Privacy policy.

This Policy applies to personal information we process as a data controller when you interact with our websites, documentation, and marketing communications, and as a data processor when we provide Services to enterprise customers.

For processing performed on behalf of enterprise customers, our Data Processing Addendum governs the relationship. Customer organizations maintain control over personal data processed within their AuraOne environments.

We collect the categories of information below in the course of providing our websites, products, and services. Specific items vary by product surface and customer configuration.

Category

Account & contact

Name, email, company, job title, and authentication credentials.

Category

Usage & telemetry

Feature usage patterns, interaction events, performance metrics, and error rates.

Category

Support data

Ticket content, help desk communications, and troubleshooting logs.

Category

Technical logs

IP addresses, browser type, device identifiers, and security logs.

Category

Payment info

Billing contact and transaction history processed via Stripe.

We use the information described above to operate, secure, and improve the Service, and to meet our legal and contractual obligations.

• ·Service delivery and operations
• ·Security and fraud prevention
• ·Service improvement and analytics
• ·Legal compliance and obligations
• ·Contractual enforcement
• ·Communications and notifications
• ·Safety research using anonymized data
• ·Business administration

Where GDPR applies, we rely on the following lawful bases for processing personal data.

Basis

Contractual necessity

Processing required to perform our contract with you, including providing the Service.

Basis

Legitimate interests

Service improvement, security monitoring, fraud prevention, and internal administration.

Basis

Legal obligations

Compliance with tax laws, financial reporting, and data protection regulations.

Basis

Consent

Where required, we obtain explicit consent, including for marketing communications.

Rubric Studio Open is designed as a local-first authoring tool. These controls apply to the desktop app, browser editor, CLI companion, telemetry controls, crash reporting, and AuraOne intake export flow.

Control

Local-first authoring

Desktop projects stay on the user's machine unless the user explicitly exports, shares, or connects a hosted service. Browser edition projects use browser storage and user-provided provider keys where configured.

Control

Telemetry controls

Rubric Studio Open telemetry is opt-in and transparent. Users can keep it off, review the event log, and disable submission without losing local authoring functionality.

Control

Intake export

AuraOne intake export sends rubric packages only after an explicit user action. The export preview and redaction flow is designed to avoid silent background transfer.

Control

Crash reporting

Crash reporting is default-off for the open app until enabled by the user. Crash payloads are intended to exclude API keys, credentials, and user-authored rubric content.

We implement technical and organizational measures designed to protect personal information, including encryption in transit and at rest, access controls, and security monitoring.

Specific controls and configurations vary by deployment and customer requirements. We can share details during a security review.

• ▸Full encryption
• ▸Access controls and MFA
• ▸VPC network segmentation
• ▸Vulnerability management
• ▸Incident response team

View full security documentation →

We do not use customer data to train internal AI models without explicit consent.

• ✓Customer-controlled training: you retain full ownership of your models and training data.
• ✓Aggregated analytics: we use anonymized telemetry for platform improvement.
• ✓Safety research: conducted using synthetic or public data only.