Privacy Policy
What personal data Auri collects, why we collect it, and the rights you have over it.
Maciej Adamski Sp. z o.o. ("Auri", "we", "us"), registered in Poland, operates the Auri hotel SPA management system. This policy explains what personal data we collect, why we collect it, how long we keep it, and how to exercise your rights under GDPR, UAE PDPL, and Saudi Arabia PDPL.
Data we collect
Auri collects personal data in three contexts.
Marketing website (auri-system.com): demo and contact form submissions (name, work email, property name, country, source attribution). Anonymised analytics via Google Analytics 4 with Consent Mode v2 — no tracking fires until you accept, and IPs are anonymised.
Hotel SPA management system (one isolated deployment per client): each client tenant collects guest personal data — names, contact details, treatment histories, payment tokens, reservation records — under the client's own privacy policy. Auri is the processor; the hotel is the controller.
Customer admin accounts: admin names, work emails, and credentials (passwords stored as bcrypt hashes — never plain text). Audit logs of administrative actions are retained for traceability.
How we use personal data
Demo and contact submissions are used to reply to your inquiry. We do not sell, rent, or share marketing data with third parties. Records live in a private markdown CRM, not third-party SaaS.
Analytics improves the marketing site only. Aggregated, never per-user. No remarketing, no advertising pixels, no AI-training extraction.
Admin account data authenticates access, writes an audit trail, and lets us send service notices (planned maintenance, security advisories).
How long we keep data
Marketing inquiries: 24 months from last contact, then deleted unless you opt into longer retention.
Analytics: 14 months (GA4 default). Aggregated counts retained for trend analysis.
Admin accounts: duration of the customer contract + 12 months (legal hold / audit window), then anonymised.
Tenant data inside the system: configured per client. Each hotel's own privacy notice sets the actual retention windows for guest records.
Your rights as a data subject
Under GDPR, UAE PDPL, and Saudi Arabia PDPL you have the right to:
Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate data.
Erasure — request deletion ("right to be forgotten"), subject to legal retention obligations.
Restrict processing — limit how we use your data.
Data portability — receive your data in machine-readable JSON.
Object — object to processing based on legitimate interest.
Withdraw consent — for anything we process based on consent.
To exercise any right, email privacy@auri-system.com. We respond within 30 days. If we refuse a request, we explain why, and you may complain to your national supervisory authority (in Poland, UODO).
Where data lives and how it moves
Auri runs on Google Cloud Platform. Default regions: Frankfurt (europe-west3) for European clients, Bahrain (me-central1) for GCC clients. Other regions are configurable per deployment.
For EU/EEA data transferred outside the EU/EEA we use Standard Contractual Clauses (SCCs). For UAE data we honour PDPL data-localisation requirements where they apply.
Sub-processors (Stripe, Tap Payments, Twilio, Resend, SMSAPI.pl) operate under their own data-transfer mechanisms — documented in the Data Processing Agreement.
Privacy contact
Email: privacy@auri-system.com
Postal: Maciej Adamski Sp. z o.o., Poland (registered address provided on request).
Data Protection Officer: Maciej Adamski (founder, acting DPO).
For supervisory authority complaints, contact your national data protection authority — UODO (Poland), the relevant EU DPA, or the UAE Data Office.
Privacy or data-subject request
Email privacy@auri-system.com. We acknowledge within 2 business days and respond in full within 30 days, per GDPR Art. 12(3).