AURORA

Privacy Policy

Last updated: June 30, 2026

This Privacy Policy explains how Aurora collects, uses, shares, and protects personal information when you use the Service. Because Aurora is a multi-tenant platform, our role differs by context: for an Operator's own account and platform data we act as a controller; for personal data an Operator manages about its clients and attendees, we act as a processor on the Operator's behalf.

1. Information we collect

Account data: name, email, password (hashed), phone, role, and workspace details for Operators and their team members.

Client & contracting data (controlled by Operators): client contact details, contracts and e-signatures (including signer name, email, IP address, user agent, and timestamp captured as a signing audit trail), invoices, and payment records.

Media & content: audio, video, logos, choreography, brand assets, and safety-map geometry you upload.

Payments: we do not store full card numbers. Stripe processes payments and we retain limited records (amounts, status, last-four where provided, payout and ledger metadata) for reporting and reconciliation.

Attendee/donor data: when someone joins a broadcast or tips, we collect minimal data — a coarse session record and, only if voluntarily provided, a donor name and message. We minimize and time-bound this data.

Usage & device data: log data, IP address, device/browser information, and analytics needed to operate and secure the Service.

2. How we use information

We use information to provide and operate the Service (authentication, tenancy, branding, media transcoding, preview, broadcast synchronization, payments, notifications), to secure it (rate limiting, fraud and abuse prevention, audit logging), to meter and bill usage, to provide support, and to comply with legal obligations.

We send transactional messages (email/SMS) such as invites, contracts, receipts, approval requests, and broadcast links. Operator team members can set notification preferences. We do not sell personal information.

3. Sub-processors & sharing

We share data with service providers who help us run the Service, under contractual confidentiality and data-protection terms. Current categories include: cloud hosting and storage (AWS), payments (Stripe), email (SendGrid), SMS (Twilio), mapping/airspace data (Mapbox and public FAA data services), and AI providers used for show generation (e.g., Anthropic, Google) where you use those features.

Operators can see and control much of the personal data in their workspace. We share data with an Operator about its own clients and attendees as part of providing the Service to that Operator.

We may disclose data to comply with law, enforce our terms, or protect rights and safety. If Aurora is involved in a merger or acquisition, data may transfer subject to this Policy.

4. Payment data & PCI

Card details are entered directly into Stripe's secure elements and do not pass through Aurora's servers. We rely on Stripe's PCI-DSS compliance for card processing and retain only non-sensitive transaction metadata needed for invoicing, reporting, and reconciliation.

5. Your rights & choices

Depending on your location (including under GDPR and CCPA/CPRA), you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. The Service includes self-serve tools: clients can request export or deletion of their personal data from the client portal, and Operators can export or offboard their workspace data.

Where Aurora is a processor (an Operator's client/attendee data), we will route or assist with rights requests in coordination with the relevant Operator. We honor verified requests within the timeframes required by applicable law, while retaining records we are legally required to keep (such as tax and payment records).

To exercise rights or ask questions, use the in-product privacy tools or contact privacy@aurorashows.com.

6. Data retention

We retain personal data for as long as needed to provide the Service and for legitimate business and legal purposes. Personal data subject to a deletion request is soft-deleted and anonymized, while financial and tax records are retained for the period required by law. Attendee/donor data is minimized and retention-bounded. On Operator offboarding, workspace data is made available for export and then scheduled for deletion after a retention window.

7. Security

We use technical and organizational measures including encryption in transit, private storage with scoped access, tenant isolation enforced at the data layer, hashed credentials with session revocation, optional two-factor authentication, rate limiting, signed webhooks, audit logging, and least-privilege access. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify affected parties of incidents as required by law.

8. International transfers

We operate primarily in the United States. If you access the Service from outside the U.S., your data may be processed in the U.S. and other countries. Where required, we use appropriate transfer mechanisms (such as Standard Contractual Clauses) with our sub-processors.

9. Children

The Service is not directed to children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect their personal data. Broadcast attendance is anonymous and does not require an account.

10. Cookies

We use strictly necessary cookies for authentication and security (e.g., session and tenant context). We keep non-essential tracking to a minimum and will provide controls where required by law.

11. Changes & contact

We may update this Policy; the “last updated” date reflects the latest version, and material changes will be communicated. Contact us at privacy@aurorashows.com.