Privacy Policy

Privacy Policy

Effective Date: April 22, 2026

This Privacy Policy explains how AuraGuardian ("we", "us", "our") collects, uses, stores, and protects information when you use our cloud security platform and agent software (the "Service").

1. Information We Collect

Account Data. When you register, we collect your name, email address, and billing information. Payment processing is handled by Stripe; we do not store credit card numbers.

Security Telemetry. When the AuraGuardian agent is active on your site, it transmits the following data to our platform for threat analysis:

• Visitor IP addresses
• HTTP request metadata (user agent, referrer, request method, path)
• Country of origin (derived from IP geolocation headers)
• Action taken (ALLOW, BLOCK, CHALLENGE) and the corresponding reason

This data is stored in our access_logs table and is automatically archived after 7 days and permanently deleted after 90 days.

License & Domain Data. We record which domains are linked to each license key to enforce plan limits and prevent unauthorized key sharing.

2. How We Use Your Information

• Threat Detection: Telemetry is analyzed to maintain global threat intelligence lists (banned IPs, scanner signatures, proxy domains) that protect all customers.
• Service Delivery: Account data is used for authentication, billing, and customer support.
• Product Improvement: Aggregated, anonymized usage statistics help us improve detection accuracy.

3. Data Processing & Storage

All data is processed and stored on servers located in the AWS region configured by the platform operator. Data in transit is encrypted via TLS 1.2+. Security engine payloads delivered to your server are encrypted with AES-256-CBC and authenticated with HMAC-SHA256.

4. Data Retention Data TypeRetention Period Access logs (hot)7 days Access logs (archive)90 days Account dataDuration of account + 30 days Billing recordsAs required by applicable tax law

5. Third-Party Services

• Stripe — Payment processing (Privacy Policy)
• AWS — Cloud infrastructure (Privacy Policy)

6. Your Rights

You may exercise the following rights by contacting us:

• Access: Request a copy of your personal data.
• Rectification: Correct inaccurate personal data.
• Erasure: Request deletion of your account and associated data.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing where we rely on legitimate interest.

For EU/EEA residents, these rights are guaranteed under the General Data Protection Regulation (GDPR). For California residents, similar rights are provided under the California Consumer Privacy Act (CCPA).

7. Cookies

The AuraGuardian agent sets a single first-party cookie (aura_passport) on visitor browsers after they pass a security challenge. This cookie identifies the visitor as verified and prevents repeated challenges. It expires after 24 hours and contains no personal information — only a cryptographic hash derived from the license key.

8. Data Processor Role

When the AuraGuardian agent processes visitor traffic on your website, we act as a Data Processor on your behalf. You remain the Data Controller for your visitors' personal data. A Data Processing Agreement (DPA) is available upon request.

9. Security Measures

• All API communications use TLS 1.2+
• Engine payloads are encrypted (AES-256-CBC) and integrity-verified (HMAC-SHA256)
• Decrypted security logic executes in memory only — never written to disk as plaintext
• Database access uses prepared statements to prevent SQL injection
• Administrative access requires two-factor authentication

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.

11. Contact

For privacy-related inquiries, data access requests, or DPA requests, contact us at the address listed on our Contact page.