AURA TWIN is built around a simple principle: your chats are yours alone. They are encrypted on your device before they leave it, and the server is a blind router — we cannot read them, ever. We collect what we need to run the matching service and the AURA token ledger, nothing more. We never sell your data, never run third-party ad trackers, and never share your verification documents with third parties. You can access, correct, or delete your data at any time by writing to us. This policy tells you exactly what we collect, why, and for how long.
1. Who we are
Aura Social Pty Ltd (trading as AURA TWIN) is the data controller for personal information collected through the AURA TWIN app and this website. We are an Australian company (ACN 696 919 963), operating under the laws of Queensland, Australia.
Our registered address and contact details are set out in Section 14. Where this policy refers to "we", "us", or "our", it means Aura Social Pty Ltd.
This policy covers personal information collected through:
- The AURA TWIN Android application
- The waitlist website at auratwin.co
- Any email or other communication you send us
2. What we collect
We collect only what the service needs to function. Here is exactly what that is:
Account information
- Passkey identifier — a cryptographic credential created on your device via Android Credential Manager. We store the public key only; your private key never leaves your device.
- Display name — the name you choose to be known by in the app.
- Suburb — used for hyper-local matching. We do not collect your street address, GPS coordinates, or continuous location history.
Tasker verification artifacts (taskers only)
If you register as a tasker (someone who offers to complete gigs), we collect the following before you are allowed to bid:
- Government-issued photo ID image
- Full legal name and date of birth
- ABN or sole-trader equivalent
- Business contact details
- For regulated trades: trade licence proof and public liability insurance certificate
These documents are stored encrypted at rest. They are used to display a verification badge to users you connect with. See Section 4 for what the verification badge does and does not mean.
Gig metadata
- Gig title, category, and suburb
- Bid amounts in Aura credits
- Gig status and completion timestamp
- Dispute flags (if raised)
Communication metadata (not content)
When messages are sent between users, we record:
- Sender and recipient account identifiers
- Timestamp
- Approximate message size
We never record the message body. Chat plaintext and bid contents are encrypted on your device before transmission. The server cannot decrypt them.
Device information
- Firebase Cloud Messaging (FCM) push token — used to deliver notifications when you are offline
- App version and OS version — used for support and compatibility
Map state (transient)
When you view the map, Mapbox receives your viewport bounds to serve the correct map tiles. This is transient — we do not log your map history or derive your movement patterns from it.
Waitlist information
If you submit a waitlist request via this website, we collect your email address, mobile number, postcode, role, and an optional one-sentence note. This data is submitted directly to Supabase via a REST POST and stored in our Supabase project database. Supabase is listed as a sub-processor in Section 6 of this policy and is subject to the same data-handling commitments. We do not use a mailto: link or any other third-party form processor for this data.
3. What we don't collect
Beyond chat content, we also do not collect:
- Bid contents — also encrypted end-to-end
- Real-world payment information — there is no payment rail in the pilot; Aura credits are an internal ledger
- Continuous GPS location — suburb-level only, no location history
- Advertising identifiers — no IDFA, no GAID, no ad-tech tracking
- Contacts, photos, or files from your device, unless you explicitly attach them to a gig
- Anything from third-party social networks
- Criminal background check data — we do not conduct background checks
4. How we use what we collect
We use your information only for the following purposes:
- Running the service — matching posters with taskers, routing encrypted messages, maintaining the Aura credit ledger, showing you relevant gigs in your suburb.
- Verification badges — displaying a badge summary to users you connect with, so they can see that you have submitted the required documents. The badge does not constitute our endorsement or validation of those documents.
- Dispute trail — if a dispute arises, the gig record, bid record, and communication metadata (not the message content) form a factual trail that we surface to both parties and, during the pilot, to the founder as escalation contact.
- Push notifications — delivering messages queued while your device was offline, via FCM.
- Support and safety — responding to support requests, investigating abuse reports, and enforcing these policies.
- Legal compliance — retaining data as required by law and responding to lawful government requests.
We do not use your information for advertising, profiling, or sale to third parties.
5. How we store and protect it
Our production database is hosted on Supabase (managed PostgreSQL). Data at rest is encrypted using AES-256, consistent with Supabase's default storage encryption. During the pilot, the Supabase project is hosted on AWS infrastructure in the United States. We intend to migrate to an Australian region after the pilot concludes, and will update this section and notify users when that move is complete. See Section 7 for what this means for you.
Verification artifacts (ID images, licence documents) are stored encrypted at rest in Supabase Storage. They are accessible only to our backend service; they are not publicly accessible URLs.
End-to-end encrypted message payloads are never stored in decryptable form. The server stores the ciphertext envelope (sender ID, recipient ID, timestamp, size, ciphertext) only. The hardware-backed Android KeyStore holds the private key component for E2EE; we do not hold it.
Access to our production database is restricted to named team members via Supabase's access control. We do not share database credentials externally.
6. Who we share with
We share data with the following sub-processors only:
Supabase
Managed PostgreSQL database, authentication, and storage. Processes: account data, gig metadata, communication metadata, verification artifacts, Aura credit ledger. Data is encrypted at rest on Supabase infrastructure. Supabase Privacy Policy.
Firebase Cloud Messaging (Google)
Push notification delivery. Processes: FCM push token, notification payload (which may include a brief notification summary). FCM delivers the notification; message content remains encrypted. Firebase Privacy Policy.
Mapbox
Geospatial map tiles and suburb-level geocoding. Processes: map viewport bounds when you view the map. Tile requests do not include account identifiers. Mapbox Privacy Policy.
Google Fonts CDN
The waitlist website loads Manrope and Inter typefaces from Google Fonts. This involves a network request to Google's CDN, which may log your IP address. Google Privacy Policy.
We use no third-party analytics provider and no advertising network — only our own first-party, cookieless, aggregate visit and download counts on AURA's own server (see Section 10). We do not sell personal data to any party, ever.
7. International transfers
AURA TWIN is an Australian product, but during the pilot phase your personal information is stored on Supabase's AWS infrastructure in the United States. By using the service, you consent to this transfer and storage. Supabase encrypts data at rest and in transit. The chat messages and bid contents you exchange with other users are end-to-end encrypted on your device before transmission and the Supabase server cannot decrypt them — see Section 5. We plan to migrate to an Australian AWS region after the pilot and will notify users via in-app message and email when that migration completes.
If you are in the European Economic Area (EEA) or United Kingdom, we rely on standard contractual clauses (incorporated into Supabase's data processing agreement) as the legal basis for any international transfer of your data.
If you are in Australia, international transfers are governed by Australian Privacy Principle 8. We take reasonable steps to ensure that any overseas recipient handles personal information in a way that is consistent with the Australian Privacy Act 1988 (Cth).
8. How long we keep it
| Data type | Retention period |
|---|---|
| Account data (display name, suburb, passkey identifier) | While your account is active, plus 90 days after a verified deletion request to allow dispute resolution on any open gigs. |
| Tasker verification artifacts (ID images, licence docs) | While your tasker account is active. Deleted on account closure unless the account is under an active dispute investigation. |
| Gig metadata (title, bids, status, timestamps) | 24 months from gig completion, then anonymised. Retained longer only if the gig is subject to an active legal dispute. |
| Communication metadata (sender/recipient IDs, timestamps) | 90 days from message transmission. |
| Chat ciphertext (E2EE message payloads) | Deleted from server after the recipient's device has acknowledged delivery, or after 30 days if unacknowledged. |
| FCM push token and device metadata | While your account is active. Deleted on account closure or when the token is invalidated by the device. |
| Waitlist email and mobile number | Until you receive a pilot invite and create an account, or until you opt out, whichever comes first. Automatically deleted if the pilot does not launch within 12 months of your submission. |
9. Your rights
Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
If you are in Australia, you have the following rights under APP 12 and APP 13:
- Access — you can request a copy of the personal information we hold about you.
- Correction — you can ask us to correct personal information that is inaccurate, out of date, incomplete, or misleading.
- Deletion — you can ask us to delete your account and associated personal information, subject to the retention exceptions in Section 8.
- Complaints — if you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Under the GDPR (European users)
If you are in the European Economic Area or UK, you also have the right to:
- Obtain a portable copy of your data in a structured, machine-readable format
- Restrict processing of your data in certain circumstances
- Object to processing based on our legitimate interests
- Request erasure ("right to be forgotten"), subject to legal retention obligations
- Lodge a complaint with your local supervisory authority
Our lawful basis for processing is, depending on context: performance of a contract (providing the service), compliance with a legal obligation, or our legitimate interests in operating a safe and fraud-resistant platform.
Under the CCPA (California users)
California residents have the right to know what personal information we collect and to request deletion. We do not sell personal information as defined by the CCPA. To exercise your rights, contact us at the address in Section 14.
To exercise any of these rights, email info@auratwin.co. We will respond within 30 days for Australian requests and within the applicable statutory period for EU and California requests.
10. Cookies and tracking
The AURA TWIN app does not use cookies. It does not include any advertising SDK or analytics SDK during the pilot.
The waitlist website (auratwin.co) uses no cookies and no third-party analytics or advertising scripts. We do keep anonymous, aggregate visit and download counts on AURA's own server (not a third party). For each request we record the page path, the referring site, and a daily one-way hash derived from your IP address and browser so we can estimate unique visitors — we never store your raw IP address, and the hash cannot be reversed back to it. The external network requests the page makes are:
- Google Fonts CDN — to load the Manrope and Inter typefaces. This is a standard font CDN request. Google may log the requesting IP address. You can disable this by blocking fonts.googleapis.com in your browser, which will cause the page to fall back to system fonts.
- AURA analytics endpoint (aura-ktor.fly.dev) — a single cookieless beacon recording the anonymous visit count described above, plus the app-download button, which routes through this endpoint so we can count downloads before delivering the file. No cookies, no third party.
There is no cookie consent banner because there is nothing that requires consent under the Australian Privacy Act or the EU ePrivacy Directive beyond what is disclosed in this section.
11. Data breaches
We take the security of personal information seriously. If an eligible data breach occurs — meaning a breach that is likely to result in serious harm to any affected individual — we will comply with our obligations under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Australian Privacy Act 1988 (Cth).
This means we will:
- Notify affected individuals as soon as practicable
- Notify the OAIC as required under the NDB scheme
- Take reasonable steps to contain the breach and reduce harm
12. Children
AURA TWIN is restricted to users aged 18 years and over. The pilot is an adult service involving financial transactions in the form of Aura credits and real-world task arrangements. We do not knowingly collect personal information from anyone under 18. If you believe a minor has registered, please contact us immediately at info@auratwin.co and we will close the account and delete the information.
13. Changes to this policy
We may update this policy as the service evolves. When we make material changes — such as adding a new sub-processor, changing a retention period, or launching a new feature that involves personal data — we will notify registered users by in-app notification or email before the change takes effect.
The version number and "Last updated" date at the top of this page always reflect the current version. The previous version is available on request by emailing info@auratwin.co.
14. Contact and complaints
If you have a question or concern about this policy or the way we handle your personal information, contact us first:
Aura Social Pty Ltd (trading as AURA TWIN)
ACN 696 919 963
Queensland, Australia
info@auratwin.co
We aim to respond to all privacy enquiries within 14 days. If you are not satisfied with our response, or if we do not respond within 30 days, you may escalate to:
Office of the Australian Information Commissioner (OAIC)
oaic.gov.au
1300 363 992
GPO Box 5218, Sydney NSW 2001
For EU residents, you may also contact your local data protection authority.