Legal
Privacy Policy
This policy explains how AURA processes personal data on this website and in connection with our services, in accordance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
1. Controller
The controller responsible for the processing of personal data on this site is:
AURA Web Studio LLC
Kristina Goldberg
W 6240 Sunset Blvd
90028 Los Angeles, CA · USA
Email: hello@aura-web-studio.com
2. Data we collect
Server logs. When you visit this site, our hosting provider records standard technical data: IP address (shortened and pseudonymised where possible), user agent, referring URL, date and time, and the resource requested. Legal basis: Art. 6 (1) (f) GDPR, legitimate interest in secure, reliable operation of this website.
Contact form. When you submit the contact form, we process your name, email address, the content of your message, and the consent confirmation. Legal bases: Art. 6 (1) (b) GDPR (pre-contractual measures on your request) and Art. 6 (1) (a) GDPR (your explicit consent).
Concierge form. If you use the on-site Concierge, we process your three short answers, your name, your email address, your consent confirmation, and your IP address. The IP address is used solely for rate-limiting and is discarded automatically after one hour. Your answers, name, and email are sent to Anthropic to generate a proposal text, then forwarded to AURA by email so we can prepare a tailored reply. Legal bases: Art. 6 (1) (b) GDPR (pre-contractual measures on your request) and Art. 6 (1) (a) GDPR (your explicit consent).
Direct communication. If you write to us by email or phone, we process the content and metadata of that communication to respond. Legal basis: Art. 6 (1) (b) or (f) GDPR.
3. Hosting and infrastructure
This site is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walpole, MA 01581, USA. Vercel operates a global edge network including EU regions. A Data Processing Addendum (DPA) with Standard Contractual Clauses under Art. 46 GDPR is in place. Details at vercel.com/legal/privacy-policy.
4. Analytics
Vercel Web Analytics and Speed Insights. Cookie-free, privacy-preserving measurement of page views and Core Web Vitals. No personal identifiers are stored; data is aggregated. Legal basis: Art. 6 (1) (f) GDPR, legitimate interest in measuring site performance.
5. Cookies and local storage
At the time of writing, this site does not set any tracking cookies or use marketing technologies. We use only one strictly necessary local-storage entry to remember your cookie-banner choice (key: cookie-consent, retained for 12 months). You can change or withdraw this choice at any time via the "Cookie settings" link in the footer. Legal basis: § 25 (2) TTDSG / Art. 6 (1) (f) GDPR for strictly necessary entries; § 25 (1) TTDSG / Art. 6 (1) (a) GDPR for any optional technologies we may introduce in the future after your consent.
6. Processors and recipients
In addition to Vercel (hosting, see Section 3), we engage the following processors under Data Processing Agreements pursuant to Art. 28 GDPR:
- Anthropic PBC (USA), processes your Concierge answers, name, and email to generate the proposal text. Anthropic does not train on data submitted via its API. Standard Contractual Clauses under Art. 46 GDPR apply. anthropic.com/legal/privacy.
- Upstash, Inc. (USA), provides the Redis backend used to rate-limit the Concierge endpoint per IP address. The IP and a request counter are stored for one hour and then expire automatically. No content is stored. upstash.com privacy.
- Resend Inc. (USA), sends the studio notification email containing your Concierge submission and the AI-drafted proposal. resend.com/legal/privacy-policy.
- Cal.com Inc. (USA), booking platform for free 30-minute consultations. The booking calendar is embedded as an inline module in our contact section. As soon as you view that section, your browser loads scripts from Cal.com, your IP address is transmitted to Cal.com, and Cal.com sets functional cookies required for the calendar. If you then select a time slot, your name, email and chosen time are additionally processed by Cal.com under their own privacy policy. cal.com/privacy.
No personal data is sold, rented, or disclosed to unrelated third parties.
7. International data transfers
AURA Web Studio LLC is established in the USA. Transfers of personal data outside the European Economic Area are protected through Standard Contractual Clauses (Art. 46 GDPR) with each relevant processor, supplemented where applicable by additional technical measures (encryption in transit, access logging, data minimisation).
8. Retention
Server logs are retained for up to 30 days, then deleted or anonymised. Concierge submissions and the generated proposal are kept only as part of the resulting email correspondence, retained as long as necessary to process your enquiry and for up to 24 months thereafter, unless mandatory statutory retention periods apply. Rate-limit entries (IP plus a counter) expire automatically after one hour. Analytics aggregates do not contain personal data.
9. Your rights under the GDPR
You have the right to:
- Access your data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16)
- Erasure / the right to be forgotten (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, without affecting lawfulness of prior processing (Art. 7)
- Lodge a complaint with a supervisory authority (Art. 77)
To exercise these rights, write to hello@aura-web-studio.com. We will respond within one month.
10. Additional rights for California residents (CCPA/CPRA)
If you are a California resident, you additionally have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information), and the right not to be discriminated against for exercising your rights. To submit a verifiable consumer request, contact hello@aura-web-studio.com.
11. Children's privacy
This site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Data security
AURA uses TLS/HTTPS for all data in transit, strict Content-Security-Policy and modern security headers, rate-limiting, and least-privilege access controls with processors. Suspected incidents are documented and, where required under Art. 33 GDPR, reported to the competent supervisory authority within 72 hours.
13. Updates to this policy
This policy is updated as our processing or applicable law changes. The current version is always available on this page; the date of the last update is shown below.
Last updated: 22 April 2026.