Privacy Policy

Welcome to OAURA.

We're building a mental wellness app that helps you develop OCD coping skills, practice evidence-based techniques, and build confidence in your daily life.

Email: support@ocdaura.com

In GDPR terms, we are the data controller for the personal data described in this policy.

1. Introduction

1.1 Scope

This policy applies to the OAURA iOS and Android apps, ocdaura.com, our support emails, and social media channels. Third-party sites we simply link to are outside our control; please check their policies.

1.2 What OAURA is, and is not

OAURA is not medical treatment, therapy, or medical advice. It does not diagnose, treat, or cure any medical condition. OAURA is a self-help and educational tool that provides 24/7 AI-powered support, guided exposures, response prevention journaling, and meditation content based on evidence-based approaches. You stay in charge of your wellness journey; we simply provide guidance and support.

2. Information We Collect

2.1 Data you give us directly

Account Information:
We collect your email address to create your account and enable sign-in through Apple, Google, or email.

Profile & Onboarding Data:
We collect your name, age, and information about your OCD experience - including subtype, symptoms, and therapy history. This helps personalize your app experience.

Any journal entries, exposure exercises, response prevention notes, and chat conversations you create are stored securely in our encrypted database. This data may include mental health information and is treated as special-category data under GDPR Article 9.

We store this information to provide you with the app's core features - we do not read, analyze, or process the content of your wellness data beyond what's necessary to display it back to you in the app.

Legal bases: Contract (to deliver the service you signed up for) and Consent (by creating an account and using OAURA's features).

2.2 Data collected automatically

We receive pseudonymized usage events (linked to your account but containing no personal information like name or email) showing which screens you open, how long sessions last, and which features you use. This helps us improve the app experience. We also collect device information (device model, operating system, app version) and crash logs to keep OAURA stable and secure.

What we do NOT track: We do not track the content of your therapeutic data. Your chat messages, journal entries, exposure exercise details, and meditation notes are never included in analytics.

Legal bases: Legitimate interest (security, app improvement).
Where national law or app-store rules require it, we obtain consent for analytics first.

2.3 Payments

Subscriptions are handled by RevenueCat. They receive Apple/Google receipt IDs and country codes; we never see your card number.

Legal bases: Contract (to give you paid features) and legal obligation (tax compliance).

3. Tools We Trust

We only work with providers that meet GDPR standards and have signed Standard Contractual Clauses (SCCs) if they are outside the EEA.

Supabase – database, authentication, and encrypted storage. Primary storage is in the US East (Virginia); covered by SCCs.

Anthropic Claude API – generates AI chat responses. Data retained for up to 30 days for safety compliance only, never used for model training. Covered by SCCs.

OpenAI API – text embeddings for content search. Covered by SCCs.

RevenueCat – subscription validation; US servers under SCCs.

Render – backend server hosting; US servers covered by SCCs.

PostHog – product analytics to understand feature usage and improve the app. We track which features you use and how you navigate the app, but we do not track the content of your therapy data (chat messages, journal entries, exposure details, etc.). US servers covered by SCCs.

We keep this list up-to-date and will add any new providers here.

4. International Transfers

OAURA's data infrastructure is based in the United States (US East - Virginia region). Regardless of where you're located, your data will be transferred to and stored in the United States.

We protect these transfers using Standard Contractual Clauses (SCCs) and strong encryption in transit (TLS 1.3) and at rest (AES-256). These safeguards ensure your data is protected to international standards.

5. Security

All network traffic is protected by TLS 1.3. Databases are encrypted at rest with AES-256. Internal access is strictly role-based and logged. We run regular vulnerability scans and security assessments. If a personal data breach poses a risk to you, we will notify you and the appropriate Data Protection Authority within 72 hours, as GDPR Articles 33-34 require.

6. Your Rights

You may access, correct, delete, export or restrict your data; withdraw consent; or object to certain uses. To exercise these rights, email support@ocdaura.com. We'll respond within 30 days. If you're in the EU, you can also lodge a complaint with your local Data Protection Authority.

7. Marketing and Cookies

Our website loads essential cookies automatically to make the site work. The OAURA mobile app collects anonymized usage data as described in Section 2.2.

8. Children

OAURA is intended for users aged 18 and older. We do not knowingly collect data from anyone under 18. We delete any underage account immediately upon discovery. If you're a parent and believe your child has provided us with personal data, please contact us at support@ocdaura.com so we can delete it.

9. Changes

If we materially change this policy, we'll announce it in-app or by email at least 15 days before it takes effect. We'll also update the "Last updated" date at the top of this page.

10. Contact

Have questions about this Privacy Policy or your data? Email us at support@ocdaura.com.