Privacy Policy
Effective: 6 April 2026
This privacy policy explains how Aurolabs AB collects, uses, stores, and protects your personal data when you use our decision intelligence service. It is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Data controller
The data controller responsible for your personal data is:
- Company: Aurolabs AB
- Location: Stockholm, Sweden
- Organisation number: Pending registration
- Data protection contact: roberto@aurolabs.ai
For all privacy-related inquiries, including requests to exercise your rights under GDPR, please contact us at the email address above.
2. Personal data we collect
We collect the following categories of personal data:
| Category | Examples | Legal basis (GDPR) |
|---|---|---|
| Account data | Name, email address, organisation name | Performance of contract (Art. 6(1)(b)) |
| Service input data | Questions you submit, follow-up messages, decision contexts | Performance of contract (Art. 6(1)(b)) |
| Service output data | Generated decision reports, analysis results | Performance of contract (Art. 6(1)(b)) |
| Payment data | Billing name, email, and payment method identifiers (we do not store card numbers; these are handled entirely by our payment processor) | Performance of contract (Art. 6(1)(b)) |
| Technical data | IP address, browser type, device information, session identifiers | Legitimate interest (Art. 6(1)(f)) |
We do not collect special category data as defined in Article 9 of the GDPR (e.g. health data, political opinions, biometric data, racial or ethnic origin).
3. Purposes of processing
We process your personal data for the following purposes:
- To provide the decision intelligence service, including generating AI-powered reports based on your inputs
- To create and manage your user account
- To send transactional communications (account confirmation, report delivery, service notifications)
- To process subscription payments
- To maintain service security, prevent fraud, and diagnose technical issues
- To comply with applicable legal obligations (e.g. Swedish accounting law)
We do not sell your personal data. We do not use your data for advertising or profiling purposes.
4. Data processors and international transfers
We share personal data with the following categories of third-party processors, all bound by data processing agreements:
| Processor category | Purpose | Data shared | Location |
|---|---|---|---|
| AI inference providers | Generating AI-powered reports and analysis | Your questions, decision contexts, and report prompts | USA |
| Email delivery service | Sending transactional emails | Email address, email content | USA |
| Payment processing service | Handling subscription billing | Name, email, billing details | USA |
| Cloud infrastructure provider | Hosting the service and storing data | All service data (encrypted at rest) | EU |
International transfers
Some of our processors are located in the United States. For these transfers, we rely on:
- The EU-US Data Privacy Framework adequacy decision (where the processor is certified), and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission
You may request a copy of the applicable transfer safeguards by contacting us.
5. Cookies
We use a single session cookie that is strictly necessary for the service to function. This cookie is HttpOnly and is used solely for authentication. No tracking, analytics, or advertising cookies are used.
Under the ePrivacy Directive, strictly necessary cookies do not require consent. Full details are available in our Cookie Policy.
We reserve the right to introduce analytics cookies in the future. If we do, we will obtain your prior consent before setting any non-essential cookies and update this policy and our Cookie Policy accordingly.
6. Data retention
- Account data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days.
- Reports and service input/output: Retained for 1 year after your last access to the relevant report, then automatically deleted.
- Payment records: Retained for 7 years as required by Swedish accounting law (Bokföringslagen 7 kap. 2 §).
- Server logs: Automatically purged after 90 days.
7. Your rights under GDPR
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): You may request that we correct inaccurate or incomplete data.
- Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email roberto@aurolabs.ai. We will respond within 30 days. If the request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days, and we will inform you of any such extension.
Supervisory authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):
- Website: www.imy.se
- Email: imy@imy.se
8. Security measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption for all data in transit
- Encryption at rest for stored data
- Access controls limiting personal data access to authorised personnel
- Infrastructure hosted within the European Union
9. Children
Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
10. Automated decision-making
The reports generated by our service are produced through automated processing, including AI inference. These outputs are informational research inputs and are not used to make decisions that produce legal effects or similarly significant effects concerning you. You are always free to disregard the content of any report.
11. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through the service before the changes take effect. The "Effective" date at the top indicates the latest revision.
12. Contact
For any privacy-related questions, data subject requests, or concerns:
- Email: roberto@aurolabs.ai
- Company: Aurolabs AB, Stockholm, Sweden