Effective: June 28, 2026
We collect information you provide directly: Account Information — email address, username, and password when you register. Profile Information — optional bio, avatar, and preferences. User Content — forum posts, comments, product reviews, wishlist items, and comparison history. Communications — if you contact us, we keep records of those interactions.
We also collect automatically: Usage Data — pages visited, features used, search queries, time spent. Device Information — browser type, operating system, IP address. Cookies & Similar Technologies — necessary cookies for authentication, analytics cookies for improvement (with your consent).
If you upload product photos, we extract and discard metadata (EXIF data including GPS location) before storage. We do not collect sensitive health information, though product ingredients you search for may imply skin concerns.
We use your information to: provide and maintain the service (authentication, forum, comparisons); personalize your experience (product recommendations, saved comparisons); communicate with you (password reset, notification emails, newsletter if subscribed); improve our platform (analyze usage patterns, fix bugs, train moderation AI); comply with legal obligations (respond to lawful requests, enforce our Terms); and detect and prevent abuse (spam, fraudulent accounts, terms violations).
We do not sell your personal information to third parties. We do not use your data for targeted advertising. We do not share your data with beauty brands or retailers.
If you are in the European Economic Area (EEA), our legal bases for processing are: Consent — for cookies, newsletter subscription, and optional profile features. Contractual Necessity — to provide the service you signed up for (authentication, forum features). Legitimate Interests — to improve our platform, prevent abuse, and ensure security. Legal Obligation — to comply with applicable laws and regulatory requirements.
We retain your data only as long as necessary: Account information — until you delete your account (available in account settings). Forum posts and reviews — retained indefinitely but anonymized if you delete your account (author becomes "Deleted User"). Wishlist and comparison history — 90 days after account deletion. Failed login attempts — 24 hours. Notifications — 90 days. Search logs — 30 days. Error logs — 7 days.
Depending on your jurisdiction, you have the right to: Access — request a copy of your personal data. Correction — update inaccurate information. Deletion — request erasure of your data (GDPR Art. 17 "right to be forgotten"). Portability — receive your data in a structured, machine-readable format (JSON). Restriction — limit how we process your data. Objection — object to processing based on legitimate interests. Withdraw Consent — at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email privacy@auracompare.com. We will respond within 30 days. For Quebec residents: you may also contact the Commission d'accès à l'information du Québec.
We use the following categories of cookies: Necessary — authentication tokens, CSRF protection, session management. These cannot be disabled. Analytics — anonymous usage statistics to improve our platform (optional, consent required). We do not use advertising or tracking cookies from third parties.
You can manage cookie preferences via our cookie consent banner (shown on first visit). You may also configure your browser to reject cookies, though some features may not function properly.
We use the following third-party services: Cloudflare — DNS, CDN, DDoS protection, edge security (SSL, WAF). Data passed through Cloudflare includes IP addresses and request metadata. Cloudflare R2 — object storage for user-uploaded images. SMTP2GO — transactional email delivery (password resets, notifications). GitHub Pages — frontend hosting. Oracle Cloud — backend API hosting. Sentry — error tracking (only when enabled).
Each service has been selected for its security posture. Data transfers are protected by encryption in transit (TLS 1.2+) and at rest. Where services are located outside Canada, we rely on adequacy decisions or Standard Contractual Clauses.
We implement appropriate technical and organizational measures: encryption in transit (TLS 1.2+), encryption at rest (database encryption, R2 server-side encryption), password hashing (bcrypt, 12 rounds), JWT with RS256 asymmetric signatures, regular security audits, rate limiting and brute-force protection, and strict access controls (no direct database access from outside the Docker network).
Despite these measures, no online service is 100% secure. In the event of a data breach affecting your personal information, we will notify you within 72 hours as required by GDPR Art. 33.
AuraCompare is not intended for users under the age of 13. Users under 18 may not purchase age-restricted products (those containing retinol, vitamin A derivatives, or other regulated ingredients) without parental supervision. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, contact us immediately.
Your data is primarily processed in Canada and the United States. For users in the European Economic Area, the United Kingdom, and Switzerland, we ensure appropriate safeguards are in place through Cloudflare's GDPR compliance program and Standard Contractual Clauses with sub-processors.
We may update this Privacy Policy from time to time. Material changes will be notified via email (if you have an account) or a prominent notice on the website. Continued use of the service after changes constitutes acceptance. We encourage you to review this policy periodically.
For privacy-related inquiries, data subject requests, or to reach our Data Protection Officer: Email: privacy@auracompare.com
Address: AuraCompare Privacy, c/o Capecraft Digital, Halifax, Nova Scotia, Canada
Quebec Law 25: For Quebec residents, our privacy officer can be reached at the same email. You have the right to request information about the personal data we hold, how it is used, and to whom it is disclosed.
California Residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of your data. We do not sell your personal information.
Necessary (always active): `aura_token` — JWT authentication token. `csrf_token` — CSRF protection. `aura_consent` — cookie consent preference. Expiry: session to 1 year.
Analytics (optional): Currently none. We may add privacy-preserving analytics in the future with prior consent.