize your privacy over convenience. While this means we cannot help recover forgotten passwords, it also means your most sensitive data is protected even from us.
6. Your Rights and Controls
Data Access Rights
- • View Your Data: Access all personal information through your account
- • Download Everything: Export all your data including encrypted content (client-side decryption)
- • Data Portability: Transfer your information to other services in standard formats
- • Usage Reports: Request detailed reports on how your unencrypted data is used
Control and Deletion
- • Account Deletion: Permanently delete your account and all associated data
- • Selective Deletion: Remove specific conversations, entries, or data types
- • Data Correction: Update or correct any inaccurate information
- • Encryption Toggle: Choose what data to encrypt for maximum privacy
Privacy Controls
- • Encryption Settings: Control what data is client-side encrypted
- • Analytics Opt-out: Disable usage analytics collection
- • Communication Preferences: Control emails and notifications
- • AI Training Opt-out: Prevent unencrypted data from improving AI models
7. Data Retention and Deletion
Retention Periods
- • Active Accounts: Data retained while your account is active
- • Inactive Accounts: Data retained for 2 years after last login
- • Cancelled Subscriptions: Data retained for 90 days for potential reactivation
- • Account Deletion: All personal data permanently deleted within 30 days
- • Encrypted Data: Automatically becomes unrecoverable if encryption keys are lost
Deletion Process
- • Immediate: Account access disabled immediately upon deletion request
- • 30-Day Window: Complete data removal from all systems and backups
- • Encrypted Data: Already unreadable to us, securely overwritten during deletion
- • Backup Purging: Data removed from all backup systems and archives
8. Third-Party Services and Integrations
Service Providers We Use
- • Amazon Web Services (AWS): Cloud hosting and data storage
- • Stripe: Payment processing and subscription management
- • SendGrid: Email delivery and communication
- • Cloudflare: Content delivery and DDoS protection
AI and Machine Learning
- • OpenAI: GPT models generate the AI coaching responses. Your messages are sent to the model during the live conversation and, under our data processing agreement, are not stored by OpenAI; the conversation history we keep is client-side encrypted.
- • Internal AI Systems: Custom models trained on anonymized conversation data from users who opt in (see Section 2); encrypted content is never used
- • Analytics Providers: Anonymized usage data for service improvement
All third-party services operate under strict data processing agreements that limit how they can use your information.
9. International Data Transfers
Your data is primarily stored in AWS data centers within the United States. When data is transferred internationally, we ensure appropriate safeguards are in place:
- • Standard Contractual Clauses for EU data transfers
- • Adequacy decisions for countries with equivalent protection
- • Encryption during all international transfers
- • Regular audits of international data handling practices
10. Children's Privacy (COPPA)
Aura Lift is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.
If we learn that we have collected personal information from a child under 18, we will delete that information immediately. If you believe we have collected information from a child, please contact us at privacy@auraliftai.com.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- • Right to Know: Request detailed information about data collection and use
- • Right to Delete: Request deletion of personal information
- • Right to Opt-Out: Opt out of the "sale" of personal information (we don't sell data)
- • Right to Non-Discrimination: Equal service regardless of privacy choices
To exercise these rights, contact us at privacy@auraliftai.com with "CCPA Request" in the subject line.
Note: Due to our client-side encryption, we cannot access or delete encrypted content without your password. Account deletion will make encrypted data permanently unrecoverable.
12. Contact Us About Privacy
We're committed to addressing your privacy concerns promptly and transparently. Contact us through:
- • Privacy Email: privacy@auraliftai.com
- • General Support: support@auraliftai.com
- • Data Protection Officer: dpo@auraliftai.com
- • Legal Team: legal@auraliftai.com
We aim to respond to all privacy inquiries within 48 hours and resolve issues within 30 days.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will notify you of significant changes through:
- • Email notification to your registered address
- • Prominent notice in the app or on our website
- • Push notification for mobile app users
- • Updated "Last modified" date on this page
Continued use of our service after changes indicates acceptance of the updated policy.
Our Privacy Commitment
We believe privacy is a fundamental right. With our client-side encryption, your most sensitive data is protected even from us - that's true privacy.
Zero-Knowledge Security
Data Portability
User Control
Complete Transparency