Privacy Policy
Last Updated: April 3, 2025
Stencil Labs, Simon Turkovič s.p. (“Company,” “we,” “us,” or “our”), a sole proprietor registered in the Republic of Slovenia, is committed to protecting your privacy. This Privacy Policy explains what information the Aura: Protocol mobile application (“App”) collects, how it is used, stored, and protected, and what rights you have regarding your data.
This policy complies with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679) and applicable Slovenian data protection law.
1. Data Controller
The data controller for information processed through the App is:
Stencil Labs, Simon Turkovič s.p.
Kotnikova Ulica 5, 1000 Ljubljana, Slovenia
VAT: SI29984688
Email: support@earnaura.app
Website: earnaura.app
2. Information We Collect
a) Health Data (via Apple HealthKit)
With your explicit permission, the App reads the following HealthKit data types:
- Step count
- Sleep analysis
- Workout sessions
- Apple Watch stand hours
- Flights climbed
- Walking and running distance
- Mindful minutes
- Dietary water intake
- Time in daylight
- Dietary energy consumed (calories)
- Dietary protein intake
The App also writes dietary water intake to HealthKit when you log water consumption within the App.
This data is used exclusively to calculate your daily Aura score and display habit progress. Health data remains on your device and is never transmitted to any server or third party.
b) Screen Time Data (via Apple FamilyControls and DeviceActivity)
With your explicit permission, the App uses the Screen Time API to block selected apps on your device via ManagedSettings and monitor scheduled activity intervals via DeviceActivity. The App stores opaque app tokens (FamilyActivitySelection) that you choose to block. The App does not access or read the names, categories, or usage statistics of other apps beyond what is necessary for the blocking features you configure.
c) Motion Data (via CoreMotion)
The App uses the CoreMotion pedometer to count steps in real time for the Walk to Unlock feature. This data is processed locally and is not stored beyond the active session.
d) Account Data
The App supports two authentication methods via Supabase:
- Sign in with Apple: your Apple identity token is sent to Supabase to create your account. This token may contain your Apple ID email address, which Supabase stores as part of your auth record. Your email is used solely for account identification and is never displayed in the App or shared with other parties.
- Anonymous sign-in: a session is created with no personally identifiable information.
In both cases, a randomly generated install ID (UUID) is created and sent to Supabase to identify your device session.
e) Onboarding Analytics (sent to Supabase)
During onboarding, the App collects and sends the following analytics data to our Supabase backend:
- Install ID (UUID)
- Onboarding funnel step progression (which steps were completed, whether onboarding was finished)
- Quiz answers (screen time habits, motivation preferences)
- Selection counts (number of habits and feelings chosen)
- Whether the subscription call-to-action was tapped
- Permission grant statuses (HealthKit, Screen Time, notifications)
- Total time spent in onboarding and start/completion timestamps
This data is used to improve the onboarding experience and understand how users set up the App. It does not include health data, personal identifiers, or app usage statistics.
f) User Profile (local only)
The App stores your display name, entered during onboarding. This is stored locally in UserDefaults and is not sent to any server.
g) Preferences and Settings (local only)
The following are stored locally on your device:
- Enabled habits and custom goal targets
- Notification preferences
- Appearance settings
- Sleep schedule configuration
- Blocked app selections (opaque tokens)
3. What We Do NOT Collect
The App does not collect, transmit, or store:
- Email addresses beyond what Apple provides in the identity token during Sign in with Apple (see Section 2d)
- Location data (GPS, IP-based, or otherwise)
- Contacts, photos, microphone, or camera data
- Browsing history or app usage statistics
- Advertising identifiers (IDFA) or device fingerprints
- Crash reports or diagnostics sent to us
4. Legal Basis for Processing (GDPR Article 6)
We process your data on the following legal bases:
| Data | Legal Basis |
|---|---|
| Health data (HealthKit) | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — via iOS HealthKit authorization prompt |
| Screen Time data | Explicit consent (Art. 6(1)(a)) — via iOS Screen Time authorization prompt |
| Account data (auth) | Performance of contract (Art. 6(1)(b)) — necessary to provide the service |
| Install ID & onboarding analytics | Legitimate interest (Art. 6(1)(f)) — to improve onboarding; data is pseudonymous and limited in scope |
| User profile (display name) | Performance of contract (Art. 6(1)(b)) — to personalize your experience |
5. How Your Data Is Used
- Health data: to calculate your daily Aura score and display habit progress (local only)
- Screen Time data: to manage app blocking, sleep schedules, and timed sessions (local only)
- Motion data: to count steps for Walk to Unlock (local, ephemeral)
- Account data: to authenticate you and enable account management (synced to Supabase)
- Onboarding analytics: to understand and improve the onboarding flow (synced to Supabase)
- User profile: to display your name in the App (local only)
- Preferences: to persist your settings across sessions (local only)
6. Data Storage and Transfer
Local Storage
Most data is stored locally on your device using:
- SwiftData: Aura transactions (points earned and spent) and streak logs
- UserDefaults and AppGroup UserDefaults: preferences, enabled habits, custom goals, and settings shared with App extensions
Cloud Storage (Supabase)
The following data is transmitted to and stored on our Supabase backend:
- Install ID (UUID)
- Authentication session data
- Onboarding analytics (funnel steps, quiz answers, permission statuses, timing)
Supabase may host data in data centers located outside the European Economic Area. Where data is transferred outside the EEA, appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) adopted by the European Commission.
7. Data Sharing
We do not sell, rent, or trade your data with any third party. Your data is shared only with:
- Supabase (data processor): provides authentication and database services for account data and onboarding analytics. Supabase processes data on our behalf under a Data Processing Agreement.
- Apple: HealthKit, FamilyControls, DeviceActivity, ManagedSettings, CoreMotion, StoreKit, and WidgetKit data is exchanged with Apple frameworks locally on your device, governed by Apple’s Privacy Policy.
8. Data Retention
| Data | Retention |
|---|---|
| Local data (scores, transactions, streaks, preferences) | Until you delete it via “Delete My Account” or uninstall the App |
| Supabase data (install ID, analytics, auth) | Until you delete your account, which triggers server-side deletion |
We do not retain data longer than necessary for the purposes described in this policy.
9. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate data
- Right to erasure (Art. 17): request deletion of your data (“right to be forgotten”) — you can exercise this directly via “Delete My Account” in the App
- Right to data portability (Art. 20): request your data in a structured, commonly used, machine-readable format
- Right to restrict processing (Art. 18): request that we limit how we use your data
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time (e.g., revoke HealthKit or Screen Time permissions in your device Settings) without affecting the lawfulness of processing carried out before withdrawal
- Right to lodge a complaint: you may lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec):
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Website: ip-rs.si
Email: gp.ip@ip-rs.si
To exercise any of these rights, contact us at support@earnaura.app. We will respond within 30 days.
10. Children’s Privacy
The App is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child under 13 is using the App, please contact us at support@earnaura.app and we will promptly delete the associated data.
11. App Extensions
The App includes three extensions that share data via the App Group container:
- DeviceActivityMonitor Extension: monitors scheduled sleep and session intervals to trigger app blocking and unblocking
- ShieldConfiguration Extension: provides the visual shield displayed when a blocked app is opened
- AuraWidget Extension: displays your current Aura score and streak on the home screen
These extensions access only the shared UserDefaults within the App Group. No data leaves your device through these extensions.
12. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Auth, onboarding analytics | Install ID, auth token, onboarding analytics |
| Apple HealthKit | Read/write health data | Health metrics (local only) |
| Apple Screen Time | App blocking & scheduling | Opaque app tokens (local only) |
| Apple CoreMotion | Walk to Unlock | Step count (local, ephemeral) |
| Apple StoreKit | Subscriptions | Payment data (handled by Apple) |
| Apple WidgetKit | Home screen widgets | Score & streak (local only) |
| Apple ActivityKit | Lock screen Live Activities | Session countdown timer (local only) |
The App contains no advertising SDKs, no third-party analytics SDKs (beyond Supabase for onboarding), and no tracking frameworks.
13. Data Security
Your locally stored data is protected by your device’s built-in security, including device passcode, Face ID or Touch ID, and iOS data encryption at rest. Data transmitted to Supabase is encrypted in transit using TLS/HTTPS and encrypted at rest on Supabase’s infrastructure.
14. International Data Transfers
Your local data remains on your device and is not transferred internationally. Data sent to Supabase may be processed in data centers outside the European Economic Area. Where such transfers occur, they are protected by appropriate safeguards as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs).
15. Changes to This Policy
We may update this Privacy Policy from time to time. Updated versions will be reflected within the App with a revised “Last Updated” date. For material changes, we will make reasonable efforts to notify you within the App.
16. Contact
If you have questions or concerns about this Privacy Policy, your data, or wish to exercise your rights, please contact us at:
Stencil Labs, Simon Turkovič s.p.
Kotnikova Ulica 5, 1000 Ljubljana, Slovenia
VAT: SI29984688
Email: support@earnaura.app
Website: earnaura.app