AAUREO
DRAFT — pending legal review before production launch. This document is provided for transparency during the pre-launch phase and does not yet constitute final legal terms.

Privacy Policy

Last updated: 4/29/2026

1. Who we are

AUREO is operated from Colombia and offers wellness suggestions generated by AI. We process your data in accordance with the California Consumer Privacy Act (CCPA), the U.S. Federal Trade Commission Health Breach Notification Rule (FTC HBNR), Washington's My Health My Data Act (WA MHMD) where applicable, and Colombia's Habeas Data law (Ley 1581/2012).

2. Data we collect

  • Identification: name, email, city, age.
  • Anthropometric: weight, height, activity level.
  • Health: blood test results you upload, wearable metrics (Garmin, Oura, etc.) if you connect them, health goals, dietary restrictions, supplements.
  • Family: basic data of family members you register for shared meal plans.
  • Usage: history of plans, recipes, shopping lists, and analyses generated.
  • Payment: processed by Stripe — we never store card numbers.

3. Consumer health data — WA MHMD & FTC HBNR

Some data we process qualifies as consumer health data under WA MHMD and as personal health records under the FTC HBNR. We:

  • Never sell consumer health data; we do not share it with third parties for advertising purposes.
  • Obtain affirmative opt-in consent at signup before collecting health data.
  • Will notify you within 60 days if a breach affects your data, as required by the FTC HBNR.

4. How we use your data

  • To generate personalized meal plans and analyses.
  • To improve the quality of the Service's suggestions.
  • To communicate Service changes.
  • To comply with legal obligations.

5. Service providers

We share strictly necessary data with:

  • Anthropic, Inc. — to generate AI responses (Claude).
  • Supabase, Inc. — storage and authentication.
  • Stripe, Inc. — payment processing.
  • Vercel, Inc. — web application hosting.

These providers act as data processors and are contractually bound to protect your data.

6. Your CCPA rights

If you are a California resident, you have the right to:

  • Know what personal information we collect about you.
  • Request access to and a copy of that information.
  • Request deletion of your information.
  • Correct inaccurate information.
  • Opt out of the "sale" or "sharing" of your personal information (we do not sell or share it).
  • Be free from retaliation for exercising any of these rights.

Exercise these rights from Settings → Export my data or Delete account, or by writing to privacy@aureo.app (provisional address).

7. WA My Health My Data rights

Washington residents have additional rights to confirm the collection of their consumer health data, withdraw consent, and request deletion. Use the same channels as above.

8. International transfers

Some of our providers store data outside Colombia and the United States (e.g., Brazil for Supabase). We rely on standard contractual protections and choose providers with adequate safeguards.

9. Retention

We keep your data while your account is active or as needed to meet legal obligations. Account deletion removes identification and health data within 30 days.

10. Security

We apply reasonable technical and administrative measures: TLS in transit, encryption at rest, Row-Level Security on the database, encrypted secrets in Vercel, and access logging on sensitive data.

11. Children

AUREO is not directed to children under 18. Data of minors recorded as family members is entered under the responsibility of the legal guardian who created the account. We do not knowingly collect data directly from children under 13.

12. Changes

Changes will be notified by email and posted here at least 15 days in advance.

13. Complaints

If you believe your rights have not been honored, you may contact the appropriate authority in your jurisdiction (e.g., the California Attorney General, the Washington State Attorney General, or the Colombian Superintendence of Industry and Commerce).