Aura Privacy Policy

Effective Date: October 2, 2025

Scope of this Policy
Information We Collect
How We Use Your Information
How We Share Your Information
Your Options and Rights Regarding Your Information
Other Important Information
Privacy Disclosures for Specific Jurisdictions
Contact Information, submitting requests, and our response procedures

Scope of this Policy

This privacy policy (“Policy”) of Aura, Inc. and its affiliates ("Aura," "we," or "us") describes our practices regarding the processing of your personal information (“Information”). This Policy applies to Aura’s products and services (including our website at https://aura.care and websites or mobile applications that link to it), our social media pages or handles, our products and services, communications with us (the “Services”), and anywhere else it is linked or posted.

We may change this Policy from time to time. If we do, we will notify you by posting the updated version, or via email, the app, or otherwise.

This Policy does not apply to third-party websites, mobile applications, or services that may link to the Services or be linked to from the Services, such as third-party lab providers (e.g., Junction or its lab network), wearable device providers, or any health professionals you may engage separately; third-party systems such as health data aggregators, platforms, or APIs not controlled by Aura (e.g., Metriport, Apple Health); or third-party applications or content that may link to or be accessible from or on the Services. Please review the privacy policies of those third-party websites and applications to understand their privacy practices.

Information We Collect

We collect Information from you directly, from the devices you use to interact with us, and from third parties. We may combine Information from the Services together with other Information we obtain from our business records and third-party sources. We may use and share Information that we aggregate (compile to create statistics that cannot reasonably identify a particular individual) or de-identify (strip Information of all unique identifiers such that it cannot be linked to a particular individual) at our discretion.

Information you give us

You may provide the following Information to us directly:

Contact Information, including name, email address, and telephone number.
Demographic Information, such as gender, date of birth, and zip code.
Third-party login credentials, if you register or log in using platforms such as Google or Apple.
Lab results, including clinical laboratory data that you authorize us to receive through our integrated lab partner(s) (e.g., Junction).
Health-related information provided during onboarding or assessments, such as symptoms, diagnoses, medications, medical history, or family medical background.
Account credentials, including username, password, and other access-related security information.
Preferences and settings, such as your selected health goals, notifications, and consent acknowledgments.
Payment Information, including credit card Information.
Content you may include in survey responses.
Information contained in your communications to us, including call recordings of customer service calls.
Information you make available to us via a social media platform.
Your use of our Services.
Any other Information you submit to us.

Information we collect automatically

We may collect the following Information from you and the device you use to interact with our Services:

Device Information, including IP address, device identifiers, and details about your web browser, operating system, language preferences, approximate location, and time zone.
Analytical Information, including details about your interaction with our Services, website, app, and electronic newsletters, the pages or features you access, actions you take, the time and duration of your interactions, and referring URLs
Web diagnostic Information, including web traffic logs.
Certain advertising IDs, such as IDFA.
Your purchasing history, as well as other associated pieces of information.
Cookies and similar technologies, used to recognize your browser or device, store preferences, and track session activity (see also “Cookies, Mobile IDs, and Similar Technologies”).

Information We Collect From Other Sources

We may collect the following Information about you from or using third-party sources, including our processors.

Subscription registration Information.
Information about your interaction with advertisements on our Services, or ads that we place on third-party websites, from online advertising companies.
If you decide to invite others to the Services, we will collect your and the other person’s names, email addresses, and/or phone numbers to send an email or text message and follow up with the other person. You agree that you will obtain the other person’s consent before giving us his or her contact Information. You also agree that you will not send us the contact Information of a minor. We will inform any other person you invite that you gave us his or her Information in the invitation email.

Third parties that we collect your Information from include:

Lab integration partners that provide us with your lab test results upon your authorization.
Service providers, such as payment processors, hosting providers, and customer support platforms.
Marketing or co-branding partners, in cases where we offer promotional services jointly.

You may choose to decline to share certain types of Information or limit certain permissions. However, some features of the Service may not work properly without specific Information.

Cookies and Similar Tracking Technologies

We use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.

What are cookies and similar tracking technologies?

Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. Cookies may uniquely identify your device and store preferences or other data.

Web beacons (also known as single-pixel or clear GIFs) are electronic images embedded in web pages or emails. When your browser loads content that contains a web beacon, it connects to the hosting server, allowing that server to collect data such as your IP address and browser type. Web beacons may also be used in our emails to determine whether they are opened or interacted with. In addition, third-party analytics and ad partners (such as Google and Facebook) may collect data through cookies and tracking technologies. This may include: identifiers (e.g., cookie or device IDs), IP address, browser and device type, pages visited, and inferences from your browsing behavior; these partners may use this data to improve their own services and deliver ads across other websites.

Mobile analytics and advertising IDs are identifiers generated by mobile operating systems (e.g., iOS or Android) that apps can access. These IDs function similarly to cookies and allow for tracking and personalization on mobile devices.

How do our partners and we use cookies and similar technologies?

We and our third-party analytics and advertising partners use these technologies to:

Store your preferences and settings
Enable you to log in
Analyze how our websites and services perform
Track usage behavior and interaction patterns
Develop insights and inferences
Deliver and tailor interest-based advertising
Detect fraud or security issues
Fulfill other legitimate business purposes

We and/or our partners may also share this data with third parties for these purposes. For additional information, see “How We Share Your Information” below.

What controls are available?

You can manage cookie and tracking preferences through your browser settings or mobile device system settings.

Cookie Notice and Banner

When you visit our Platform, you may be presented with a cookie banner or pop-up notice that informs you about our use of cookies and provides options to manage your preferences.

Ad Choices

You have options to limit the Information that our partners and we collect for online advertising purposes.

You may disable cookies in your browser or mobile device using its settings menus. Your mobile device may give you the option to disable advertising functionality. Because we use cookies to support Service functionality, disabling cookies may also disable some elements of our online properties.
The following industry organizations offer opt-out choices for companies that participate in them: the Network Advertising Initiative, the Digital Advertising Alliance, and the European Interactive Digital Advertising Initiative.
You may use our cookie settings menu.
You may contact us directly.

If you exercise these options, please be aware that you may still see advertising, but it will not be personalized. Nor will exercising these options prevent other companies from displaying personalized ads to you.

If you delete your cookies, you may also delete your opt-out preferences.

Do Not Track

Your browser or device may include “Do Not Track” functionality. Our Information collection and disclosure practices and the choices that we provide to you will continue to operate as described in this privacy policy, regardless of whether a Do Not Track signal is received.

How We Use Your Information

We may use your Information for the following purposes.

Service functionality and business operations: To provide you with our Services, including to take steps to enter a contract for sale or for services, bill or invoice for Services, process payments, fulfill orders, enable third party services like lab testing, send Service communications (including renewal reminders), customer support, and conduct general business operations, such as accounting, recordkeeping, and audits.
Service improvement: To improve and grow our Services, including developing new products and services, and understand how our Services are being used, our customer base and purchasing trends, and the effectiveness of our marketing.
Personalization: To offer you recommendations and tailor the Services to your preferences. This may involve creating or inferring new Information about you based on the data you provide or that we collect, such as generating personalized wellness insights based on your lab test results, symptoms, or health goals, and estimating general trends (e.g., changes over time in biomarker categories or health goal progress). We do so using artificial intelligence technologies, which may involve using your Information for training and model development purposes. This inferred data helps improve your experience and is processed according to this Policy.
Advertising and marketing: To send you marketing communications, personalize the advertisements you see on our Services and third-party online properties, and measure the effectiveness of our advertising. We may share your Information, normally limited to technical identifiers and certain other data categories, with business partners, online advertising partners, and social media platforms for this purpose. PLEASE NOTE THAT WE WILL NEVER SHARE YOUR HEALTH DATA FOR ADVERTISING PURPOSES.
Security: To protect and secure our Services, assets, network, and business operations, and to detect, investigate, and prevent theft, unauthorized use, or abuse of the Services and other activities that may violate our policies or be fraudulent or illegal.
Legal compliance: To comply with legal process, such as warrants, subpoenas, court orders, and lawful regulatory or law enforcement requests, and to comply with applicable legal and regulatory requirements.

How We Share Your Information

We may share any of the Information we collect with the following recipients.

Affiliates: We share Information with other members of our group of companies. We ensure that all our affiliates follow the same standards as stipulated by this Privacy Policy and our internal protocols.

Service providers: We engage vendors to perform specific business functions on our behalf, and they may receive Information about you from us or collect it directly. These vendors are obligated by contract to use the Information that we share only for the purpose of providing these business functions, which include:

Supporting Service functionality, such as vendors that customer service and customer relationship management, subscription fulfillment, freight services, application development, list cleansing, and communications.
Analytics and marketing services, including entities that analyze traffic on our online properties and assist with identifying and communicating with potential customers.
Security vendors, such as entities that assist with security incident verification and response, service notifications, and fraud prevention.
Information technology vendors, such as entities that assist with website design, hosting and maintenance, data and software storage, and network operation.
Advertising and Marketing vendors, such as entities that support the distribution of marketing emails or that facilitate serving personalized advertisements.

Here are some of the main service providers we rely on:

Service provider	Link to privacy policies	Activity
Google Cloud	Governed by separate cloud processing agreements	Our storage and infrastructure providers allow us to securely store your data.
Amplitude	https://amplitude.com/privacy	Our performance analytics providers allow us to monitor bugs, errors, and security events.
Meta/Facebook, FunnelFox/Adapty, Snov.io	https://www.facebook.com/privacy/policy/, https://adapty.io/privacy/, https://snov.io/privacy-policy	Our marketing partners that help us spread information about the Services and reach more users
OpenAI	https://privacy.openai.com/	We may integrate various AI functions and tools to enable the Services that would be helpful and useful to you
Anthropic	https://privacy.claude.com/en/	We may integrate various AI functions and tools to enable the Services that would be helpful and useful to you
Apple	https://www.apple.com/uk/legal/privacy/en-ww/	Distributing iOS apps and push notification services.
Google Play	https://policies.google.com/privacy?hl=en-US	Distributing Android apps.
Stripe, PayPal, Merchanto	https://stripe.com/en-pl/privacy, https://www.paypal.com/us/legalhub/paypal/privacy, https://admin.merchanto.org/privacy	Our payment providers that help us process your payments (including banking card data)
Junction	https://www.junction.com/privacy	Our lab testing partner helps you secure your test in various lab providers such as Quest, BioReference, and Labcorp

Business partners: In certain cases, we may share your contact Information with other organizations for marketing purposes.

Online advertising partners: We partner with companies that assist us in advertising our Services, including partners that use cookies and online tracking technologies to collect Information to personalize, retarget, and measure the effectiveness of advertising.

Social media platforms: If you interact with us on social media platforms, the platform may be able to collect Information about you and your interaction with us. If you interact with social media objects on our Services (for example, by clicking on a Facebook “like” button), both the platform and your connections on the platform may be able to view that activity. To control this sharing of Information, please review the privacy policy of the relevant social media platform.

Government entities/Law enforcement: We may share Information when we believe in good faith that we are lawfully authorized or required to do so to respond to lawful subpoenas, warrants, court orders, or other regulatory or law enforcement requests, or where necessary to protect our property or rights or the health and safety of our employees, contractors, customers, or other individuals. We will always strive to limit the scope of such subpoenas and requests to ensure only the minimum necessary Information is shared, if any.

Other businesses in the context of a commercial transaction: We may change our ownership or corporate organization while providing the Services. We may transfer to another entity or its affiliates, or service providers, some or all Information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets, or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your Information as described in this Policy.

Security

We use a combination of physical, technical, and administrative safeguards to protect the Information we collect through the Services. While we use these precautions to safeguard your Information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.

Specifically, we implemented the following measures to protect your Information:

Encryption: We use an industry-standard security protocol (Secure Sockets Layer—SSL) to help ensure that the information is encrypted and protected from third parties. SSL helps ensure that the communication between your browser and our servers is private and that the information contained therein is safe and delivered only to our computers.
Firewall: Once your Information reaches our servers, we protect it in many ways, including storing it on secure servers and using a device known as a firewall, which protects your information by detecting and preventing unauthorized access to the information.
Authorized access: Using our firewalls and other mechanisms, we also protect your Information by only allowing access to it by employees and authorized parties who have a legitimate and verified need to access the information in order to service your requests and administer policies and claims.
Organizational Measures. We maintain internal data protection policies and procedures designed to ensure the lawful and secure processing of your Information
Technical Measures: We regularly monitor and update our IT systems to address potential vulnerabilities and apply security patches in a timely manner.

You are responsible for keeping your account credentials secure. If you believe your account has been compromised, please contact us immediately.

If there is a security system breach and, where required by law, we will either post a notice or try to contact you by email. We will take reasonable steps to fix the issue according to applicable laws and this Privacy Policy. For potential personal data breaches, we may take additional actions, such as logging you out from all devices, resetting your password, and taking other necessary steps to address the situation.

Your Options and Rights Regarding Your Information

Your rights. All our users have the following universal rights:

You have a right to request information about what Information we process about you.
You may ask us to erase your Information. Please be aware that erasing some Information may affect your experience using certain features of the Services that rely on historical data.
If you believe your personal data is inaccurate or incomplete, you can request to correct it or, in some cases, correct it yourself from within the app.
You have a right to opt out of the sale of your Information as defined under applicable laws. As such, we do not sell your data. Under certain state laws (for example, California or other states), if we disclose personal information to a third party for any benefit, this is legally defined as a “sale” or “sharing” of personal data, even if the third party does not use the personal information for any other purpose. We do not sell your data for monetary gain.

How to exercise your rights. Contact us at care@aura.care to exercise your privacy rights.

Alternatively, you can also email us at care@aura.care. We will address your request within 30 days after receipt. It can take us up to 90 days, in some cases, for example, for the full erasure of your personal data stored in our backup systems. We will notify you if we require additional time and provide the reasons for the delay.

Emails and Email Unsubscribe: We may send you email communications related to the Services, including account confirmations and updates, lab order details and results notifications, Service announcements and product updates, and promotional or marketing messages. If you do not wish to receive marketing Information from us or wish to opt out of future email promotions from us, please contact us. Please note that all promotional email messages you receive from us will include an option to opt out of future email marketing communications. You may still receive important transactional or Service-related communications that are necessary for operating your Account and the provided Services you requested.

Jurisdiction-specific rights. You may have certain rights with respect to your Information depending on your location or residency. Please see “privacy disclosures for specific jurisdictions” below. Please contact us to exercise your rights.

If you reside in the European Economic Area, the United Kingdom, or Switzerland, please read carefully about your rights below. Generally, we strive to provide our users with the widest possible privacy rights under the most stringent data privacy regimes.

Other Important Information

Data retention

We will keep your Information for as long as necessary to provide you with the Services or fulfill the purposes for which it was collected.

Please note that such actions as deletion of the mobile application do not result in the deletion of your Information. Please file a request in accordance with this Policy to permanently delete your data.

We may store Information about you for 3 years after you cease using our Services, if you decide to reactivate them.

Cross-border data transfer

We may collect, process, and store your Information in the United States and other countries. The laws in the United States regarding Information may be different from the laws of your country. Any such transfers will comply with safeguards as required by relevant law, including the adoption of relevant standard contractual clauses (SCCs) if the transfer is happening between the European Economic Area and the United States.

Information about children

Aura does not knowingly collect or solicit any Information from anyone under the age of 18 through its Services. If we learn that we have inadvertently collected Information from a child under age 18, we will delete that Information. If you believe that we might have any information from a child under 18, please contact us using the contact details provided at the end of this Policy.

Privacy Disclosures for Specific Jurisdictions

European Economic Area, the United Kingdom, and Switzerland

We process “personal data,” as that term is defined in the European Union’s General Data Protection Regulation (“GDPR”).

Your rights under the GDPR: Users who are located in the European Economic Area (“EEA”), the U.K., or Switzerland have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for data protection authorities are available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

If you are located in the EEA, the U.K., or Switzerland, you have the following rights.

Access and Portability: Request access to personal data we hold about you in a portable format so that you can easily move, copy, or transfer it to third parties for other services or purposes.
Correction: Request that we rectify inaccurate or incomplete personal data we store about you.
Erasure: Request that we erase personal data when such data is no longer necessary for the purpose for which it was collected, when you withdraw consent, and no other legal basis for processing exists.
Restriction of processing: Request that we restrict our processing of personal data if there is a dispute about the accuracy of the data; if the processing is unlawful; if the processing is no longer necessary for the purposes for which it was collected but is needed by you for the establishment, exercise or defense of legal claims; or if your request to object to processing is pending evaluation.
Objection to processing: Object to the processing of your personal data based on our legitimate interests or for direct marketing (including profiling). We will no longer process the data unless there are compelling legitimate grounds for our processing that override your interests, rights, and freedoms, or for the purpose of asserting, exercising, or defending legal claims.
Transfers: Obtain Information about and a copy of the safeguards we use to transfer personal data across borders.

We process your Information for the purposes of performing a contract with you for Services, with your consent, and based on our legitimate interests in operating and promoting our business and Services.

Please contact us at care@aura.care to exercise these rights. Our contact details are in the Contact Information, Submitting Requests, and Our Response Procedures section below.

California

Your California Privacy Rights: “Shine the Light” Law

California residents, in some cases, are entitled once a year, free of charge, to request and obtain certain Information regarding our disclosure, if any, of certain categories of personal Information to third parties for their own direct marketing purposes in the preceding calendar year. Please contact us to inquire about this Information.

Contact Information, submitting requests, and our response procedures

Contact

Please contact us if you have questions or wish to take any action with respect to the Information to which this privacy policy applies. Our main EU establishment is at the address provided below.

Email: care@aura.care

Address: 14 RUE BEFFROY, 92200 NEUILLY-SUR-SEINE, FRANCE; 228 Park Ave S PMB 75218, New York, NY, 10003-1502, US

Telephone: +1 929 357 2773

If needed, you may also contact your local data protection authority. A list of local data protection authorities is available here.

Making a request to exercise your rights

Submitting requests: You may request to exercise your rights by making a request using the contact Information above.

We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Verification: We generally must verify your identity before responding to your request. We verify your identity by asking you to provide personal identifiers that we can match against Information we may have collected from you previously. We may need to follow up with you to request more Information to verify identity.

We will not use personal Information we collect in connection with verifying or responding to your request for any purpose other than responding to your request.

Aura Consumer Health Data Privacy Policy

Effective August 1, 2025

This Consumer Health Privacy Notice supplements the Aura Privacy Policy at https://aura.care/consumer/ (Policy) and applies to personal information defined as “consumer health data” subject to the Washington State My Health My Data Act (MHMD), the Nevada Health Data Privacy Act (NHDPA), or other applicable state consumer health privacy law.

Consumer Health Data We Collect

As described in the Policy, the consumer health data we collect depends on the context of your interactions with Aura, and the choices you make (including your privacy settings), the products and features you use, your location, and applicable law. Because consumer health data is defined very broadly, many of the categories of Information we collect about you could also be considered consumer health data.

Examples of consumer health data may include: lab results, such as clinical laboratory data that you authorize us to receive through our integrated lab partner(s) (e.g., Junction), and health-related information provided during onboarding or assessments, such as symptoms, diagnoses, medications, medical history, or family medical background. Additional information is in the section on “Information You Give To Us” section of the main privacy policy.

Sources of Consumer Health Data

As described further in the Information You Give Us and Information We Collect Automatically sections of the Policy, we collect Information (which may include consumer health data) directly from you, from your interactions with our Services, your communications with us, from third parties, and from publicly available sources.

Why We Collect and Use Consumer Health Data

We collect and use consumer health data for the purposes described in the How We Use Your Information section of our Policy. We collect and use consumer health data as reasonably necessary to provide you with the Services you have requested or authorized. This may include delivering and operating the Services and their features, personalization of certain features, ensuring the secure and reliable operation of the Services and the systems that support them, troubleshooting and improving the Services, and other essential business operations that support the provision of the Services (such as analyzing our performance, meeting our legal obligations, developing our workforce, and conducting research and development).

We may use consumer health data for other purposes for which we give you choices and/or obtain your consent as required by law – for example, for advertising or marketing purposes. See the Your Options and Rights Regarding Your Information section of the Policy and the How to Exercise Your Rights section below for more details on the controls and choices you may have.

Our Sharing of Consumer Health Data

We may share each of the categories of consumer health data described above for the purposes described in the How We Share Your Information section of the Policy.

For example, we may share your Information, including consumer health data, with your consent or as reasonably necessary to complete any transaction or provide any Service you have requested or authorized. If you make a purchase, we will share consumer health data about the transaction as necessary to process the payment, including protection against fraud. And we may disclose consumer health data when we believe that doing so is necessary to comply with applicable law or respond to a valid legal process.

Third Parties With Which We Share Consumer Health Data

We share your consumer health data with the third parties listed in the How We Share Your Information section of the Policy for the purposes listed above.

How to Exercise Your Rights

If you are covered by the MHMDA, the NHDPA, or other applicable consumer health privacy law, then you may have certain rights with respect to consumer health data, including rights to access, delete, or withdraw consent relating to such consumer health data, subject to certain exceptions.

You can request to exercise such rights using the various tools and mechanisms described in the Contact Information, Submitting Requests, and Our Response Procedures section of the Policy. If your request to exercise a right is denied, you may appeal that decision by contacting us at the address in that section. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint, the Nevada State Attorney General at https://ag.nv.gov/complaints/file_complaint/, or other regulatory authority as applicable.