Privacy Policy
Aury ("we", "us", "our") operates the Aury mobile application (the "App"). This policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it.
If you have questions, contact us at [email protected].
The data controller is Alina Maria Rüb, an individual operating Aury as a sole developer. A postal address is available on request to [email protected] and will be added here once Aury is incorporated as a legal entity.
1. What we collect
We only collect what we need to operate the App. We never sell personal data and we never share it with advertisers or data brokers.
Provided by you
- Account identifiers — email address and the Apple-issued user ID we receive from "Sign in with Apple". If you choose Apple's email-relay option, we only ever see the relay address.
- Profile information — display name, bio, date of birth, gender identity, sexual orientation / attraction preferences, relationship style, age range preferences, and lifestyle preferences (kids, smoking, drinking, pets).
- Interests and traits — catalog selections you tap and any custom entries you type.
- Photos — profile and other photos you upload through the App.
- Approximate location — the location you select during onboarding or update in the App. We do not continuously track your real-time location. We add randomized jitter to the coordinates server-side before storing them, so the stored location is never your exact position.
- Messages — content of messages you send to other users. Messages are encrypted at rest on our servers.
Collected automatically
- Device push token — issued by Apple Push Notification service so we can deliver notifications. We can de-link this token from you at any time on request.
- Operational logs — request timestamps, IP address, and error traces, retained briefly for debugging and abuse prevention.
What we do not collect
- We do not use third-party analytics SDKs, advertising SDKs, or trackers.
- We do not access your contacts, calendar, microphone, or camera roll without your explicit picker action.
- We do not collect financial information, health information, or government IDs.
- We do not use cookies or tracking technologies beyond what is strictly necessary to operate the App.
2. Why we collect it
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Create and authenticate your account | email, Apple user ID | Contract |
| Show you to potential matches and show matches to you | profile fields, interests, location, photos | Contract |
| Deliver in-app messages and push notifications | messages, push token | Contract |
| Keep the service safe and prevent abuse | logs, IP | Legitimate interest |
| Comply with law (e.g. lawful requests) | any of the above | Legal obligation |
We process certain special category data (such as sexual orientation and gender identity) based on your explicit consent in accordance with Art. 9(2)(a) GDPR. You may withdraw your consent at any time by deleting your account or adjusting your profile information.
Where we rely on legitimate interests (e.g. to prevent abuse and ensure the security of the service), our interest is to maintain a safe and reliable platform for all users.
Matching
We use automated processing (including matching algorithms) to suggest potential connections based on your profile information, preferences, and activity within the App. This processing does not produce legal effects or similarly significant effects on you.
3. Who we share it with
We share data only with infrastructure providers that process it on our behalf, under contract, and only as needed to run the App.
| Provider | What they process | Where |
|---|---|---|
| Apple | Sign in with Apple, push notifications | EU/US |
| Amazon Web Services | Hosting, database, photo storage | eu-central-1 (Frankfurt) |
| Cloudflare | CDN and TLS termination | Global edge |
| Resend | Transactional email delivery | EU/US |
We do not share data with advertisers, data brokers, or analytics vendors.
If we are ever required by law to disclose data (e.g. court order), we will do so only to the extent legally required and, where lawful, notify you first.
4. International transfers
Your data is primarily stored in the EU (AWS Frankfurt). Some processors (Apple, Cloudflare, Resend) may process data in the United States. Where applicable, we rely on Standard Contractual Clauses for transfers outside the EEA.
5. Retention
- Account and profile data — retained while your account is active.
- Messages — retained while either party's account is active. When you delete your account, your messages are removed from your view; copies in the recipient's view persist until they delete their own account or the message.
- Logs — retained for up to 30 days, then deleted.
- Backups — encrypted backups are retained for up to 30 days for disaster recovery and then overwritten.
When you delete your account, we delete or irreversibly anonymize your personal data within 30 days, except where we are required to retain specific records by law.
If your account remains inactive for an extended period, we may delete or anonymize your data after providing notice, in accordance with applicable law.
6. Your rights
If you are in the EU/EEA, UK, or California you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and personal data ("right to erasure"). You can do this yourself at any time inside the App: My Profile → scroll to the bottom → Delete my account.
- Export a portable copy of your data — email [email protected] and we will send you a structured export within 30 days.
- Object to or restrict specific processing — email [email protected].
- Lodge a complaint with your local supervisory authority (in Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit).
Most of our processing is necessary to provide the service you requested (legal basis: contract). For that processing, the equivalent of "withdrawing consent" is deleting your account, which removes your personal data as described in section 5.
To exercise any of the rights that aren't self-service, email [email protected]. We respond within 30 days.
7. Children
Aury is intended for adults aged 18 and older. We do not knowingly collect data from anyone under 18. If we learn that we have, we delete it. If you believe a minor has provided us data, contact [email protected].
8. Security
We follow industry-standard practices to protect your data, including TLS for traffic in transit and access controls on the systems that store it. Profile photos are stored on AWS S3 under randomly generated per-user paths; the URLs themselves are not authenticated, so anyone who obtains a photo URL while it exists can view that photo. While these URLs are difficult to guess, they are not access-controlled. This means that anyone who obtains a valid URL may be able to view the image while it exists. Photos are deleted from storage when you delete them in the App or delete your account.
No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you and the relevant supervisory authority within the timeframes required by law.
9. Changes to this policy
We may update this policy as the App evolves. If we make a material change we will notify you in the App and update the "Effective date" above. Continued use after a change constitutes acceptance.
10. Contact
Email: [email protected]
Postal address: available on request — email the address above. A registered business address will be added here once Aury is incorporated.