This policy refers to the use of Aury in the US.

Version 1.1, September 2024

Für die deutschsprachige Version, klicke bitte hier.

Take your time and read the entire privacy policy. But the most important things first:

• Aury is not a medical device and is not suitable for medical purposes. If you have persistent symptoms or suspect an illness, please contact a doctor or therapist.
• Your data will only be processed on servers in the EU and the USA. When transferring to countries outside the EU, appropriate safeguards are applied to protect your data (e.g. standard contractual clauses).
• Your data will not be sold and we will not use it for advertising purposes.
• We will delete your data upon request.

Aury is a conversational AI that allows you to discuss matters related to your mental well-being. Aury is provided to you by Saskia Fester, Maximilian Rank, Robert Wasenmüller (hereafter "us" / "we"). In order to provide Aury, we process personal data that can directly or indirectly identify you. Protecting your data is very important to us. This privacy policy explains which data we process, for what purpose, how long we store it, and what rights you have in connection with your data processing.

General Section

§ 1 Name and Address of the Data Controller

This privacy policy applies to the processing of your personal data by:

Saskia Fester, Maximilian Rank, Robert Wasenmüller
c/o Factory Works GmbH
Rheinsberger Str. 76/77,
10115 Berlin,
Germany
E-Mail: info@loqulabs.ai

§ 2 Contact Details of the Data Protection Officer

Aury has appointed an external Data Protection Officer. You can contact them at:

heyData GmbH
Schützenstraße 5,
10117 Berlin,
Germany
E-Mail: info@heydata.eu

§ 3 Your Rights Regarding Your Data

You have the following rights under the GDPR and, where applicable, US privacy laws (such as CCPA):

• Right of Access (Art. 15 GDPR): You have the right to request information from us at any time about the personal data we hold about you, including the purposes of the processing, the categories of data, the recipients, and the planned retention periods.
• Right to Rectification (Art. 16 GDPR): If your personal data is inaccurate or incomplete, you can request that it be corrected.
• Right to Erasure (Art. 17 GDPR): Under certain conditions, you have the right to request the deletion of your data.
• Right to Restrict Processing (Art. 18 GDPR): Under certain conditions, you can request that the processing of your data be restricted.
• Right to Object (Art. 21 GDPR / CCPA): You have the right to object to the processing of your data if it is based on legitimate interests or is being processed in the public interest.
• Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

If you are a California resident (CCPA), you also have the right to:

• Request disclosure of what personal information is collected and how it is used.
• Opt-out of the sale of personal information (although Aury does not sell data).
• Request deletion of your data, unless exceptions apply (such as data needed for a business purpose).

§ 4 Data Processing Outside the EEA

If we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the European Commission under Article 45(3) GDPR guarantee the security of the data during transfer, provided such decisions exist, as is the case for the United Kingdom, Canada, and Israel.

For data transfers to service providers in the United States, the legal basis for the data transfer is an adequacy decision of the European Commission if the service provider is also certified under the EU-US Data Privacy Framework.

In other cases (e.g., where no adequacy decision exists), the legal basis for the data transfer is usually, unless we indicate otherwise, Standard Contractual Clauses (SSC). These are a framework adopted by the European Commission and form part of the contract with the respective third party. Pursuant to Article 46(2)(b) GDPR, they ensure the security of the data transfer. Many providers have also provided contractual guarantees that go beyond the Standard Contractual Clauses, which offer additional protection. These include, for example, guarantees regarding the encryption of data or an obligation for the third party to notify the data subject if law enforcement authorities attempt to access the data.

§ 5 Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your data violates the GDPR or other applicable privacy laws, you have the right to lodge a complaint with a supervisory authority. For us, the competent authority is:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstraße 219,
10969 Berlin,
Germany

If you reside in California or elsewhere in the United States, you can also lodge complaints with the California Attorney General or local state data privacy authorities.

Aury – The Application

§ 6 Hosting

Aury is hosted on the servers of an external service provider, Scalingo SAS, which stores and processes data exclusively within the EU and specializes in handling sensitive data.

Processed Data: IP addresses, contact information, names, and other personal data necessary for the use of Aury.
Legal Basis: Art. 6(1)(b) GDPR – performance of a contract.
Storage Period: Your data will be deleted as soon as it is no longer required for its intended purpose and there are no statutory retention periods that prevent deletion. You can find specific deletion periods in the respective functions below.

§ 7 Channels

You can use a beta version of Aury through WhatsApp, which is provided by WhatsApp LLC, a subsidiary of Meta Platforms Inc., which uses servers in the USA. More information about the processing of your data by WhatsApp can be found in WhatsApp's privacy policy:https://www.whatsapp.com/legal/privacy-policy[26.09.2024].

Important for EU users: By using WhatsApp, your data may be transferred to the US. We ensure data protection through the use of Standard Contractual Clauses (SCCs) approved by the EU.

§ 8 User Account and First Use

Processed Data: Phone number, the name you choose to be addressed by (not necessarily your real name), and a user ID.
Legal Basis: Art. 6(1)(b) GDPR – performance of a contract.
Retention Period: Your data will be securely deleted 180 days after your last activity or upon your request for deletion. For US residents, retention practices comply with CCPA, and data will not be retained longer than necessary for business purposes.

§ 9 Interaction with Aury

Processed Data: Messages you share with Aury. These messages are anonymized and sent to OpenAI OpCo, LLC for processing. Further information on how OpenAI processes your data can be found here:https://openai.com/policies/row-privacy-policy/ [26.09.2024].

Important: Anonymization means that no directly identifiable personal data (such as IP addresses or phone numbers) are transmitted. However, the context of the conversation may allow inferences about your identity.

Legal Basis: Art. 6(1)(b) GDPR – performance of a contract.

For US users, this processing aligns with CCPA requirements for transparency and restricted data use.

§ 10 Analytics and Tracking

Data processed: Usage data, such as time and duration of use. This data is forwarded in pseudonymized form to tools provided by DataDog, Inc. and PostHog, Inc. for processing and analysis, which use servers in the USA.

Note: Pseudonymization means that we do not transfer any direct personal data (e.g. IP addresses or telephone numbers), but data derived from them (e.g. your user ID) that could be indirectly traced back to you.

You can find more information about how DataDog processes this data here:https://www.datadoghq.com/legal/privacy/ [09/26/2024].

You can find more information about how PostHog processes this data here:https://posthog.com/privacy [09/26/2024].

Important: Usage data does not include the content of your conversations with Aury - they remain secret. However, you can provide us with the transcripts of individual sessions for analysis purposes. This only happens with your express permission and only for the transcript of the respective conversation, for example if you state in feedback surveys that your conversation experience was in need of improvement. The transcripts are only evaluated anonymously.

Legal Basis: Art. 6(1) lit. f) GDPR - legitimate interest in the analysis and optimization of our product and Art. 6(1) lit. a) GDPR - consent.

Storage Period: Your usage data will be securely deleted 180 days after the last activity, transcripts after 7 days or after your deletion request.

§ 11 Reminders and Marketing

None of your data will be sold or used for advertising purposes. Aury will not send you advertisement. Aury can send you reminders. You will only receive reminders if you have explicitly set them up. Before Aury can send you reminders, you must give your consent during the onboarding process or type /remindme during your conversation with Aury. You may revoke this consent at any time by typing /stopremindingme during your conversation with Aury. You will find all the information in Aury's channel description and during the onboarding process.

Aury – The Website

§ 12 Provision of the Website

When visiting our website, we use Google Analytics, which is provided by Google LLC and hosted on US servers, to process personal data for analytical purposes (IP address, browser, etc.).

You can find more information about how Google processes this data here:https://policies.google.com/privacy [09/26/2024].

Legal Basis: Art. 6(1)(f) GDPR – legitimate interest in analyzing and optimizing our website.

Retention Period: 14 days.

For US users, these practices adhere to CCPA and other state privacy laws by using data only for business purposes.

§ 13 Customer Service and Inquiries

Processed Data: Name, email address, and other information you provide to us.

Legal Basis: Art. 6(1)(b) GDPR – (pre-)contractual measures.

Retention Period: Until your inquiry is resolved, or you request deletion.

For US users, this also aligns with CCPA principles.

§ 14 Social Media

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, that uses servers in the USA. The privacy policy is available here:https://www.linkedin.com/legal/privacy-policy [26.09.2024].

Data processed: When network users contact us via our profiles, we process the data provided to us in order to answer the enquiries.

Legal Basis: Art. 6(1) lit. b) GDPR - (pre-)contractual measures.

Storage Period: Until your inquiry is resolved, or you request deletion.