Privacy Policy

Effective Date: December 19, 2025
Company: Aura Health, Inc. d/b/a Aurie
Contact: hello@aurie.ai
Address: Aura Health, Inc., 1 Ferry Building Ste. 201, San Francisco, CA 94111

1. INTRODUCTION

This Privacy Policy explains how Aura Health, Inc. (“Aurie,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you access or use the Aurie mobile app, website, and related online services (collectively, the “Services”). Aurie is for adults only. You must be at least 18 years old to create an account and use the Services. By using Aurie, you confirm that you are 18 or older.

Important: Aurie is a wellness companion powered by artificial intelligence. Aurie does not provide medical or mental health care and is not a substitute for professional treatment. If you are in crisis, call 988 (U.S.) or your local emergency number.

By using Aurie, you agree to this Policy. If you do not agree, do not use the Services.

We may update this Policy from time to time. When we do, we will notify you as described in Section 17.

2. INFORMATION WE COLLECT

We collect information in three ways: information you provide directly, information collected automatically, and information generated through your use of the Services.

2.1 Information You Provide

  • Account Information. Email address and password
  • Content You Create. Journal entries, personal notes, reflections, and AI conversation text
  • Preferences and Settings. App preferences and customization choices
  • Communications. Feedback, support messages, and other information you choose to share with us

2.2 Information Collected Automatically

  • Device and Technical Information. Device type, operating system version, app version, device identifiers, language settings, and time zone
  • IP Address and Coarse Location. We collect IP address and may infer coarse, non-precise location from it
  • Usage Information. App interactions, feature usage, session data, and analytics events
  • App Performance Data. Crash reports, diagnostic logs, error reports, and performance metrics

Important Note About IP Address Collection Before Onboarding:
Before you complete onboarding, we collect and use your IP address and coarse location solely to:

  • Prevent fraud and abuse
  • Maintain security
  • Comply with export control laws and U.S. sanctions regulations
  • Enforce lawful regional restrictions

Before onboarding is complete, only limited analytics and security-related technical data, which may include IP address and device identifiers, are processed to maintain basic functionality, prevent abuse, and comply with legal obligations. We do not use this data for behavioral profiling or targeted advertising.

We do not collect precise GPS location data.

2.3 Voice Data (Optional)

If you choose to enable voice features:

  • How Voice Works. Your voice is converted to text by external speech recognition providers, processed by AI processing providers, and may be converted back to speech by text-to-speech providers, all acting as service providers on our behalf.
  • What We Do Not Do. We do not create, store, or use biometric identifiers or voiceprints. We do not use voice data to authenticate or identify you. Audio recordings are processed in real time. Temporary audio and transcripts may be retained for up to 5 days by our voice processing service provider solely for troubleshooting and quality assurance, and are automatically deleted after that period. They are not used to train external AI models or to identify you.
  • Training. Voice data is not used to train external AI models.
  • Control. You can disable voice features at any time in app settings.

2.4 Apple Health and Wearable Data (Optional)

If you choose to connect Apple Health or supported wearables, we may receive the categories you authorize, which may include:

  • Sleep data
  • Activity and movement information
  • Mindfulness minutes

Categories We Do Not Access:

  • Reproductive health data
  • Clinical medical records
  • Blood glucose
  • Other sensitive health categories without your separate, specific consent

How We Use Apple Health Data:

  • Used only to provide wellness features within Aurie
  • Never sold
  • Never shared for cross-context behavioral advertising
  • Never used to train external AI models

Your Control:
You can revoke Aurie’s access to Apple Health at any time through your device settings or in the Aurie app under Settings → Privacy & Data → Health Data.

2.5 Crisis Resource Event Logs

Aurie does not use human reviewers to monitor your messages or review your conversations or journal entries in real time for crisis detection. Automated safety checks may momentarily analyze text you submit at the moment of sending to determine whether crisis resources should be shown. These checks do not retain message content and are not used for ongoing monitoring or long-term analysis.

If certain keywords trigger the display of crisis resources such as 988 or the Crisis Text Line, we log only:

  • That crisis resources were displayed
  • Timestamp
  • Limited technical metadata for safety monitoring

We do not store message content.

We log only that crisis resources were displayed, along with limited technical metadata, for safety monitoring and service integrity. These logs do not include conversation content and are not used for ongoing monitoring or profiling.

Aurie also publishes its crisis detection and response protocol at aurie.ai, which is reviewed and updated at least annually as required by applicable law.

3. HOW WE USE YOUR INFORMATION

We use your information to:

3.1 Provide and Maintain the Services

  • Authenticate your account and maintain security
  • Generate AI-powered wellness conversations
  • Provide journaling and reflection tools
  • Enable voice features
  • Deliver audio content such as guided meditations and sleep stories
  • Sync your data across devices

3.2 Personalize Your Experience

After onboarding, we may use your interactions, preferences, and authorized health data to:

  • Suggest relevant audio content
  • Tailor wellness prompts
  • Personalize AI conversations

3.3 Improve Aurie in a Privacy-Preserving Manner

  • Enhance performance, reliability, and user experience
  • Detect and troubleshoot errors
  • Develop new features and improve existing ones
  • Conduct aggregated or de-identified analytics

We do not use your personal conversations, journal entries, or other personal content to train external AI models.

3.4 Safety and Security

  • Detect and prevent fraud, abuse, and misuse
  • Protect the security and integrity of the Services
  • Enforce our Terms of Service
  • Display crisis resources when appropriate

3.5 Legal Compliance

  • Respond to lawful requests from governmental authorities
  • Comply with applicable laws, regulations, and legal processes
  • Enforce our rights and protect against legal liability

4. HOW WE SHARE INFORMATION

4.1 We Never Sell Your Data

Aurie does not sell personal information. We do not use your personal information for cross-context behavioral advertising. When we use certain analytics or measurement providers in privacy-protective modes, we configure them to operate solely as service providers under the CCPA/CPRA, with data collection limited to non-sensitive conversion events and without device identifiers unless the user opts in.

Certain SDKs operate in a strict privacy-protective mode (e.g., automatic event collection disabled, no device identifiers unless the user opts in, and only non-sensitive conversion events sent). These settings ensure the SDKs function solely as service providers.

4.2 Service Providers and Processors

We share information with trusted service providers who process data solely on our behalf to help us operate the Services. These partners are contractually required to:

  • Act as “service providers” or “processors” under applicable privacy laws, including the CCPA and CPRA
  • Use your information only to provide services to us
  • Not sell, share, or use your data for their own independent purposes
  • Delete or return data upon our instruction

Service Providers and Categories of Information Disclosed (Last 12 Months):
We share information with external service providers who support functions such as:

  • AI processing
  • Voice processing and text-to-speech generation
  • Speech recognition
  • Hosting and authentication
  • Storage and database services
  • Analytics and performance measurement
  • Error monitoring and diagnostics
  • Safety evaluations and automated integrity checks

These service providers are contractually required to act solely on our behalf, may not use your information for their own purposes, and must comply with applicable privacy laws including CCPA/CPRA.

4.3 Legal and Safety Disclosures

We may disclose information when required by law or when necessary to:

  • Comply with legal obligations, court orders, subpoenas, or governmental requests
  • Investigate or prevent fraud, security threats, or violations of our Terms of Service
  • Protect the safety, rights, or property of Aurie, our users, or the public

4.4 With Your Consent

If you explicitly authorize a data transfer, integration, or sharing activity, we will follow your instructions, for example, if you connect Apple Health or another third-party service.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you if your information becomes subject to a different privacy policy.

5. IP ADDRESS, LOCATION, AND REGIONAL RESTRICTIONS

5.1 Why We Collect IP Address

We collect IP address for limited, specific purposes:

  • Before Onboarding: Security, fraud prevention, export control compliance, and lawful regional restrictions
  • After Onboarding: The above purposes, plus understanding general usage patterns through aggregated analytics

We use IP address and system locale to enforce lawful regional restrictions. We do not use this information for personalization before onboarding.

5.2 Coarse Location

We may infer coarse, non-precise location from your IP address to support regional restrictions and security. We do not collect precise GPS locations. To help enforce lawful regional restrictions and protect the security and integrity of the Services, we may block access from certain IP addresses, including those associated with VPNs, proxies, or regions subject to export controls or sanctions.

5.3 What We Do Not Use IP Address or Location For

  • Personalization or content recommendations before onboarding
  • Targeted advertising
  • Tracking across other apps or websites
  • Building user profiles for marketing

5.4 Retention

IP address is deleted within approximately 45 days after account deletion, except where required for legal compliance or fraud investigation.

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 Types of Cookies We Use

Essential Cookies
Required for security, authentication, and basic functionality. These cannot be disabled.

Analytics Cookies
Used to understand how users interact with Aurie through our analytics tools. These insights help us improve performance and user experience.

No Advertising or Marketing Cookies
We do not use cookies for targeted advertising or cross-site tracking.

6.2 Your Cookie Choices

You can control cookies through your browser or device settings. Blocking essential cookies may prevent you from using certain features of the Services.

If you access our website from certain regions, you may see a cookie consent banner.

6.3 Global Privacy Control (GPC)

We honor Global Privacy Control signals where required by law. If your browser sends a valid GPC signal, we will treat it as a request to opt out of the sale or sharing of personal information where applicable.

6.4 Do Not Track

Some browsers support “Do Not Track” signals. We respond to legally required opt-out preference signals such as GPC.

7. AGE RESTRICTIONS AND CHILDREN'S PRIVACY

7.1 18+ Only

Aurie is intended only for adults 18 years of age or older. We rely on self-attestation during registration and do not verify age using government-issued identification.

7.2 COPPA Compliance

Aurie is not directed to children under 13 years of age. We do not knowingly collect personal information from anyone under 13.

If we discover that a user is under 13, we will terminate the account and delete associated personal data as soon as reasonably possible, subject to legal retention requirements.

7.3 Parents

If you believe your child under 18 has created an account, please contact us at hello@aurie.ai. We will take reasonable steps to verify your relationship, delete the account, and confirm deletion.

Under the Children’s Online Privacy Protection Act (COPPA), parents have the right to review and delete their child's information.

8. YOUR PRIVACY RIGHTS

Your privacy rights depend on your location. Depending on where you live, you may have some or all of the rights described below.

8.1 General Rights (Available in Most Jurisdictions)

  • Right to Access. You can request to know what personal information we have collected about you.
  • Right to Correction. You can request that we correct inaccurate information.
  • Right to Deletion. You can request that we delete your personal information, subject to legal exceptions such as fraud prevention, legal compliance, or security requirements.
  • Right to Withdraw Consent. Where we rely on consent as the legal basis for processing, you can withdraw consent at any time.
  • Right to Data Portability. You can request a copy of your data in a structured, commonly used, and machine-readable format where technically feasible.
  • Right to Appeal. If we deny your request, you can appeal the decision.

8.2 How to Exercise Your Rights

In-App:
Settings → Privacy & Data → Your Rights

Email:
hello@aurie.ai

Verification:
We may ask for information to verify your identity before processing your request.

Response Time:
We will respond within the time limits required by applicable law, typically within 45 days for California residents where applicable.

8.3 No Discrimination

We will not discriminate against you for exercising your privacy rights. We will not:

  • Deny you access to the Services
  • Charge different prices or rates
  • Provide a different level or quality of service
  • Suggest that you will receive different pricing or service

9. U.S. STATE-SPECIFIC PRIVACY DISCLOSURES

9.1 California Residents (CCPA/CPRA)

This section applies to California residents and supplements the information in this Privacy Policy.

Your California Privacy Rights:

  • Right to Know. You have the right to request that we disclose:
    • The categories and specific pieces of personal information we have collected about you
    • The categories of sources from which we collected personal information
    • Our business or commercial purpose for collecting or selling personal information
    • The categories of third parties with whom we share personal information
    • The specific pieces of personal information we have collected about you
  • Right to Delete. You have the right to request deletion of personal information we collected from you, subject to certain exceptions.
  • Right to Correct. You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing. You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising.

Important: Aurie does not sell personal information. When we use measurement or analytics tools, they operate in privacy-protective service-provider modes and are not permitted to use your data for cross-context behavioral advertising.

  • Right to Limit Use of Sensitive Personal Information. You have the right to direct businesses to limit the use of your sensitive personal information to purposes permitted by law.

Under California law, “sensitive personal information” may include:

  • Social Security number, driver's license, passport number (we do not collect these)
  • Account log-in credentials (we collect email and password)
  • Precise geolocation (we do not collect this)
  • Racial or ethnic origin, religious or philosophical beliefs, union membership (we do not collect these)
  • Contents of mail, email, or text messages (we collect journal entries and AI conversations)
  • Genetic data (we do not collect this)
  • Biometric data for identification purposes (we do not collect this)
  • Health data (we collect Apple Health data only with your opt-in)
  • Sex life or sexual orientation (we do not collect these)

Aurie uses and discloses sensitive personal information only for purposes permitted under California law, such as to provide the Services you requested.

Right to Non-Discrimination
You have the right not to receive discriminatory treatment for exercising your CCPA rights.

Required Links and Pages:

  • Do Not Sell or Share My Personal Information
    Although we do not sell or share personal information for cross-context behavioral advertising, California law requires that we provide this link.
    To submit a request or learn more, visit: Settings → Privacy & Data or email hello@aurie.ai
  • Limit the Use of My Sensitive Personal Information
    We already limit the use of sensitive personal information to permitted purposes. If you would like to confirm this or have questions, contact us at hello@aurie.ai.

Authorized Agents
You may designate an authorized agent to make requests on your behalf. We will require proof of authorization.

Verification
We will verify your identity before processing requests. We may ask for additional information to confirm your identity.

Categories of Personal Information Disclosed to Service Providers in the Last 12 Months:

  • Identifiers (email, IP address, device identifiers)
  • Internet or network activity (app usage, analytics events)
  • Audio information (voice recordings, temporary transcripts)
  • Health information (Apple Health data, if you opt in)
  • Inferences (crisis event indicators, usage patterns)

Minors Under 16:
Aurie is not directed to individuals under 18. We do not knowingly sell or share personal information of minors under 16.

Shine the Light
California Civil Code Section 1798.83 permits California residents to request certain information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their own direct marketing purposes.

9.2 Washington Residents (My Health My Data Act)

This section applies to Washington residents.

Consumer Health Data (CHD):
Under Washington's My Health My Data Act, “consumer health data” includes:

  • Data that identifies or is reasonably linkable to a consumer and relates to the consumer's physical or mental health, including data from wearables or apps like Aurie
  • IP address and similar technical data, when collected in connection with a wellness application, may be treated as consumer health data

CHD We May Collect:

  • Apple Health data (only if you opt in)
  • Wellness-related app interactions
  • Crisis event indicator logs
  • IP address when linked to wellness use

How We Use CHD:

  • To provide wellness features and personalized content
  • For security, fraud prevention, and compliance
  • To improve the Services in a privacy-preserving manner
  • To comply with legal obligations

We Do Not:

  • Sell consumer health data
  • Share consumer health data for targeted advertising
  • Use consumer health data for secondary purposes unrelated to providing you with Aurie

Your Washington Rights:

  • Access: Request access to your consumer health data
  • Delete: Request deletion of your consumer health data
  • Withdraw Consent: Withdraw consent for collection or use of consumer health data
  • List of Recipients: Obtain a list of specific third parties who have received your consumer health data in the preceding three years

How to Exercise Your Washington Rights:
Email: hello@aurie.ai or use in-app tools under Settings → Privacy & Data

Geofencing Prohibition:
We do not use geofencing to identify, track, collect data about, or send notifications to consumers within 2,000 feet of mental health facilities, homeless shelters, or other sensitive locations.

Processor Agreements:
Our service providers that handle consumer health data are bound by contracts that require them to process data only on our behalf, maintain confidentiality, and comply with Washington law.

Separate Washington Consumer Health Data Privacy Policy:
In addition to this Privacy Policy, Aurie maintains a standalone Washington Consumer Health Data Privacy Policy that explains in detail how we collect, use, share, and protect “consumer health data” under Washington’s My Health My Data Act. This policy is available through a separate and conspicuous link labeled “Washington Consumer Health Data Privacy Policy” on our website and, where supported, within the Aurie app under Settings → Privacy & Data.

9.3 Other U.S. States

If you are a resident of Virginia, Colorado, Connecticut, Utah, or other U.S. states with comprehensive privacy laws, you may have rights similar to those described above, including rights to access, delete, correct, and opt out of certain processing.

To exercise your rights, contact us at hello@aurie.ai.

10. INTERNATIONAL PRIVACY DISCLOSURES

10.1 Canada (PIPEDA)

For Canadian residents, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Your Rights Under PIPEDA:

  • Access: You have the right to access your personal information.
  • Correction: You have the right to request correction of inaccurate information.
  • Withdrawal of Consent: You have the right to withdraw consent for certain processing activities.

Cross-Border Transfers:
Your information may be processed and stored in the United States. We implement appropriate safeguards to ensure comparable protection to PIPEDA standards.

Complaints:
If you have concerns about how we handle your personal information, you may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.

Contact for PIPEDA Requests:
Email: hello@aurie.ai

10.2 Australia (Privacy Act 1988)

For Australian residents, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988.

Your Rights Under the Privacy Act:

  • Access and Correction: You have the right to access and correct your personal information.
  • Transparency: We are committed to transparency about our data collection and use practices.
  • Sensitive Information: We collect sensitive information (such as health data) only with your consent.

Cross-Border Disclosures:
We disclose personal information to service providers located outside Australia, including in the United States. We take reasonable steps to ensure these recipients comply with the APPs.

Complaints:
If you are not satisfied with how we handle your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.

Contact for Australian Privacy Requests:
Email: hello@aurie.ai

10.3 Singapore (PDPA)

For Singapore residents, we comply with the Personal Data Protection Act (PDPA).

Your Rights Under the PDPA:

  • Access: You have the right to request access to your personal data.
  • Correction: You have the right to request correction of inaccurate data.
  • Withdrawal of Consent: You have the right to withdraw consent for collection, use, or disclosure of your personal data.

Data Breach Notifications:
In the event of a notifiable data breach, we will notify you and the Personal Data Protection Commission as required by law.

Contact for PDPA Requests:
Email: hello@aurie.ai

11. DATA RETENTION

11.1 While Your Account Is Active

Conversations and Journal Entries:
Retained while your account is active and you continue to use Aurie, and stored in encrypted form at rest in our systems.

Voice Data:
Audio is processed in real time. Temporary audio and transcripts may be retained for up to 5 days for troubleshooting and quality assurance by our voice processing service provider, and are automatically deleted after that period.

Apple Health Data:
Retained only while you authorize the connection. If you revoke access, we will stop receiving new data and delete previously received data within a reasonable time.

Analytics Data:
Raw analytics data is retained for as long as necessary to operate and improve the Services, unless you request deletion. Aggregated and de-identified analytics may be retained indefinitely.

Crisis Event Logs:
We do not store message content. We log only that crisis resources were displayed, along with limited technical metadata, for safety monitoring and service integrity. These logs do not include conversation content and are not used for ongoing monitoring or profiling.

11.2 After Account Deletion

When you delete your account:

Within ~45 Days:
Most personal data is deleted or de-identified, including conversations, journal entries, account information, and device data.

Backups:
Deleted data may remain in encrypted backups for up to 90 days, after which it is removed through our ordinary backup rotation. Data in backups is not accessible or recoverable.

Crisis Event Logs:
Limited technical logs indicating that crisis resources were displayed may continue to exist after account deletion. These logs do not contain message content and are retained only as necessary to support safety and service integrity; they are not kept for a fixed period.

Legal Compliance:
Data required for legal, regulatory, tax, or fraud prevention purposes may be retained for longer periods as required or permitted by law.

11.3 How to Delete Your Account

In-App:
Settings → Account → Delete Account

Email:
hello@aurie.ai

Once you request deletion, we will begin the deletion process. Deletion is permanent and cannot be undone.

12. SECURITY

We implement and maintain reasonable technical and organizational measures designed to protect your information from unauthorized access, loss, misuse, or alteration, including:

Encryption:
Data is encrypted in transit using industry-standard TLS protocols and encrypted at rest using secure encryption algorithms.

Authentication:
Secure authentication mechanisms protect account access.

Access Controls:
We restrict access to personal information to employees, contractors, and service providers who need access to perform their jobs and are bound by confidentiality obligations.

Regular Audits:
We periodically review our security practices and conduct assessments to identify and address vulnerabilities.

Incident Response:
We have procedures in place to respond to data security incidents.

Your Responsibility:
You can help protect your data by:

  • Using a strong, unique password
  • Not sharing your login credentials
  • Keeping your device secure
  • Logging out of shared devices
  • Reporting suspicious activity to hello@aurie.ai or security@aurie.ai

No Guarantee:
While we take security seriously, no system is 100% secure. We cannot guarantee absolute security of your information.

If you believe your account security has been compromised, contact us immediately at security@aurie.ai.

13. ARTIFICIAL INTELLIGENCE DISCLOSURES

13.1 AI-Powered Wellness Companion

Aurie uses artificial intelligence to provide conversational wellness support. You understand and agree that you are interacting with AI, not a human therapist or medical professional.

13.2 AI Limitations and Risks

AI responses are generated algorithmically and may:

  • Be factually inaccurate or outdated
  • Be incomplete or inappropriate
  • Reflect biases or harmful patterns in training data
  • Not consider your complete context or unique circumstances
  • Contain errors or inconsistencies

Do Not Rely on AI for:

  • Medical or mental health diagnosis or treatment
  • Crisis or emergency situations
  • Legal, financial, or safety-critical decisions

Where technically feasible, we configure our AI processing providers so that they do not use your personal data from Aurie to train their general models.

13.3 Guardrails and Safety Measures

We implement technical and operational guardrails designed to:

  • Reduce harmful, discriminatory, or dangerous outputs
  • Detect certain crisis-related keywords and display appropriate resources. These automated safety checks are not human monitoring and do not involve storing or reviewing message content.
  • Monitor for misuse or abuse of AI features

Important Limitations:
Aurie does not monitor messages in real time. AI may not detect or respond appropriately to all crisis situations. Guardrails are not foolproof.

If you are in crisis or think you may harm yourself or others:

  • Call 988 (U.S. Suicide & Crisis Lifeline)
  • Text HOME to 741741 (Crisis Text Line, U.S.)
  • Call 911 or your local emergency number

Aurie cannot contact emergency services on your behalf.

13.4 AI Model Updates

We may update AI models periodically to improve safety, quality, and performance. Updates may change how the AI responds.

13.5 Human Review and Automated Decision-Making

Aurie uses AI to generate wellness conversations and suggestions. These AI-generated outputs are not “automated decisions” that significantly affect your legal rights or have similarly significant effects.

If you have concerns about AI-generated content, you may:

  • Request deletion of AI conversation history
  • Export your data
  • Contact us at hello@aurie.ai for assistance

13.6 Not a Substitute for Medical or Mental Health Care

Aurie does not provide medical or mental health care and does not create a doctor–patient, therapist–client, or other professional relationship.

The Services do not diagnose, treat, cure, or prevent any medical, psychiatric, or mental health condition. AI-generated references to mental health conditions, symptoms, or wellness topics are generated algorithmically and should not be interpreted as clinical evaluation, diagnosis, or treatment recommendations.

Aurie is not a substitute for therapy, counseling, or medical treatment. If you need ongoing mental health care, you should contact a licensed therapist, counselor, psychologist, psychiatrist, or medical doctor.

Always seek the advice of a qualified healthcare provider for questions about a medical or mental health condition. Never disregard professional medical advice or delay seeking it because of information provided by Aurie.

14. THIRD-PARTY SERVICES AND LINKS

The Services may contain links to third-party websites, apps, or services that are not owned or controlled by Aurie.

These third-party services have their own terms and privacy practices. We take reasonable steps to ensure they act as service providers under applicable law, but we do not control their independent actions.

We encourage you to review the privacy policies of any third-party services you access.

15. INTERNATIONAL DATA TRANSFERS

15.1 Where We Process Data

Aurie operates primarily in the United States. If you use Aurie from outside the United States, your information will be transferred to, processed, and stored in the United States.

15.2 Safeguards

When we transfer personal information internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by relevant authorities
  • Contractual agreements requiring service providers to protect your data
  • Organizational and technical measures to ensure comparable levels of protection

15.3 Regional Restrictions

We may restrict or block access to the Services in certain regions where:

  • Providing the Services would be unlawful
  • U.S. export controls or sanctions apply
  • We have not obtained required regulatory approvals

We may use IP address lookup and system settings, operated in a privacy-protective manner, to help enforce these regional or legal restrictions.

16. BIOMETRIC DATA (State-Specific)

16.1 General Statement

Aurie does not create, store, or use biometric identifiers or biometric information for the purpose of identifying individuals.

16.2 Voice Data Clarification

Voice features process audio to provide speech-to-text and text-to-speech functionality. Audio is:

  • Processed in real time
  • Deleted automatically after a short retention period used solely for troubleshooting and quality assurance (up to 5 days)
  • Not used to create voiceprints, templates, or identifiers
  • Not used for authentication or identity verification
  • Not used for biometric identification purposes

16.3 Illinois, Texas, and Washington Residents

If you are a resident of Illinois, Texas, or Washington, please note that we do not collect, capture, or otherwise obtain biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, or the Washington biometric privacy law.

17. CHANGES TO THIS PRIVACY POLICY

17.1 How We Notify You

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

  • Updating the “Effective Date” at the top of this Policy
  • Sending an email to the address associated with your account (where required)
  • Displaying a notice in the app or on our website

17.2 When Changes Take Effect

Material changes will take effect no earlier than 30 days after we provide notice, unless changes are required sooner for safety, security, or legal compliance reasons.

Your continued use of the Services after changes take effect means you accept the updated Policy.

17.3 Prior Versions

For disputes that arose before a new version became effective, the version of the Policy in effect at the time the dispute arose will apply.

18. GOVERNING LAW

This Privacy Policy is governed by the laws of the State of Delaware, United States of America, except where preempted or superseded by applicable federal or other state privacy laws.

19. CONTACT US

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Email:
hello@aurie.ai (general inquiries)

Postal Mail:
Aura Health, Inc.
1 Ferry Building Ste. 201
San Francisco, CA 94111
United States

Data Protection Inquiries:
For inquiries related to your privacy rights under applicable law, email hello@aurie.ai with “Privacy Request” in the subject line.

By using Aurie, you acknowledge that you have read, understood, and agree to this Privacy Policy.

WASHINGTON CONSUMER HEALTH DATA PRIVACY POLICY

Effective Date: December 19, 2025
Company: Aura Health, Inc. d/b/a Aurie
Contact: hello@aurie.ai
Applies to: Washington residents under the My Health My Data Act (RCW 19.373)

1. INTRODUCTION

This Washington Consumer Health Data Privacy Policy (“CHD Privacy Policy”) explains how Aura Health, Inc. (“Aurie,” “we,” “us,” or “our”) collects, uses, shares, and protects Consumer Health Data (CHD) as defined under Washington’s My Health My Data Act (MHMDA).

Aurie is for adults only. You must be at least 18 years old to create an account and use the Services. By using Aurie, you confirm that you are 18 or older.

By using Aurie as a Washington resident, you agree to this Washington Consumer Health Data Privacy Policy, in addition to our main Privacy Policy.

2. WHAT IS CONSUMER HEALTH DATA (CHD)?

Under the MHMDA, “consumer health data” includes any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s physical or mental health status.

For Aurie, CHD may include:

  • Sleep data
  • Activity or movement data
  • Mindfulness minutes
  • Wellness interactions within the app
  • Inferences about mental or emotional state
  • Crisis resource event indicators
  • IP address or device identifiers when linked to wellness-related features
  • Any health insights derived from your usage patterns

We do not collect clinical medical records or reproductive health data.

3. CATEGORIES OF CHD WE COLLECT

We collect the following categories of CHD:

(a) Data you provide

  • Reflections, wellness notes, and journal entries (wellness-related content)

(b) Data from device settings and wearable connections

  • Sleep, activity, mindfulness minutes (Apple Health or similar)

(c) Data generated through your interactions with Aurie

  • Crisis resource event indicators
  • Wellness interaction metadata
  • AI conversation context related to wellness
  • Inferences derived from usage patterns

(d) Technical data linked to wellness use

  • IP address
  • Device identifiers
  • System locale

4. SOURCES OF CONSUMER HEALTH DATA

We collect CHD from:

  • Direct input from you
  • Your device (with your permission)
  • Apple Health or wearable integrations
  • Inferences generated by Aurie
  • Metadata from crisis resource display events
  • Technical information derived during app usage when linked to wellness functions

5. PURPOSES OF COLLECTION AND USE

We use CHD for the following purposes:

  • Providing wellness features and AI conversations
  • Personalizing suggestions and content
  • Detecting when crisis resources must be displayed
  • Improving app performance and safety
  • Preventing fraud, misuse, and abuse
  • Complying with legal obligations
  • Maintaining security and enforcing terms

We may use aggregated and, where feasible, de-identified analytics based on Consumer Health Data to improve the performance, safety, and user experience of Aurie. We do not use Consumer Health Data to build marketing profiles or for targeted advertising.

6. HOW WE SHARE CHD

We do not sell CHD.

We only share CHD with:

(a) Service providers acting on our behalf

Such as:

  • AI processing providers
  • Speech-to-text and voice processing providers
  • Text-to-speech providers
  • Hosting, authentication, and storage providers
  • Analytics and measurement providers
  • Error monitoring and diagnostics providers

All service providers are contractually required to:

  • Process CHD only on our behalf
  • Maintain confidentiality
  • Not sell or use CHD for any independent purpose

Aurie does not currently have any affiliates as defined under Washington law with whom we share CHD. If this changes, we will update this policy and obtain your consent before sharing CHD with any affiliate.

(b) Third parties when required by law

We may disclose CHD to authorities when required to comply with legal obligations.

(c) Third parties with your explicit authorization

Any sharing beyond what is necessary to provide the Service requires separate and distinct consent.

7. CONSENT REQUIREMENTS (MANDATORY UNDER MHMDA)

(a) Collection Consent

We obtain your affirmative, opt-in consent before collecting CHD that is not strictly necessary to provide Aurie.

(b) Sharing Consent (Separate & Distinct)

Any sharing of CHD beyond what is necessary to operate Aurie requires separate and distinct consent presented independently from other permissions.

(c) Withdrawal of Consent

You may withdraw consent at any time by emailing hello@aurie.ai. Withdrawal is as easy as giving consent.

8. YOUR RIGHTS UNDER MHMDA

Washington residents have the following rights regarding their CHD:

  • Right to Access
  • Right to Deletion
  • Right to Withdraw Consent
  • Right to Confirm Processing
  • Right to Data List (list of third parties who received CHD)
  • Right to Appeal a Denial

You may exercise these rights:

  • In-app, where supported
  • By emailing hello@aurie.ai

We will verify your identity before processing your request.

9. LIST OF THIRD PARTIES

Upon request, we will provide a list of all third parties who have received CHD in the preceding three years, and the categories of CHD disclosed to each.

10. GEOFENCING PROHIBITION

Aurie does not use geofencing to identify, track, collect data from, or send messages to individuals within 2,000 feet of:

  • Mental health facilities
  • Hospitals
  • Clinics
  • Reproductive health centers
  • Homeless shelters
  • Addiction treatment centers
  • Similar health-related locations

11. DATA SECURITY

We use reasonable and appropriate technical and organizational safeguards, including:

  • Encryption in transit and at rest
  • Access controls
  • Authentication protections
  • Periodic security reviews

However, no system is perfectly secure.

12. DATA RETENTION

CHD is retained in accordance with our main retention schedule:

  • Active accounts: retained while your account is active
  • Backups: up to 90 days
  • Crisis event logs: retained only as necessary to support safety, detect misuse, and maintain service integrity. These logs do not include message content.
  • Legal requirements: longer retention when necessary

13. CHANGES TO THIS POLICY

We may update this CHD Privacy Policy as required by law or operational changes. Significant changes will be posted conspicuously on our website.

14. CONTACT

If you have questions, concerns, or requests related to this CHD Privacy Policy or our data practices, please contact us:

Email:
hello@aurie.ai (general inquiries)

Postal Mail:
Aura Health, Inc.
1 Ferry Building Ste. 201
San Francisco, CA 94111
United States

By using Aurie, you acknowledge that you have read, understood, and agree to this Washington Consumer Health Data Privacy Policy, in addition to our main Privacy Policy.