Aurolabs · Privacy

No trackers.
No analytics.
Just what's necessary.

This page explains, in plain language, what Aurolabs collects, why, how long we keep it, and your rights under the GDPR.

Last updated · 2026-05-22

/ 01

What we collect.

Contact-form submissions. When you write to us via the form on /chat, we receive: your name (if you fill it in), your email, the topic you select, and the message body. We need these to reply.

Server logs. Standard nginx access logs: IP address, timestamp, requested URL, user-agent. Used for security, debugging, and rate-limiting. Rotated daily and deleted after 14 days.

Nothing else. No third-party analytics, no advertising pixels, no fingerprinting, no behavioural tracking, no cookies that persist beyond your session for our purposes.

/ 02

Cookies & local storage.

The only client-side storage we use is a single localStorage key (aurolabs.cookie-notice.v1) that remembers you've dismissed the privacy notice. It contains the literal string dismissed and nothing else.

We don't set tracking or analytics cookies. We don't load Google Analytics, Hotjar, Facebook Pixel, Segment, or any equivalent. The site is purely server-rendered HTML with a small amount of inline JS for animations.

/ 03

Why & legal basis.

Contact-form data: processed on the basis of legitimate interest (replying to a message you sent us) and, where applicable, on your consent (you typed it in and pressed Send).

Server logs: processed on the basis of legitimate interest for security, abuse prevention, and operating the service.

/ 04

How long we keep it.

Contact-form messages: currently captured only in operational server logs until we reply. No separate customer database is in use yet. When one comes online (with a Stripe-backed product) we'll keep it for the active relationship plus 12 months, then delete unless there's a legal reason to retain.

Server logs: 14 days, then rotated out (verified — daily rotation, 14 generations).

localStorage notice key: stays on your device until you clear it. Cosmetic only — it just remembers you've dismissed the notice.

/ 05

Sub-processors.

The site runs on DigitalOcean in Amsterdam (AMS3) — EU. Inbound mail to roberto@aurolabs.ai is handled by Namecheap PrivateEmail. Outbound transactional email via Resend when a feature requires it. Payments (when relevant) via Stripe. None of these are loaded on the public site itself — they only run server-side or for specific authenticated flows.

/ 06

Your rights.

Under the GDPR you have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing. You can also lodge a complaint with the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY).

To exercise any of these rights, email roberto@aurolabs.ai with the subject "Data request". We aim to reply within 7 days, and resolve within 30.

/ 07

Controller.

Aurolabs AB · Stockholm, Sweden · roberto@aurolabs.ai