This Privacy Policy explains how Business Intensity ("AURA", "we", "us", or "our") collects, uses, stores, and discloses personal data when you access or use the AURA platform (the "Service"). We are committed to protecting your privacy and complying with the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the French Data Protection Act (Loi Informatique et Libertés n° 78-17 of 6 January 1978, as amended), and any applicable Google API Services User Data Policy.
1. Data Controller
The data controller responsible for processing your personal data is:
- Entity: Business Intensity
- Service: AURA
- Registered address: France
- Contact email: privacy@business-intensity.com
For any question relating to this Privacy Policy or the processing of your personal data, you may contact us at the address above.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Data you provide directly
- Account data: first name, last name, email address, password (hashed), profile picture, organization name, role.
- Contact and CRM data: information about your prospects, leads, contacts, opportunities, and appointments that you choose to upload or enter into the Service.
- Communication data: messages, notes, comments, and other content you submit through the Service.
- Support data: any information you provide when contacting our support team.
2.2 Data collected automatically
- Technical data: IP address, browser type and version, operating system, device identifiers, time zone, language settings.
- Usage data: pages visited, features used, click events, session duration, error logs.
- Cookies and similar technologies: see Section 9 below.
2.3 Data from third parties (Google services)
When you choose to connect your Google account to AURA (e.g. to synchronize your Google Calendar), we request access to a limited set of data through Google OAuth, including:
- Your Google email address and basic profile information (openid email profile).
- Your Google Calendar events (https://www.googleapis.com/auth/calendar.events) for the sole purpose of displaying, creating, modifying, and deleting calendar events on your behalf within AURA.
Limited Use disclosure: AURA's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell it, and do not allow humans to read it except (a) with your explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) where the data is aggregated and anonymized.
3. Purposes of Processing and Legal Bases
We process your personal data for the following purposes and on the following legal bases (Article 6 GDPR):
- Provide and operate the Service (account creation, authentication, organization management, CRM features) — Performance of a contract (Art. 6(1)(b) GDPR).
- Synchronize your Google Calendar when you have connected your Google account — Your explicit consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by disconnecting your Google account from AURA.
- Improve and secure the Service (analytics, monitoring, fraud prevention, debugging) — Our legitimate interests (Art. 6(1)(f) GDPR) in operating a reliable and secure platform.
- Customer support and communications — Performance of a contract and our legitimate interests.
- Compliance with legal obligations (accounting, tax, responses to lawful requests from authorities) — Legal obligation (Art. 6(1)(c) GDPR).
- Marketing communications (only when applicable and where consent is required) — Your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.
4. Recipients and Sub-processors
Your personal data may be shared with the following categories of recipients, strictly to the extent necessary for the purposes described above:
- Authorized members of your organization within AURA (e.g. owners, head of sales, closers).
- Our staff and contractors bound by confidentiality obligations.
- Service providers (sub-processors) acting on our behalf, including:
  - Supabase — authentication, database hosting, file storage.
  - Google LLC — Google Calendar API and OAuth (only if you connect your Google account).
  - Hosting, monitoring, analytics, and email delivery providers.
- Public authorities when required by law (e.g. judicial requisition).
We require all sub-processors to provide appropriate guarantees regarding the confidentiality and security of your personal data, in accordance with Article 28 GDPR.
5. International Data Transfers
Some of our service providers (such as Google LLC) are located outside of the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure that an appropriate safeguard is in place, such as:
- An adequacy decision issued by the European Commission, or
- The Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where necessary by additional technical and organizational measures.
You may request a copy of the safeguards in place by contacting us at the address listed in Section 1.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law:
- Account data: for the duration of your active account, then deleted or anonymized within 30 days following account closure (subject to legal retention obligations).
- CRM and contact data: for the duration of the customer relationship, then archived for up to 3 years for prospecting purposes (in accordance with CNIL guidelines), unless you object earlier.
- Google OAuth tokens: retained for as long as your Google integration is active; revoked and deleted within 24 hours of disconnection.
- Logs and technical data: typically retained for 12 months for security and debugging purposes.
- Accounting and tax records: retained for 10 years pursuant to the French Commercial Code (Code de commerce, art. L.123-22).
7. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS) and at rest where applicable.
- Strong authentication and access controls (role-based access, least privilege).
- Regular security audits, dependency monitoring, and patching.
- Logging and monitoring to detect anomalous activity.
- Confidentiality agreements with our staff and sub-processors.
Despite these measures, no transmission over the Internet or method of electronic storage is 100% secure. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority (CNIL) in accordance with Articles 33 and 34 GDPR.
8. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — to obtain confirmation of whether we process your data and a copy of it.
- Right to rectification (Art. 16 GDPR) — to have inaccurate or incomplete data corrected.
- Right to erasure / "right to be forgotten" (Art. 17 GDPR) — to request deletion of your data in certain circumstances.
- Right to restriction of processing (Art. 18 GDPR) — to limit how we use your data.
- Right to data portability (Art. 20 GDPR) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) — to object to processing based on our legitimate interests, including profiling.
- Right to withdraw consent (Art. 7(3) GDPR) — at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing based on consent prior to withdrawal.
- Right to define directives regarding the fate of your personal data after your death (art. 85 of the French Data Protection Act).
- Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR), including profiling, that produces legal effects concerning you.
To exercise any of these rights, please contact us at privacy@business-intensity.com. We may ask for proof of identity. We will respond within one (1) month, which may be extended by two additional months for complex requests.
You also have the right to lodge a complaint with the French data protection authority (the Commission Nationale de l'Informatique et des Libertés — CNIL) or with the supervisory authority of your habitual residence:
- CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- www.cnil.fr
9. Cookies and Similar Technologies
We use cookies and similar technologies that are strictly necessary for the operation of the Service (e.g. authentication, session management, security). These do not require your consent under Article 82 of the French Data Protection Act.
Where we use non-essential cookies (e.g. analytics, preferences), we will obtain your prior consent through a cookie banner, and you may withdraw your consent at any time through the cookie settings.
10. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete the data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. The updated version will be indicated by an updated "Last updated" date and will be effective as soon as it is accessible. We encourage you to review this Privacy Policy periodically.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal data, please contact us at:
- Email: privacy@business-intensity.com
- Postal address: Business Intensity — France
