Privacy Policy

Version 2.0 — Effective: May 24, 2026

1. Data Controller

The data controller for the personal data processed through Auralis AI (the "Service") is:

2. Personal Data We Collect

2.1 Account data (you provide): name, email, phone number, hashed password, timestamp of acceptance of these terms.

2.2 LinkedIn / X / Instagram account data: when you connect a social account via Unipile, we receive a session token and the public profile (name, headline, avatar, profile URL).

2.3 Outreach data: leads you import (name, email, headline, location, company), conversations and messages exchanged through the connected accounts, campaign configurations.

2.4 Usage data: login timestamps, IP address (for security logs), login count.

2.5 Voice data (optional, opt-in): if you use voice cloning, we send your sample audio to Fish Audio. The cloned voice model ID is stored with your LinkedIn account.

3. Data We Do NOT Collect

We never store your LinkedIn / X / Instagram password. The 6-digit verification code displayed during account linking is forwarded only to Unipile to establish the session — Auralis does not retain it. We do not use tracking, advertising, or analytics cookies. We do not sell, rent, or share your data for marketing purposes.

4. Legal Basis for Processing (GDPR Art. 6)

| Purpose | Legal basis |
|---|---|
| Provide the Service (account, campaigns, messaging) | Contract — Art. 6(1)(b) |
| Security logs, fraud prevention, rate limiting | Legitimate interest — Art. 6(1)(f) |
| Transactional emails (verification, notifications) | Contract — Art. 6(1)(b) |
| Voice cloning (Fish Audio) | Consent — Art. 6(1)(a) |
| Comply with legal requests | Legal obligation — Art. 6(1)(c) |

5. Data Retention

  • Account data: for the duration of your active account.
  • LinkedIn messages and conversations: 4 months from sending/receiving, then automatically deleted.
  • Leads and campaigns: for the duration of your active account.
  • Security logs (IP, login timestamps): 12 months.
  • After account deletion: all personal data is permanently erased within 15 days.
  • Backups: may contain data for up to 30 days after deletion before being overwritten.

6. Sub-processors and International Transfers

We use the following third-party processors. Some are located outside the European Economic Area (EEA). For these transfers we rely on the EU Standard Contractual Clauses (2021/914/EU) and, where applicable, supplementary technical measures.

| Processor | Purpose | Location |
|---|---|---|
| Hostinger | VPS hosting | EU (Lithuania) |
| Unipile SAS | LinkedIn / X / IG API gateway | France (EU) |
| Anthropic PBC | AI message generation (Claude) | USA — SCCs |
| Resend | Transactional email | USA — SCCs |
| Fish Audio | Voice cloning (opt-in) | USA — SCCs |
| Cloudflare Inc. | CDN / DDoS protection | USA — SCCs |
| Stripe Inc. | Payments (when applicable) | USA — SCCs |

7. Automated Decision-Making and AI (GDPR Art. 22)

The optional AI SDR feature uses large language models (Anthropic Claude) to generate replies to your leads. This processing does not produce legal or similarly significant effects on the data subjects. You retain full control: every conversation can be reviewed, edited, paused, or taken over manually at any time. You can disable the AI SDR for any account or lead from the dashboard.

8. Data Concerning Your Leads

When you import leads or connect a LinkedIn account, you are acting as the data controller for those individuals' data; Horizon Consulting LLC acts as your data processor. You are responsible for having a valid legal basis to contact them (e.g., legitimate interest for B2B prospecting under Recital 47, or consent). You can sign our Data Processing Agreement.

9. Your Rights (GDPR Art. 15–22)

As a data subject you have the right to:

  • Access the data we hold about you (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erasure — request deletion of your data (Art. 17)
  • Restrict processing (Art. 18)
  • Portability — receive your data in a machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time, where processing relies on consent

You can exercise rights 1, 3, and 5 directly from Settings → Privacy & GDPR. For any other request, email privacy@auralis.digital. We will respond within 30 days (GDPR Art. 12.3).

10. Right to Lodge a Complaint

If you believe our processing of your data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. For users in Italy: Garante per la protezione dei dati personali (garanteprivacy.it).

11. Security

Passwords are hashed with bcrypt (cost factor 12). Data in transit is encrypted via TLS 1.2+. The database is hosted on an isolated network. Access to production systems is restricted to authorized personnel and audited. Sessions use HttpOnly, Secure, SameSite=Lax cookies.

12. Data Breach Notification (GDPR Art. 33–34)

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority within 72 hours and, where the risk is high, the affected users without undue delay.

13. Children

Auralis is a B2B service not intended for children. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us data, contact us and we will delete it.

14. Changes to This Policy

Material changes will be notified by email and via in-app banner at least 30 days before they take effect. The version number above is incremented for every change.