Aurora - Privacy Policy - Mark Wealth

Last updated: June 2, 2026 Operator: Mark Wealth C Corp. ("Mark Wealth", "Aurora", "the Application", "we", "us", "our") Address: 254 Chapman Rd, Ste 209, Newark, DE 19702, United States Contact: support@markwealth.me

Introduction

Aurora is an AI health-and-wellness concierge application for iOS. Each day it turns the health data you choose to share into a single, plain-language wellness readout - a daily "Brief", a wellness score, and one prioritised recommendation - rather than a dashboard of raw numbers. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, how long we keep it, and the rights and choices available to you. It applies to the Aurora iOS application and any related websites, support channels, and services that link to it (together, the "Service"). This Application provides informational and educational wellness support only. It is not a medical device, does not provide medical advice, diagnosis, or treatment, and is not a substitute for a qualified clinician. You should consult a licensed healthcare professional before making any health-related decision. You are solely responsible for the accuracy and completeness of the information you provide, and for any decisions you make based on the Service. Although we are not a HIPAA "covered entity" or a medical provider, we voluntarily implement administrative, technical, and physical safeguards for the health information you share with us that are consistent with the standards of the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. By creating an account or using the Service, you confirm that you are at least 18 years old and that you have read and understood this Policy. The Service is offered in the United States, Denmark, and Ukraine.

1. Scope and your consent

This Policy covers personal data we process as a controller of your information. Where we process special-category / sensitive data (such as health data), we do so only on the basis of your explicit consent, captured through the in-app permission prompts, toggles, or consent screens, or another lawful basis described in Section 4. You may withdraw consent at any time (Section 9); withdrawal does not affect processing already carried out, and some features will become unavailable without the underlying data.

2. Information we collect

2.1 Information you provide directly

Account data: your email address, used for our passwordless email-code sign-in, and the verification codes themselves.
Onboarding & profile data: age or date of birth, biological sex, height and weight, wellness goals and preferences, and - only if you choose the women's-health path - cycle status and related inputs you enter.
Logged content: mood check-ins, hydration and meal logs, meal photos you upload for food recognition, and the messages you send to Ava, our in-app AI assistant.
Support communications: the contents of emails or in-app messages you send us.

2.2 Health and wellness information (sensitive data)

Aurora is designed around health and wellness data, which is sensitive personal data. Depending on the features you enable, this includes: sleep duration and stages, heart-rate variability (HRV), resting heart rate, steps and activity, recovery and strain metrics, body measurements, mood, nutrition/hydration, and - if you enable it - menstrual-flow and estimated-cycle information. We process this data only to deliver the features you request, and only with your explicit consent.

2.3 Information from your device and connected sources (only with your permission)

Apple HealthKit: with your permission, we read sleep, HRV, resting heart rate, steps, and - if you enable it - menstrual-flow data. We read this data to calibrate your Brief and score; we do not write data back to Apple Health.
Connected wearables (e.g. WHOOP): if you connect a wearable through OAuth, we read recovery, sleep, cycle, workout, and body-measurement metrics from that provider, on a read-only basis, to power your daily wellness readout.
Calendar (optional): if you connect it, we read event/meeting-load signals to shape the timing and content of your Brief.
Device & technical data: push-notification token, time zone, locale, device model and OS version, app version, and a transient IP address used only to deliver responses. We do not store your IP address for profiling.

2.4 Purchase and subscription information

Subscriptions are sold through Apple In-App Purchase. We receive your subscription status and transaction identifiers from Apple and our subscription-management provider (RevenueCat). We never receive or store your payment-card number.

2.5 Usage and product-analytics data

We collect limited product-analytics events (for example, which screens you view and which features you use) to understand and improve the Service. Aurora is a native iOS app: we do not use advertising SDKs, ad networks, or cross-app advertising identifiers, and we do not track you across other apps or websites. iOS App Tracking Transparency does not apply to advertising tracking because we do none; we surface your current iOS tracking choice in the app's Privacy & Data screen for transparency only.

2.6 Aggregated and de-identified data

We may create aggregated or de-identified data that cannot reasonably be linked back to you. Such data is not treated as personal data under applicable privacy laws, and we may use it for research, analytics, and product improvement.

3. How we use your information

We use your information to: - generate your daily Brief, your wellness score (AvaScore), recommendations, and - for women's-health users - estimated cycle context (always "estimated", never a diagnosis or prediction); - operate Ava, our AI assistant, and personalise the experience to your data; - recognise foods from the meal photos you upload, for your food log; - send the notifications you have enabled (daily brief, reminders); - create and manage your account and subscription, and provide customer support; - maintain security, prevent fraud and abuse, debug, and ensure the Service works; - improve the Service using aggregated / de-identified data; and - comply with legal obligations and enforce our Terms. We do not sell your personal data, we do not use your health data for advertising, and we do not process your sensitive data for targeted advertising or profiling that produces legal or similarly significant effects.

4. Legal bases for processing (EU/EEA, Denmark, and where applicable)

Where data-protection law (such as the GDPR) requires a legal basis, we rely on: - Consent - for health/sensitive data and for connecting HealthKit, wearables, or your calendar. You may withdraw it at any time. - Performance of a contract - to provide the Service you sign up for (account, Brief, subscription). - Legitimate interests - to secure the Service, prevent fraud, and improve the product using de-identified data, balanced against your rights. - Legal obligation - to comply with tax, accounting, and other legal requirements.

5. AI features (Ava)

Ava is powered by third-party large-language-model and text-to-speech providers (see Section 6.1). Your conversations and the relevant context are processed to generate responses. Under our agreements with these providers, your content is not used to train their public/foundation models. Ava is informational only and is not a crisis line or a mental-health service. If you are in crisis, call or text 988 (the U.S. Suicide & Crisis Lifeline) or your local emergency number; in an emergency call 911 (U.S.) or your local emergency services.

6. How we share your information

We share the minimum data necessary, and only as described here.

6.1 Service providers (subprocessors)

We use vendors who process data on our behalf under contract and only on our instructions:

Vendor	Purpose	Data involved
Anthropic, OpenAI	AI assistant + recommendation generation	Ava messages, meal photos, and de-identified health and lifestyle context (such as sleep, HRV, cycle phase, activity and logged meals) needed to generate insights and recommendations. Never your name, email address or contact details.
OpenAI, ElevenLabs	Text-to-speech for the voice Brief	Brief text
OpenWeather	Local weather context for recommendations	Coarse location/locale
Apple	HealthKit, In-App Purchase, push notifications	Health permissions, purchase, push token
RevenueCat	Subscription management	Subscription status, transaction IDs
Amazon Web Services (SES)	Transactional email	Email address
DigitalOcean	Cloud hosting / infrastructure	Application data at rest/in transit
Sentry	Crash & error diagnostics	Diagnostics with PII and request bodies stripped
PostHog	Product analytics	Usage events (no health-data payloads)

Every vendor listed above is bound by a data-processing agreement requiring it to protect your data to a standard at least equivalent to this policy, to use it solely to provide its service to us, and not to use it for its own purposes. Our AI providers (Anthropic, OpenAI) are contractually and by their API terms prohibited from using your data to train their models.

6.2 Apple Health data

Data obtained through Apple HealthKit is handled in accordance with Apple's requirements: it is never used for advertising or marketing, and is never sold or shared with third parties for their own purposes.

6.3 Legal and safety disclosures

We may disclose information where we believe in good faith it is necessary to comply with law, regulation, legal process, or a governmental request; to enforce our Terms; or to protect the rights, property, or safety of our users, the public, or Mark Wealth.

6.4 Business transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice (in-app or by email) before your data becomes subject to a materially different privacy policy.

6.5 What we do NOT do

We do not use Stripe or process card payments ourselves; we do not operate a supplement marketplace, drop-shipping, or product fulfilment; we do not perform lab-result/document recognition; and we do not use advertising networks, ad SDKs, or sell/share data for cross-context behavioural advertising.

7. Cookies and similar technologies

Aurora is primarily a native iOS application and does not rely on advertising cookies or cross-site trackers. Our service providers (e.g. analytics and diagnostics SDKs listed in Section 6.1) use device identifiers and similar technologies solely to operate and improve the Service. Any related website uses only the cookies necessary for its operation.

8. Data storage, security, and retention

Consistent with the HIPAA/HITECH-aligned safeguards noted above, we encrypt data in transit (TLS) and encrypt sensitive fields at rest, restrict internal access on a need-to-know basis, and apply operational controls to protect against unauthorised access, loss, or misuse. No method of transmission or storage is 100% secure, but we work to protect your data using industry-standard measures. We retain your personal data only for as long as reasonably necessary for the purposes in this Policy: while your account is active, and for any additional period required to meet legal, tax, accounting, or anti-fraud obligations or to resolve disputes. When you delete your account (Section 9), we delete or de-identify your personal data, except for a limited subset of records we are legally required to retain for a defined period before final deletion.

9. Your privacy rights and choices

9.1 Rights available to you

Subject to applicable law, you can: access a copy of your data; correct inaccurate data; delete your account and data; obtain your data in a portable format; restrict or object to certain processing; withdraw consent; disconnect HealthKit, wearables, or your calendar; and lodge a complaint with a supervisory authority.

9.2 How to exercise your rights

Many controls are in the app (Profile → Privacy & Data - connect/pause/disconnect sources, delete account). For other requests, email support@markwealth.me. We may need to verify your identity before acting, and we will respond within the timeframe the applicable law requires. You will not be discriminated against for exercising your rights.

9.3 United States - state privacy rights

Residents of states with comprehensive privacy laws have additional rights: - California (CCPA/CPRA): the right to know/access, delete, correct, and opt out of the "sale" or "sharing" of personal information and of targeted advertising; the right to limit use of sensitive personal information; and the right to non-discrimination. We do not sell or share personal information, and we do not use sensitive data for targeted advertising. California "Shine the Light" and minors' provisions apply as written by law. - Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): the rights to confirm processing, access, correct (where provided), delete, obtain a portable copy, and opt out of targeted advertising, "sale", and certain profiling. Colorado and certain states require prior consent before processing sensitive data, which we obtain via the in-app prompts. Where offered, you may appeal a decision on your request by replying to our response. - Nevada: you may opt out of the sale of certain covered information; we do not sell it.

9.4 EU/EEA and Denmark (GDPR)

You are a data subject with the rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent and to lodge a complaint with your supervisory authority (in Denmark, Datatilsynet). Our legal bases are set out in Section 4.

9.5 Ukraine

Residents of Ukraine have the rights provided under Ukraine's personal-data-protection law, including access, correction, and deletion.

9.6 Non-discrimination

We will not deny you the Service, charge different prices, or provide a different quality of service because you exercised your privacy rights, except where the difference is reasonably related to the value of the data, as permitted by law.

10. International data transfers

We operate from and host data in the United States. If you use the Service from Denmark, Ukraine, or elsewhere, your data will be transferred to and processed in the United States and other countries where our service providers operate, which may have different data-protection laws. We take steps to ensure appropriate safeguards for such transfers as required by applicable law.

11. Children's privacy

The Service is intended for adults 18 and older and is not directed to children. We do not knowingly collect personal data from anyone under 18, consistent with COPPA and other applicable laws. If you believe a minor has provided us data, contact support@markwealth.me and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, notify you in the app. Your continued use of the Service after an update means you accept the revised Policy.

13. Contact

Questions, requests, or complaints: support@markwealth.me, Mark Wealth C Corp., 254 Chapman Rd, Ste 209, Newark, DE 19702, United States.