
Privacy Policy

Last updated: April 16, 2026

1. Data Controller

AuroraDocs is developed and operated by Henrik Øgård ("we", "us"). We are the data controller for personal data we collect about you.

Contact us:
Email: contact@auroradocs.eu
Address: Henrik Øgård, Stavanger, Norway

2. Data We Collect

  • Account information: email address and display name you provide at registration.
  • Content you create: pages, notes, tasks, and other objects you store in AuroraDocs.
  • Usage data: login timestamps and last-active time — used only for security and debugging.
  • Local storage: we use localStorage, sessionStorage, and IndexedDB exclusively for app functionality (preferences, offline cache, short-lived handoff state). We use no third-party tracking cookies.
  • AuroraAI / RAG, if enabled later: prompts, retrieved context, workspace routing metadata, server-selected model details, and usage records may be sent to the selected hosted provider. AuroraAI stays blocked for non-cloud and E2EE-enabled workspaces until the separate launch gate is green. Aurora does not use your prompts, retrieved context, or outputs to train Aurora-owned models.
  • Billing and invoices, if paid plans are enabled later: billing contact details, invoice records, tax metadata, payment tokens, and usage counters may be processed by the selected billing provider. Invoice and accounting records follow the billing retention policy and applicable legal obligations once paid plans launch.

3. Purpose and Legal Basis

Purpose | Legal basis
Provide and maintain the service | Contract (GDPR art. 6(1)(b))
Send email notifications (optional) | Consent (GDPR art. 6(1)(a))
Security and abuse prevention | Legitimate interest (GDPR art. 6(1)(f))
Comply with legal obligations | Legal obligation (GDPR art. 6(1)(c))

4. Storage and Retention

Cloud-synced data is stored on AuroraCloud infrastructure that we operate ourselves. Our current server is located in Helsinki, Finland (EU). We plan to migrate to a Norwegian data centre later in 2026 — we will notify users when that move takes place. We retain account data for as long as your account is active. After account deletion, all personal data is removed within 30 days, except anonymised log data which may be retained for up to 90 days for security purposes.

If paid plans are enabled later, billing and invoice records follow the billing retention policy and applicable legal obligations rather than the standard account deletion window.

5. End-to-End Encryption (E2EE)

AuroraDocs supports end-to-end encryption (E2EE) for the main object content body, object titles, property values, comments, workspace chat messages, and uploaded file/image bytes. When E2EE is active, that data is encrypted client-side using keys derived from your login password before it reaches our servers. Save your recovery phrase — we cannot recover your data without it.

Current scope note: E2EE does not yet cover all structural metadata. Object type, parent/child relationships, some workspace-level settings, and other server-visible sync metadata may still be readable by the server and are used to power sidebar labels, graph structure, sharing, and similar features.

This means the current implementation should be understood as broad content-and-attachment encryption, not full-workspace encryption.

  • The encrypted content is produced client-side before cloud sync.
  • Save your recovery phrase — we cannot recover your data without it.
  • Workspaces without E2EE enabled store content in plaintext on the server, protected by access controls and server-side isolation rules.

6. Third-Party Processors

We do not share personal data with third parties, except:

  • Hetzner Online GmbH — server infrastructure and object storage (EU region, Helsinki). Hetzner acts as a data processor under a data processing agreement.
  • Resend Inc. — email delivery, only when you have enabled email notifications. Resend acts as a processor only when email notifications are enabled.

We never sell personal data.

7. Your Rights

Under GDPR you have the right to:

  • Request access to the data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion ("right to be forgotten") — available directly in Settings → Account.
  • Withdraw consent (e.g. email notifications) at any time.
  • Lodge a complaint with your local data protection authority.

8. Data Processing Agreement (DPA)

Business customers who process personal data through AuroraDocs may request a data processing agreement by contacting us at contact@auroradocs.eu.

We keep a current subprocessor register for business customers. The active processors are Hetzner for cloud infrastructure and object storage, and Resend for transactional email when email notifications are enabled. Business customers can request the latest subprocessor list and a DPA copy by emailing contact@auroradocs.eu.

9. Cookies and Local Storage

AuroraDocs uses no third-party tracking cookies. We use the browser's localStorage, sessionStorage, and IndexedDB to store user preferences, offline content cache, folder sync handles, and short-lived handoff state locally on your device. This notice is informational only. This data never leaves your device unless you explicitly enable cloud sync.

10. Changes to This Policy

We will notify you by email of material changes. Minor updates will be published on this page with an updated date.
