Privacy Policy
This Privacy Policy explains what personal data we collect through Auryn, how we use it, who we share it with, where it goes, how long we keep it, and the rights you have to control it. Auryn is operated by SeventwoTwo LLC, a U.S. limited liability company. We wrote it in plain English because we think you should actually be able to read it. If anything is unclear, email privacy@auryn.travel.
The highlights: SeventwoTwo does not sell personal information and does not run third-party behavioral ad networks that monetize unrelated browsing histories. Our position on CPRA-covered cross-context behavioral advertising is stated in Sections 13.3–13.5. GPS collection is limited to pinned memories, foreground “use current location”, and explicit active-trip route recording (Section 4.3), and precise coordinates are confined to Sections 4.2–4.4. Telemetry is narrowly scoped (Section 4.7) and is not resold to ad-tech, and collection is otherwise materially limited to powering the travel-memory functionality described in this policy.
Notice. This Privacy Policy explains how SeventwoTwo LLC intends to comply with GDPR, CPRA-linked regimes and comparable statutes. It is descriptive, not individualized legal counsel, and storefront data practices (Apple, Google), processors' sub-processors, or municipal privacy ordinances occasionally evolve faster than this HTML page is refreshed. Maintain privacy labels in App Store Connect / Play Console concurrently with substantive code changes.
1. Scope
This policy applies to the Auryn mobile app (iOS and Android), the auryn.travel website, and any related services we operate (collectively, the "Service"). It does not apply to third parties whose products or websites you reach through the Service — those are governed by their own policies, which we link to where relevant.
2. Definitions
- "Personal data" (also "personal information") — information that identifies, relates to, or could reasonably be linked with you.
- "Processing" — anything we do with personal data: collect, store, use, disclose, delete.
- "Controller" — the entity that decides why and how personal data is processed (SeventwoTwo LLC, for the Service).
- "Processor" / "Sub-processor" — a third party that processes personal data on our behalf under our instructions.
- "You", "your" — any individual whose personal data we process.
3. Who we are
SeventwoTwo LLC ("SeventwoTwo," "we," "us," "our") operates the Auryn Service (the mobile app, auryn.travel, and related offerings). For purposes of the EU GDPR, UK GDPR, California's CCPA/CPRA, and other applicable privacy laws, SeventwoTwo LLC is the data controller for the personal data described in this policy.
If you have any questions, requests, or complaints, contact our privacy team at privacy@auryn.travel.
4. Personal data we collect
4.1 Account and profile
- Email address — required to sign in, send transactional messages (password reset, security alerts, receipts), and recover access.
- Password — stored only as a salted bcrypt hash. We never see, log, or transmit the plaintext after signup.
- Username and optional display name — shown on your profile and your shared content.
- Profile photo, bio, and home base — optional, shown on your profile.
- Date of birth — only collected if needed to confirm minimum-age eligibility in your jurisdiction.
- Sign-in — the current Auryn apps use email and password (password stored only as described above). SSO providers such as Sign in with Apple or Google sign-in may be added in future releases; we’ll update storefront disclosures whenever that ships.
4.2 Content you create
- Pins — coordinates (latitude/longitude), place name, country, caption, attached photo, the date of the memory, and any tags you add.
- Trips — trip name, date range, cover image, description, and the pins grouped inside.
- Photos — uploaded to encrypted object storage. We process the EXIF metadata (date, time, GPS coordinates, camera make/model, orientation) to verify the pin location and to derive useful sort fields. We strip personal EXIF when a photo is shared publicly, but the original is retained on your behalf for verification purposes.
- Reactions and comments — on your own and other users' pins/trips.
- Friendships and follow graph — who you follow, who follows you, friend requests sent and received, mute/block lists.
- Trip invitations and shared albums — who you invited, their RSVP, who can edit.
4.3 Location data
Auryn is a travel-memory app, so location matters. We are deliberately conservative about it.
- From photo EXIF: when you upload a photo, we read its embedded GPS metadata to verify the pin and store it with the pin you create.
- Foreground GPS (optional): if you tap "use my current location" when adding a pin, the device captures your coordinates once for that pin.
- Background location during active trips (optional): only when you explicitly start recording a route for an active trip. iOS/Android may prompt for broader location permission for this narrow purpose — we capture path points while recording is active, not your day‑to‑day movements. Recording stops when the trip/route session ends or you revoke permission in Settings.
- We do NOT use ambient or marketing GPS tracking. We don’t continuously profile unrelated daily routines, sell GPS coordinates to brokers, or run location-based ads.
4.4 Device and technical data
- Device type, model, OS version, app version, language, region.
- IP address — captured transiently for rate limiting, fraud prevention, and security. IPs are stored in security logs for up to 12 months and are not joined with your Account profile after that period.
- Push notification tokens — if you opted in, your Expo Push / APNs / FCM token is stored so we can deliver alerts.
- Crash and error reports — when something breaks, we collect a stack trace, the screen you were on, and device context. These reports are not joined with your personal content.
- Performance traces — anonymous timing data (how long a screen takes to load) used to find slow paths.
4.5 Subscription and billing
If you subscribe to Auryn Pro, payment is processed by Apple App Store or Google Play — never by us. We never see your credit card or full payment instrument. We receive a subscription status (active, expired, refunded), the product purchased, and an anonymous subscription ID via Apple's StoreKit / Google Play Billing and our subscription manager, RevenueCat.
4.6 Communications and support
If you email us, we keep the email and any attachments to provide and improve support, and to maintain a record of the issue. Support correspondence is retained for up to 24 months unless a longer period is required (e.g., to defend legal claims).
4.7 Analytics and product telemetry
When Auryn ships with an enabled PostHog project key, we send first-party usage analytics to our vendor PostHog, Inc., acting as our processor. Event names illustrate how you navigate the Service (examples: pin creation checkpoints, entitlement surfaces, and exporter open attempts, without implying that every event persists personally). Typical properties include pseudonymous identifiers, coarse device/OS/app-version metadata, and parameters you voluntarily trigger inside flows; the default payload does not include your email address or raw keystrokes.
If you authenticate, PostHog identify calls may synchronize your Auryn user id with events so funnel analytics remain meaningful; ancillary profile fields such as username and display name may accompany that identifier. Signing out terminates that session linkage on-device. For erasure/portability spanning analytics stores, email privacy@auryn.travel; we endeavor to cascade deletion into PostHog's hosted environment consistent with contractual retention safeguards.
If PostHog is not configured, production builds generally emit no analogous cloud analytics; engineer-only consoles may retain short-lived breadcrumbs during QA.
Processing purposes: operate, troubleshoot, prioritize features, understand adoption, reinforce security/abuse safeguards, comply with bookkeeping obligations relating to entitlement abuse. Analytics are not leveraged to sell personal data nor to personalize ads on third-party properties; disclosures to PostHog are described in Sections 9.1 and 13.3.
4.8 Information from other sources
If a friend invites you to a trip, we receive your email or username from them so we can send the invitation. If you make an in-app purchase, we receive purchase metadata from Apple/Google and RevenueCat as described above. We do not buy personal data from data brokers.
5. Sources of personal data
- Directly from you — when you create an Account, edit your profile, add a pin, send a message, or contact support.
- From your device — when you grant the app access to your camera roll, photos, current location, or notifications.
- From third parties acting on your behalf — Apple / Google for App Store and Play Billing / notifications delivery, RevenueCat entitlement sync, and any friend who invites you.
- Automatically — through normal use of the Service: device metadata, IP address, pseudonymous diagnostic or usage events (when Section 4.7 applies), and crash logs.
6. How we use your data
- Provide the Service — show your pins on your map, deliver friends' activity, sync across devices, render trips where your subscription tier unlocks authoring tools, expose creative export canvases gated by entitlements described in-product.
- Verify memories — compare photo EXIF coordinates to the pin you set; mark pins as verified or unverified accordingly.
- Send communications — transactional emails (sign-in, security, receipts), push notifications you opted into, and the occasional product update you can opt out of.
- Manage your subscription — check Pro status, restore purchases, grant entitlements, send renewal receipts.
- Personalize the Service — recommend trips you might like, surface friends with overlapping travel, remember your preferences.
- Customer support — respond to help requests and troubleshoot issues you report.
- Protect the platform — detect spam, abuse, fake accounts, EXIF tampering, and other policy violations; enforce our Terms.
- Improve the Service — develop new features using pseudonymous telemetry and aggregated statistics (including PostHog where enabled, Section 4.7), correlate crash diagnostics, diagnose latency, QA adoption funnels—not for cross-context ad targeting outside Auryn.
- Legal and compliance — comply with tax, accounting, and other legal obligations; respond to lawful requests from authorities; defend ourselves in legal disputes.
7. Legal bases for processing (EU / UK)
If you are in the EU, UK, or another GDPR-aligned jurisdiction, we rely on the following legal bases:
- Performance of a contract — to deliver the Service you signed up for: account credentials, pins, trips, entitlement states, collaborative sharing tooling.
- Consent — for opt-in mechanisms (push notifications, on-demand location taps, discretionary marketing newsletters). Withdraw anytime without impacting prior lawful processing.
- Legitimate interests — for cybersecurity, antifraud instrumentation, enforcing Terms, safeguarding minors, assuring Service integrity, analyzing pseudonymous telemetry (such as Section 4.7) proportionate to expectation, benchmarking reliability, resisting abuse—we balance against your fundamental rights and you may object (contact privacy@auryn.travel). If we conclude compelling grounds outweigh your objection, we'll explain.
- Legal obligation — where we are required by law to retain or disclose data (tax, court orders, child-safety reports, etc.).
- Vital interests — to protect the life or safety of a person in rare emergencies.
8. Sensitive personal data
Auryn does not deliberately collect "special category" or "sensitive" data such as race, religion, health, sexual orientation, biometric IDs, or financial account credentials. The only category that may be considered sensitive under some laws (notably California's CPRA and Colorado's CPA) is precise geolocation, which we collect only as described in Section 4.3. You can use the app without ever granting location permission — the photo-EXIF path produces verified pins without on-device location access.
We do not "process sensitive personal information for the purpose of inferring characteristics about a consumer" within the meaning of the CPRA.
9. Who we share your data with
We share data with service providers (sub-processors) who help us run Auryn, and only the minimum each one needs. We do not sell personal data. We do not run ads. We do not share your data with advertisers, ad networks, or data brokers.
9.1 Sub-processor list
- Google Cloud Platform (USA) — hosts our backend API, Postgres database, object storage, and logging. Receives all stored Service data. SCCs in place where applicable.
- Apple Inc. (USA) — App Store distribution, payments (including StoreKit), Apple Push Notification Service (APNs). If we ship Sign in with Apple in a supported build, Apple also serves as identity provider (Apple Privacy Policy).
- Google LLC (USA) — Google Play distribution, billing, Firebase Cloud Messaging (FCM). Google Privacy Policy.
- RevenueCat, Inc. (USA) — subscription status synchronization between Apple/Google and our backend. Receives anonymous subscription IDs and product/expiry metadata. RevenueCat Privacy.
- Mapbox, Inc. (USA) — map tiles. When the app loads a map, the current viewport coordinates are sent to Mapbox. Mapbox Privacy.
- Expo (650 Industries, Inc.) (USA) — push-notification routing service.
- Cloudflare, Inc. (USA) — CDN, DDoS protection, and TLS termination for the website and parts of the API.
- Wikimedia Foundation (USA) — public place thumbnails. Only the place name appears in the request URL; no user identifier is sent.
- PostHog, Inc. (USA / EU relays depending on tenant) — product analytics SDK, used when API keys are configured; receives pseudonymous user ids tied to authenticated accounts plus event payloads described in Section 4.7. PostHog Privacy.
- Open-Meteo (FOSS API, EU infra) — when Auryn requests optional weather vignettes tied to pinned coordinates/date, coarse lat/lon + ISO timestamps traverse HTTPS without account identifiers. Open-Meteo terms.
A current, machine-readable sub-processor list is available on request from privacy@auryn.travel. We will notify users of material additions to this list at least 14 days in advance, where practical.
9.2 Other recipients
- Other users — when you choose to share Content (publicly, with friends, or in a trip), the recipients you select see that Content according to your visibility settings.
- Authorities — if compelled by valid legal process (subpoena, court order, search warrant), or to comply with law, prevent fraud, protect rights/safety, or in genuine emergencies. We will challenge overly broad requests and notify affected users where legally permitted.
- Successor entities — if SeventwoTwo LLC is involved in a merger, acquisition, financing, or asset sale, personal data may be transferred to the successor entity as part of that transaction. The successor will continue to be bound by this policy or provide equivalent protections, and we will notify you of any material change.
10. International data transfers
The Auryn Service is operated from the United States, and your data is stored on US infrastructure (primarily Google Cloud regions in the US). If you access the Service from the EU, UK, Switzerland, or another region with cross-border restrictions, your personal data is transferred to and processed in the US.
For these transfers we rely on lawful mechanisms, including the EU Standard Contractual Clauses (Module 2 / Module 3 as appropriate), the UK International Data Transfer Addendum, the Swiss-US Data Privacy Framework, and equivalent safeguards. Where required, we conduct transfer-impact assessments and apply supplementary measures (encryption in transit and at rest, strict access controls).
11. How long we keep your data
- Account profile — for as long as your Account is active.
- Content (pins, trips, photos) — for as long as your Account exists, or until you delete the Content in-app.
- Deleted Content — removed from our active database immediately and from encrypted backups within 35 days.
- Deleted Accounts — all personal data is purged within 30 days of confirmation. Aggregated, anonymized statistics may be retained indefinitely.
- Billing and tax records — retained for the period required by tax and accounting law (typically 7 years).
- Security and abuse logs — up to 12 months unless a longer period is required to investigate or defend a claim.
- Support correspondence — up to 24 months.
- Crash diagnostics — sanitized stack traces prioritized for engineering triage—typically capped near 24 months unless earlier deletion is warranted.
- PostHog product analytics — pseudonymous events tied to identifiers described in Section 4.7; retention follows SeventwoTwo’s configuration within PostHog (ordinarily capped around 24 months unless we configure shorter periods).
12. Your rights (GDPR / UK GDPR)
If you are in the EU, UK, Switzerland, or another GDPR-aligned jurisdiction, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data. Most profile fields are editable in-app.
- Erasure (right to be forgotten) — delete your Account and personal data. In-app: Settings → Danger zone → Delete account.
- Restriction — ask us to temporarily limit how we use your data.
- Portability — receive your data in a structured, commonly used, machine-readable format (JSON), or have it transmitted to another controller where technically feasible.
- Objection — object to processing based on our legitimate interests, including profiling.
- Withdraw consent — for any processing based on consent (push notifications, marketing, on-demand location).
- Lodge a complaint — with your national supervisory authority (e.g., Ireland's DPC, the UK's ICO, France's CNIL).
To exercise any of these rights, email privacy@auryn.travel. We respond within 30 days (extendable by up to 60 days for complex requests, with notice). We may need to verify your identity by matching information against the Account record before fulfilling a request.
13. California privacy rights (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
13.1 Categories of personal information collected (last 12 months)
- Identifiers — email address, username, Auryn-assigned identifiers, pseudonymous analytics identifiers (Section 4.7), subscriber tokens, notification tokens, coarse device or OS metadata, IP addresses retained for security instrumentation.
- Customer records — name (if provided), profile data.
- Commercial information — subscription history, products purchased.
- Internet or other electronic network activity — in-app interaction telemetry supplied to PostHog (Section 4.7) and analogous diagnostic logs.
- Geolocation — pin coordinates, on-demand captures, and precise trip-route points recorded only while an active trip route is recording (precise/sensitive PI under CPRA).
- Audio/visual — photos you upload.
- Inferences — countries visited, frequency of pins, derived from your Content.
13.2 Sources, purposes, recipients
Sources, business purposes, and categories of third parties for each category are described in Sections 4 through 9 above. Categories of recipients are listed in Section 9.1.
13.3 Sale and sharing
We do not sell personal information for monetary value. We do not disclose personal information to third parties for cross-context behavioral advertising as regulated under CPRA. Disclosures of pseudonymous telemetry to PostHog support service measurement, troubleshooting, entitlement enforcement, reliability engineering, and fraud prevention; they are expressly not made for individualized cross-site or cross-app ad targeting elsewhere. We have not sold personal information within the twelve-month CPRA lookback period used in this subsection, nor have we knowingly shared it for CPRA-defined cross-context behavioral advertising.
13.4 Sensitive personal information
The only "sensitive personal information" we process is precise geolocation, used solely to operate the Service (verifying pins, showing your map). We do not use or disclose it to infer characteristics about you. As such, the right to limit sensitive PI use does not change our processing.
13.5 California consumer rights
- Right to know what categories and specific pieces of PI we have collected.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do neither, so this is informational).
- Right to limit use of sensitive PI (we already limit it; see Section 13.4).
- Right to non-discrimination for exercising these rights.
To exercise these rights, email privacy@auryn.travel. We respond within 45 days, extendable to 90 with notice. Authorized agents must provide written authorization signed by the consumer.
14. Other US state privacy rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), and other states with comprehensive consumer-privacy laws have rights similar to those described in Sections 12–13, including the rights to access, delete, correct, port, and opt out of targeted advertising and certain profiling. Because we do not sell personal data, do not share it for targeted advertising, and do not engage in profiling that produces legal effects, those opt-out rights have no impact on our processing. To exercise other rights, contact privacy@auryn.travel.
15. Do Not Track and Global Privacy Control
The auryn.travel marketing site does not run third-party behavioral ad cookies or affiliate pixels, consistent with Section 22. Where California or other statutes require honoring Global Privacy Control (and similar sanctioned browser mechanisms) as a request to limit sale or CPRA-covered sharing originating from auryn.travel page loads, SeventwoTwo does so, notwithstanding the historically limited industry consensus on voluntary DNT headers.
Native Auryn builds rely on HTTPS sessions, not cross-site cookie dossiers, and the usage analytics described in Sections 4.7 and 9.1 are confined to SeventwoTwo’s product measurement program.
16. Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects on you. The only automated processing we perform is (a) lightweight content recommendations (e.g., suggested trips), (b) abuse-prevention heuristics (rate limiting, EXIF anomaly detection), and (c) basic personalization. None of these decisions are binding or legally significant; you can request human review of any automated action that affects your Account.
17. Children and teens
Auryn is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an Account, contact privacy@auryn.travel and we will delete the Account and associated data without undue delay.
In the EU, UK, and other regions where the digital-consent age is 16 (or otherwise higher than 13), users between 13 and the local minimum age require verifiable parental consent. Auryn does not currently offer a verifiable parental-consent flow, so if you are in that age range and that jurisdiction, please ask your parent or guardian before signing up.
For users between 13 and 18 in the United States, we apply additional protective defaults (no public profile by default, conservative friend suggestions) and honor any restrictions imposed by applicable state law.
18. Marketing communications
We send only the marketing emails you have explicitly opted into (e.g., a quarterly product digest). Every marketing email includes an unsubscribe link. Transactional emails (receipts, security alerts, account notices) cannot be opted out of for as long as you have an Account.
19. Push notifications
Push notifications are sent only if you have granted notification permission on your device. Categories include friend activity, trip invitations, reminders, security alerts, and (rarely) product news. You can disable any category in Settings → Notifications in the app, or all notifications in your device's system settings.
20. Mobile permissions we may request
- Photos / Camera — to attach images to your pins; access only when you choose to add a photo.
- Microphone — only when recording video/audio for pins that support captured sound.
- Location (when in use) — when you tap "use my current location" while adding or editing pin coordinates.
- Location (during active trips) — only while you intentionally record an active-trip route map; broader permission wording on iOS/Android may appear so the OS can keep sampling in background during that recording session—not for unrelated tracking.
- Notifications — to alert you about friend activity, trip invitations, etc.
- Face ID / Touch ID — only if App Lock ships in a supported build requiring device biometrics; not used today for standalone account authentication.
You can revoke any permission in your device's system settings at any time. Revoking a permission does not delete data already stored — to delete that, use the in-app deletion flow (Section 24).
21. Apple App Tracking Transparency (ATT)
Apple's App Tracking Transparency (ATT) regulates certain cross-app / cross-site tracking linked to Apple's Identifier for Advertising (IDFA). Auryn does not access the IDFA or engage in tracking practices that trigger ATT, and therefore ordinarily does not show Apple’s ATT permission prompt. Authenticated usage analytics routed to PostHog (Section 4.7) are first-party telemetry for Service operations and sit outside Apple's ATT paradigm, even though pseudonymous identifiers may be processed. Maintain App Store disclosures consistent with Sections 4, 9, and 13.
22. Cookies and similar technologies (website only)
The Auryn marketing website uses no third-party tracking cookies, no advertising pixels, no social-media trackers, and no cross-site analytics. We may set strictly necessary first-party cookies (e.g., to remember a dark/light theme preference). The mobile app does not use cookies.
If we ever introduce optional analytics on the website, we will display a consent banner that complies with the EU ePrivacy Directive and equivalent laws.
23. Security
- All traffic between the app/website and our servers is encrypted with TLS 1.2+.
- Passwords are hashed with bcrypt (cost factor 12). Plaintext passwords are never stored or logged.
- Object storage and database backups are encrypted at rest using cloud-provider managed keys.
- Production access is restricted to authorized personnel, requires multi-factor authentication, and is subject to least-privilege and periodic review.
- We monitor for anomalous activity and run regular dependency-vulnerability scans.
- Security disclosures: security@auryn.travel.
No system is 100% secure. If we discover a personal-data breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours where required by law, and we will provide information about the breach and the steps you can take.
24. Account deletion process
To delete your Account and personal data:
- Open the app → Settings → Danger zone → Delete account.
- Confirm twice in-app (this cannot be undone). If you subscribed to Auryn Pro, cancel recurring billing separately in Settings → Apple ID → Subscriptions (iOS) or Google Play subscriptions (Android)—we cannot cancel App Store/Play receipts on your behalf.
- You may optionally email privacy@auryn.travel; data removal follows the timelines below.
Alternatively, email privacy@auryn.travel from the address registered to your Account. After confirmation:
- Your Content is removed from our active systems immediately.
- Encrypted backups containing your data are rotated out within 35 days.
- Anonymized aggregate analytics derived from your Content may be retained.
- Records we are legally required to keep (e.g., billing and tax) are retained for the legally required period and not used for any other purpose.
25. Data export / portability
You can request a machine-readable JSON export of your Account, profile, pins, trips, and comments by emailing privacy@auryn.travel. We deliver the export via a time-limited secure download link within 30 days. Photos are provided as a separate ZIP archive.
26. Third-party links and services
The Service may link to or integrate with third-party services (e.g., Mapbox tiles, Wikipedia thumbnails). Those third parties have their own privacy practices, which we do not control. We encourage you to review their policies.
27. Aggregated and de-identified data
We may create aggregated or de-identified data from personal data — for example, "X% of users have at least one verified pin." Once data is irreversibly de-identified, it is not subject to this policy. We commit to maintaining and using such data in de-identified form and not attempting to re-identify it, except for security testing.
28. Changes to this policy
If we make material changes to this policy, we will notify you in-app and/or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after a change constitutes acceptance of the updated policy. If you don't agree, you may delete your Account.
29. EU / UK representative
If we are required to designate a representative in the EU or UK under Article 27 of the GDPR or UK GDPR, we will publish their contact details here. Until then, you may contact our privacy team directly at privacy@auryn.travel.
30. Contact and complaints
- General privacy questions & data requests: privacy@auryn.travel
- Security disclosures: security@auryn.travel
- Safety & abuse reports: safety@auryn.travel
- General support: support@auryn.travel
If you are in the EU, UK, or Switzerland and unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EU authorities is available at edpb.europa.eu; the UK ICO is at ico.org.uk.