Last updated · May 12, 2026

Privacy Policy

This policy explains what personal data Aureus collects, why, how it is protected, and the rights you have over it under the Brazilian LGPD (Law 13.709/2018) and applicable international frameworks.

1. Who controls your data

Aureus is the data controller for personal information processed through the platform. While our legal entity is being constituted, the responsible natural person is the founder operating the service. For privacy enquiries, write to privacy@aureusdesk.com.

2. Personal data we collect

We collect the minimum data needed to operate the service, grouped as follows:

  • Account data — name, email address, password hash, profile image (via Clerk authentication).
  • Usage data — the tickers you query, agent runs you trigger, the outputs we generate, timestamps, and aggregate token counts for billing.
  • Device data — an HttpOnly cookie used to associate anonymous analyses with your browser until you sign in, plus the IP address and user-agent attached to each request for security and rate-limit purposes.
  • Payment data — when paid plans are active, billing details are processed by our payment processor (Stripe or local equivalent). We do not store card numbers.
  • Communications — content of any support exchange you initiate by email.

3. Purposes and legal bases (LGPD Art. 7)

We process data only when one of the following legal bases applies:

  • Performance of the contract you accept (Terms of Service): account creation, running analyses, storing and exporting your results.
  • Legitimate interest: security, fraud prevention, abuse detection, product analytics in aggregated form.
  • Consent: optional features such as marketing emails, analytics cookies (PostHog), and session-replay error tracking (Sentry).
  • Legal obligation: tax records, response to lawful requests by Brazilian authorities.

4. Third-party processors

Aureus relies on the following sub-processors. Each operates under its own DPA and security posture; their data centres are predominantly in the United States.

  • Anthropic (anthropic.com) — generates analytical outputs from your input. Anthropic does not train on your data per its commercial agreement.
  • Clerk (clerk.com) — authentication, identity, and session management.
  • Neon (neon.tech) — managed PostgreSQL storing your analyses and account data.
  • Vercel (vercel.com) — web hosting and edge delivery (after deployment).
  • Yahoo Finance — public market data source (we read; we do not send your data there).
  • Sentry (sentry.io) — server-side error monitoring; we mask UI text by default.
  • PostHog (posthog.com) — product analytics; only loaded after explicit consent (see Cookies section).

5. International transfers

Most of our sub-processors are headquartered in the United States. Cross-border transfers are conducted under standard contractual clauses and equivalent mechanisms recognised by the LGPD as ensuring an adequate level of protection (LGPD Art. 33).

6. Retention

Account data is retained for the duration of your account plus 30 days for export and recovery. Saved analyses are retained as long as your account is active; they can be deleted individually at any time from the dashboard.

Aggregate, non-identifying usage logs may be retained longer for product analytics and security audit purposes.

7. Your rights under LGPD (Art. 18)

You may at any time exercise the following rights:

  • Confirmation of the existence of processing.
  • Access to your data.
  • Correction of incomplete, inaccurate or outdated data.
  • Anonymisation, blocking or deletion of unnecessary or excessive data.
  • Portability of your data to another provider.
  • Deletion of personal data processed on the basis of consent.
  • Information on the public and private entities with which we share data.
  • Information on the possibility of refusing consent and its consequences.
  • Revocation of consent at any time.

8. Cookies

Essential cookies are necessary for the service to operate (HttpOnly device cookie, Clerk session). They are set without consent on the legal basis of contract performance.

Optional cookies (analytics, error monitoring) are loaded only after you grant consent through the banner shown on first visit. You may revoke consent at any time from the Cookies preferences link in the footer.

9. Security

All traffic is encrypted in transit with TLS. Data at rest is encrypted by our cloud providers. Access to production systems is restricted to the founders, behind multi-factor authentication. We follow the OWASP top-10 mitigation guidelines in our application code.

No system is perfectly secure. In the unlikely event of a confirmed personal-data incident, we will notify affected users and the ANPD within the reasonable timeframe defined by LGPD Art. 48.

10. Children

The service is not directed to children under 18. We do not knowingly collect data of minors. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy as the service evolves. Material changes are notified by email and via a banner on the dashboard at least 15 days before they take effect.

Data Protection Officer

Privacy requests, LGPD rights requests, and breach reports should be sent to privacy@aureusdesk.com. We respond to LGPD Art. 19 requests within 15 days, subject to legal extensions.