Privacy Policy
How Aura Protects Your Information
Aura is an AI therapy co-pilot that augments continuous care between live therapist sessions. This Privacy Policy explains how we collect, use, store, and share information when you interact with Aura across web, mobile, and integrated messaging channels such as WhatsApp. If you have any questions, contact support@citt.ai.
Last updated: November 8, 2025
Information We Collect
Aura gathers only the information needed to deliver safe, continuous therapeutic support and to keep your care team informed.
- Account & profile data: name, email, phone number, therapist assignment, and enrolment preferences collected during signup or provided by your clinic.
- Conversation content: messages, check-ins, proactive outreach responses, and voice-note transcripts shared with Aura. When you send audio, we transcribe it to text and discard the recording after processing.
- Therapy context: therapist prompts, modality preferences, consent acknowledgements, assessment results, and custom pricing records that help your therapist oversee care.
- Usage and device signals: timestamps, delivery status, reminder settings, and limited technical details used to maintain secure sessions and improve reliability.
- Billing details: payment method tokens and subscription metadata managed through Stripe on behalf of your therapist or clinic.
How We Use Your Information
- Deliver 24/7 AI-assisted chat support between live sessions.
- Share relevant updates, assessments, and risk alerts with your assigned therapist for oversight.
- Run safety checks that escalate crises to clinicians and emergency contacts.
- Send reminders and proactive check-ins via the Aura app, push notifications, email, or WhatsApp when you opt in.
- Process payments and manage therapist-specific subscription pricing.
- Improve Aura's quality, compliance, and security through analytics and auditing.
- Meet legal, regulatory, and contractual obligations with therapists and clinics.
Legal Bases for Processing
We rely on the following legal bases, depending on your region:
- Consent: for optional features such as proactive reminders, WhatsApp messaging, or voice transcription.
- Contract: to deliver services requested by you, your therapist, or your clinic.
- Legitimate interests: to keep Aura secure, prevent abuse, and enhance user experience while respecting your rights.
- Legal obligations: where we must meet regulatory, tax, or accounting requirements.
Sharing and Disclosure
We never sell personal information. We share data only with trusted partners that support core functionality:
- Your therapist or clinic: to coordinate care, review conversation summaries, and manage subscription settings.
- Supabase: secure database, storage, and authentication services hosted within the EU or US, depending on your tenant.
- Vercel: cloud hosting for the Aura web application.
- OpenAI & ElevenLabs: generate AI chat responses and optional audio playback. We minimise prompts and do not allow these providers to train on your data.
- Stripe: payment processing and subscription management.
- Meta (WhatsApp Business): when you opt to converse via WhatsApp; we send only the messages required to power the chat.
- Push notification providers: to deliver browser or device alerts when you enable them.
- Legal authorities: when required by law, to protect vital interests, or to respond to emergencies involving risk of harm.
Data Retention
We retain information for as long as you maintain an Aura account or as required by your clinic's policies. When your account is closed, we archive essential records for legal, regulatory, and safety purposes, then securely delete or anonymise the rest.
International Transfers
Aura may process data in jurisdictions where our partners operate, including the United States, European Union, and United Kingdom. We use standard contractual clauses or other approved safeguards to protect international transfers.
Security
We apply encryption in transit, least-privilege access controls, secure development practices, and ongoing monitoring. Despite these safeguards, no system is perfectly secure; please contact us immediately if you suspect unauthorised access to your account.
Your Rights and Choices
Depending on where you live, you may have rights to access, correct, delete, or export your data, and to object to or restrict certain processing. You can:
- Update settings in the Aura app or via your therapist.
- Adjust notification preferences, opt out of WhatsApp messaging, or revoke voice transcription at any time.
- Request data access or deletion by emailing support@citt.ai. We respond within the timelines required by applicable law.
- Remove the “Citt AI” app from your Facebook account settings (Settings > Apps and Websites > Citt AI > Send Request) if you use Aura through Facebook or WhatsApp. Meta will send a signed deletion request to Aura, and you will receive a confirmation code with status updates at chat.citt.ai/data-deletion.
Children’s Privacy
Aura is designed for adults and authorised adolescent patients under the supervision of licensed clinicians. We do not knowingly collect or store personal data from children without verifiable parental or clinical consent. Contact us if you believe a minor has used Aura without approval.
Changes to this Policy
We may update this Privacy Policy to reflect product improvements or legal requirements. Significant changes will be communicated through the Aura app or via email, and the “Last updated” date will be revised.
Contact Us
For privacy questions, data requests, or security concerns, email support@citt.ai. You can also reach your supervising therapist or clinic directly for care-related questions.