Privacy Policy — AURUM

Last updated: May 27, 2026

1. Data controller

For the purposes of Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018, the entity above acts as the data controller of personal data collected through the AURUM application.

2. Data we process

AURUM processes the following data only to deliver the service:

2.1 Account data

2.2 Profile and goals

2.3 Health data (special category — GDPR Art. 9)

With your explicit in-app consent, AURUM reads the following from Apple HealthKit:

AURUM does not write any data to HealthKit. These signals are used solely to compute your daily readiness, adjust your workouts, and show you your progress.

2.4 Activity logs

2.5 Technical data

3. Legal bases

Purpose | Legal basis
Create and manage your account | Contract performance (GDPR Art. 6(1)(b))
Deliver the coaching service | Contract performance (GDPR Art. 6(1)(b))
Read Apple HealthKit data | Explicit consent (GDPR Art. 9(2)(a))
Process meal photos and voice notes | Explicit consent (GDPR Art. 6(1)(a))
Service communications (changes, incidents) | Legitimate interest / contract
Error monitoring and service improvement | Legitimate interest (GDPR Art. 6(1)(f))

You can withdraw consent at any time in the app (Settings → Privacy) or by emailing pxpep.j10@gmail.com.

4. Retention

5. Recipients and international transfers

Data is stored on servers in the European Union (Railway / managed PostgreSQL).

We share data with the following processors, only as needed to deliver the service:

Provider | Purpose | Location | Safeguards
OpenAI, L.L.C. | Meal photo analysis (GPT-4o) and voice transcription (Whisper) | USA | EU Standard Contractual Clauses
Sentry (Functional Software, Inc.) | Error monitoring | USA / EU | EU Standard Contractual Clauses
Railway Corp. | Backend and database hosting | EU | EU Standard Contractual Clauses
Apple Inc. | App Store distribution, HealthKit | USA | EU-US Data Privacy Framework

We do not sell your data. We do not share your data with advertisers. We do not use your data to train our own or any third-party AI models.

OpenAI explicitly states that API data is not used to train their models (we use the API).

6. Your rights

Under GDPR you have the right to:

You can exercise these rights from inside the app (Settings → Account → Export / Delete my data) or by emailing pxpep.j10@gmail.com. We will respond within one month.

If you believe we are processing your data unlawfully, you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) or your local supervisory authority.

7. Security

8. Children

AURUM is intended for users aged 16 and over. If we learn we have collected data from a minor without valid parental consent, we will delete it immediately.

9. Changes to this policy

We will publish any updates at this same URL and, for material changes, notify you in-app before they take effect.

10. Contact

For any privacy questions or to exercise your rights:

pxpep.j10@gmail.com