Auraaura

Privacy Policy

Effective date: 1 May 2026 · Last updated: 1 May 2026

This Privacy Policy explains how Aura Technology Limited ("Aura", "we", "us", or "our"), a company incorporated in Hong Kong, collects, uses, and protects information when you use the Aura property management platform and related services (the "Service").

We are committed to protecting the privacy of our customers and their guests. Please read this policy carefully. By using the Service you agree to the practices described here.

1. Who This Policy Applies To

This policy applies to two categories of people:

  • Operators — hotels, villas, and other property businesses that subscribe to Aura and use it to manage their properties.
  • Guests — individuals whose data operators input into Aura in the course of managing reservations, check-ins, and communications.

Operators are data controllers in respect of their guests' personal data. Aura acts as a data processor on the operator's behalf when processing guest data. Operators are responsible for ensuring they have a valid legal basis for sharing guest data with Aura.

2. Information We Collect

2a. Information operators provide

  • Account registration details: name, email address, company name, billing address.
  • Property information: property name, address, room types, rates, and settings.
  • Guest data entered into the system: names, email addresses, phone numbers, nationality, passport or ID details (for digital check-in), arrival and departure dates.
  • Payment information: billing details collected by our payment processor (Stripe). We do not store full card numbers — card data is handled directly by Stripe.

2b. Information we collect automatically

  • Log data: IP addresses, browser type, pages visited, and timestamps when you access the Service.
  • Cookies and similar technologies: session cookies required for authentication. We do not use tracking or advertising cookies.

2c. Information from third parties

  • Online travel agency (OTA) booking data received via channel manager integrations (e.g. Booking.com, Airbnb). This data is provided to us in accordance with the OTA's data sharing arrangements with you as the operator.

3. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Process payments and manage your subscription.
  • Send transactional emails on behalf of operators (booking confirmations, pre-arrival emails, check-in instructions).
  • Send service-related communications to operators (account notices, invoices, product updates, security alerts).
  • Respond to support requests.
  • Comply with legal obligations.

We do not sell your data or your guests' data to any third party. We do not use guest data for any purpose beyond operating the Service on your behalf.

4. Legal Bases for Processing (GDPR)

Where the General Data Protection Regulation (GDPR) applies, our legal bases for processing personal data are:

  • Contract performance — processing necessary to provide the Service to operators.
  • Legitimate interests — improving the Service, preventing fraud, ensuring security.
  • Legal obligation — complying with applicable laws.
  • Consent — where you have given consent (e.g. marketing emails, which you can withdraw at any time).

5. Data Sharing

We share data only in the following circumstances:

  • Service providers. We use trusted third-party vendors to operate the Service, including cloud infrastructure (hosting), email delivery, and payment processing (Stripe). These vendors process data only on our instructions and under confidentiality obligations.
  • OTA integrations. Reservation and availability data is shared with the online travel agencies you connect to through the channel manager, as directed by you.
  • Legal requirements. We may disclose information where required by law, court order, or government authority, or where necessary to protect the rights and safety of Aura, our customers, or the public.
  • Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Data Retention

We retain operator account data for as long as your subscription is active and for 30 days after account closure, after which it is permanently deleted. You may export your data at any time via the CSV export features in the Service.

We may retain certain data for longer where required by law (e.g. financial records for tax compliance purposes).

7. Security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. Payment card data is handled exclusively by Stripe and is never stored on our servers.

No system is completely secure. In the event of a data breach that affects your rights and freedoms we will notify you without undue delay and in accordance with applicable law.

8. International Data Transfers

Aura is operated from Hong Kong. Our infrastructure providers may process data in other jurisdictions. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place (such as standard contractual clauses) in accordance with applicable data protection law.

9. Your Rights

Depending on your location and applicable law, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data ("right to be forgotten").
  • Object to or restrict certain processing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at hello@aurapms.io. We will respond within 30 days.

Guests: if you are a hotel guest and wish to exercise rights over data an operator has stored in Aura, please contact the operator directly. They are the data controller for your personal data.

10. Cookies

We use only strictly necessary cookies — session cookies required for authentication and security. We do not use analytics, advertising, or tracking cookies. No cookie consent banner is required for strictly necessary cookies under most jurisdictions.

11. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data without parental consent, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The updated policy will be posted at this URL with a revised effective date.

13. Contact

Questions, concerns, or requests regarding this Privacy Policy should be directed to:

Aura Technology Limited
hello@aurapms.io