Privacy Policy

AroraLabs is built with privacy in mind. Here's exactly what we collect across our websites and subdomains, why, and your complete rights.

Last Updated: 27 May 2026

Controller: AroraLabs (contact@aroralabs.org)

01

Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person, including online identifiers, IP addresses, location data, and browsing behaviour.
  • "Processing" — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Controller" — AroraLabs, the entity that determines the purposes and means of Processing Personal Data collected through our websites.
  • "Data Processor" — any third-party service provider that Processes Personal Data on our behalf, including Cloudflare, Google, and Zoho.
  • "Websites" — aroralabs.org and all subdomains operated by AroraLabs, as listed in Section 3.
  • "Visitor" — any individual who accesses our Websites, regardless of location.

02

Data Controller Identity and Contact

AroraLabs ("we", "us", "our") is the Data Controller for all Personal Data collected through our Websites.

We endeavour to respond to all substantive privacy enquiries within 30 calendar days of receipt.

03

Websites and Subdomains Covered

This Privacy Policy applies to all websites operated under the aroralabs.org domain, including:

  • aroralabs.org — main studio website (you are here)
  • hub.aroralabs.org — free tools and utilities
  • thinko.aroralabs.org — Thinko brain training app landing page
  • visaify.aroralabs.org — Visaify product page
  • Any other current or future *.aroralabs.org subdomains

Thinko App (iOS & Android) — the Thinko mobile application has its own privacy policy covering in-app data collection, authentication, and AI-powered features. See the Thinko Privacy Policy for details.

04

What We Collect and Why

4.1 — CDN and Network-Level Data (Cloudflare Zone Analytics)

All traffic to our Websites passes through Cloudflare's Content Delivery Network. Cloudflare processes the following at the network level as part of normal CDN operation:

  • IP address — used for routing and geographic region inference only
  • Request path, HTTP method, and response status code
  • Bytes transferred and cache status
  • Country of origin (aggregated)
  • User-Agent string (browser/OS type)

We see only aggregated statistics — total requests, bandwidth, country breakdowns — never individual visitor records. No cookies are set on your device by this system.

4.2 — Session Analytics (Cloudflare Web Analytics)

We use Cloudflare Web Analytics, a privacy-preserving JavaScript beacon, to measure page views, session duration, referrer sources (where you came from), and device type. This service:

  • Does not set cookies or use localStorage to track you
  • Does not fingerprint your device
  • Does not track you across different websites
  • Reports only aggregated, anonymised statistics to us

4.3 — Usage Analytics (Google Analytics 4)

We use Google Analytics 4 (GA4) on all AroraLabs websites to understand how visitors use our sites and improve our content and tools. GA4 collects:

  • Pages visited and time spent on each page
  • Approximate geographic location (country and city level — not precise)
  • Device type, operating system, and browser
  • Referral source (how you arrived at our site)
  • Session and engagement metrics (scroll depth, clicks)

GA4 uses cookies and similar technologies to collect this data. Data is processed by Google LLC and is subject to Google's Privacy Policy. You may opt out at any time via the Google Analytics Opt-out Browser Add-on.

4.4 — Advertising (Google AdSense)

Some pages on aroralabs.org load Google AdSense, a third-party advertising service. The AdSense script is present in the website code, and when it loads, Google may process visitor data — including IP address and browsing context — for advertising purposes, even if no ad is visually displayed. See Section 5 for full details.

4.5 — Contact Form Submissions

When you submit a contact enquiry via the "Say Hello" or "Start a Project" forms on aroralabs.org, we collect:

Voluntarily provided:

  • Full name and email address (required)
  • Message content or project brief (required)
  • Phone/WhatsApp number, company name, project type, budget range, currency, preferred timeline, existing website URL, launch platform, decision stage, preferred technology stack, and referral source (optional fields, submitted only if you complete them)

Automatically collected at submission time (client-side metadata):

  • Timezone (e.g. "Europe/London")
  • Browser language setting
  • Device category (mobile, tablet, or desktop)
  • Operating system name
  • Browser name
  • Screen resolution and device pixel ratio
  • Effective network connection type (4G, WiFi, etc.)
  • Referring URL (the page you came from)
  • Page path where the form was submitted
  • Submission timestamp (ISO 8601)

Server-side geographic enrichment:

When your submission reaches our servers, Cloudflare's edge network automatically infers your approximate geographic location from your IP address. We extract the following from this inference and store it alongside your submission:

  • Country (ISO 3166-1 alpha-2 code)
  • Region or state
  • City (approximate, typically accurate to metropolitan area)

Your IP address itself is not stored; only the derived geographic data is retained.

Lawful basis (GDPR): Legitimate interest (Art. 6(1)(f)) to understand the geographic context of enquiries and improve service quality; and to respond to your message (pre-contractual steps, Art. 6(1)(b)).

Storage and retention: Submissions are stored in our cloud database (Google Cloud Firestore) and retained for up to 12 months from the date of submission, after which they are permanently deleted.

4.6 — Newsletter Subscriptions

If you subscribe to the AroraLabs newsletter, we collect and store:

  • Email address
  • Subscription source (the page or product from which you subscribed)
  • Subscription timestamp
  • A SHA-256 hash of your IP address (for abuse prevention — this hash cannot be reversed to recover your IP)
  • A unique, randomly generated unsubscribe token (embedded in every email footer)

We do not collect your name for newsletter purposes. The newsletter list is separate from any contact form submission.

Lawful basis (GDPR): Consent (Art. 6(1)(a)). You may withdraw consent at any time by clicking the unsubscribe link in any newsletter email. Withdrawal is irreversible and immediate — your record is permanently hard-deleted from our database within seconds. We do not archive, archive-flag, or soft-delete unsubscribed records.

Storage: Google Cloud Firestore. Retained until unsubscription.

4.7 — Hub Tool Feedback

The AroraLabs Hub includes a feedback button on tool pages. If you voluntarily submit feedback, we collect the free-text feedback you enter. No personally identifying information is required or requested; however, any personal data you choose to include in your feedback text will be stored as part of the submission.

Lawful basis (GDPR): Legitimate interest (Art. 6(1)(f)) to identify bugs and improve tools.

Storage: Google Cloud Firestore. Retained for up to 6 months from submission.

4.8 — Visaify Feedback

Visaify (visaify.aroralabs.org) includes a feedback widget on tool pages. If you voluntarily submit feedback, we collect:

  • Feedback type (feedback, bug, suggestion, other) and your message text
  • Submission timestamp (ISO 8601)
  • Browser metadata: timezone, language, device type, OS, browser, screen resolution, network connection type, referrer URL, and the page where you submitted

IP-derived geolocation (third-party lookup):

To understand the geographic distribution of feedback and improve regional content, the widget performs a client-side lookup against ipapi.co when it loads. This request sends your IP address to ipapi.co. The response — and the data we retain alongside your submission — includes:

  • Your public IP address
  • Country, region/state, city, and postal code
  • Approximate latitude and longitude (ISP-registered, not GPS-precise)
  • Timezone (IANA identifier)
  • Your ISP's organisation name and ASN

If the ipapi.co request fails or is blocked (e.g. by an extension), the submission still goes through without the geolocation fields.

Lawful basis (GDPR): Legitimate interest (Art. 6(1)(f)) to understand the geographic and technical context of feedback so we can prioritise fixes and regional improvements; balanced against your interest in privacy by limiting retention and never combining this data with marketing.

Storage and retention: Google Cloud Firestore (collection visaify-feedback), retained for up to 12 months from submission. Public reads are disabled by Firestore security rules; only AroraLabs administrators can read submissions.

Your rights: You may request deletion of any feedback submission by contacting contact@aroralabs.org with the approximate submission date and message; we will locate and delete matching records within 30 days. See Section 9 for full rights.

4.9 — Browser Local Storage (Client-Side Only)

AroraLabs websites store the following data in your browser's localStorage to persist your preferences between sessions:

  • Theme preference (light or dark mode)
  • Pinned tools (Hub)
  • Recently viewed tools (Hub)
  • PWA install prompt dismissal state
  • Newsletter prompt dismissal state

This data resides exclusively in your browser. It is never transmitted to our servers, not linked to any identifier, and is not Personal Data. You can clear it at any time by clearing browser site data for the relevant domain.

05

Third-Party Services and Data Processors

Cloudflare, Inc. — CDN & Analytics

No cookies

Cloudflare provides DNS, CDN, DDoS protection, and web analytics for our Websites. Cloudflare acts as a data processor under a Data Processing Addendum (DPA). Network-level data (IPs, request metadata) is processed in accordance with Cloudflare's Privacy Policy. Cloudflare Web Analytics is cookieless and does not set tracking cookies.

Google LLC — Analytics (GA4)

Uses cookies

Google Analytics 4 is used across all AroraLabs websites to measure usage and improve our services. GA4 sets first-party cookies (e.g. _ga, _ga_*) to distinguish visitors and sessions. Data is retained for 14 months (Google's default). You can opt out via the Google Analytics Opt-out Browser Add-on or by adjusting your browser's cookie settings. Google processes this data under its Privacy Policy.

Google LLC — AdSense

Uses cookies

Google AdSense may display advertisements on this website. The AdSense script loads on page visits and may set cookies or use similar technologies for ad personalisation, even when no ad is visually rendered. Google processes this data under its own Privacy Policy and Advertising Policy.

You can opt out of personalised advertising via Google Ad Settings or by installing the Google Analytics Opt-out Browser Add-on.

Google LLC — Firebase / Cloud Firestore (cloud database)

No cookies

Google Cloud Firestore (part of Firebase) is our managed cloud database, used to store newsletter subscriptions, contact form submissions, Hub feedback, and Visaify feedback. Data is encrypted at rest and in transit. Firebase operates under Google's Privacy Policy and participates in applicable cross-border transfer frameworks (SCCs). Firestore holds data in the us-central1 (Iowa, USA) region unless otherwise configured. Google is certified under ISO 27001, SOC 1, SOC 2, and SOC 3.

Zoho Corporation — Transactional Email

No cookies

Zoho Mail is used to deliver transactional email on behalf of AroraLabs, including newsletter broadcasts and contact form notifications. Zoho processes your email address and the content of messages delivered to you. Emails are sent with SPF and DKIM authentication to prevent spoofing. Zoho processes data under its Privacy Policy and is ISO 27001 certified.

ipapi.co — IP Geolocation Lookup (Visaify only)

No cookies

ipapi.co is invoked client-side from the Visaify feedback widget to look up approximate geolocation from your IP address. The request leaves your browser and goes directly to ipapi.co — AroraLabs servers do not proxy it. ipapi.co receives your IP and returns location data which is then attached to your feedback submission if you submit one. See Section 4.8 for the full list of fields retained. ipapi.co processes data under its Privacy Policy. This processor is used only on visaify.aroralabs.org and only when the feedback widget loads.

AroraLabs does not sell, rent, or otherwise commercially transfer your Personal Data to any third party for their own independent marketing or advertising purposes. Data shared with Google Firebase (Firestore) and Zoho is shared solely for the operational purposes described above, under data processor relationships.

06

Cookies and Tracking Technologies

AroraLabs itself does not set any first-party cookies on our Websites.

6.1 — First-Party Cookies (Google Analytics 4)

Google Analytics 4 sets the following first-party cookies on your device when you visit our websites:

  • _ga — distinguishes unique visitors; expires after 2 years
  • _ga_<stream-id> — maintains session state; expires after 2 years

You can block or delete these cookies through your browser settings or by using the Google Analytics Opt-out Browser Add-on.

6.2 — Third-Party Cookies (Google AdSense)

Google AdSense may set additional third-party cookies used for ad targeting and measurement. You can manage these through:

  • Your browser's built-in cookie controls
  • A browser extension such as uBlock Origin
  • Google's Ad Settings
  • Your device's privacy settings

6.3 — What We Don't Use

We do not use: Meta Pixel, HotJar, Mixpanel, Segment, or any session recording or behavioural fingerprinting tools beyond those listed in Section 5.

Cloudflare Web Analytics is cookieless — it does not require cookie consent under GDPR or ePrivacy Directive, as it sets no persistent identifiers on your device.

07

Data Retention

  • Cloudflare Zone Analytics: aggregated CDN statistics, per Cloudflare's plan defaults (typically 3–12 months); no individual records retained by us.
  • Cloudflare Web Analytics: aggregated session data retained for up to 6 months.
  • Google Analytics 4: event and session data retained for 14 months from collection (Google's default). GA4 cookies persist on device for up to 2 years.
  • Google AdSense: per Google's retention policies.
  • Contact form submissions (Google Cloud Firestore): up to 12 months from the date of submission, then permanently deleted.
  • Contact form geographic metadata (city, region, country): retained as part of the submission record, deleted on the same schedule (12 months).
  • Newsletter subscriptions (Google Cloud Firestore): until you unsubscribe. Unsubscription results in immediate, permanent hard-deletion of your record.
  • Hub feedback (Google Cloud Firestore): up to 6 months from submission.
  • Visaify feedback (Google Cloud Firestore): up to 12 months from submission, including the IP-derived geolocation fields described in Section 4.8.
  • Email correspondence: retained for as long as reasonably necessary to resolve the enquiry and for legitimate record-keeping purposes.
  • Local Storage data: retained in your browser until you clear browser data; never stored on our servers.

Across most AroraLabs surfaces, individual visitor IP addresses are not stored by us — they are processed by Cloudflare as our data processor and discarded after geographic inference. The two exceptions are: (a) newsletter subscriptions, where a SHA-256 hash of the IP is retained for abuse prevention (the hash cannot be reversed); and (b) Visaify feedback submissions, where the raw IP and ipapi.co-derived geolocation are retained for up to 12 months — see Section 4.8 for the full disclosure and lawful basis.

08

Data Sharing and Disclosure

We do not share Personal Data with third parties except as follows:

  • Cloudflare — as a data processor providing CDN and analytics infrastructure, under a Data Processing Addendum.
  • Google LLC (Analytics) — usage and session data is processed by Google under their Privacy Policy as part of GA4 measurement.
  • Google LLC (AdSense) — as a third-party advertising service operating under its own privacy policy.
  • Google LLC (Firebase / Cloud Firestore) — contact form submissions, newsletter subscriptions, Hub feedback, and Visaify feedback are stored in Cloud Firestore, a Google Cloud service, acting as a data processor under Google's DPA.
  • Zoho Corporation — email addresses and message content are processed by Zoho Mail when we send transactional emails (newsletter broadcasts and contact form notifications).
  • ipapi.co — when the Visaify feedback widget loads, your IP address is sent client-side to ipapi.co for geolocation lookup. AroraLabs does not proxy this request. See Section 4.8 and Section 5.
  • Legal requirements — if required by law, regulation, court order, or governmental authority with competent jurisdiction, we may disclose information as required.

We do not sell, license, or commercially share Personal Data for any other purpose.

09

Your Privacy Rights

Right of Access (Art. 15 GDPR)

Request confirmation of whether we hold Personal Data about you and obtain a copy of it.

Right to Rectification (Art. 16 GDPR)

Request correction of inaccurate Personal Data we hold about you.

Right to Erasure (Art. 17 GDPR)

"Right to be Forgotten" — request deletion of your Personal Data where it is no longer necessary.

Right to Object (Art. 21 GDPR)

Object to Processing based on legitimate interests on grounds relating to your particular situation.

Right to Restrict (Art. 18 GDPR)

Request restricted Processing in specified circumstances, such as while accuracy is contested.

Data Portability (Art. 20 GDPR)

Receive your Personal Data in a structured, machine-readable format where technically feasible.

To exercise any right, contact contact@aroralabs.org. Note that because we collect minimal data and do not maintain individual visitor records, most rights may be best exercised directly with Cloudflare or Google for data they independently hold.

10

GDPR — EEA and UK Residents

10.1 — Legal Basis for Processing

  • Consent (Art. 6(1)(a)): Newsletter subscriptions — explicit opt-in required; freely withdrawable at any time via unsubscribe link. Also applies where Google AdSense sets cookies for personalised advertising — you may withdraw consent at any time through your browser or Google Ad Settings.
  • Contract / Pre-contractual steps (Art. 6(1)(b)): Processing contact form submissions to respond to service enquiries and project requests.
  • Legitimate interests (Art. 6(1)(f)): Operating and securing our Websites; analysing usage patterns via Google Analytics 4 to improve performance and content; protecting against attacks and abuse; geographic enrichment of contact form data to understand enquiry context; Hub feedback processing to identify product issues. Balancing tests conducted internally; overriding interests apply for EU data subjects who may object under Art. 21.

10.2 — Supervisory Authority

You have the right to lodge a complaint with the data protection supervisory authority in your EU member state or the UK ICO if you believe our Processing infringes applicable data protection law.

10.3 — International Transfers

Data processed by Cloudflare and Google may be transferred to the United States. Both companies participate in applicable cross-border transfer frameworks and implement Standard Contractual Clauses where required.

11

CCPA — California Residents

11.1 — Right to Know

You have the right to request disclosure of the categories and specific pieces of Personal Information we collect, the sources, our business purpose, and any third parties with whom we share it.

11.2 — Right to Delete

You have the right to request deletion of Personal Information collected from you, subject to exceptions under Cal. Civ. Code § 1798.105.

11.3 — Non-Discrimination

We will not discriminate against you for exercising any CCPA rights.

We do not sell Personal Information as defined under Cal. Civ. Code § 1798.140(t)(1), nor do we share Personal Information for cross-context behavioural advertising. We have not sold or shared Personal Information within the preceding 12 months.

To submit a verifiable consumer request, contact contact@aroralabs.org with subject line "CCPA Request".

12

Children's Privacy

Our Websites are not directed at children under 13 years (COPPA, US) or 16 years (GDPR, EEA). We do not knowingly collect Personal Data from children within these age thresholds.

If you are a parent or guardian and believe your child has provided Personal Data to us, contact us at contact@aroralabs.org and we will promptly delete the relevant data.

13

Security

We implement the following technical and organisational measures to protect Personal Data:

  • Encryption in transit: all communications are encrypted via TLS 1.2 or higher, enforced by Cloudflare at the network edge. All API communications to Firebase use HTTPS.
  • Encryption at rest: data stored in Google Cloud Firestore is encrypted at rest using AES-256 by default, managed by Google.
  • Access controls: access to Firestore data is restricted to authenticated AroraLabs staff via Firebase security rules and service account credentials. No public read access is permitted to any collection containing personal data.
  • Minimal data collection: we collect only the data described in Section 4 and nothing beyond it. No server-side session recording, keystroke logging, or behavioural profiling is performed.
  • No third-party access: our cloud database is not accessible to third parties except where explicitly described as data processors in Section 5.

Data breach notification: In the event of a personal data breach that is likely to result in risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware (Art. 33 GDPR). Where the breach is likely to result in high risk, we will also notify affected data subjects without undue delay (Art. 34 GDPR).

No security framework guarantees absolute protection. We cannot warrant that any data transmission is entirely risk-free.

14

Changes to This Policy

We may update this Privacy Policy at any time. Material changes — such as new categories of data collection or new third-party processors — will be communicated by updating the "Last Updated" date at the top of this page.

Continued use of our Websites following any modification constitutes acceptance of the revised Policy. Prior versions are available upon written request.

15

Contact and Data Subject Requests

All privacy-related enquiries, data subject access requests, and correspondence should be directed to contact@aroralabs.org.

We are committed to responding to all substantive privacy enquiries within 30 calendar days of receipt, in compliance with applicable data protection law.