Privacy Policy
Effective date: [DATE — update when you publish] Last updated: [DATE]
⚠️ LEGAL REVIEW REQUIRED. This document is a starting draft based on what the AurumX app currently does. Run it past a privacy attorney before publishing, especially the data-sharing, retention, and California/EU sections.
TL;DR
AurumX is a mobile app where you open digital “packs” containing precious metals you can ship to your door or sell back at spot. To make that work we collect your account email, your shipping address (only if you ask us to ship something), and a record of your transactions. We don’t sell your data to anyone. You can delete your account in-app at any time, which permanently removes your profile, vault contents, and addresses.
Who we are
[LEGAL ENTITY NAME] (referred to in this policy as “AurumX,” “we,” “us,” or “our”) operates the AurumX mobile application and the website at https://aurumxgold.app. You can reach us at:
- Email: support@aurumxgold.app
- Mailing address: [STREET, CITY, STATE, ZIP — required for many jurisdictions]
- Data Protection Officer (if applicable): [NAME, EMAIL]
What we collect
Information you give us
| Data | When | Why |
|---|---|---|
| Email address | At sign-up | Account identity, login, transactional emails |
| Display name (optional) | At sign-up or first Apple Sign-In | Personalisation in the app |
| Date of birth | At KYC verification | Verify you’re 18+, comply with sweepstakes/sweepstakes laws |
| Shipping address | When you save one or ship a vault item | Fulfilment of physical shipments |
| Government ID + selfie | At KYC verification (only if shipping > $10k) | Identity verification through our KYC provider |
| Payment information | At top-up (when payments are live) | Process payments through our payment processor |
Information we collect automatically
- Device info: model, OS version, app version, language, timezone
- Usage events: which screens you open, which packs you buy, which features you tap (used to improve the app)
- IP address: logged with each request for security and fraud prevention
- Crash reports: if the app crashes, we get a stack trace (no personal content)
What we DON’T collect
- We don’t access your contacts, photos, or microphone without you tapping a button to use a feature that needs them.
- We don’t use the camera unless you initiate KYC verification.
- We don’t track you across other apps or websites (no third-party tracking SDKs).
How we use your information
- Run the service. Open packs, settle outcomes, fulfill shipments, process payments.
- Verify identity for shipments and to comply with anti-money-laundering law.
- Communicate with you about your account, transactions, and (if you opt in) product news.
- Protect against fraud and abuse — including detecting suspicious sign-up patterns, hot-streak abuse, and high-value-shipment risk.
- Improve the app — aggregated, anonymised usage analytics to figure out what’s working.
- Comply with law — tax reporting, AML/CFT obligations, law-enforcement requests with valid legal process.
Who we share information with
We share information only with the following categories of recipients, and only what they need to do their job:
| Recipient | Purpose | Data shared |
|---|---|---|
| Supabase (US) | Hosts our backend database and authentication | Account email, profile, transactions |
| Apple | Sign In with Apple verification | Apple ID token (we never see your password) |
| Our payment processor [STRIPE / TBD] | Process top-ups and withdrawals | Payment card data goes directly to them; we receive only a token |
| Our KYC provider [PERSONA / STRIPE IDENTITY / TBD] | Identity verification for shipping | Name, date of birth, ID document, selfie |
| Our shipping carrier [TBD] | Deliver physical metal | Name, shipping address |
| MetalpriceAPI | Get live spot prices to value the vault | Nothing personal — read-only price queries |
| Law enforcement | Where required by valid legal process | Only what’s specifically requested |
We do not sell your personal information to anyone, and we do not share it for cross-context behavioural advertising.
How long we keep it
- Active account: as long as your account is open.
- Closed account: profile and addresses are deleted within 30 days of deletion request. Transaction records are retained for 7 years to comply with US anti-money-laundering and tax law (31 U.S.C. § 5311; 26 U.S.C. § 6045). Backups are purged on their normal rotation cycle (max 90 days).
- KYC documents: [TBD per provider’s policy — typically 5 years post-account-closure].
Your rights
Regardless of where you live, you have the right to:
- Access the personal information we hold about you.
- Correct information that’s wrong.
- Delete your account and associated data (we have an in-app delete button; emails to support@aurumxgold.app also work).
- Export your data in a portable format.
You can do all of this in-app via Account → Delete my account, or by emailing support@aurumxgold.app.
If you live in California (CCPA / CPRA)
You also have the right to know which categories of personal information we’ve collected about you in the past 12 months, opt out of any “sale” or “sharing” (we don’t do either), and limit our use of sensitive personal information.
If you live in the European Economic Area, UK, or Switzerland (GDPR / UK GDPR)
You also have the right to: data portability, lodging a complaint with a supervisory authority, withdrawing consent at any time, and objecting to processing based on legitimate interests. Our lawful bases for processing are: contract (running your account), legal obligation (AML/tax), legitimate interest (fraud prevention), and consent (marketing communications).
Children’s privacy
AurumX is for users 18 and older. We don’t knowingly collect information from anyone under 18. If we learn we have collected data from someone under 18, we delete it immediately. Parents/guardians: email support@aurumxgold.app.
Security
We protect your data with TLS in transit, encryption at rest, row-level security in our database, and SECURITY DEFINER functions that scope every operation to the authenticated caller. We require strong passwords or Apple Sign-In. No method is 100% secure; if we have a breach affecting your information, we’ll notify you within the timeframe required by applicable law.
Changes to this policy
If we make material changes, we’ll post the updated policy here and update the “Last updated” date. For significant changes affecting your rights, we’ll notify you in-app or by email at least 30 days before the change takes effect.
Contact us
Email support@aurumxgold.app with any privacy questions or to exercise any of your rights. If you live in the EU/UK/Switzerland and we don’t respond within 30 days, you can complain to your local data-protection authority.