Legal

Privacy Policy

Last updated: May 2026

AuraPass Ltd ("AuraPass", "we", "us", "our")

1. Who we are

AuraPass provides a digital wellness profile service that allows guests to store personal preferences and health information and share them with partner spas. Our registered office is AuraPass Ltd, London, United Kingdom — the full registered address is available on request via privacy@aurapass.io. Our ICO data controller registration is currently in progress; the reference number will be published here once issued.

2. What data we collect

We collect and store the following categories of information:

Personal data

Name, email address, and any contact details you provide when creating your AuraPass account.

Wellness preferences

Treatment preferences including massage pressure, scent preferences, temperature preferences, focus areas, session goals, and conversation preferences.

Special Category health data

Health conditions, allergies and sensitivities, current medications, pregnancy status, and recent surgical or medical history. Under UK GDPR, this data is classified as Special Category data and is subject to additional protections.

Usage data

Records of when and with which partner spas you have shared your AuraPass, for the purpose of maintaining your visit history.

3. How we use your data

We use your data solely for the following purposes:

  • To create and maintain your AuraPass profile
  • To share your selected information with partner spas at the moment you choose to check in
  • To maintain a record of your visits at partner spas
  • To send you service-related communications (e.g. account confirmation, profile updates)
  • To comply with our legal obligations

We do not use your data for advertising, profiling, or any purpose beyond the delivery of the AuraPass service.

4. Our legal basis for processing

Personal data (name, email)

Legal basis: Contract — necessary to provide the AuraPass service

Wellness preferences

Legal basis: Consent — you provide this voluntarily

Special Category health data

Legal basis: Explicit consent — you confirm this at the point of entry

Visit history

Legal basis: Legitimate interests — to provide continuity of service

You may withdraw your consent at any time by deleting your AuraPass profile or specific data fields within the app.

5. Who we share your data with

Partner spas

When you check in at a partner spa, only the information you have chosen to share is made visible to the therapist at that spa, for the duration of that visit only. Partner spas are contractually prohibited from storing, copying, or using your AuraPass data beyond the purpose of delivering your treatment.

Service providers

We use a small number of trusted third-party providers to operate our platform (cloud hosting, email delivery). All providers are GDPR-compliant and process data only on our instruction.

We do not sell your data. We do not share your data with advertisers, data brokers, or any third party for commercial purposes.

6. How long we keep your data

We retain your data for as long as your AuraPass account is active. If you delete your account, all personal and health data is permanently deleted within 30 days. Visit history is anonymised rather than deleted, to allow us to maintain aggregate service statistics.

7. How we protect your data

All Special Category health data is encrypted at rest and in transit. Access to your data is restricted to authorised AuraPass personnel and is subject to strict access controls. We conduct regular security reviews and comply with ICO guidance on the handling of health data.

8. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct any inaccurate data
  • Delete your data ("right to be forgotten")
  • Restrict how we process your data
  • Portability — receive your data in a machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at: privacy@aurapass.io

9. Cookies

Our website uses essential cookies only. We do not use tracking or advertising cookies. A full cookie policy is available at aurapass.io/cookies.

10. Changes to this policy

We may update this policy from time to time. We will notify you of any material changes by email or through the AuraPass app. Continued use of AuraPass following notification constitutes acceptance of the updated policy.

11. Contact & complaints

For any privacy-related queries, contact our Data Protection Lead at: privacy@aurapass.io

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.