Privacy Policy

1. Who we are

AuraPass ("we", "us") provides a portable wellness identity that lets guests share their preferences, allergies and rituals with partner spas. Contact: privacy@aurapass.io.

2. Data we collect

• Account data: name, email, profile photo (if you sign in with Google).
• Wellness profile: preferences (pressure, scents, music, lighting), allergies, intentions, therapist notes you've consented to keep.
• Visit data: records of visits to partner spas, including treatment type and date.
• Technical data: device type, IP address, basic analytics for security and reliability.

3. How we use it

To operate your AuraPass, share the categories you've chosen with the spas you tap-to-share with, secure your account, and improve the product. We never sell your data.

4. Google sign-in

If you sign in with Google, we receive your name, email and profile picture from Google. We use this only to create and authenticate your AuraPass account. We do not access your Gmail, Drive, Calendar or any other Google service. You can revoke access any time at myaccount.google.com/permissions.

5. Sharing with spas

A spa only sees your data when you present your QR and they scan it, and only the categories you've enabled in Privacy settings. You can revoke any category at any time; future visits respect the new setting.

6. Storage & security

Data is encrypted in transit (TLS) and at rest. Row-level access controls ensure only you and the spas you've consented to can read your profile. We retain data while your account is active and delete it within 30 days of account closure.

7. Your rights

You may access, correct, export or delete your data at any time from your profile, or by emailing privacy@aurapass.io. EU/UK residents have rights under GDPR; California residents under CCPA.

8. Cookies

We use only essential cookies for authentication and security. No third-party advertising trackers.

9. Changes

We will notify you by email of material changes at least 14 days before they take effect.