Privacy Policy
This Privacy Policy explains how Aura Intelligence SL ("we", "us", "Aureader") collects, uses, and protects the personal data of users of the Aureader service (the "Service") at aureader.com and its mobile applications. We comply with the EU General Data Protection Regulation (GDPR), Spanish Organic Law 3/2018 on Data Protection (LOPDGDD), and Spain's LSSI-CE.
1. What data we collect
- Account data: email address, password hash (Argon2id — we never see your password), display name (optional), and Google account ID if you sign in with Google.
- User content: the books, articles, and text you upload to your library; the URLs you submit for article extraction; the audio that we synthesise from that content; your listening progress (timestamps within each item).
- Preferences: reading mode (paired / unified avatars), voice and avatar choices, default playback speed.
- Payment data: for subscribers, we store your Stripe customer ID, subscription status, and your current plan. We never see or store your card details — those live only at Stripe.
- Technical data: IP address (used only for rate limiting and abuse detection, not stored beyond 30 days), and the browser user-agent sent with your most recent login request.
2. Why we process it (purposes and legal bases)
- To provide the Service (parse uploads, synthesise audio, sync progress, serve your library) — legal basis: performance of contract (GDPR Art. 6(1)(b)).
- To bill you if you have a paid subscription — legal basis: performance of contract.
- To send transactional emails (sign-up verification, password reset, billing receipts) — legal basis: performance of contract.
- To prevent abuse (rate limiting, fraud detection) — legal basis: legitimate interest (Art. 6(1)(f)).
- To comply with legal obligations (tax records, retention of billing documents) — legal basis: legal obligation (Art. 6(1)(c)).
3. Who we share it with (sub-processors)
We share your data only with the providers we use to run the Service. Each one is bound by a Data Processing Agreement (DPA):
- Vercel Inc. (USA) — hosts the web frontend. Transfer covered by EU Standard Contractual Clauses.
- Fly.io Inc. (USA) — hosts the API backend. SCCs apply.
- Neon Inc. (USA, EU region available) — Postgres database. We use the EU region where available.
- Upstash Inc. (USA) — Redis cache and job queue. SCCs apply.
- Cloudflare, Inc. (USA/EU) — object storage (R2), CDN, DNS, and registrar. EU edge nodes serve EU users.
- Resend Inc. (USA) — transactional email delivery (verification, password reset, receipts). SCCs apply.
- Stripe Payments Europe Ltd. (Ireland) — payment processing. Stripe is an independent controller for card data.
- Google LLC (USA) — only if you choose "Sign in with Google". Google sees the sign-in event and shares your email + ID token audience with us. SCCs apply.
- Sentry (Functional Software Inc.) (USA) — error monitoring. We strip personal identifiers from event payloads. SCCs apply.
We do not sell, rent, or trade your data. We do not use it to train third-party AI models. We do not show ads.
4. How long we keep it
- Account + content: until you delete your account (Account → Danger zone → Delete account, or by emailing support@aureader.com).
- Cached audio: automatically purged 90 days after last access. Always regenerable on demand.
- Billing records: retained for 4 years to meet Spanish tax law requirements (Ley General Tributaria).
- Server logs (including IP): 30 days, then deleted.
- Sentry error events: 30 days.
5. Your rights
Under the GDPR, you have the right to:
- Access a copy of your personal data (Art. 15) — use Account → "Download my data" for a one-click export.
- Rectify incorrect data (Art. 16) — edit your profile in Account, or email us.
- Erase your data (Art. 17, "right to be forgotten") — Account → Danger zone → Delete account. Backup copies are purged within 30 days.
- Portability (Art. 20) — the "Download my data" export is in machine-readable JSON.
- Restrict or object to processing (Arts. 18, 21) — email us; we'll suspend the listed processing while we evaluate.
- Lodge a complaint with the Spanish Data Protection Authority, AEPD, or your local supervisory authority in the EU.
6. Children
Aureader is not directed at children under 14. Under the Spanish implementation of the GDPR, the minimum age for consenting to data processing is 14. If we learn that we hold personal data on a child under 14 without verifiable parental consent, we will delete it.
7. International transfers
Some of our sub-processors are based outside the European Economic Area (primarily in the United States). Where this is the case, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) and, where the provider is certified, the EU-US Data Privacy Framework.
8. Security
We use TLS for all network traffic, encrypt secrets at rest in the hosting platform's secret store, hash passwords with Argon2id, and use JWT-based session cookies with the HttpOnly and Secure attributes. No system is 100% secure; we'll notify you and the AEPD without undue delay if we discover a breach affecting your data.
9. Cookies
The web app uses a single strictly-necessary cookie (jwt) to keep you signed in. This cookie is exempt from the consent requirement under the LSSI-CE because it is necessary to provide the Service. We do not use advertising or tracking cookies.
10. Changes to this policy
We may update this policy from time to time. We'll announce material changes by email at least 14 days before they take effect. The current version is always available at aureader.com/legal/privacy.
11. Contact
Questions about this policy or your data? Email support@aureader.com.