Privacy

Your data is important. And so it is important to us that it is well protected.

Summary

Take your time and read the entire privacy policy below because using our website, our products or contacting us via email or social media means you agree to it.

But since our attention spans are wrecked since the internet, the most important points up front (and with emojis so you continue reading):

  • You always remain in control 🕹️! You decide at any point what data you allow us to process at what point. 🔑 Use our keywords to provide or withdraw your consent. You find them in our WhatsApp channel description or here:
  • 💌 Feedback: For feedback, help or flagging an inappropriate response from Aury, type your feedback in chat or contact info@aury.co
  • 🏗️ General Data Processing: To opt-out, type /stopprocessing.
  • 📊 Analytics and Product Improvement: To opt-in, type /analyzeme. To opt-out, type /stopanalyzingme.
  • 🔔 Reminders: To opt-in, type /remindme. To opt-out, type /stopremindingme.
  • Your data is safe with us! The data you decide to share with us will be processed on highly secure US and EU servers only. We only work with providers who put in place substantial security measures to protect your data as well 🛡️.
  • Your conversations remain confidential 🔒! They cannot be read by anyone, not even us unless you explicitly allow us to read the anonymized transcript of your last session.
  • No sale of your data 🚫! Your data will not be sold or otherwise misused! You will also never receive unsolicited ads from us.
  • We will delete your data 🗑️ and don't continue using it after you are done with Aury. As soon as the purpose we collected it for is fulfilled or upon request, we will delete your data.

Privacy Policy

Version 1.2, November 2024

General Information and Your Rights

Aury is a conversational AI system that allows you to discuss matters related to your mental well-being.

Aury is provided to you by us, the 117 Digital UG (hereafter also referred to as 'we').

This privacy policy explains which data we process, for what purpose, how long we store it, and what rights you have in connection with your data processing.

It applies to

  • our product
  • our website
  • any channels you can contact us through, such as email or social media.

What It Means

Read this! Because you agree to it when using Aury, this website or contacting us.

Name and Address of the Data Controller

This privacy policy applies to the processing of your personal data by:

117 Digital UG

c/o Factory Works GmbH Rheinsberger Str. 76/77, 10115 Berlin, Germany

Email: info@aury.co

Represented by the Managing Director: Robert Wasenmüller

What It Means

Contact us if you have any issues, also privacy issues at: info@aury.co

Contact Details of the Data Protection Officer

Aury has appointed an external Data Protection Officer. You can contact them at:

heyData GmbH

Schützenstrasse 5, 10117 Berlin, Germany

Email: dpo@aury.co

What It Means

Or contact our DPO at: dpo@aury.co

But only for privacy issues.

Your Rights Regarding Your Data

You have the following rights under the EU GDPR and, where applicable, US privacy laws (such as CCPA):

  • Right of Access (Art. 15 GDPR) or Right of Disclosure (under CCPA): You have the right to request information from us at any time about the personal data we hold about you, including the purposes of the processing, the categories of data, the recipients, and the planned retention periods.
  • Right to Rectification (Art. 16 GDPR): If your personal data is inaccurate or incomplete, you can request that it be corrected.
  • Right to Erasure (Art. 17 GDPR and CCPA): Under certain conditions, you have the right to request the deletion of your data.
  • Right to Restrict Processing (Art. 18 GDPR): Under certain conditions, you can request that the processing of your data be restricted.
  • Right to Object (Art. 21 GDPR / CCPA): You have the right to object to the processing of your data if it is based on legitimate interests or is being processed in the public interest.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • Right to Opt-Out of Data Sale (CCPA): You have the right to opt-out of the sale of personal information, but we don't sell your data in the first place.

What It Means

You have rights! Yes, as any human should. Yours include that we

  • delete
  • correct
  • stop collecting and processing
  • show you
  • hand over (it's similar to showing you your data except you get your data in a format only machines can read so you could theoretically use it for something else - we believe this is more for nerds 🤓)

your data.

Data Processing Outside the EEA

If we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the European Commission under Article 45(3) GDPR guarantee the security of the data during transfer, provided such decisions exist, as is the case for the United Kingdom, Canada, and Israel.

For data transfers to service providers in the United States, the legal basis for the data transfer is an adequacy decision of the European Commission if the service provider is also certified under the EU-US Data Privacy Framework.

In other cases (e.g., where no adequacy decision exists), the legal basis for the data transfer is usually, unless we indicate otherwise, Standard Contractual Clauses (SCCs). These are a framework adopted by the European Commission and form part of the contract with the respective third party. Pursuant to Article 46(2)(b) GDPR, they ensure the security of the data transfer. Many providers have also provided contractual guarantees that go beyond the Standard Contractual Clauses, which offer additional protection. These include, for example, guarantees regarding the encryption of data or an obligation for the third party to notify the data subject if law enforcement authorities attempt to access the data.

What It Means

ONLY FOR 🇪🇺 USERS:

There is a complex political discussion going on. In short: The EU is worried that the US government can potentially collect data from you without a judge allowing the government to do so 👩‍⚖️.

So we minimize the use of providers using US servers. Sometimes that's impossible. When this is the case, we carefully choose the providers we work with and make sure they only receive the data they necessarily need, ideally anonymized or encrypted.

Right to Lodge a Complaint

If you believe that the processing of your data violates the GDPR or other applicable privacy laws, you have the right to lodge a complaint with a supervisory authority. For us, the competent authority is:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstraße 219, 10969 Berlin, Germany

If you reside in California or elsewhere in the United States, you can also lodge complaints with the California Attorney General or local state data privacy authorities.

What It Means

Contact these people if you think we misuse your data against the law. I mean, we're not, but just so you know: The state you live in has someone to kick our asses if we did.

The Application

Channels

You can use a beta version of Aury through WhatsApp, which is provided by WhatsApp LLC, a subsidiary of Meta Platforms Inc., which uses servers in the USA. More information about the processing of your data by WhatsApp can be found in WhatsApp's privacy policy.

Important for EU users: By using WhatsApp, your data may be transferred to the US and Meta Inc. and the US government theoretically could access them. We ensure data protection through the use of Standard Contractual Clauses (SCCs) approved by the EU.

What It Means

You can chat with Aury via WhatsApp.

Web 🖥️ and Mobile 📱 App will follow soon.

To our EU users 🇪🇺: WhatsApp uses US servers!

They get your phone number for sure 😬. And they theoretically share it with Meta Inc. and the US government.

They use End-to-End encryption which basically means nobody there can read your message - puh… 😮‍💨. Best to read about it and the limitations of it yourself:

Hosting

Aury is hosted on servers of an external service provider, Scalingo SAS, which stores and processes data exclusively within the EU and specializes in handling sensitive data. How they process your data can be found here:

Processed Data: IP addresses, contact information, names, and other personal data necessary for the use of Aury or this website.

Legal Basis: Art. 6(1)(b) GDPR – performance of a contract.

Storage Period: Your data will be deleted as soon as it is no longer required for its intended purpose and there are no statutory retention periods that prevent deletion. You can find specific deletion periods in the respective functions below.

What It Means

We store all your data in France, EU.

The provider we use is specialized in dealing with highly sensitive data and has a bunch of certifications 🏅 and we suspect they have barbed wire, cameras and security around their server buildings 👮.

So, your data is stored in probably one of the safest places within the EU 🛡️. But again, best to read for yourself:

User Account and Data

Processed Data: Phone number, the name you choose to be addressed by (not necessarily your real name), and a user ID.

Note: While we don't store your messages (see below), we do store information we derive from your messages so that Aury can offer some basic functionalities like memory. These are stored in a different database than the data that could directly identify you.

Legal Basis: Art. 6(1)(b) GDPR – performance of a contract.

Storage Period: Your data will be securely deleted 180 days after your last activity or upon your request for deletion. For US residents, retention practices comply with CCPA, and data will not be retained longer than necessary for business purposes.

What It Means

We receive your phone number! I mean, how could we otherwise let Aury respond to you? But rest assured: We store your number at a different location than your messages. So any potential hacker would need to break into both and put together your data to get them.


A note on the retention period: This means that if you haven't been active for >180 days, we delete everything and you have to start over. It's like Aury had amnesia and forgot everything. We know this is annoying to some of you who wanted to return but our lawyers said this is the most time we are able to do this.

Your Messages

Processed Data: Messages you share with Aury.

These messages are anonymized and sent to our AI models. Some of our models come from third party providers, e.g. OpenAI OpCo, LLC for processing. Further information on how OpenAI processes your data can be found here:

Important: Anonymization means that no directly or indirectly identifiable personal data (such as IP addresses, phone numbers or user IDs) are transmitted. However, the context of the conversation may allow inferences about your identity.

Legal Basis: Art. 6(1)(b) GDPR – performance of a contract.

Storage Period: Your messages will be deleted from our servers right after your session has ended, unless you allow us to analyze your transcript (see section on Analytics and Tracking).

Memory function: Summaries of your conversations and derived content necessary to perform the contract are stored upon the same conditions as your user data (180 days after your last activity or upon your request for deletion).

What It Means

Your messages stay confidential! 🤫

  • In WhatsApp, they are E2E encrypted.
  • With OpenAI, we don't send them along with any identifiers. They only receive your plain message and don't use it for training purposes and delete them after 30 days.
  • For ourselves: We don't read them, unless you explicitly allow us to analyze them anonymized (see Analytics and Tracking).

A note on anonymity 👤: Your messages are only as anonymous as you decide them to be. If you share information that can only be traced back to a handful of people, then they are not really anonymous anymore.

A note on Aury's memory function 🧠: Aury remembers important parts of the conversations you have and summarizes them so it does not simply forget about you when you return. However, this means that while your transcript gets deleted, important parts of it remain in our systems.

Information in accordance with the EU AI Act

In accordance with the EU AI Act for Limited Risk products, please be aware of the following: When chatting with Aury, you are interacting with an AI-driven chatbot, not a human.

Aury is designed to assist with general inquiries and provide support but is not a substitute for professional therapeutic advice.

Responses generated by AI may contain biases, inaccuracies, or errors. Do not rely on these responses for critical decisions, especially regarding your health or well-being.

Aury's AI responses are generated based on specific guidelines designed to provide general support and information. The guidelines are set up to ensure the AI remains neutral and respectful. However, the system's answers are generated in real-time and may be influenced by the way questions are phrased. Please note that responses may still contain biases or inaccuracies, as the AI model is trained on diverse internet data.

You can flag Aury's responses. On WhatsApp, use our built-in feedback functionality for that. Simply type your feedback (or explicitly: /feedback) in chat and include the response you want to flag as inappropriate.

What It Means

When chatting with Aury, you are not chatting with a human being but a piece of software. So far, no news 📰. I mean, even my wife's grandma gets that.

But you should know that when interacting with a generative AI system like Aury, this system can make mistakes.

The other information in the paragraph is more for nerds 🤓.

Analytics and Tracking

Processed Data: Usage data, such as time and duration of use as well as an anonymized form of the transcript. This data is forwarded in pseudonymized form to tools provided by DataDog, Inc. and PostHog, Inc. for processing and analysis, which use servers in the US.

Note: Pseudonymization means that we do not transfer any direct personal data (e.g. IP addresses or telephone numbers), but data derived from them (e.g. your user ID) that could indirectly be traced back to you.

You can find more information about how DataDog processes this data here: https://www.datadoghq.com/legal/privacy/ [09/26/2024]

You can find more information about how PostHog processes this data here: https://posthog.com/privacy [09/26/2024]

Legal Basis: Art. 6(1) lit. f) GDPR - legitimate interest in the analysis and optimization of our product and Art. 6(1) lit. a) GDPR - consent.

Storage Period: Your usage data will be securely deleted 180 days after the last activity, transcripts after 7 days or after your deletion request.

What It Means

Aury just got released. To unlock its potential we need your feedback 🫵. We don't just collect it but always ask your permission before. Even if you provide it, we only analyze your data in a way that protects your privacy. If you provide your consent, this is what we do:


We analyze how you interact with Aury (like when you use it, how often, etc.) in pseudonymized form. Pseudonymized means: No direct personal info like your phone number, but something that could indirectly link back to you. Below you see what we see when we analyze this kind of data.

This is an example of what we see in our analytics tool:


Reminders and Marketing

We only reach out to you in ways that you have explicitly agreed to. Here's how we handle reminders, newsletters, and marketing communications:

  1. No Sale of Data or Unsolicited Advertising

    None of your data will be sold or used for unsolicited advertising. Aury will not send you advertisements unless you have explicitly opted in to receive specific communications.

  2. Reminders from Aury

    Aury can proactively send you reminders that you set up to help you stay on track with your mental well-being goals.

    Consent: You will only receive reminders if you have explicitly set them up during the onboarding process or by using the command `/remindme` in your conversation with Aury.

    Revoking Consent: You may stop receiving reminders at any time by typing `/stopremindingme` during your conversation with Aury. This option is also explained in Aury's channel description.

  3. Newsletters

    If you subscribe to our newsletter via our website, we will send you updates, resources, and information about new features related to Aury.

    Opt-In: You will only receive newsletters if you have explicitly opted in by providing your email address.

    Unsubscribing: You can unsubscribe at any time using the link provided in each newsletter email or by contacting us directly.

  4. WhatsApp Community

    You have the option to join our WhatsApp community to receive updates, resources, and content related to Aury.

    Opt-In: Joining our WhatsApp community is entirely voluntary. You can leave the group at any time using WhatsApp's 'Leave Group' feature.

  5. User Surveys

    Occasionally, we may send you surveys to gather feedback on your experience with Aury.

    Consent: These surveys will be sent only after you have interacted with Aury, and participation is entirely voluntary.

    Opting Out: If you do not wish to receive survey invitations, you can opt out by responding to the survey request or contacting us directly.

Legal Basis: The processing of your data for reminders, newsletters, and surveys is based on your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time without affecting the legality of the processing carried out prior to your withdrawal.

Storage Period: Your contact information and preferences will be stored until you revoke your consent or unsubscribe from these services. Data related to reminders will be deleted as soon as they are no longer needed for their intended purpose.

What It Means

We will not sell your data or send you unsolicited ads. Promise!

The only ways we may reach out to you are if you want

  • Aury to set reminders for you (super cool feature, you don't have to remember shit anymore, Aury does for you!)
  • to receive our newsletter
  • be part of our beta community on WhatsApp (Highly exclusive! ✨ Invite only! 🤫 We reach out to you if we want you in there, but only if you consent 😉)
  • to receive user surveys (please do, they help us make Aury better🙏).

For each of these, we will explicitly ask you and you can opt-out anytime.

The Website

Provision of the Website

Processed Data: When visiting our website, we use Google Analytics, which is provided by Google LLC and hosted on US servers, to process personal data for analytical purposes (IP address, browser, etc.).

Legal Basis: Art. 6(1)(f) GDPR – legitimate interest in analyzing and optimizing our website.

Storage Period: 14 days.

For US users, these practices adhere to CCPA and other state privacy laws by using data only for business purposes.

What It Means

We get personal data from you also if you visit this website.

If you agree to our cookies 🍪 we also track your website usage!

This is an example of what we can see on our analytics dashboard:

Analytics Dashboard Example

Customer Service and Inquiries

Processed Data: IP address, email address, name and other information you provide to us in your message.

Legal Basis: Art. 6(1)(b) GDPR – (pre-)contractual measures.

Storage Period: 14 days after your inquiry is resolved, or you request deletion.

For US users, this also aligns with CCPA principles.

What It Means

Well, if you contact us, we know about you - surprise 🎊.

Depending on the channel you contact us, e.g. email, social media, or WhatsApp, we can see either your email address, social media profile, or phone number.

Social Media

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, which uses servers in the USA. The privacy policy is available here:

Processed Data: When network users contact us via our profiles, we process the data provided to us in order to answer the enquiries.

Legal Basis: Art. 6(1) lit. b) GDPR - (pre-)contractual measures.

Storage Period: 14 days after your inquiry is resolved, or you request deletion.

What It Means

Yes, also social media processes your personal data. They might even make money off it - again, surprise.

But in regards to us, we only see your profile if you interact with our profile, e.g. follow it, or contact us.



Wow, you made it until the end 🥳. If you want to reward yourself or get back your sanity, talk to Aury.

Try it out:

Contact

Email: info@aury.co

WhatsApp (Aury Team): +49 157 9247 8402