AURAXIO PRIVACY POLICY
Effective Date: [LAUNCH DATE]
Last Updated: [LAUNCH DATE]
WHO WE ARE
Auraxio ("Auraxio," "we," "us," or "our") is a software platform that helps licensed real estate agents generate, deliver, and store buyer representation agreements in compliance with applicable state law. We operate at app.auraxio.com.
For privacy questions, contact us at: privacy@auraxio.com
WHAT THIS POLICY COVERS
This Privacy Policy explains:
- What personal information Auraxio collects
- Why we collect it
- How we use and protect it
- Who we share it with
- Your rights regarding your information
- How long we retain it
This policy applies to all users of auraxio.com and app.auraxio.com, including real estate agents ("Agents") who hold accounts and buyers ("Buyers") who access the platform solely to sign agreements.
1. INFORMATION WE COLLECT
1a. Information Agents Provide Directly
When you create an Auraxio account and use the platform, we collect:
Account Information
- Full name
- Email address
- Password (stored as a bcrypt hash — we never store your plain-text password)
- Brokerage name
- Real estate license number
- Licensed state(s): Texas, California, and/or Florida
Professional Settings
- Default compensation rate or fee
- Default agreement type preference
- Default agreement term preference
Payment Information
- Subscription status and plan
- Subscription ID from Dodo Payments
We do NOT collect, store, or process credit card numbers or banking information. All payment processing is handled by Dodo Payments, our Merchant of Record. See their privacy policy at dodopayments.com.
1b. Information Collected When Generating Agreements
When an Agent generates a buyer representation agreement, we collect:
Buyer Information (entered by the Agent)
- Buyer first name and last name
- Buyer phone number (encrypted at rest using AES-256 encryption)
- Buyer type: individual or corporate/entity
Agreement Information
- Agreement type (full representation, showing only, etc.)
- State (TX, CA, or FL)
- Compensation amount or rate
- Agreement start and end dates
- Property address (if provided, via GPS or manual entry)
1c. Information Collected During Buyer Signing
When a Buyer signs an agreement via the unique signing link, we automatically collect:
- IP address at the time of signing (encrypted at rest)
- Device type (e.g., iPhone, Android, desktop browser)
- Browser user agent string
- Date and time of signing (UTC timestamp)
- Drawn signature image (stored as base64-encoded PNG, embedded in the PDF)
This information is collected to establish a legally valid audit trail for the electronic signature under the Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001).
1d. Information Collected Automatically
When you use the Auraxio platform, we automatically collect:
Usage Analytics (via PostHog)
- Pages visited within the app
- Features used
- Button interactions
- Time spent on each screen
- Funnel progression (e.g., form started vs. agreement sent)
Buyers are never identified in PostHog. All buyer-side analytics are anonymous session data only. Agents are identified by a PostHog identifier that we control and can delete.
Error and Performance Data (via Sentry)
- JavaScript errors and stack traces
- API response times
- Browser and device information at time of error
Sentry data contains no PII beyond what is necessary for debugging. We configure Sentry to scrub sensitive fields.
Session Data (via Supabase Auth)
- Authentication session tokens stored as encrypted browser cookies
- Session expiry timestamps
2. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes:
To Provide the Service
- Generate legally compliant buyer representation agreements using Claude AI (Anthropic)
- Deliver agreements to buyers via SMS (Twilio)
- Send signed agreement notifications and expiry alerts to agents via email (Resend)
- Store signed agreements permanently in the agent's legal vault
- Track agreement status (pending, signed, expired, cancelled)
To Maintain Legal Compliance
- Create and preserve a legally valid audit trail for electronically signed documents
- Enforce state-specific legal requirements (Texas SB 1968, California AB 2992, Florida Chapter 475)
- Retain signed agreements as legally required documents
To Operate and Improve the Platform
- Monitor product usage to improve features (PostHog)
- Detect and fix errors (Sentry)
- Keep our development database active (GitHub Actions heartbeat)
To Communicate With Agents
- Send transactional emails: agreement signed, agreement expiring, agreement expired, payment confirmation, payment failed
- Send optional operational emails: weekly digest, first month summary
- Send optional lifecycle emails: onboarding tips
Agents can opt out of optional emails at any time. Transactional emails (legally or financially significant) cannot be opted out of while the account is active.
To Process Payments
- Verify subscription status to enforce the freemium tier (3 free agreements) and paid tier
- Record subscription activation and cancellation events
We do NOT use your information for:
- Selling or renting personal data to any third party
- Targeted advertising or behavioral marketing
- Training AI models on your agreement content or personal data
- Any purpose incompatible with the purposes described above
3. WHO WE SHARE YOUR INFORMATION WITH
Auraxio shares personal information only with the service providers necessary to operate the platform. We do not sell personal information. We do not share personal information with advertisers.
| Service Provider | What They Receive | Why | Their Privacy Policy |
|---|---|---|---|
| Supabase | All stored data (encrypted) | Database and file storage hosting | supabase.com/privacy |
| Anthropic (Claude API) | Agreement context: state, type, compensation, term dates | AI agreement text generation. No buyer PII is sent. | anthropic.com/privacy |
| Twilio | Buyer phone number, SMS message text | Delivering agreements via SMS | twilio.com/legal/privacy |
| Resend | Agent email address, email content | Delivering notifications to agents | resend.com/legal/privacy-policy |
| PostHog | Anonymous usage events, agent identifier | Product analytics | posthog.com/privacy |
| Sentry | Error logs, browser/device info | Error monitoring and debugging | sentry.io/privacy |
| Dodo Payments | Agent email, subscription details | Payment processing and Merchant of Record | dodopayments.com/privacy |
| Vercel | Web request data (standard server logs) | Application hosting | vercel.com/legal/privacy-policy |
Legal Disclosures
We may disclose personal information if required to do so by law, court order, subpoena, or other legal process. We will notify affected users where legally permitted to do so.
Business Transfers
If Auraxio is acquired, merged, or its assets are sold, personal information held by Auraxio may be transferred to the acquiring entity. We will notify users via email and/or a prominent notice on the platform before data is transferred and becomes subject to a different privacy policy.
4. DATA RETENTION
| Data Type | Retention Period | Reason |
|---|---|---|
| Signed agreement PDFs | Permanent | Legal documents — the agent's legal protection |
| Agreement audit trail (IP, timestamp, signature) | Permanent | Required for legal enforceability |
| Agent account data | Active period + 30 days after cancellation | Account management |
| Buyer names and phone numbers | Retained with their agreement | Cannot be separated without destroying the legal record |
| Payment records | 7 years | Standard financial record-keeping |
| PostHog analytics | 1 year rolling | Product improvement |
| Sentry error logs | 90 days | Debugging |
| Email logs | 1 year | Delivery confirmation and support |
Important Note on Signed Agreements: Because signed buyer representation agreements are legal documents that protect agents from commission disputes and regulatory fines, Auraxio retains them permanently. If you close your Auraxio account and request deletion, your signed agreements will be retained in our archive unless you explicitly request their deletion AND acknowledge in writing that deletion removes your documented legal protection for those transactions. We will fulfill deletion requests that include this acknowledgment.
5. DATA SECURITY
We implement the following security measures to protect your information:
Encryption
- All data in transit: TLS 1.3 (HTTPS everywhere)
- Buyer phone numbers: AES-256 encryption at rest
- Signing IP addresses: AES-256 encryption at rest
- Passwords: bcrypt hashing with salt (never stored in plain text)
- PDF storage: Supabase private buckets (not publicly accessible)
Access Controls
- Row Level Security (RLS) on all database tables: agents can only access their own data
- Buyer signing page: buyers can only access the specific agreement sent to them
- No agent can access another agent's agreements, buyers, or settings
- Service role key (admin database access) is never exposed to the frontend
Infrastructure
- Database hosted on Supabase (SOC 2 Type II certified)
- Application hosted on Vercel (SOC 2 Type II certified)
- All third-party processors are reviewed for security practices
Monitoring
- Sentry monitors for unexpected errors and potential security incidents
- Audit log records all significant actions (agreement generated, signed, downloaded)
- Founder is alerted immediately for any new error class or security anomaly
Despite these measures, no system is completely secure. We encourage agents to use strong, unique passwords and to notify us immediately at security@auraxio.com if they suspect unauthorized access to their account.
6. BUYERS — SPECIAL NOTICE
If you are a buyer who received an SMS link from your real estate agent and used that link to sign a buyer representation agreement, please note:
- You were not required to create an Auraxio account
- Your name and phone number were entered by your agent
- We collected your IP address, device type, and signature at the time of signing
- This information forms the legal audit trail for your electronically signed agreement
- Your signed agreement is accessible via your unique link permanently
- We do not use your contact information to market to you
- We do not share your information with any third party except as required for the signing process
- To request a copy of your signed agreement, use the download button on the signing page or contact your agent
7. YOUR RIGHTS
Agents (Account Holders)
You have the right to:
Access: Request a complete export of all personal data we hold about you. Email privacy@auraxio.com. We will respond within 30 days.
Correction: Update your account information at any time via Settings in the app. For information you cannot update yourself, email privacy@auraxio.com.
Deletion: Request deletion of your account and associated data. See the note in Section 4 regarding signed agreements. Email privacy@auraxio.com.
Email Opt-Out: Unsubscribe from optional emails using the unsubscribe link in any email. Transactional emails cannot be opted out of while your account is active.
Data Portability: Request your agreement data in a machine-readable format. Email privacy@auraxio.com.
California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt-out of the sale or sharing of personal information (Auraxio does not sell or share personal information for advertising purposes)
- Right to non-discrimination for exercising CCPA rights
To exercise any of these rights, contact privacy@auraxio.com. We will respond within 45 days.
Note: As of the date of this policy, Auraxio does not meet the CCPA revenue or data volume thresholds that trigger mandatory compliance. We nonetheless comply voluntarily because we serve California real estate agents and believe these protections are right.
All Users
We do not discriminate against any user for exercising their privacy rights.
8. COOKIES
Auraxio uses a limited number of cookies:
Essential Cookies (cannot be disabled)
- Supabase authentication session cookie: keeps you logged into the app. Without this, the app does not function.
Analytics Cookies (can be disabled)
- PostHog: tracks anonymous usage patterns to help us improve the product. No personal information is stored in these cookies. Buyers are never cookied.
Auraxio does NOT use advertising cookies, retargeting pixels, or any third-party tracking beyond what is listed above. See our full Cookie Policy at auraxio.com/cookies.
9. CHILDREN'S PRIVACY
Auraxio is a professional platform for licensed real estate agents. It is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected such information, we will delete it promptly.
10. INTERNATIONAL USERS
Auraxio is currently operated for and targeted at real estate agents in the United States (Texas, California, and Florida). If you access Auraxio from outside the United States, your information will be processed and stored in the United States. By using Auraxio, you consent to the transfer of your information to the United States.
11. CHANGES TO THIS POLICY
We may update this Privacy Policy as our practices change or as laws evolve. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Send an email notification to all active account holders
- Display a notice in the app for 30 days after the change
Continued use of Auraxio after a policy update constitutes acceptance of the updated policy. If you do not agree to the updated policy, you may close your account.
12. CONTACT US
For privacy questions, requests, or concerns:
Email: privacy@auraxio.com
Response Time: Within 30 days for standard requests. Within 48 hours for urgent security matters.
Mailing Address: Auraxio [REGISTERED ADDRESS] [CITY, STATE, ZIP]
This Privacy Policy was written in plain language intentionally. If any provision is ambiguous, we will interpret it in favor of greater privacy protection.