Your Privacy Matters to Us
Privacy Policy
We are committed to protecting the privacy and security of your personal information. This Privacy Policy outlines how we collect, use, and safeguard your data when you use our website, services, or third-party integrations such as Meta platforms and Google Calendar.
This Privacy Policy explains how Auroo (“we”, “us”, or “our”) collects, uses, stores, and protects your information when you use the Auroo platform (“Service”), including our website (tryauroo.com) and our integrations with Meta platforms (Facebook and Instagram) and Google Calendar.
By using our Service, you agree to the collection and use of information as described in this policy.
Who We Are
Auroo provides a business dashboard that helps organisations manage customer conversations, leads, and appointments. Our Service integrates with third-party platforms including Facebook Messenger, Instagram Direct Messages, Facebook Lead Ads, and Google Calendar to enable businesses to communicate with their customers and manage their schedules from a single interface.
We do not sell your data to any third parties. We may share data only with service providers who assist in delivering our services.
Account Information
When you register an account or use our services, we collect:
- Name and email address (via Clerk authentication)
- Phone number and company information (business name, website)
- Organisation and business details provided during onboarding
- Payment information (processed securely by Stripe — we do not store card details)
Facebook & Instagram Data
When you connect a Facebook Page or Instagram Business account to Auroo, we collect and process:
- Page information: Facebook Page name, Page ID, and page access tokens
- Messages: Inbound and outbound messages between your Facebook Page/Instagram account and your customers via Messenger and Instagram Direct Messages
- Customer profile information: Names and profile pictures of people who message your Page (accessed via Business Asset User Profile Access)
- Lead Ad submissions: Name, email, phone number, and any other fields submitted by users through your Facebook Lead Ads forms
- Webhook data: Real-time notifications from Meta about new messages and lead submissions
Google Calendar Data
When you connect your Google Calendar account to Auroo, we collect and process:
- Google account email: The email address associated with your Google account, used to identify the connected account
- Calendar events: Event details such as titles, dates, times, and attendees for appointments synced between Auroo and Google Calendar
- OAuth tokens: Access and refresh tokens used to maintain the connection and access calendar data on your behalf
Auroo’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google Calendar data to provide and improve the calendar sync feature within Auroo.
Usage Data
We collect certain information automatically, such as:
- Log data (IP address, browser type, pages visited, device information)
- Feature usage within the dashboard
- Error and performance data
Cookies
We use cookies and similar tracking technologies to enhance your experience and gather data about your preferences and browsing behaviour.
We use the information we collect for the following purposes:
- Account information: To create and manage your account, process payments, and provide customer support
- Facebook/Instagram messages: To display conversations in your Auroo inbox, enable you to reply to customers, and — when you choose to use AI-powered features — to extract contact details and generate conversation summaries using our AI service provider (OpenAI)
- Customer profile information: To display customer names and photos in conversation threads so you can identify who you are communicating with
- Lead Ad submissions: To display leads in your dashboard so you can follow up with potential customers
- Page information & access tokens: To maintain the connection between your Facebook Page and Auroo, subscribe to webhooks, and send/receive messages on your behalf
- Google Calendar data: To sync appointments between your Auroo dashboard and Google Calendar, so that changes made in either platform are reflected in the other
- Google OAuth tokens: To maintain the connection between your Google Calendar and Auroo and access calendar data on your behalf
- Usage data: To improve our Service, troubleshoot issues, analyse usage trends, and optimise our website
What We Do Not Do
We do not:
- Sell your data or your customers’ data to third parties
- Use message content for advertising purposes
- Share data with third parties for their own marketing purposes
- Use Facebook, Instagram, or Google Calendar data for purposes unrelated to providing our Service
- Use your data to train AI models — our AI provider (OpenAI) processes data strictly to deliver responses and does not use it for training, advertising, or any other purpose
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:
- Performance of a contract: Processing your account data and connected platform data to provide the Service you signed up for
- Legitimate interest: Usage analytics to improve our Service, and security monitoring
- Consent: Connecting your Facebook Page, Instagram account, or Google Calendar to Auroo (you explicitly authorise this via the respective OAuth flow)
We share data with the following categories of service providers, solely to operate our Service:
- Meta (Facebook/Instagram): Send and receive messages, retrieve leads. Data shared: messages, Page tokens.
- Google (Google Calendar API): Sync calendar events. Data shared: event details, OAuth tokens.
- Clerk: Authentication. Data shared: email, name.
- Stripe: Payment processing. Data shared: payment details (handled directly by Stripe, PCI-DSS compliant).
- Supabase: Database hosting. Data shared: all stored application data (encrypted at rest).
- OpenAI: AI-powered conversation parsing and data extraction. Data shared: when you use AI features, conversation transcripts from Facebook Messenger or Instagram Direct Messages are sent to OpenAI’s API to extract contact details (such as name, email, and phone number) and generate conversation summaries. OpenAI processes this data solely to deliver the requested output and does not use it for advertising, model training, or any purpose beyond providing the service. See OpenAI’s Privacy Policy for more details.
We may also share your information in the following circumstances:
- You request or authorise it
- To comply with legal obligations or respond to legal requests
- In connection with a merger, acquisition, or sale of assets
We never sell, rent, or trade your personal information to any third party.
We take reasonable measures to protect your data:
- All data is transmitted over HTTPS with TLS encryption
- Database data is encrypted at rest
- Facebook Page access tokens and Google OAuth tokens are stored securely
- Authentication is handled by Clerk with industry-standard security practices
- Payment processing is handled by Stripe (PCI-DSS compliant)
- Access to user data is restricted to authorised personnel
- We use secure cloud infrastructure with rate limiting to prevent abuse
We do not use your data to train AI models. Our AI-powered features are provided by OpenAI, which processes conversation data strictly to extract information and generate summaries at your request. OpenAI does not use this data for advertising, model training, or any other purpose. We also use technologies like Retrieval-Augmented Generation (RAG) to process data securely without training on it.
However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
We retain your data for as long as your account is active and as needed to provide our Service:
- Account data: Until you delete your account
- Messages & conversations: Until you disconnect the Facebook Page, delete your account, or request deletion
- Lead Ad data: Until you delete your account or request deletion
- Google Calendar data: Until you disconnect Google Calendar, delete your account, or request deletion
- Google OAuth tokens: Until the Google Calendar integration is disconnected or the token is revoked
- Page access tokens: Until the page is disconnected or the token expires
- Usage & log data: Up to 12 months
When data is no longer needed, it is deleted or anonymised. If you request that we delete your data, we will comply unless retention is required by law.
You can request deletion of your data at any time through any of these methods:
- Disconnect your Facebook Page or Google Calendar in Auroo Settings > Integrations — this deactivates the connection and associated data
- Delete your account — contact us at [email protected] to request full account deletion
- Email us directly at [email protected] with a deletion request
If you remove the Auroo app from your Facebook account (via Facebook Settings > Business Integrations), Meta will automatically notify us via our data deletion callback, and we will deactivate all associated data.
We do not charge any fee for data deletion requests. No approval is required — your request will be processed promptly.
Regardless of where you are located, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct any inaccurate data
- Deletion: Request that we delete your personal data
- Portability: Request your data in a machine-readable format
- Objection: Object to our processing of your data where we rely on legitimate interest
- Withdraw consent: Withdraw your consent for data processing at any time (e.g., by disconnecting your Facebook Page or Google Calendar)
- Opt-out: Opt out of receiving promotional communications
To exercise any of these rights, contact us at [email protected]. We will respond to all requests within 30 days. There is no fee to exercise your rights.
Additional Rights for EEA/UK Residents
If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.
Additional Rights for California Residents (CCPA)
California residents have the right to know what personal information is collected, request deletion, and opt out of data sales. We do not sell personal information.
Our Service is not directed to individuals under the age of 13. We do not knowingly collect or solicit personal information from children. If we become aware that we have collected data from a child under 13, we will take steps to delete it promptly. If you believe that a child has provided us with personal information, please contact us immediately at [email protected].
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the “Last Updated” date at the top of this page. We encourage you to review this policy periodically.
Contact Us
If you have any questions about this Privacy Policy, your data, or your rights, please contact us:
- Email: [email protected]
- Website: tryauroo.com