Legal

Privacy Policy

Effective May 28, 2026 · Last updated May 27, 2026

Plain-language summary: auro is a clinical nutrition workspace. We collect the minimum we need to make the apps work — your account info, your interactions with the app, and (if you're a patient) your clinical data, which is visible only to you and your dietitian. We don't sell your data, ever. We use a small number of subprocessors (Supabase, Anthropic, LiveKit), each under a Business Associate Agreement. You can export everything we have on you, and delete your account at any time.

1. Who we are

auro Health, Inc. is a Texas corporation headquartered in Austin, Texas. We provide auro Provider (a macOS application for registered dietitians) and auro Wellness (an iOS application for the patients of those dietitians). Throughout this policy, "auro," "we," "our," and "us" refer to auro Health, Inc.

2. What this policy covers

This policy describes how we collect, use, store, and share information when you use auro Provider, auro Wellness, or visit theaurohealth.com. It does not cover information collected by your dietitian's practice outside of auro (those records are governed by that practice's own Notice of Privacy Practices, which you should have received when you became their patient).

3. Information we collect

3.1 Account information

When you create an account (provider or patient), we collect your name, email address, role, and the practice you're associated with. Providers additionally provide a credential number (e.g., RD/RDN registration) and the state(s) in which they practice.

3.2 Clinical information (patients only)

If you are a patient, the following may be stored in your record:

  • Food logs (meals, photos, voice notes, parsed macros, USDA matches)
  • Anthropometric data (weight, body measurements)
  • HealthKit-imported data (activity, sleep, heart rate, blood glucose if connected) — only if you grant the permission
  • Symptom logs, mood/energy logs, hydration logs
  • Meal plans and recipes assigned to you by your dietitian
  • Session notes, transcripts, and care-plan goals written by your dietitian
  • Secure messages between you and your dietitian

3.3 Clinical information (providers only)

If you are a dietitian using auro Provider, we store the charts, meal plans, recipes, notes, and messages you create about your patients. We also store your practice's branding (logo).

3.4 Technical information

We collect basic telemetry: app version, OS version, device model, anonymized crash reports, and aggregated feature-usage counts. Telemetry never includes PHI.

4. How we use information

  • To operate the apps. Display your data to you, your dietitian, and your practice's Lead RD (where applicable).
  • To power AI features. Food parsing, charting drafts, recipe summarization, and the in-app assistant use Claude (Anthropic). Every prompt is sanitized to remove PHI identifiers before transmission.
  • To send service communications. Magic-link emails, session reminders, security alerts, and (if you've opted in) marketing communications about new features.
  • To improve the apps. Aggregated, de-identified usage data informs prioritization. We never train AI models on your data.
  • To comply with the law. Including responding to legitimate subpoenas, court orders, and HIPAA/state privacy disclosures.

5. How information is shared

We share information only as follows:

  • With your care team. Patient PHI is visible to the dietitians at your practice and to your practice's Lead RD (for supervision).
  • With subprocessors under BAA. Supabase (hosting, database, auth, storage), Anthropic (Claude API for AI), LiveKit (video sessions), Cloudflare (network/DNS/static asset delivery), Resend (transactional email).
  • For legal compliance. When required by law and subject to challenge where appropriate.
  • In a business transaction. If auro is acquired or merges, your data may transfer to the successor entity under the same protections.

We do not sell or rent your data. We do not share it with advertisers. We do not use it to train third-party models.

6. Your rights and choices

  • Access. View and export everything we hold about you, in machine-readable form, from the in-app Settings → Export My Data.
  • Correction. Edit your account info in Settings. For clinical records authored by your dietitian, ask them to amend (HIPAA requires the originating practice handle amendments).
  • Deletion. Request deletion at privacy@theaurohealth.com. We will delete your auro account and remove your data within 30 days, subject to legal retention obligations (audit logs may be retained for the HIPAA-required minimum).
  • Withdrawal of HealthKit / camera / mic permissions. Adjust at any time in iOS Settings — auro will stop receiving that data immediately.

7. Data retention

Patient clinical records are retained for the period required by your practice's record-retention policy and applicable state law (typically 7 years for adults, longer for minors). Provider account data is retained while your account is active and deleted within 30 days of account closure. Audit logs are retained for 6 years as required by HIPAA.

8. Security

See our Security & HIPAA page for the full overview. In short: Postgres row-level security, TLS 1.3 in transit, AES-256 at rest, MFA for admins, immutable audit logs, and a Business Associate Agreement required of every subprocessor that touches PHI before production data flows through it.

9. Children

auro is intended for use by patients aged 13 and older, and providers aged 18 and older. We do not knowingly collect data from children under 13. If a dietitian provides care to a minor under 13, the parent or guardian is the auro account holder.

10. International users

auro is operated from the United States and data is stored in U.S. data centers. If you access auro from outside the U.S., your data will be transferred to and processed in the U.S.

11. Changes to this policy

We will notify all account holders by email at least 30 days before any material change takes effect. Past versions of this policy are available on request.

12. Contact

Privacy questions or requests: privacy@theaurohealth.com
Security issues: security@theaurohealth.com
General: hello@theaurohealth.com

auro Health, Inc.
Austin, Texas