Legal

Privacy Policy

This policy explains how AURA processes personal data on this website and in connection with our services — in accordance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

1. Controller

The controller responsible for the processing of personal data on this site is:
AURA Web Studio LLC
Kristina Goldberg
Los Angeles, CA 90028 · USA
Email: aurawebstudio@hotmail.com

2. Data we collect

Server logs. When you visit this site, our hosting provider records standard technical data: IP address (shortened and pseudonymised where possible), user agent, referring URL, date and time, and the resource requested. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in secure, reliable operation of this website.

Contact form. When you submit the contact form, we process your name, email address, the content of your message, and the consent confirmation. Legal bases: Art. 6 (1) (b) GDPR (pre-contractual measures on your request) and Art. 6 (1) (a) GDPR (your explicit consent).

Direct communication. If you write to us by email or phone, we process the content and metadata of that communication to respond. Legal basis: Art. 6 (1) (b) or (f) GDPR.

3. Hosting and infrastructure

This site is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walpole, MA 01581, USA. Vercel operates a global edge network including EU regions. A Data Processing Addendum (DPA) with Standard Contractual Clauses under Art. 46 GDPR is in place. Details at vercel.com/legal/privacy-policy.

4. Analytics

Vercel Web Analytics and Speed Insights. Cookie-free, privacy-preserving measurement of page views and Core Web Vitals. No personal identifiers are stored; data is aggregated. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in measuring site performance.

Google Analytics 4 (optional). Only loaded after your explicit consent via the cookie banner. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. If loaded, GA4 uses first-party cookies and may transfer data to Google LLC in the USA under Standard Contractual Clauses. You can withdraw consent at any time by resetting the cookie banner. Legal basis: Art. 6 (1) (a) GDPR (consent).

5. Cookies and local storage

We use only strictly necessary local storage to remember your cookie-banner choice (key: aura.cookie-consent, retained for 12 months). Beyond that, no cookies or tracking technologies are set without your explicit consent. Legal basis: § 25 (2) TTDSG / Art. 6 (1) (f) GDPR for strictly necessary entries; § 25 (1) TTDSG / Art. 6 (1) (a) GDPR for optional technologies after consent.

6. Processors and recipients

In addition to Vercel, we engage the following processors (all under Data Processing Agreements pursuant to Art. 28 GDPR):

Supabase Inc. — stores contact-form submissions in the EU region (Frankfurt). supabase.com/privacy.
Resend Inc. — sends transactional notification emails when the contact form is submitted. resend.com/legal/privacy-policy.

No personal data is sold, rented, or disclosed to unrelated third parties.

7. International data transfers

AURA Web Studio LLC is established in the USA. Transfers of personal data outside the European Economic Area are protected through Standard Contractual Clauses (Art. 46 GDPR) with each relevant processor, supplemented where applicable by additional technical measures (encryption in transit, access logging, data minimisation).

8. Retention

Server logs are retained for up to 30 days, then deleted or anonymised. Contact-form submissions are retained as long as necessary to process your enquiry and for up to 24 months thereafter, unless mandatory statutory retention periods apply. Analytics aggregates do not contain personal data.

9. Your rights under the GDPR

You have the right to:

Access your data (Art. 15 GDPR)
Rectification of inaccurate data (Art. 16)
Erasure / the right to be forgotten (Art. 17)
Restriction of processing (Art. 18)
Data portability (Art. 20)
Object to processing based on legitimate interest (Art. 21)
Withdraw consent at any time, without affecting lawfulness of prior processing (Art. 7)
Lodge a complaint with a supervisory authority (Art. 77)

To exercise these rights, write to aurawebstudio@hotmail.com. We will respond within one month.

10. Additional rights for California residents (CCPA/CPRA)

If you are a California resident, you additionally have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information), and the right not to be discriminated against for exercising your rights. To submit a verifiable consumer request, contact aurawebstudio@hotmail.com.

11. Children's privacy

This site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Data security

AURA uses TLS/HTTPS for all data in transit, strict Content-Security-Policy and modern security headers, rate-limiting, and least-privilege access controls with processors. Suspected incidents are documented and, where required under Art. 33 GDPR, reported to the competent supervisory authority within 72 hours.

13. Updates to this policy

This policy is updated as our processing or applicable law changes. The current version is always available on this page; the date of the last update is shown below.

Last updated: 22 April 2026.