Aura Health Ecosystem – Global Privacy Policy

Effective Date: December 31, 2025

Version: 3.1 (Developer & Enterprise Compliance)

1. Introduction

Welcome to the Aura Health Ecosystem (“Aura,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, share, and protect personal data when you access our website and services, including our digital platform and integrations with third-party services such as wearable providers.

This Privacy Policy applies to aura.med and its subdomains (including app.aura.med) and related services that reference or link to this policy.

2. Who We Are (Controllers and Roles)

Aura operates through legally separate entities that may support different parts of the service. For privacy purposes, Auramedical Tecnologia da Informação Ltda (“Aura Tech”) acts as the primary Data Controller for platform and integration data, unless otherwise stated.

Depending on your use of Aura services, other entities may also process data for specific purposes (e.g., clinical care or logistics facilitation). When they do, they act under applicable contractual and legal frameworks consistent with this policy.

3. Information We Collect

We collect the following categories of information:

A) Identity and Account Data

Examples: name, email, phone number, account identifiers, and authentication data.

B) Compliance and Verification Data (when applicable)

Examples: government ID (e.g., Passport/National ID/CPF), proof of address, and other information required for compliance and verification processes.

C) Clinical and Health-Related Data (when applicable)

Examples: medical history, laboratory values, prescription logs, clinical notes, and telemedicine records (and, where permitted by law and with appropriate safeguards, audio/video records).

D) Wearable and Connected Services Data (with your authorization)

Sources: Garmin Connect and other third-party services (e.g., Oura, Strava, Apple Health), when you choose to connect them.

Examples of data points: heart rate and resting heart rate, HRV, sleep metrics (stages, duration), activity metrics (steps, intensity), oxygen saturation (SpO2), and stress-related indicators (as provided by the third party).

E) Usage and Device Data

Examples: IP address, device and browser type, approximate location derived from IP, app interactions, logs, and security events.

4. How We Use Information (Purposes)

We use your information for the following purposes:

  • Provide and operate Aura services (account creation, authentication, core app features).
  • Generate insights and dashboards based on your data to support your chosen services (including wellness monitoring and progress tracking).
  • Enable wearable integrations and process data retrieved via authorized third-party APIs (e.g., Garmin Connect).
  • Security and fraud prevention (monitoring, logging, abuse prevention, and incident response).
  • Legal and regulatory compliance where applicable (including retention obligations for certain records).
  • Service improvement (debugging, performance, and user experience improvements).

5. Legal Bases for Processing (LGPD/GDPR)

Where applicable, we process personal data under one or more of the following legal bases:

  • Performance of a contract (to provide the services you request).
  • Compliance with legal/regulatory obligations (where required).
  • Legitimate interests (e.g., security, fraud prevention, and service improvement), balanced against your rights.
  • Consent (especially for third-party wearable integrations like Garmin Connect, and for optional features). You may revoke consent at any time.

6. Wearable Integrations (e.g., Garmin Connect)

When you connect a wearable provider (such as Garmin Connect), you authorize Aura to access data made available by that provider through its APIs.

  • Purpose limitation: We access wearable data only to support features such as health dashboards, wellness monitoring, and user-facing insights within Aura.
  • No sale of data: We do not sell, rent, or trade your wearable/biometric data to advertisers or data brokers.
  • User control and revocation: You may disconnect or revoke access at any time via Aura settings and/or the wearable provider’s settings. Once revoked, new data collection from that provider stops; data already collected remains subject to the retention and deletion terms in Section 9.

7. Sharing and Disclosures

We may share information in the following limited circumstances:

A) Service Providers (Processors)

We use trusted vendors to host infrastructure, operate the platform, provide monitoring and security, and support service delivery. These providers process data under contractual obligations, confidentiality, and security requirements.

B) Within the Aura Ecosystem

Where necessary to provide the services you request, data may be shared among entities supporting those services, under appropriate safeguards and role-based access controls.

C) Legal Requirements

We may disclose information if required by law, court order, or valid legal process, or to protect rights, safety, and security.

We do not share wearable/biometric data with third parties for advertising purposes.

8. International Data Transfers

If your use of Aura services involves cross-border processing, we implement appropriate safeguards consistent with applicable laws. Where required, we rely on contractual measures and security controls designed to protect personal data in transit and at rest.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, including legal and regulatory requirements.

  • Clinical records (when applicable): retained for the period required by applicable healthcare regulations.
  • Wearable data: retained while your account is active and as needed to provide features you request.
  • Security logs: retained for a limited period to support security, fraud prevention, and auditing.

When deletion is requested, we will delete or de-identify data where possible, except where retention is required by law or necessary for legitimate purposes (e.g., security, dispute resolution).

10. Security

We use administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration.

Examples of safeguards may include:

  • encryption in transit and at rest (where applicable),
  • access controls and least-privilege policies,
  • monitoring and logging,
  • secure development and incident response practices.

No system is 100% secure, but we continuously improve our security posture.

11. Your Rights and Choices

Depending on your jurisdiction, you may have rights to:

  • access, correct, or update personal data,
  • request deletion (where applicable),
  • object to or restrict processing (where applicable),
  • request portability (where applicable),
  • revoke consent at any time for optional processing (including wearable integrations).

To exercise your rights, contact privacy@aura.med. We may request identity verification and will respond within applicable legal timeframes.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and provide notice where required.

13. Contact

For privacy inquiries or to exercise your rights, contact: privacy@aura.med

This policy is provided for transparency and compliance purposes and does not constitute legal advice.