Trust & Safety
Aura AI is built local-first. Your source code, design docs, chats, and project memory stay under your control, and your content is not used for training.
Your source code, design docs, prompts, and project context are not used for model training. Aura is built for commercial projects where unreleased mechanics, lore, and production plans need to stay yours.
Account, billing, update, diagnostic, and prompt traffic is encrypted in transit. Local engine communication stays on your machine.
Authentication is handled via secure JWTs. User sessions are validated server-side and scoped securely to your account, ensuring data isolation.
We do not sell, rent, or share your usage data, code context, or personal information with advertisers or data brokers. Ever.
Aura AI is a native background service that runs on your machine. Project context, GDDs, pages, rules, chats, and project memory are local-first and do not sync to a cloud workspace by default.
Our backend enforces rigid server-side validation, ensuring users can only ever access their own subscription and team data. This prevents unauthorized access at the API boundary, guaranteeing your data stays isolated.
A transparent breakdown of every data type Aura touches, where it goes, and who can access it.
| Data Type | Where It Goes | Who Can See It |
|---|---|---|
| AI Prompts & Code Context | Used only to answer the request you submit | Aura request path for response generation only; not used for training |
| GDD Files | Stored locally on your machine; not synced to a cloud workspace by default | You; used only as request context when needed |
| Subscription Data | Remote database (RLS-protected) | You only; Aura backend for credit deduction |
| Email Address | Auth provider; Resend for transactional email | Aura for account management; not shared with third parties |
| Payment Information | Stripe (we never see raw card data) | Stripe only |
| Chat History | Local machine only (in-memory during session) | You only; not synced to any server |
Found a security vulnerability Please report it. We review all reports within 48 hours and will work with you to resolve the issue responsibly.
security@aurainc.coWe don't run a formal bug bounty program, but we will acknowledge your contribution publicly if you'd like.
We are building toward enterprise-grade compliance standards.
Planned. Our architecture is designed to be audit-ready. We will pursue formal certification as the product scales.
Our data model supports GDPR requirements: data minimization, right to erasure, and no unnecessary retention. EU customers can request full data deletion at any time.
Additional client-side controls for GDD handling and team policy enforcement. Planned for a future release.