Privacy Policy

Version 1.5 - February 2026

General Information and Your Rights

1) What is this about?

Aury is a conversational AI system that allows you to discuss topics related to your mental well-being.

In this Privacy Policy we explain:

  • what personal data we process,
  • for what purposes and on what legal basis,
  • how long we store it,
  • to whom we may disclose data,
  • and what rights you have.

This Privacy Policy applies to:

  • our consumer products (including the prevention program "Digitale Stressbewältigung mit Aury"),
  • our website,
  • as well as all contact channels (e.g., email, social media).

Where data processing differs between the prevention program "Digitale Stressbewältigung mit Aury" and other offerings, we indicate this in the respective section.

2) Who is responsible?

The controller responsible for data processing is:

Aury Care GmbH

Am Mühlenberg 11
14476 Potsdam
Germany

Email: info@aury.co

Managing Directors: Saskia Fester, Robert Wasenmüller, Maximilian Rank

3) Data Protection Officer

Frank Trautwein (external Data Protection Officer)

Fresh Compliance GmbH
Schönhauser Allee 43a
10435 Berlin
Germany
  • Data subject requests (e.g., access, erasure, data copy): dpo@aury.co
  • Confidential inquiries directly to the DPO: dsb@freshcompliance.de

4) What types of data do we typically process?

Depending on usage, we process in particular:

  • Account/contact details (e.g., email, name – if provided)
  • Communication content (e.g., chat messages, feedback)
  • Usage/log data (e.g., timestamps, technical logs, IP address)
  • Device/browser data (e.g., device type, operating system, app/browser information)

Important note on sensitive data (health data):

If you share information about your mental state, symptoms, or health in conversations, this may constitute health data. We only process such data to the extent necessary for the use of Aury and on the legal bases specified in the respective section.

5) On what legal basis do we process data?

Depending on the purpose, we rely in particular on:

  • Art. 6(1)(b) GDPR (contract / use of the application)
  • Art. 6(1)(a) GDPR (consent, e.g., newsletter, optional analytics/tracking)
  • Art. 6(1)(f) GDPR (legitimate interest, e.g., IT security, abuse/error analysis)
  • Art. 6(1)(c) GDPR (legal obligations, where applicable)

Where health data is involved, an additional exception under Art. 9 GDPR applies (e.g., explicit consent, where required).

6) To whom do we disclose data?

We use processors (e.g., hosting, infrastructure, analytics tools) that process data exclusively on our instructions.

In addition, third-party providers may be independently responsible (e.g., messenger/social media platforms) when you use those channels. Details are provided in the respective sections.

7) How long do we store data?

We store personal data only as long as necessary for the respective purpose or as long as statutory retention obligations exist.

Specific storage periods are stated for the respective processing activities (e.g., hosting logs, analytics, newsletter).

8) Your rights

You have – subject to the applicable conditions – the following rights:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of consent at any time with effect for the future (Art. 7(3) GDPR)

To exercise your rights, contact us at: dpo@aury.co.

9) Right to lodge a complaint with a supervisory authority

You may lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht (Brandenburg)

Dagmar Hartge
Stahnsdorfer Damm 77
14532 Kleinmachnow

https://www.lda.brandenburg.de/lda/de/ueber-uns/kontaktanreise/

10) Automated decisions / Profiling

Aury generates responses automatically (AI-powered). We do not make solely automated decisions that produce legal effects concerning you or similarly significantly affect you.

11) Changes to this Privacy Policy

We may update this Privacy Policy if our processing, legal requirements, or products change. The current version is always available in the application or on our website.

The Application

1) Sub-processors

The following overview shows all sub-processors that we use for the data processing activities described in sections 2-5 (exception: use of the beta version on WhatsApp – please refer to the providers listed in the respective sections).

Sub-processor | Purpose | Location | More Information
Scalingo SAS | Application hosting, infrastructure | France (EU) | DPA
Outscale SASU (Dassault Systèmes SE) | Infrastructure provider (servers) | France (EU) | --
Microsoft (Azure) | AI model hosting | EU Data Zone | Privacy Statement
Google (Vertex AI) | AI model hosting | EU Data Zone | Zero Data Retention
Datadog, Inc. | Infrastructure monitoring | EU operation/region | Privacy
PostHog, Inc. | Product analytics | EU operation/region | Privacy
Langfuse GmbH | LLM observability, quality assurance | Germany (EU) | Privacy
Proton AG | Quality assurance | Switzerland | Privacy

(as of 26.02.2026)

2) Channels

We provide you with access to our applications through the following channels:

2.1 Web application

For the prevention program "Digitale Stressbewältigung mit Aury", only this section applies.

We provide a web app for the use of Aury and for the use of the prevention program "Digitale Stressbewältigung mit Aury". The prevention program is not available via WhatsApp or other messengers.

Status note: The prevention program is currently in final preparation and will be published shortly.

  • Hosting of the web app & infrastructure: Scalingo SAS as hosting provider; server operation via Outscale SASU (a brand of Dassault Systèmes SE) in France (EU).
  • Storage & processing of personal data: exclusively within the EU/EEA.
  • AI-powered features (model hosting): Microsoft Azure Cloud (EU Data Zone) and Google Vertex AI (EU Data Zone).
  • No third-country transfer: Within the scope of the prevention program, no transfer of personal data to third countries (e.g., USA) takes place.

2.2 Instant messenger channels (WhatsApp)

This section expressly does not apply to the prevention program "Digitale Stressbewältigung mit Aury", but only to separately offered services of Aury Care GmbH ("non-prevention offerings") that may be accessible via third-party platforms.

Aury chat via WhatsApp (Beta):

A beta version of an Aury service may be offered via WhatsApp. This WhatsApp beta is not part of the prevention program and is separate from it.

Third-party providers & possible third-country transfer:

  • When using WhatsApp, personal data (in particular your phone number, communication metadata, and content within the scope of platform usage) is transmitted to and processed by WhatsApp/Meta as an independent provider.
  • For users in the EU: Through the use of WhatsApp, transfers to third countries (e.g., USA) may occur – depending on the processing by WhatsApp/Meta and any additional service providers engaged within the scope of the WhatsApp beta.

End-to-end encryption:

WhatsApp uses end-to-end encryption for message content. Please note that certain metadata (e.g., phone numbers, device/usage information) may still be processed by WhatsApp/Meta.

WhatsApp Privacy Policy

Important note on channel choice:

If you prefer processing exclusively within the EU/EEA without third-country transfers, please use the prevention program via the Aury web app (where available). The WhatsApp beta is a separate channel with different data protection conditions.

3) Hosting & AI infrastructure

These details describe our technical service providers ("processors") for hosting and AI features. For the prevention program "Digitale Stressbewältigung mit Aury", only EU/EEA processing applies; third-country transfers are excluded.

3.1 Application hosting (website & Aury web app including the prevention program)

Our website and web applications (including the prevention program "Digitale Stressbewältigung mit Aury") as well as the associated infrastructure (e.g., user management, database, backups, system logs) are operated by Scalingo SAS (hosting provider) using servers of Outscale SASU (a brand of Dassault Systèmes SE) as infrastructure provider exclusively in France (EU).

Data processed:

IP address, technical protocol/log data (e.g., timestamps, device/browser information), account/contact details (e.g., email; name, if provided), as well as content/information that you enter in the web app, insofar as it is stored for usage purposes.

Purposes:

Operation and provision of the website/web app, IT security, error/performance analysis, abuse and disruption prevention.

Legal basis:

Art. 6(1)(b) GDPR (provision/use of the web app) and Art. 6(1)(f) GDPR (security, stability, abuse prevention).

Third-country transfer:

No transfer of data to third countries takes place.

Storage period:

Log/system data generally up to 180 days (security/error analysis), thereafter deletion/anonymization unless statutory obligations prevent it. Account and usage data stored in the application generally until deletion of the account or as long as required for usage.

3.2 AI model hosting in the EU (web app including the prevention program)

For AI-powered features in the web app (including the prevention program "Digitale Stressbewältigung mit Aury"), we use model hosting in EU data zones at:

  • Microsoft Azure (EU): https://www.microsoft.com/de-de/privacy/privacystatement (as of 26.02.2026)
  • Google Vertex AI (EU): https://cloud.google.com/privacy/gdpr?hl=de (as of 26.02.2026)

Training:

Google does not process customer data on Vertex AI for training/fine-tuning without prior permission/instruction.

For Azure-based GenAI services, it is likewise described that content is not used for training and may be temporarily stored for security/abuse monitoring.

Data processed:

Content of individual user messages. No direct identifiers such as user IDs, email addresses, profiles, or tracking data are transmitted to the model hosts. A personal reference can only arise if you include it in the message text yourself.

Purposes:

Generating responses for chatting with Aury.

Legal basis:

Art. 6(1)(b) GDPR (provision of AI features as part of the web app). Where health data is involved, additionally Art. 9 GDPR (see section on "sensitive data/health data").

Third-country transfer:

No transfer of data to third countries takes place.

Storage period:

Depending on the provider/service, content is temporarily stored for service assurance and abuse/security monitoring (typically up to 30 days) and subsequently deleted, unless statutory obligations prevent it.

3.3 AI model hosting for WhatsApp beta (not part of the prevention program)

This section does not apply to the prevention program but only to the separately offered WhatsApp beta.

For the processing of individual chat messages in the WhatsApp beta, we additionally use OpenAI as a model host; content may be transferred to servers in the USA.

Data processed:

Only message content is transmitted (no user IDs/emails/profiles/tracking data by us). A personal reference can only arise if you include it in the text yourself.

Legal basis:

Art. 6(1)(b) GDPR (provision of the WhatsApp beta as a service).

Third-country transfer:

Transfers to the USA are carried out on the basis of appropriate safeguards (in particular EU Standard Contractual Clauses) and additional measures, where required.

Storage period:

For API-based processing, deletion/removal of API content after a limited period (typically 30 days) is described; furthermore, it is stated that data is not used for training by default.

4) Information pursuant to the EU AI Act

When you chat with Aury, you are interacting with an AI-powered system, not a human.

Aury is designed to provide general support and information on mental well-being. Aury is not a substitute for professional (psycho-)therapeutic, medical, or psychological diagnosis or treatment.

Important notes on usage:

  • AI responses may be inaccurate, incomplete, or biased. Do not use them as the sole basis for important decisions, especially in health matters.
  • If you are in an acute crisis or believe you or others are at risk: please contact local emergency/crisis services.

Reporting problematic responses:

  • On WhatsApp via our feedback feature (e.g., "/feedback" plus the relevant response).
  • By email to info@aury.co.

Note: Aury is not intended to perform emotion recognition or biometric categorization.

5) Analytics and tracking

We only use analytics and product optimization tools if you have explicitly consented (opt-in).

Data processed (with opt-in):

  • Usage data (e.g., timestamps, duration, features used)
  • Technical events (e.g., error codes)
  • Pseudonymized usage identifier, where applicable
  • Anonymized or heavily pseudonymized excerpts from interactions (e.g., for quality measurement), where applicable and technically provided

Recipients / service providers:

The data is transmitted in pseudonymized form to the following processors and processed in the EU:

  • Datadog, Inc. (EU operation/region): https://www.datadoghq.com/legal/privacy/ (as of 26.02.2026)
  • PostHog, Inc. (EU operation/region): https://posthog.com/privacy (as of 26.02.2026)
  • Langfuse GmbH: https://langfuse.com/privacy (as of 26.02.2026)
  • Proton AG: https://proton.me/legal/privacy (as of 26.02.2026)

Legal basis:

  • Art. 6(1)(a) GDPR (consent)
  • Insofar as terminal device access/cookies are concerned: Section 25(1) TDDDG (consent)

Withdrawal:

You may withdraw your consent at any time with effect for the future.

Storage period:

  • Usage data: generally up to 180 days after last activity
  • Pseudo-/anonymized interaction excerpts, where applicable: generally up to 7 days or until your deletion request

6) Reminders and marketing

We only contact you if it is necessary for the provision of the service (service messages) or if you have consented (e.g., newsletter).

6.1 Service messages (no marketing)

We may send you necessary messages regarding usage (e.g., security/feature notices, confirmations).

Legal basis: Art. 6(1)(b) GDPR (contract) and, where applicable, Art. 6(1)(f) GDPR (security).

6.2 Reminders from Aury (only when activated)

Aury can send you reminders that you have actively set up (e.g., during onboarding or via "/remindme"). Stop: e.g., "/stopremindingme" (WhatsApp) or via settings (web app, where available).

Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (if part of a feature you activated).

6.3 Newsletter

If you subscribe, we will send you updates and information about Aury. You can unsubscribe at any time via the link in each email or via info@aury.co.

Legal basis: Art. 6(1)(a) GDPR (consent).

6.4 User surveys

We may invite you (with your consent) to participate in voluntary surveys.

Legal basis: Art. 6(1)(a) GDPR (consent).

6.5 Storage period

We store contact information and preferences until you withdraw your consent. After withdrawal, we delete them unless retention is necessary for evidentiary purposes.

The Website

The following sections concern visits to our website (aury.co). The processing activities described here may involve third-country transfers and are independent of the application processing described in sections 2 and 3.

1) Server log files and website delivery

When you visit our website, we process server log data that is technically necessary to deliver and protect the website.

Data processed: IP address, date/time, page accessed, referrer URL, browser/OS, status codes, data volume.

Purposes: Delivery, IT security, error analysis, abuse prevention.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).

Storage period: Generally up to 180 days (security/error analysis), thereafter deletion or anonymization.

2) Cookies and consent management

We use (i) technically necessary cookies or similar technologies and (ii) optional technologies (e.g., analytics) only after consent.

  • Technically necessary: Required for the function you have expressly requested. Legal basis: Section 25(2) TDDDG; Art. 6(1)(f) GDPR (or Art. 6(1)(b) GDPR, depending on the function).
  • Optional (e.g., analytics): Only after opt-in. Legal basis: Section 25(1) TDDDG; Art. 6(1)(a) GDPR.

You can change your selection at any time via the consent tool or browser settings (where available).

3) Web analytics (Google Analytics)

If you consent, we use Google Analytics (Google LLC). This may involve transfers to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework.

Data processed: Online identifiers (e.g., cookie IDs), device/browser data, usage data, truncated IP address (where enabled).

Purposes: Reach measurement, website optimization.

Legal basis: Art. 6(1)(a) GDPR (consent) and Section 25(1) TDDDG.

Third-country transfer: Transfers to the USA on the basis of the EU-U.S. Data Privacy Framework (adequacy decision of the European Commission).

Storage period: According to settings in Google Analytics (configuration).

https://policies.google.com/privacy (as of 26.02.2026)

Customer Service and Inquiries

When you contact us, we process your information to handle the inquiry.

Data processed: Email, name (if provided), content of the message, IP address and metadata where applicable.

Purpose: Handling and responding to your inquiry.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual) or Art. 6(1)(f) GDPR (general communication).

Storage period: Up to 180 days after completion, unless longer retention is required.

Social Media

1) LinkedIn

We operate a company profile on LinkedIn. Provider: LinkedIn Ireland Unlimited Company.

LinkedIn processes personal data as an independent controller; processing may also take place in third countries (e.g., USA).

Communication via LinkedIn: If you contact us via LinkedIn, we process the data you provide to respond.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual) or Art. 6(1)(f) GDPR (communication).

Storage period: As required; additionally, the platform's deletion/storage policies apply.

Page Insights / joint controllership: For so-called "Page Insights", we are jointly responsible with LinkedIn (Art. 26 GDPR). Within the scope of Page Insights, LinkedIn processes aggregated statistics about the use of our company page (e.g., page views, demographic characteristics of visitors, interactions with posts).

  • Agreement ("Joint Controller Addendum"): https://legal.linkedin.com/pages-joint-controller-addendum
  • LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Job Applications

If you apply to us (via email, form, or through platforms), we process your application data to carry out the recruitment process.

Data processed: Master data (name, contact details), application documents (CV, certificates), communication, salary expectations/start date where applicable; special categories (e.g., health data) only if you provide them voluntarily and to the extent permitted.

Purposes: Review and selection, communication, establishment of an employment relationship.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures); where applicable, Art. 6(1)(f) GDPR (legal defense). Where special categories are involved: Art. 9(2)(a) GDPR (explicit consent) or Art. 9(2)(b) GDPR (where required under employment law).

Recipients: Internal HR/recruiting staff; processors where applicable (e.g., email/hosting). Platform providers (e.g., LinkedIn) may be independently responsible.

Storage period: In the event of rejection, we generally delete application data within 180 days after completion of the process (including for defense against potential claims). In the event of hiring, relevant data is transferred to the personnel file and stored in accordance with statutory requirements.

Talent pool: Only with your consent; withdrawal possible at any time.

Business Contacts (B2B)

If you contact us as a representative of a company (e.g., via email, events, sales conversations), we process contact data for communication and contract initiation.

Data processed: Name, professional contact details, position, communication content.

Purpose: Communication, proposal preparation, contract initiation/performance.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual) and/or Art. 6(1)(f) GDPR (legitimate interest in business communication).

Storage period: As long as required; business correspondence and contract-related communication may be retained under commercial/tax law requirements (up to 10 years).
