AUREXIS — PRIVACY POLICY
Effective date: 13 April 2026
Last updated: 13 April 2026
This Privacy Policy explains how Aurexis ("Aurexis," "we," "us," or "our") collects, uses, shares, and protects personal data when you visit aurexis.app (the "Site"), request access to, or use the Aurexis opportunity-to-reality engine and related services (together, the "Services").
Aurexis is operated by AUREXIS AI PRIVATE LIMITED, a company incorporated in India (Faridabad, Haryana). For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary for the personal data we handle, and you are the Data Principal.
We built Aurexis on one principle: nothing is simulated — every number traces to a real source, or it is honestly marked absent. We apply the same honesty here. This policy describes what we actually collect and do today, and clearly marks what is planned but not yet in place.
1. Scope
This policy applies to personal data of visitors to the Site, people who request early access, and users of the Services. It does not apply to: (a) the internal engineering of third-party providers we rely on, which have their own policies; or (b) applications that you design, build, and deploy using Aurexis, which you control and are responsible for (see Section 12).
2. Information we collect
a) Information you give us directly
- Access-request and contact details. When you request access or subscribe to updates, we collect your name and email address, and any information you submit through our access-request form. (If our early-access form is hosted by a third-party form provider such as Google Forms, information you enter there is also processed by that provider — see Section 5.)
- Account details. When accounts become available, this will include your login email and a securely hashed password. (Real authentication and saved accounts are a planned feature; where it is not yet live, we say so.)
- Profile intake. To build your founder profile, we collect the answers you provide about yourself — for example how you work, your skills, goals, interests, risk appetite, decision-making style, and your target domain.
- Run inputs and content. Opportunity selections, blueprint choices, and any text or materials you enter into a run.
- Communications. Messages, feedback, and support requests you send us.
b) Information generated when you use the Services
- Run records. Each end-to-end run and its per-stage record — Profile, Discover, Blueprint, Forge, Sentinel, the Deploy step, Dashboard, and Studio — including the specifications and source code generated for you and the preview/live URLs created.
- Sourced market signals. Public developer-ecosystem data (for example repository counts, new-project activity, and stars from the GitHub Search API) fetched on your behalf and stamped with its source and timestamp. This is public data about software projects, not information about you (see Section 5 on how GitHub is used).
c) Information collected automatically
- Log and device data. IP address, browser and device type, referring pages, pages viewed, and timestamps.
- Cookies and similar technologies. We use only the cookies necessary to operate the Site and remember basic preferences.
We do not intentionally collect special-category or sensitive personal data, and we ask that you not enter such data into a run.
3. How we use your information, and our legal bases
Under the DPDP Act we process personal data on the ground of your consent, or on a legitimate use the Act specifically permits (such as a purpose for which you voluntarily provided the data, or preventing fraud and securing the Services). We do not rely on a general "legitimate interests" ground for DPDP purposes, because the DPDP Act does not provide one. For users in the EU/UK, we identify the corresponding GDPR basis separately.
| Purpose | Examples | DPDP (India) ground | GDPR (EU/UK) basis |
|---|---|---|---|
| Provide and operate the Services | Run the seven-stage engine, build your profile, generate and deploy your product | Consent; the purpose you provided the data for | Performance of a contract |
| Communicate with you | Access invitations, service and security notices, replies to your requests | Consent | Consent; legitimate interests |
| Secure the Services and prevent abuse | Debugging, preventing fraud/abuse, measuring reliability | Legitimate use (fraud prevention / security) | Legitimate interests |
| Comply with law | Respond to lawful requests; keep required records | Legal obligation | Legal obligation |
Consent and notice. Where we rely on your consent, we obtain it through a clear affirmative action (for example, a checkbox that is not pre-ticked) at the point of collection, together with an itemized notice of the data we collect, the purposes, and how to withdraw. You may withdraw consent at any time (see Sections 9–10); withdrawal does not affect processing already carried out, and may limit features that require the data.
We process your personal data only for the purposes for which you provided it, or for compatible purposes described here. We do not sell your personal data, we do not use it for third-party advertising, and we do not use your profile intake or run content to train third-party AI models beyond what is needed to return your result (see Section 4).
4. AI processing (important)
Aurexis relies on third-party AI providers to deliver core stages of a run:
- Profile, Discover, and Blueprint stages send your intake answers and/or chosen opportunity to our AI reasoning provider (Anthropic) — to synthesize your profile, to propose opportunity candidates and search queries, and to produce a build specification. (For Discover, the AI proposes candidate ideas and search terms only; the actual figures are then fetched from real public sources — see Section 5.)
- Studio (GEO) measurement sends neutral buyer queries that never name your product to AI assistants (Claude with live web search, and optionally Perplexity), then checks whether your product appears spontaneously. These queries are designed not to disclose your identity or your product.
Your inputs are sent to these providers solely to perform your run. We do not use, and do not authorize these providers to use, your inputs to train their public models beyond what is necessary to return your result, subject to each provider's terms. AI-generated output can be inaccurate or incomplete; you are responsible for reviewing it before you rely on or publish it.
5. When we share your information — subprocessors
We share personal data only with service providers ("subprocessors") that process it on our behalf to deliver the Services, under contracts that require appropriate confidentiality and security:
| Subprocessor | Purpose | Approx. location |
|---|---|---|
| Anthropic | AI reasoning (Profile, Discover, Blueprint, GEO probes) | United States |
| v0 by Vercel | App building and production deployment | United States |
| Perplexity (optional) | Additional GEO probing | United States |
| Supabase | Database and persistence (when configured) | United States / EU |
| Google (Forms) | Early-access request form | United States |
GitHub is not a personal-data subprocessor. For the Discover stage we query the GitHub Search API for public software-project statistics (repository counts, stars, new-project activity). We send only ecosystem search terms; no personal data about you is shared with GitHub.
We may also disclose personal data: (a) to comply with law, legal process, or a lawful government request; (b) to protect the rights, safety, or property of Aurexis, our users, or the public; and (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this policy or notify you of any material change.
6. International data transfers
Aurexis is based in India, and several of our subprocessors are located outside India (primarily the United States). Where we transfer personal data across borders, we do so in reliance on appropriate safeguards, such as the recipient's contractual commitments and standard data-protection terms, and in accordance with applicable law, including any restrictions the Government of India may notify under the DPDP Act. For transfers of EU/UK personal data to the United States, we rely on standard contractual clauses and equivalent contractual safeguards.
7. Data retention
We keep personal data only as long as needed for the purposes in this policy, and then delete or anonymize it:
- Access-request and contact data: until you unsubscribe, or up to 24 months
- Profile and run records: for as long as your account is active, and up to 12 months after it becomes inactive or is closed
- Log and security data: up to 12 months
Where a run creates a real public deployment or generated source, those artifacts may persist with the third-party builder/host until removed.
8. Security
We take reasonable technical and organizational measures to protect personal data, including encryption of data in transit, access controls, and vetting of the subprocessors we use. Notably, the Aurexis engine's security stage (Sentinel) never executes model-generated code when it audits it, so the audit itself does not become a security hole.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We do not claim any specific security certification (such as SOC 2, ISO 27001, or HIPAA compliance) unless and until we have actually obtained it.
Personal-data breach. If we become aware of a personal-data breach, we will notify each affected Data Principal without undue delay — describing, in plain language, the nature of the breach, its likely consequences, the measures we have taken or propose to take, and steps you can take to protect yourself — and we will notify the Data Protection Board of India (and any other authority) with the particulars and within the timelines required by the DPDP Act and its rules.
9. Your rights
Subject to applicable law, you have the right to:
- Access a summary of the personal data we hold about you, a summary of how we process it, and the identities of any other data fiduciaries or processors with whom we have shared it and what was shared (DPDP Act, Section 11);
- Correct, complete, or update inaccurate or incomplete data;
- Erase your personal data where it is no longer needed or you withdraw consent;
- Withdraw consent at any time (without affecting processing already carried out);
- Nominate another individual to exercise your rights in the event of death or incapacity (DPDP Act);
- Not be subject to a decision producing legal or similarly significant effects based solely on automated processing without a way to seek human review; and
- For users in the EU/UK, additionally to restrict or object to processing and to data portability.
To exercise any right, contact us using Section 10. We will respond to rights requests within 30 days, or any shorter period required by applicable law. You also have the right to complain to the Data Protection Board of India (or your local supervisory authority) if you believe your rights have been infringed.
10. Grievance Officer and contact
For any question, request, or complaint about your personal data, contact:
Grievance Officer / Privacy Contact
AUREXIS AI PRIVATE LIMITED
Email: founder@aurexis.app
We will acknowledge grievances promptly and aim to resolve them within 90 days, or sooner where required by the DPDP Act and its rules.
11. Children
The Services are not directed to, and may not be used by, anyone under 18. We apply an age confirmation at sign-up/intake to check that you are 18 or older, and we do not knowingly collect personal data from children.
Consistent with the DPDP Act, we do not knowingly undertake tracking, behavioral monitoring, profiling, or targeted advertising directed at children. If processing of a child's or a person with disability's data ever becomes necessary or is discovered, we will obtain verifiable consent of a parent or lawful guardian as required, and will otherwise delete the data. If you believe a child has provided us personal data, contact us and we will delete it.
12. Third-party links and the apps you build
The Site and Services may link to third-party sites, and Aurexis lets you build and deploy your own applications to live URLs. Those third-party sites, and the applications you create and operate, are not governed by this policy. You are the controller of any personal data your deployed application collects, and you are responsible for its privacy practices and compliance.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, take additional steps to notify you where required.
14. Contact us
Questions about this policy? Email founder@aurexis.app.