Privacy Policy - Aury Platform
Version 2.0 - February 2026
General Information and Your Rights
1.1 What is this about?
This privacy policy describes how Aury Care GmbH processes personal data in the context of the Aury Platform. The Aury Platform is a solution where other providers ("your provider") use the web infrastructure, AI components, and related services of Aury Care GmbH and refer to this privacy policy.
This privacy policy does not apply to our own consumer products (e.g., the Aury app, the prevention program "Digital Stress Management with Aury," or the WhatsApp beta). For these, please refer to our separate privacy policy:
In this privacy policy, we explain:
- which personal data we process,
- for what purposes and on what legal basis,
- how long we store it,
- to whom we may disclose data,
- and what rights you have.
1.2 Roles: Who is responsible for what?
When using Aury Platform products, there are two data protection roles:
- Your provider/contractual partner is generally the Controller under GDPR for the processing of your data in their product. They determine the purposes and legal bases of processing, fulfill the information obligations under Art. 13/14 GDPR, and are the point of contact for your data subject rights.
- Aury Care GmbH processes data within the Aury Platform as a Processor on behalf of your provider (Art. 28 GDPR). We process personal data exclusively according to documented instructions from your provider.
Important: For access, deletion, objection, and other data subject rights, please contact your provider first. We support your provider in handling requests to the extent we are technically involved.
1.3 Name and address
Aury Care GmbH
Am Muehlenberg 11
14476 Potsdam
Germany
Email: info@aury.co
Managing Directors: Saskia Fester, Robert Wassenmueller, Maximilian Rank
1.4 Data Protection Officer
Frank Trautwein (external Data Protection Officer)
Fresh Compliance GmbH
Schönhauser Allee 43a
10435 Berlin
Germany
- Data subject requests (e.g., access, deletion, data copy): dpo@aury.co
- Confidential inquiries directly to the DPO: dsb@freshcompliance.de
1.5 Your rights
Depending on the applicable conditions, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR)
- Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
Please direct requests first to your provider (Controller). Alternatively, you can contact us at dpo@aury.co; we will forward your request to the provider as necessary.
1.6 Right to lodge a complaint with a supervisory authority
You can lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht (Brandenburg)
Dagmar Hartge
Stahnsdorfer Damm 77
14532 Kleinmachnow
https://www.lda.brandenburg.de/lda/de/ueber-uns/kontaktanreise/
Note: For the operation of our own website (Section 4) and for internal communication tools (Section 5), different provisions may apply, which are explained in the respective sections.
The Aury Platform
2.1 Application hosting and infrastructure
The Aury Platform — including web applications and associated infrastructure (e.g., user management, database, backups, system logs) — is hosted by Scalingo SAS (hosting provider) using servers of Outscale SASU (a brand of Dassault Systèmes SE) as infrastructure provider exclusively in France (EU).
- Scalingo Compliance: https://doc.scalingo.com/security/overview/compliance
- Scalingo DPA: https://scalingo.com/data-processing-agreement
Processed data (typical):
IP address, technical protocol/log data (timestamps, device/browser information, status codes), account/contact details where applicable (e.g., user IDs, name — if used by the provider in the product), as well as content and information processed within the white-label product.
Purposes:
Operation and provision of the platform, IT security, error and performance analysis, abuse and disruption prevention.
Legal basis:
The legal basis towards you is determined by your provider as Controller. Aury Care GmbH processes data as Processor according to documented instructions from the provider (Art. 28 GDPR).
Third-country transfer:
No transfer of data to third countries takes place.
Storage periods:
- System and security logs: generally up to 180 days, then deletion or anonymization (unless legal obligations require otherwise).
- Application and account data: generally until deletion by or on instruction of the provider, or as long as required for operation.
2.2 AI model hosting
For AI-powered features in the Aury Platform, we use model hosting in EU data zones at:
- Microsoft Azure (EU) and
- Google Vertex AI (EU).
Individual user message contents are processed to generate responses.
Further information:
- Microsoft Azure: https://www.microsoft.com/de-de/privacy/privacystatement
- Google Vertex AI: https://cloud.google.com/privacy/gdpr?hl=de
Data minimization:
We do not transmit any direct identifiers (e.g., no email addresses, no user IDs, no profiles or tracking data) to the model hosts. A personal reference can only arise if you include it in the message content yourself.
Training:
- Google Vertex AI: Google does not process customer data on Vertex AI for training or fine-tuning without prior permission/instruction. Further information: https://docs.cloud.google.com/vertex-ai/generative-ai/docs/vertex-ai-zero-data-retention
- Microsoft Azure: For Azure-based GenAI services, prompts and completions are not used for training. Temporary storage (typically up to 30 days) may occur for abuse monitoring and service reliability. Further information: https://learn.microsoft.com/en-us/answers/questions/5757291/data-privacy-zero-data-retention
Legal basis:
As in Section 2.1; the legal basis towards you is determined by your provider. Aury processes data according to instructions (Art. 28 GDPR).
Where health data is involved (see Section 2.7), your provider determines the additional legal basis under Art. 9 GDPR.
Third-country transfer:
No transfer of data to third countries takes place.
Storage period:
Depending on the provider/service, content is stored briefly to ensure service delivery and for abuse and security monitoring (typically up to 30 days) and then deleted, unless legal obligations require otherwise.
2.3 Analytics and monitoring
For error resolution, quality assurance, and — where provided for by the provider (e.g., based on user consent) — for product analytics, we use the following sub-processors:
- Datadog, Inc. (EU operation/region) — Infrastructure monitoring and error analysis: https://www.datadoghq.com/legal/privacy/ (as of 26.02.2026)
- PostHog, Inc. (EU operation/region) — Product analytics and usage statistics: https://posthog.com/privacy (as of 26.02.2026)
- Langfuse GmbH — LLM observability and quality assurance of AI responses: https://langfuse.com/privacy (as of 26.02.2026)
- Proton AG — Quality assurance of AI responses: https://proton.me/legal/privacy (as of 26.02.2026)
Datadog, Inc. and PostHog, Inc. are US companies; we use these services exclusively through their EU data centers. Personal data is processed in pseudonymized form.
Processed data:
- Usage data (e.g., timestamps, duration, features used)
- Technical events (e.g., error codes)
- Pseudonymized user identifiers where applicable
- Anonymized or heavily pseudonymized excerpts from interactions where applicable (e.g., for quality measurement), to the extent technically provided
Legal basis:
The legal basis towards you is determined by your provider.
Storage period:
Generally up to 180 days after last activity.
2.4 Recipients / Sub-processors
In the context of the Aury Platform, we typically use the following sub-processors:
| Sub-processor | Purpose | Location | More Information |
|---|---|---|---|
| Scalingo SAS | Application hosting, infrastructure | France (EU) | DPA |
| Outscale SASU (Dassault Systèmes SE) | Infrastructure provider (servers) | France (EU) | -- |
| Microsoft (Azure) | AI model hosting | EU Data Zone | Privacy Statement |
| Google (Vertex AI) | AI model hosting | EU Data Zone | Zero Data Retention |
| Datadog, Inc. | Infrastructure monitoring | EU operation/region | Privacy |
| PostHog, Inc. | Product analytics | EU operation/region | Privacy |
| Langfuse GmbH | LLM observability, quality assurance | Germany (EU) | Privacy |
| Proton AG | Quality assurance | Switzerland | Privacy |
(All information as of 26.02.2026)
If your provider uses additional tools or services beyond these, you will find details in their privacy policy.
2.5 Obligation to provide data
Without certain data (e.g., technically necessary connection data and the content you enter), the product cannot be provided technically. Your provider determines which inputs are mandatory.
2.6 Automated decisions / Profiling
The system generates responses automatically (AI-powered). We do not make solely automated decisions that produce legal effects concerning you or similarly significantly affect you.
2.7 Note on sensitive data (health data)
If you provide information about your mental state, symptoms, or health in conversations, this may qualify as health data within the meaning of Art. 9 GDPR. The legal basis for processing such data (e.g., Art. 9(2)(a) GDPR — explicit consent) is determined by your provider as Controller. We process such data exclusively according to their instructions.
Information in accordance with the EU AI Act
When you chat with a white-label product of the Aury Platform, you are interacting with an AI-powered system, not a human.
Important notes on usage:
- AI responses may be inaccurate, incomplete, or biased. Do not use them as the sole basis for important decisions, especially regarding health.
- The system is not a substitute for professional (psycho-)therapeutic, medical, or psychological diagnosis or treatment.
- If you are in an acute crisis or believe you or others are at risk, please contact local emergency or crisis services.
Reporting problematic responses:
How to report problematic content (e.g., via a feedback button or support contact) is determined by your provider. You can additionally contact info@aury.co.
Note: The system is not designed to perform emotion recognition or biometric categorization.
Website
The following sections concern access to our own website (aury.co). The processing described here is independent of the platform processing in Section 2 and may contain different provisions regarding third-country transfers.
4.1 Server log files and website delivery
When you access our website, we process server log data that is technically required to deliver and protect the website.
Processed data:
IP address, date/time, page accessed, referrer URL, browser/OS, status codes, data volume.
Purposes:
Delivery, IT security, error analysis, abuse prevention.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in secure operation).
Storage period:
Generally up to 180 days (security/error analysis), then deletion or anonymization.
4.2 Cookies and consent management
We use (i) technically necessary cookies or similar technologies and (ii) optional technologies (e.g., analytics) only with consent.
- Technically necessary: Required for the function you have expressly requested. Legal basis: Section 25(2) TDDDG; Art. 6(1)(f) GDPR (or Art. 6(1)(b) GDPR, depending on the function).
- Optional (e.g., analytics): Only after opt-in. Legal basis: Section 25(1) TDDDG; Art. 6(1)(a) GDPR.
You can change your selection at any time via the consent tool or browser settings (where available).
4.3 Web analytics (Google Analytics)
If you consent, we use Google Analytics (Google LLC). This may involve transfers to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework.
Processed data:
Online identifiers (e.g., cookie IDs), device/browser data, usage data, truncated IP address (where enabled).
Purposes:
Audience measurement, website optimization.
Legal basis:
Art. 6(1)(a) GDPR (consent) and Section 25(1) TDDDG.
Third-country transfer:
Transfers to the USA based on the EU-U.S. Data Privacy Framework (adequacy decision of the European Commission).
Storage period:
According to Google Analytics settings (configuration).
Customer Service and Inquiries
When we are contacted by your provider — for example, for troubleshooting — we may also process personal data about you.
For internal communication, we use services provided by Google LLC (in particular Gmail/Google Workspace).
Google Privacy Policy (as of 26.02.2026)
Third-country transfer:
As Google LLC is a US company, the use of Google Workspace may involve transfers to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework. In addition, EU Standard Contractual Clauses are in place.
Processed data:
Email address, name (if provided), content of the message, IP address and metadata where applicable.
Legal basis and storage period:
In the platform context, your provider as Controller determines the legal basis. Where we act as Controller ourselves (e.g., in case of direct contact with us), Art. 6(1)(f) GDPR applies (legitimate interest in handling inquiries). We store the data for up to 180 days after the inquiry is resolved, unless longer retention is required.
Changes to this Privacy Policy
We may update this privacy policy if our processing activities, legal requirements, or products change. The current version is always available on our website. In the event of material changes, we will inform the providers using the Aury Platform so that they can notify their users accordingly.