AURA APP PRIVACY POLICY
Effective Date: March 20, 2026
Last Updated: April 21, 2026
AuraApp ("App") is operated by Emirhan Uysal. In this Privacy Policy, "we", "us", and "our" refer to Emirhan Uysal. AuraApp is a global platform that enables users to manage their digital wardrobe, receive AI-powered outfit recommendations, experience a virtual try-on cabin, and create peer-to-peer (C2C) second-hand clothing listings.
As the Data Controller, we process your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK, Law No. 6698), the US Children's Online Privacy Protection Act (COPPA), and other applicable global privacy laws.
Emirhan Uysal
Samsun, Turkey
📧 Contact & Data Protection Officer (DPO): [email protected]
2.1 Personal Information
• Name (display name): Used for profile display and social interactions.
• Email address: Used for authentication, email verification, password reset, and account management.
• Phone number (optional): Used for SMS verification if provided.
• Username: Used for social identity and profile identification.
• Bio: Displayed publicly on your profile at your discretion.
Legal Basis: Performance of contract (GDPR Art. 6/1-b).
2.2 Authentication Data
• Password: Stored using bcrypt hashing; never stored in plain text.
• OAuth identifiers: Identity data received from Google, Apple, or Facebook when using social sign-in.
• Session tokens (JWT): Generated and signed for session management.
Legal Basis: Performance of contract and legitimate interest (security).
2.3 Photos and Video Content
• Photos taken with camera or selected from gallery: Used for wardrobe item creation, profile photos, social posts, and AI virtual try-on/editing features.
• Video content: Used for social sharing purposes.
• EXIF metadata: Sensitive EXIF data (GPS coordinates, camera information, personal tags) is automatically stripped from uploaded photos in compliance with GDPR Article 25 (Privacy by Design). Cleaned technical data may be retained for image quality optimization.
Legal Basis: Explicit consent and performance of contract.
2.4 Location Data
• Approximate location (coarse): Used via Weather API to provide weather-appropriate outfit recommendations.
• Precise location (fine): Used only in the Swap (trade) feature, with your explicit consent, to set listing location.
Location data is not continuously tracked; it is collected only when the relevant feature is actively used and permission is granted.
Legal Basis: Explicit consent (GDPR Art. 6/1-a).
2.5 Audio Data
• Microphone input: Used for speech-to-text conversion in the voice assistant (style advisor) feature.
• Audio data is processed on-device and is not stored on our servers. Temporary recordings are automatically deleted after processing.
Legal Basis: Explicit consent.
2.6 Device and Technical Data
• Push notification token (FCM): Used via Firebase Cloud Messaging to deliver notifications. This token is shared with Google/Firebase infrastructure.
• Device identifier: Used for session management and security purposes.
• IP address and log records: Collected for security, fraud prevention, and debugging purposes.
Legal Basis: Legitimate interest (GDPR Art. 6/1-f).
2.7 Usage and Analytics Data
• App interaction data: Anonymous usage statistics such as screen views, feature usage frequency, and button clicks are collected.
• This data is used solely for internal analysis and is not shared with third parties.
• Personal identifiers (email, phone, address) are automatically stripped from analytics data (GDPR Article 25 — Privacy by Design).
Legal Basis: Legitimate interest.
2.8 Artificial Intelligence (AI) Analysis Data
• Physical proportions, style preferences, and color palette inferences are derived from your uploaded images to provide personalized outfit recommendations.
• In the Virtual Try-On feature, clothing simulation is performed on your uploaded photos.
• For AI chat, style guidance, description generation, and embeddings, your text queries and related context data may be transferred to AI service providers.
• For image generation, editing, and background removal features, uploaded images, editing instructions, and generated outputs may be processed by AI service providers only for the requested operation.
• AI-generated outputs are algorithmic suggestions and do not constitute medical, psychological, or definitive aesthetic evaluations.
Legal Basis: Explicit consent (GDPR Art. 6/1-a).
2.9 Subscription and Payment Data
• AuraApp processes in-app subscriptions and credit purchases through Apple App Store and Google Play Store infrastructure.
• Credit card, bank account, or payment information is not directly collected, processed, or stored by AuraApp. All payment transactions occur within the secure payment infrastructure of the respective store platform.
• Adapty is used for subscription management. Adapty processes information such as your subscription status (active/inactive), plan type, and renewal date. Adapty's privacy policy: https://adapty.io/privacy
• Deleting your AuraApp account may not automatically cancel an active subscription managed through Apple App Store or Google Play. If you have an active subscription, you should cancel it from the relevant store account before deleting your app account.
Legal Basis: Performance of contract.
THIRD-PARTY SERVICE PROVIDERS
AuraApp uses the following third-party infrastructure for service delivery. Only the minimum data required for service operation is shared with these providers:
| Provider | Purpose | Shared Data |
|---|---|---|
| Supabase (EU/US) | Authentication, database, file storage, and Edge Functions | User ID, email/phone, profile, messages, listings, app data, technical logs |
| ImageKit (CDN) | Image upload, hosting, CDN delivery, and optimization | Uploaded photos, media URLs, file metadata |
| Cloudflare R2 | Object storage and signed upload URLs for media files | Uploaded media files, storage keys, technical storage metadata |
| Firebase / Google (US) | Push notifications (FCM) | Device push token, notification preferences, technical delivery logs |
| Google Maps / Places / Geocoding | Location selection, place search, and coordinate/address conversion | Approximate or permitted location, search query, selected place data |
| OpenWeatherMap / Open-Meteo | Weather-based recommendations | Approximate location, selected city/coordinates, weather query data |
| Adapty (US) | Paywall, subscription, and purchase validation | Subscription status, plan, store transaction ID, user ID |
| Apple App Store / Google Play | In-app purchase and subscription billing | Payment transactions and store transaction records; we do not access card/bank details |
| OpenRouter (US) | AI request routing, chat, text generation, image-model access, and embedding workflows | User prompts, style preferences, wardrobe/product descriptions, context data, model outputs, and limited technical usage logs |
| Google AI models (via OpenRouter) | Gemini 2.5 Flash Lite and Gemma 4 31B-based chat, analysis, description generation, and style recommendations | AI queries, context data, wardrobe/product descriptions, preference signals, model outputs |
| Google Gemini Embedding (via OpenRouter) | Embedding generation for search, matching, recommendations, and contextual similarity | Text content, wardrobe/product descriptions, style context, embedding outputs |
| OpenAI models (via OpenRouter/Wavespeed) | GPT Image 2 text-to-image, GPT Image 2 edit, and GPT-5.4 Image 2-based image generation, virtual try-on, and image editing | Uploaded images, reference images, editing instructions, generation prompts, generated visual outputs |
| xAI / Grok Imagine models (via Wavespeed) | Image editing, garment replacement, and same-composition edit workflows | Uploaded images, reference images, editing commands, generated visual outputs |
| Wavespeed AI | Execution of image generation/editing requests and background removal | Uploaded images, editing instructions, generation prompts, background-removal inputs, generated visual outputs |
| Google / Apple / Facebook OAuth | Social sign-in | Social account identifier, email, name/profile data to the extent provided by the provider |
| HIBP (haveibeenpwned.com) | Password security check | SHA-1 hash prefix (k-anonymity) |
Data sharing with these providers is limited to the purposes listed above. We expect service providers to process your personal data under security and confidentiality obligations equivalent to the protection level described in this policy, and we apply appropriate contractual and technical safeguards.
Your data is never sold to advertising networks, data brokers, or analytics platforms, nor shared for marketing purposes under any circumstances.