AURA 300

CRM Access Authorization

Effective Date: June 2026

This CRM Access Authorization ("Authorization") forms part of the agreement between Aura 300 Inc. ("Aura") and the subscribing salon, clinic, or beauty business ("Client"), together with the Terms of Service at https://aura300.ai/terms, the Privacy Policy at https://aura300.ai/privacy, and the Data Processing Addendum at https://aura300.ai/dpa. In the event of conflict, the DPA prevails on data protection matters.

1. Authorization and Limited Agency Appointment

• The Client expressly authorizes Aura, its personnel, systems, and approved sub-processors to access, retrieve, transmit, update, and process information within the Client's CRM platform(s) solely as necessary to provide the Aura Services, using credentials and access mechanisms provided or approved by the Client.


• The Client appoints Aura as its limited authorized agent solely for accessing the Client's CRM platform(s) on the Client's behalf and under the Client's instructions. Aura has no authority to enter into agreements, make legal commitments, incur obligations, or otherwise bind the Client except as expressly configured by the Client through the Services.


• This appointment is consistent with established professional services practice and with the data portability principles reflected in CFPB Section 1033 of the Dodd-Frank Act, which Aura's architecture is designed to support as it develops toward a full data portability model for the salon and clinic vertical.

2. Purpose of Access

Aura requires CRM access to:

• Retrieve and update appointment availability

• Sync booking confirmations, cancellations, and changes

• Personalize outbound communications

• Enrich AI conversations with service/stylist data

• Update customer records following calls or WhatsApp interactions

3. Nature of Access

• CRM login credentials will be provided by the Client or created for Aura as a unique service user (recommended)


• Where available, Clients should use API-based authentication with a dedicated service account scoped to the minimum permissions required (least-privilege principle). Multi-factor authentication should be maintained on all primary accounts. Disabling MFA is discouraged and should only be considered where API-based access is unavailable


• Aura will access the system through encrypted connections and perform role-based access control

4. Data Scope

Data accessed may include:

• Customer name, contact information, and notes

• Appointment history and preferences

• Service menus and staff assignments

5. Limitations & Security

Aura will:

• Only access data required for contracted services

• Not store or export CRM data outside of permitted systems

• Log all API or manual access events for auditability

6. Sub-Processors

Aura may use sub-processors (e.g., AWS, OpenAI, Retell AI) under written agreements mirroring data protection obligations.

7. Revocation of Access

Client may revoke access at any time by removing Aura's credentials or disabling credentials and notifying privacy@aura300.ai. Upon revocation, Aura will cease processing within 24 hours and will delete any locally cached credentials. Revocation of CRM access does not automatically terminate the subscription.


7A. Platform Terms of Service Warranty:

The Client represents and warrants that:


(a) granting Aura access to the Client's CRM accounts does not violate any agreement between the Client and any CRM platform provider;


(b) the Client has the contractual and legal right to authorize third-party agent access of this nature; and


(c) the Client will notify Aura immediately in writing if any CRM platform provider advises that third-party agent access is restricted, modified, or prohibited. Aura shall not be liable for any claim by a CRM platform provider arising from access granted on the Client's instruction and warranty under this Section.


7B. Effect of Authorization; Client Responsibility:

The Client acknowledges that actions performed by Aura through authorized CRM access are performed at the Client's direction. The Client remains responsible for verifying the accuracy of information maintained in its CRM systems and for the outcomes of automated actions taken by Aura based on that information, including appointments, schedules, pricing, deposits, and customer records. Aura is not liable for outcomes resulting from inaccurate, incomplete, or misconfigured Client data.


7C. Schedule A:

Schedule A lists the CRM platforms and locations currently authorized. It must be updated whenever a new CRM platform or location is added or an existing authorization is removed. No new CRM platform or location may be accessed by Aura until an updated Schedule A has been issued and accepted. Current update process: Client emails privacy@aura300.ai; Aura will issue an updated Schedule A within 5 business days. Dashboard self-service updates are a planned feature. Aura will update this section when that feature is available.

8. Acceptance

☑ By ticking the checkbox during signup, connecting a CRM integration, providing credentials, or otherwise enabling Aura's access to a CRM platform, the Client: (a) confirms that it has read and understood this Authorization; (b) authorizes Aura to access and process CRM data as described herein; (c) agrees to Aura's Terms of Service, Privacy Policy, and Data Processing Addendum; and (d) confirms that the individual providing authorization has authority to bind the Client. This electronic acceptance constitutes a legally binding authorization with the same force and effect as a handwritten signature.

© 2026 Aura 300 Inc. — Delaware C-Corp. All rights reserved.

🇦🇺 Australia

🇮🇪 Ireland

🇬🇧 United Kingdom

🇺🇸 United States