AURA 300

Privacy Policy

Effective Date: June 2026

This Privacy Policy explains how Aura 300 Inc. ("Aura", "we", "us") collects, uses, shares, and protects personal data when providing AI-powered communication and automation services to salons, clinics, and beauty businesses ("Clients"), and when processing data on behalf of Clients regarding their end customers.

1. Who We Are

Aura 300 Inc. is a Delaware C-Corp providing AI agents (e.g., Emma, Yuki, Nami) that automate communication, scheduling, marketing, and analytics for hair and beauty salons and aesthetic/cosmetic clinics in Australia, Ireland, the United Kingdom, and the United States.


Aura acts in two capacities: (a) as a Data Processor when processing end customer data on behalf of Clients (who are the Data Controllers), under GDPR Art. 28, UK GDPR Art. 28, and equivalent laws; and (b) as a Data Controller for limited operational data (e.g., Client account data, support logs, platform analytics) under legitimate interests or contractual necessity. Contact: privacy@aura300.ai

2. Who This Applies To

• Salon and clinic owners and their authorised staff using Aura 300 Services.


• End customers of salons and clinics who interact with AI agents by phone, SMS, WhatsApp, or other channels. • Website visitors to aura300.ai.

3. What Personal Data We Process

From Clients: Name, business contact information, CRM login or API credentials (stored encrypted, used only to deliver the Services), subscription and usage data.


From End customers (on behalf of Clients): Name, contact information (email, phone), booking history, preferences, and responses to AI agents; call recordings, transcripts, messaging content and metadata.


Meta/WhatsApp Data: Message content, delivery status, opt-in/out preferences (as applicable).


Advertising data (Nami clients only): Audience data, ad performance metrics, and conversion events processed via Meta's advertising platform.


Special category data: The Services are not designed to process health, biometric, or other special category data. Clients must not submit such data without a separate written agreement with Aura. See the DPA Annex IV.

4. Legal Basis for Processing

Aura processes personal data:


• As a data processor on behalf of Clients (the data controllers), per GDPR Art. 28, UK GDPR Art. 28, and the Australian Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024).


• As a data controller for limited administrative data (e.g., Client accounts, support logs) under legitimate interests (fraud prevention, platform security, service improvement, accurate business records) or contractual necessity. Under US state privacy laws, Aura acts as a service provider under Client instructions and does not sell or share personal information as defined under CCPA/CPRA or equivalent state laws.

5. Data Use

We use data to:


• Deliver our AI reception, booking, marketing, and analytics services.


• Authenticate and sync with CRM systems as authorised agent, solely to deliver the Services. • Improve our AI performance and customer experience.


• Record, transcribe, and process voice calls and communications for service delivery and quality assurance.


• Create and manage advertising campaigns on Meta platforms (Nami clients only).


• Comply with legal obligations and enforce our terms.

6. Sharing and Sub-Processors

We use third-party sub-processors to deliver services, including:


• Twilio (telephony and SMS)

• Stripe (payment processing, PCI-DSS compliant)

• Meta (WhatsApp Business)

• Meta (Ads Platform) (Nami clients only)

• OpenAI / Retell AI (AI and language model processing)

• AWS (infrastructure hosting)

• Phorest, Fresha, Kitomba, Treatwell, Shortcuts, Timely, Ovatu (CRM integrations)


All sub-processors are under contract with equivalent data protection obligations. A current list is available at https://aura300.ai/sub-processors. Aura does not sell or share personal data for third-party advertising purposes.

7. International Transfers

We use Standard Contractual Clauses (SCCs) under GDPR (Commission Implementing Decision 2021/914) for EU transfers, and the UK International Data Transfer Addendum (IDTA) for UK transfers, where required for transfers outside the EU/EEA, UK, or a country with an adequacy decision. For transfers from Australia, Aura takes steps to ensure overseas recipients handle personal data consistently with the Australian Privacy Principles.

8. Data Retention

• Salon account data is retained while the subscription is active.


• Customer data processed on behalf of Clients is deleted within 30 days of termination unless otherwise instructed by the Client in writing, subject to applicable legal retention requirements. Call recordings and transcripts are retained for the period specified in the applicable service agreement. Advertising campaign data (Meta) is retained for 12 months following campaign end then deleted or anonymised. Backup copies may be retained until overwritten in accordance with Aura's standard schedule, subject to ongoing confidentiality obligations.

9. Your Rights

Depending on your jurisdiction, you may have the right to:


• Access personal data held about you

• Request correction or deletion

• Object to certain types of processing

• Withdraw consent where processing is based on consent • Data portability (GDPR Art. 20 and equivalent, where applicable)

• Opt out of the sale or sharing of personal information (US state law, including CCPA/CPRA)

• Lodge a complaint with a supervisory authority: Irish DPC (Ireland), ICO (UK), OAIC (Australia), relevant state AG or FTC (US)


To exercise any right, contact privacy@aura300.ai. Aura will respond within the timeframe required by applicable law. Where Aura acts as Processor for end customer data, requests may be forwarded to the relevant Client as Data Controller. Aura will not discriminate against you for exercising any privacy rights.

10. Security

We implement encryption in transit and at rest, role-based access controls with per-tenant isolation, audit logging, and regular security testing. In the event of a confirmed security incident affecting personal data, Aura will notify affected Clients without undue delay and in accordance with applicable law, including within 72 hours where required under GDPR Art. 33.


10A. AI Disclosure

Aura's agents (Emma, Yuki, Nami) are AI-powered automated systems, not human staff. Clients are responsible for informing end customers that communications may be handled by an AI assistant where required by applicable law. Aura does not use Client Customer Data to train proprietary AI models. Third-party AI providers (OpenAI, Retell AI) process data solely to provide requested AI functionality under their contractual commitments. Calls and communications may be recorded and transcribed; Clients are responsible for providing all required notifications and consents for call recording in their jurisdictions.

11. Children

Aura services are not directed at individuals under the age of 16. Clients are responsible for ensuring lawful data collection from minors where applicable.

12. Marketing Communications

All marketing communications sent via Aura AI are governed by the Client's lawful basis and consent mechanisms. We honour opt-out preferences at all times. Clients are responsible for compliance with applicable anti-spam and electronic marketing laws including PECR (UK), EU ePrivacy Directive, AU Spam Act, and CAN-SPAM (US).

13. Changes to This Policy

We may update this policy periodically. Significant changes will be notified via email or platform dashboard with reasonable advance notice. Continued use of the Services after notification constitutes acceptance of the updated Policy.


13A. Law Enforcement Requests: Aura may disclose personal data where required by applicable law, court order, or other valid legal process. Where permitted by law, Aura will endeavour to notify the relevant Client prior to disclosure.

14. Mergers and Acquisitions

In the event of a merger, acquisition, or sale of Aura 300 Inc., personal data may be transferred to the acquiring party, provided they commit to data protection standards no less protective than those in this Policy.

15. Contact

For any privacy-related queries, data subject rights requests, or concerns:

• Email: privacy@aura300.ai

• General: info@aura300.ai | aura300.ai

• Data Processing Addendum: https://aura300.ai/dpa


EU/UK Representative (GDPR Art. 27 / UK GDPR Art. 27): Aura 300 Inc. does not have an establishment in Ireland or the United Kingdom. As Aura offers services to residents in those jurisdictions, Aura is required to designate a local representative in each territory before this Policy is published. Aura is in the process of appointing a GDPR representative service for both the EU and the UK. This Policy will be updated with the representative's name and contact details before go-live with EU or UK residents. In the meantime, all privacy enquiries should be directed to privacy@aura300.ai.

© 2026 Aura 300 Inc. — Delaware C-Corp. All rights reserved.

🇦🇺 Australia

🇮🇪 Ireland

🇬🇧 United Kingdom

🇺🇸 United States