Aurabase Privacy Policy

Effective Date: March 30th, 2026

Last Updated: March 30th, 2026

Overview

Aurabase ("we," "us," or "our") is a product of Stack Digital. We operate a HIPAA-compliant patient operations platform ("the Platform") designed for medspa and wellness clinic operators ("Clinics"). This Privacy Policy describes how we collect, use, store, and protect information when you visit our website at aurabase.io or when Clinics use our Platform.

We take privacy seriously. If you have any questions about this policy, contact us at admin@aurabase.io.

1. Who This Policy Applies To

This policy applies to:

  • Visitors to the public-facing Aurabase website (aurabase.io)
  • Clinic administrators and staff who use the Aurabase Platform on behalf of their organization
  • Patients whose information is entered into the Platform by a Clinic

If you are a patient of a medspa or clinic that uses Aurabase, your Protected Health Information (PHI) is handled under a Business Associate Agreement (BAA) between Aurabase and your Clinic. Your Clinic is the Covered Entity under HIPAA and is responsible for its own privacy practices and patient-facing notices. Please refer to your Clinic's Notice of Privacy Practices for information about how your health data is used.

2. Information We Collect

2a. Website Visitors

When you visit aurabase.io, we may collect:

  • Usage data - pages visited, time on site, referring URL, browser type, device type
  • Analytics data - via Google Analytics (see Section 6)
  • Contact information - only if you voluntarily submit a contact or inquiry form (name, email, message)

We do not collect PHI from website visitors.

2b. Clinic Administrators and Staff

When a Clinic account is created and staff members are onboarded, we collect:

  • Name, email address, and role within the organization
  • Login credentials (passwords are hashed and never stored in plain text)
  • Login timestamps and session activity for security and audit purposes

2c. Patient Data (PHI)

Patient data entered into the Platform by Clinic staff may include:

  • Name, date of birth, contact information
  • Lead and membership status
  • Medication names, doses, and treatment dates
  • Lab and bloodwork records
  • Consult notes and outcomes
  • Payment and billing records
  • Referral relationships

This data constitutes Protected Health Information (PHI) under HIPAA. Aurabase acts as a Business Associate to each Clinic. We process and store this data solely on behalf of the Clinic and in accordance with our BAA obligations.

3. How We Use Information

Website visitors

  • To operate and improve the Aurabase website
  • To respond to inquiries and support requests
  • To analyze usage patterns and improve user experience via analytics

Clinic staff accounts

  • To authenticate users and manage access control
  • To maintain audit logs as required under HIPAA
  • To send transactional emails (account setup, password resets, system notifications) via AWS SES

Patient data

  • Solely to provide the Platform services to the Clinic
  • We do not use patient data for advertising, marketing, or any purpose beyond providing the contracted service
  • We do not sell, rent, or share patient data with any third party except as required to provide the Platform (see Section 5) or as required by law

4. Legal Basis for Processing

For users in jurisdictions with applicable data protection laws (including GDPR), our legal bases for processing are:

  • Contract - processing necessary to provide the Platform under our agreement with Clinics
  • Legal obligation - processing required to comply with HIPAA, applicable law, or court orders
  • Legitimate interests - processing necessary to operate, secure, and improve our services, where not overridden by individual rights
  • Consent - where you have provided explicit consent (e.g. marketing communications, if applicable)

5. How We Share Information

We do not sell personal information. We share information only in the following circumstances:

Service providers

We use a limited set of third-party service providers to operate the Platform. Each provider is bound by a data processing agreement and, where applicable, a BAA:

Provider                  | Purpose                                    | Data shared
Amazon Web Services (AWS) | Cloud hosting, database (RDS), email (SES) | All platform data
Stripe                    | Payment processing                         | Billing and payment data
Google Analytics          | Website analytics                          | Anonymized usage data

We do not share PHI with any provider that has not signed a BAA.

Legal requirements

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Aurabase, our users, or the public.

Business transfers

If Aurabase is acquired, merged, or undergoes a change of ownership, data may be transferred as part of that transaction. We will notify affected Clinics in advance and ensure successor entities maintain equivalent privacy protections.

6. Cookies and Analytics

Cookies

We use essential cookies to operate the Platform, including session authentication cookies. These are strictly necessary and cannot be disabled without affecting Platform functionality.

We may use analytics cookies on the public marketing site. You can opt out of analytics cookies via our cookie consent tool or by installing a browser opt-out extension.

Google Analytics

We use Google Analytics to understand how visitors use the aurabase.io marketing website. This data is anonymized and does not include PHI. You can opt out at tools.google.com/dlpage/gaoptout.

Analytics are not active inside the authenticated Platform - only on the public-facing marketing site.

7. Data Security

We implement industry-standard and HIPAA-required security measures to protect all data on the Platform:

  • Encryption at rest - all database data encrypted at rest on AWS RDS
  • Encryption in transit - all data transmitted over HTTPS/TLS
  • Access controls - role-based access control limits staff to only the data they need
  • Audit logging - all access to PHI is logged with user, timestamp, and action
  • Session timeouts - authenticated sessions expire after 8 hours of inactivity
  • Password security - passwords are hashed using bcrypt and never stored in plain text
  • Backups - encrypted automated daily backups with point-in-time recovery

Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately at admin@aurabase.io.

8. Data Retention

Data type          | Retention period
Website analytics  | 26 months (Google Analytics default)
Staff account data | Duration of Clinic subscription + 90 days after termination
Patient PHI        | Duration of Clinic subscription + as required by applicable law
Audit logs         | Minimum 6 years as required under HIPAA
Backup data        | 30-day rolling window

Upon termination of a Clinic's subscription, we will provide a data export window of 30 days. After that window, data is securely deleted unless retention is required by law.

9. Your Rights

Clinic administrators and staff

You have the right to:

  • Access the personal information we hold about your staff account
  • Request correction of inaccurate information
  • Request deletion of your account (subject to legal retention requirements)
  • Export your organization's data during the offboarding window

Patients

Patient rights regarding PHI - including the right to access, amend, and receive an accounting of disclosures - are governed by HIPAA and are exercised through the Clinic, not directly through Aurabase. Please contact your Clinic directly to exercise these rights.

Website visitors (GDPR / CCPA)

If you are located in the EU, UK, or California, you may have additional rights including:

  • Right to access data we hold about you
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

To exercise any of these rights, contact us at admin@aurabase.io. We will respond within 30 days.

10. HIPAA Compliance

Aurabase is designed and operated as a HIPAA-compliant Business Associate. We:

  • Enter into a Business Associate Agreement (BAA) with each Clinic before PHI is processed
  • Implement all required Technical, Physical, and Administrative Safeguards under the HIPAA Security Rule
  • Maintain breach notification procedures under the HIPAA Breach Notification Rule
  • Do not use or disclose PHI beyond what is permitted by our BAA and applicable law

In the event of a breach of unsecured PHI, we will notify affected Clinics within the timeframe required by HIPAA so they can fulfill their own notification obligations.

11. Children's Privacy

The Aurabase Platform and website are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child's information has been submitted to the Platform, please contact us at admin@aurabase.io.

12. Third-Party Links

The Aurabase website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify Clinic administrators via email at least 14 days before the change takes effect.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated policy.

14. Contact Us

For privacy-related questions, data requests, security issues, or to report a concern:

Email: admin@aurabase.io