How we look after your data.

This Privacy Policy describes how Auria AI Ltd., a Hong Kong company, collects, uses, shares, and protects information in connection with our AI voice-agent platform for clinics (collectively, the “Services”).

This Policy applies to three distinct groups:

• Clinic Users — owners, doctors, nurses, receptionists, and other staff who log in to Auria to configure agents and review outcomes.
• Patients — individuals whose phone numbers, treatment summaries, and voice recordings are processed on behalf of a Clinic.
• Visitors — anyone who visits useauria.com or our marketing pages without logging in.

For Patients, the Clinic is the data controller and Auria is the data processor. The Clinic’s own privacy notice governs the relationship with the Patient; this Policy explains what Auria does on the Clinic’s behalf.

From Clinic Users

• Identity details — name, email, phone, role, clinic name.
• Account credentials — hashed passwords, session tokens, and 2FA details.
• Configuration data — agent scripts, booking settings, EMR webhooks, integrations.
• Usage telemetry — pages visited, actions taken, error logs, IP, device, and browser type.

From Patients (on behalf of the Clinic)

• Contact details — name, phone number, preferred language.
• Clinical context provided by the Clinic — visit type, treatment code, aftercare template, medication reminders.
• Call artifacts — voice recordings, transcripts, Auria’s summaries, sentiment scores, and any rebooking or escalation outcome.
• Consent state — whether the Patient has opted in to automated calls and the timestamp of their decision.

From Visitors

• Standard web analytics via Vercel Analytics — aggregated and pseudonymous.
• Cookies strictly necessary to run the site; no third-party advertising cookies.

We use the data described above for the following purposes, and no others:

• Delivering the Services — placing calls, transcribing them, booking appointments, and feeding outcomes into your Console and EMR.
• Operating & improving reliability — monitoring uptime, debugging issues, preventing fraud and abuse.
• Product improvement — using aggregated and de-identified usage data to improve voice quality, recognition accuracy, and conversation flows.
• Billing — calculating minutes used, SMS fees, and third-party pass-through charges.
• Communication — sending service emails, release notes, security notices, and — only where you have opted in — product updates.
• Legal compliance — responding to lawful requests, enforcing our Terms, and protecting the safety of patients and staff.

We do not sell your data. We do not use patient recordings or transcripts to train general-purpose large language models. We do not share patient data with advertising networks.

We process personal data under the following bases, as relevant to your jurisdiction:

• Performance of a contract — to deliver the Services you have engaged us to provide.
• Legitimate interests — to operate, secure, and improve our platform, provided those interests are not overridden by your rights.
• Consent — for any marketing communications and for jurisdictions where consent is the required basis.
• Legal obligation — where required by law, court order, or regulatory authority.

For Patients, the legal basis is normally the consent they provide to the Clinic at the point of care. Auria processes that data under instruction from the Clinic (the controller).

We share personal data with a small, deliberately chosen set of sub-processors, each under a written data-processing agreement that binds them to the same standards we commit to here:

• Retell AI — voice agent orchestration and transcription.
• Twilio — carrier-grade voice and SMS infrastructure.
• OpenAI & Anthropic — large-language-model providers used for conversation generation and summarisation. Zero-retention, no-training endpoints are used wherever available.
• Cal.com — appointment scheduling when enabled by the Clinic.
• Supabase — our encrypted database and authentication layer, hosted in the Asia-Pacific region.
• Vercel — web hosting and CDN for app.useauria.com and useauria.com.
• Zapier, Google Workspace — only if you opt in to Sheets-based call logging or Zapier-based automations.

We disclose data to law-enforcement or regulators only when compelled by valid legal process, after giving the Clinic notice where we are lawfully able to do so.

Primary data — accounts, configurations, transcripts, and call logs — is stored in Supabase infrastructure hosted in the Asia-Pacific (Singapore) region. Voice recordings processed by Retell and Twilio may transit the United States for model inference before being returned to our APAC datastore.

Where cross-border transfers occur, we rely on standard contractual clauses, vendor-specific data-processing addenda, and regional endpoint configuration where available. We keep transfers minimal by design.

We keep data only as long as it is useful for the Services or required by law:

• Call transcripts & summaries — retained while your account is active; purged 30 days after account closure.
• Raw voice recordings — retained for 30 days by default, then permanently deleted. Clinics may shorten this window in the Console.
• Account and billing records — retained for 7 years to comply with Hong Kong tax and corporate record-keeping rules.
• Security & audit logs — retained for 12 months, rolling.
• Aggregated & de-identified analytics — retained indefinitely; no longer personal data.

We apply the following safeguards:

• TLS 1.2+ in transit, AES-256 at rest.
• Row-level security on every multi-tenant table.
• Least-privilege access; production data is read-only for engineers by default, unlocked with just-in-time approvals.
• Mandatory 2FA for Auria staff accounts.
• Continuous dependency scanning and quarterly third-party security review.
• Incident response runbooks with clinic notification targets of 72 hours from confirmed incident.

No system is perfectly secure. If you believe you have found a vulnerability, write to security@useauria.com. We do not pursue legal action against good-faith security researchers.

Depending on your jurisdiction — Hong Kong PDPO, EU GDPR, UK GDPR, Singapore PDPA, and others — you have rights to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete information.
• Delete your data (subject to legal-retention carve-outs).
• Export your data in a structured, machine-readable format.
• Restrict or object to certain types of processing.
• Withdraw consent where consent was the legal basis.
• Lodge a complaint with your local data protection authority.

For Patients, these rights are exercised through the Clinic, because the Clinic is the controller. If a Clinic directs us to assist, we will.

To exercise any right, write to privacy@useauria.com. We respond within 30 days and do not charge for reasonable requests.

We use a minimal set of cookies, all first-party:

• Session cookies — to keep you logged in to the Console.
• Theme and preference cookies — to remember your UI settings.
• Analytics cookies — via Vercel Analytics, which collects pseudonymous visit statistics and does not track individuals across sites.

We do not run advertising pixels. We do not fingerprint your device.

The Services are intended for clinic staff aged 18 and over. We do not knowingly collect data directly from children. Where a Clinic uploads information relating to minor patients, the Clinic warrants that it has the necessary parental or guardian consent.

We will update this Policy from time to time. When changes are material, we will notify you by email at least thirty (30) days before they take effect and post a prominent notice in the Console. Non-material changes — clarifications, typo fixes — will simply update the effective date at the top of this page.

Data Protection lead — Jason Jonarto, Founder
Email — privacy@useauria.com
Postal — Auria AI Ltd., c/o Hong Kong Science and Technology Parks, Pak Shek Kok, New Territories, Hong Kong SAR.

You also have the right to complain to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.