Privacy Policy

We treat your data the way we treat the wood in our workshop — with care, only what's needed, nothing wasted. This page explains what we collect, why, and the rights you have over it.

Last updated · June 17, 2026

1. Who we are

Aurora Limited sp. z o.o. ("Aurora Limited", "we", "us") is the data controller of personal data processed through aurora-limited.pro, our checkout, our AI planner, and any of our showrooms or studios. Our registered office is at Bartycka 22B/21A, 00-716 Warszawa, Poland.

You can reach our Data Protection Officer at [email protected].

2. What we collect

  • Account data — email, hashed password, display name, account preferences.
  • Order data — billing & shipping address, items ordered, credit balance, invoices, VAT identification where applicable.
  • Payment data — handled by our PCI-DSS compliant payment partner. We store the last four digits of the card and the transaction ID only.
  • AI Planner inputs — photos, floor plans, and prompts you upload, plus the renders we return. Used to deliver the service and improve quality with your consent.
  • Usage data — IP address, device & browser, pages visited, referrer, approximate location. Used for security, fraud prevention, and aggregate analytics.
  • Support & correspondence — anything you send to our team by email, chat, or contact form.

3. Why we process it

  • Contract — to deliver renders, fulfil orders, and run your account.
  • Legitimate interest — fraud prevention, debugging, security, product improvement.
  • Legal obligation — tax records, invoicing, consumer protection.
  • Consent — optional analytics, marketing emails, model-training contributions. Withdrawable at any time.

4. How long we keep it

  • Account & order records: 10 years (EU accounting law).
  • Renders & prompts: 18 months unless you delete them sooner.
  • Support tickets: 3 years.
  • Marketing-list entries: until you unsubscribe.
  • Server logs: 90 days.

5. Who we share it with

Sub-processors are limited to our payment provider, our shipping partners, our transactional email provider, our cloud hosting provider (EU region), and our analytics provider. A current list is available on request from the DPO.

We never sell your personal data and we don't share it with advertising networks.

6. International transfers

Data is stored in the European Economic Area. Where a sub-processor operates outside the EEA, transfers are covered by the European Commission's Standard Contractual Clauses and supplementary technical measures.

7. Your rights

  • Access, rectification, erasure, restriction, and portability of your data.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time, without affecting prior processing.
  • Lodge a complaint with your local supervisory authority (in Poland: the UODO).

To exercise any of these, write to [email protected]. We answer within 30 days.

8. Security

We use TLS in transit, AES-256 at rest, hashed passwords with per-user salts, role-based access controls, and quarterly penetration testing. We notify affected users and the relevant authority within 72 hours of any qualifying breach.

9. Changes

We update this policy when our practices change. Material changes are emailed to account holders at least 14 days before they take effect.