Privacy Policy
- Effective date: March 15, 2026
- Last updated: March 15, 2026
- Privacy contact: privacy@auroracommand.ai
Aurora Command is a U.S.-first business service operated by Borealis Security, Inc. This policy covers website visitors, account contacts, workspace users, reviewers, and related communications.
We do not sell personal information for money. We disclose information to service providers, payment processors, model providers, integrations, reviewers chosen by customers, and other recipients described in this policy.
1. Scope and relationship to other documents
Owner: @platform
Doc Class: Content-Ops
Status: Active
Component: content.legal.aurora.2026_03_15.12_privacy_policy
Scope: 1. Scope and relationship to other documents as legal or public-policy content maintained with the product but excluded from the engineering knowledgebase's default authoritative set.
Change Domains: legal, privacy, content, disclosure
Review Cycle: 90 days
Knowledgebase Role: Excluded
Repo Commit/Branch: master
Last Verified Against Repo: 2026-03-23
Sources: content/legal, SECURITY.md, backend/php-api/production/data/policy_templates
Status note: This content-ops surface is excluded from the engineering knowledgebase by default. Use the owning canonical engineering docs for runtime truth.
This Privacy Policy applies when you visit the Aurora Command website, request a demo or downloadable resource, open a Trust Center or procurement request, create or administer an account, use the Aurora Command platform, connect integrations, participate in onboarding or setup, contact support, receive marketing communications, or access customer-shared materials as a reviewer or recipient.
This public policy supplements, and does not amend, any separate customer agreement, order form, or data processing addendum that governs Customer Data in a paid workspace. Aurora Command is operated as a U.S.-first business service unless Borealis expressly agrees otherwise in writing.
2. Categories of personal information we collect
- Business contact and identity data, including name, work email, company name, title, department, phone number, billing contact details, and account owner or administrator identifiers.
- Account, authentication, and profile data, including usernames, protected credentials, single sign-on identifiers, password reset and MFA events, role assignments, user preferences, and account settings.
- Billing and transaction data, including billing contact information, payment method tokens or masked payment details supplied by our payment processor, subscription plan, invoices, renewal status, payment history, credits, and collections notes.
- Onboarding, support, and correspondence data, including emails, tickets, chat messages, support recordings or notes, implementation requests, uploaded sample documents, screenshots, and training artifacts.
- Reviewer and recipient data, including reviewer names, business emails, organizations, invite status, access timestamps, views, downloads, approvals, comments, and related access logs.
- Customer content and workspace data, including policies, procedures, evidence files, mappings, tasks, approvals, exports, and other materials a customer uploads, creates, imports, or generates within the workspace.
- Integration and imported data, including configuration, content, metadata, and status information imported from third-party systems at the customer's direction.
- AI interaction and configuration data, including prompts, retrieved context, outputs, message counts, selected provider, model settings, safety flags, and customer-supplied API key configuration where enabled.
- Usage, device, cookie, telemetry, and audit-log data, including IP address, browser type, device identifiers, pages viewed, session events, diagnostics, analytics identifiers, file access history, permission changes, login history, anomaly alerts, and system logs.
3. Sources of personal information
We collect personal information directly from you, from your employer or account administrator, automatically from your device or browser, from third-party systems your organization connects to Aurora Command, and from service providers or vendors that support our operations such as hosting, payments, communications, analytics, and security vendors.
4. How we use personal information
- Provide, host, configure, support, secure, maintain, and improve the Aurora Command website, workspace, Trust Center, onboarding services, and reviewer-sharing workflows.
- Create and administer accounts, authenticate users, enforce permissions and product limits, and manage subscriptions, billing, taxes, collections, and renewals.
- Process and organize customer-submitted content, evidence, integrations, mappings, reports, and customer-directed sharing workflows.
- Respond to inquiries, schedule demos, deliver requested materials, provide training and setup assistance, and communicate about service, billing, security, and administrative matters.
- Operate AI-assisted features, including routing prompts, retrieved context, outputs, and related metadata through Borealis systems and, where applicable, third-party model providers.
- Detect, prevent, and investigate fraud, abuse, unauthorized access, suspicious activity, security incidents, and violations of our agreements or policies.
- Measure performance, troubleshoot defects, conduct quality assurance, generate usage analytics, develop product insights, and create aggregated or de-identified information where permitted.
- Comply with legal obligations, enforce agreements, protect rights and safety, defend claims, and support corporate transactions where permitted by law.
5. How we disclose personal information
We do not sell personal information for money. We may disclose personal information to:
- Service providers and contractors that help us operate hosting, infrastructure, storage, communications, support, analytics, payment processing, CRM, error monitoring, and security functions.
- Third-party model or AI service providers where a customer uses AI-assisted features and the workflow requires prompts, supporting context, configuration, or outputs to be processed through that provider.
- Integration partners or connected third-party systems when a customer directs Aurora Command to connect, import, export, or synchronize information.
- Reviewers, auditors, insurers, procurement teams, counterparties, or other external recipients when a customer administrator or authorized user chooses to share materials, invite reviewers, or generate a review link or export.
- Professional advisers, investors, financing sources, and counterparties to an actual or proposed merger, acquisition, financing, reorganization, bankruptcy, or similar corporate transaction.
- Law enforcement, regulators, courts, and other parties where required by law or where disclosure is reasonably necessary to protect rights, property, safety, or the service.
- Affiliates or successor entities if Borealis reorganizes its corporate structure, provided the recipient uses the information consistently with this policy or otherwise as permitted by law.
We may also create and use aggregated or de-identified information that does not identify a person, provided we maintain it in de-identified form where required by law.
6. Cookies, similar technologies, and website analytics
Aurora Command and its service providers use cookies, local storage, pixels, session identifiers, SDKs, and similar technologies to support security, authentication, preferences, analytics, and limited marketing or attribution functions.
- Strictly necessary technologies support core site and service functions such as authentication, session continuity, fraud prevention, and user-preference storage.
- On public Aurora marketing pages, optional analytics technologies currently include Google Analytics and Microsoft Clarity. They load only after analytics consent is granted.
- Functional technologies may preserve user settings or product preferences.
- On public Aurora marketing pages, optional marketing or attribution technologies currently include Reb2B and Borealis's first-party marketing attribution runtime. They load only after marketing consent is granted.
- Optional analytics and marketing technologies are not loaded on sensitive routes such as login, dashboard, admin, registration, reset-password, or Trust Center paths.
- Supported Global Privacy Control browser signals are treated as requests to keep optional analytics and marketing technologies off.
Use our cookie tools and browser settings to manage optional cookies. Blocking cookies can affect performance or feature availability.
7. AI features and customer-supplied API keys
Aurora Command may offer AI-assisted features with limited monthly usage, and some customers may be permitted to configure a customer-supplied API key or customer-selected model provider.
- Prompts, context, outputs, and related metadata may be processed by Borealis and its service providers to provide, secure, and administer the feature.
- If Borealis provides the model workflow, relevant content may be transmitted to approved OpenAI-hosted or Anthropic-hosted APIs, or to another provider documented for the customer environment.
- If a customer elects to use a customer-supplied API key, request data may be transmitted using that customer's credentials to the designated provider under the customer's own account and provider terms.
- Borealis may log message counts, timestamps, feature selections, guardrail events, abuse indicators, and similar metadata to enforce quotas, protect the service, and troubleshoot or improve the feature as permitted by the applicable agreement.
- Unless a customer expressly opts in through a Borealis-approved mechanism or a separate Borealis-signed agreement says otherwise, Borealis does not use Customer Data from Aurora Command workspaces to train generalized or shared AI models.
Customers remain responsible for reviewing AI-generated content before relying on or sharing it.
8. Security
We use administrative, technical, and organizational measures designed to protect personal information appropriate to the nature of the service and the information at issue. These measures may include role-based access controls, encryption in transit, safeguards for data at rest, logging, backup processes, vendor oversight, and incident response procedures.
No method of storage or transmission is completely secure, and Borealis cannot guarantee absolute security. Customers are also responsible for maintaining the security of their own credentials, administrators, endpoints, and connected systems.
9. Retention
We retain personal information for as long as reasonably necessary for the purposes described in this policy, the duration of the applicable customer relationship, and any additional period reasonably necessary to comply with law, enforce agreements, resolve disputes, prevent fraud, or maintain backup, security, and audit records.
Retention periods vary based on the type of information and context. For example:
- Contact, walkthrough, download, and Trust Center access requests are retained for request handling, follow-up, suppression-list management, and related business records.
- Reviewer activity, Trust Center access logs, and security or audit records may remain longer where needed for attribution, incident review, legal compliance, fraud prevention, or dispute handling.
- Billing, tax, and transaction records are retained as needed for accounting, legal, and collections obligations.
- Backups, disaster-recovery media, archives, and security logs may operate on a different deletion cycle than live production data.
When a self-service subscription ends, the customer is responsible for exporting data before the paid term ends. After the paid term ends, Borealis targets deletion of the terminated workspace from primary production systems within fourteen (14) days, subject to legal retention, backup retention, security logging, disaster-recovery media, fraud prevention, and other protected archival systems that are deleted later in the ordinary course.
10. U.S. state privacy rights and choices
Depending on where you reside and subject to applicable exemptions and verification requirements, you may have rights under U.S. state privacy laws with respect to personal information Borealis processes about you in its role as a business or controller.
- Right to know, access, or obtain categories and in some cases specific pieces of personal information, subject to legal limits.
- Right to delete personal information we collected from you, subject to exceptions such as security, legal compliance, and transaction completion.
- Right to correct inaccurate personal information.
- Right to opt out of sale, sharing, or targeted advertising where applicable law treats a disclosure that way, most likely in connection with optional website marketing or attribution technologies rather than core product operations.
- Right to limit certain sensitive information uses where applicable.
- Right to appeal a denied privacy-rights request in jurisdictions that require it.
- Right to non-discrimination for exercising privacy rights, except as permitted by law.
To exercise privacy rights, contact privacy@auroracommand.ai. Borealis may need to verify your identity and authority before acting on a request. Where Borealis processes workspace data on behalf of a customer, it may direct you to the relevant customer or work with that customer to respond.
11. Reviewers, referrals, and customer-directed sharing
If a customer invites you as a reviewer or shares materials with you through Aurora Command, Borealis processes your contact details, access status, and activity logs as necessary to deliver that customer-directed sharing workflow. The customer that invited you controls the materials it shares and the scope of your authorized access.
If you refer another person to us, or if your employer or a customer administrator gives us your information to set up an account or schedule a walkthrough, Borealis will use that information to contact you about the relevant request or relationship.
12. Children's privacy and restricted data
Aurora Command is intended for business use and is not directed to children. Borealis does not knowingly collect personal information from children in a context where parental notice or consent is required by law.
Unless expressly authorized in a separate written agreement, customers should not submit highly regulated or prohibited categories of data through the self-service service, including payment card data subject to PCI DSS, protected health information subject to HIPAA, children's data, sensitive government identifiers, or other restricted data that the service is not designed to support.
13. International access and U.S. processing
Aurora Command is operated from the United States and is offered on a U.S.-first basis. If you access the website or services from outside the United States, your information may be processed in the United States or other jurisdictions where Borealis or its service providers operate, subject to the applicable agreement and law.
14. Changes and contact information
Borealis may update this Privacy Policy from time to time to reflect changes in its practices, technologies, legal requirements, or service offerings. When it does, Borealis will update the effective date or last-updated date and, where required by law, provide additional notice.
Privacy questions, rights requests, and data-protection inquiries may be sent to privacy@auroracommand.ai. Security reports should be sent to security@auroracommand.ai. General support requests may be directed to support@auroracommand.ai.
15. Public subprocessor disclosures and live procurement artifacts
Borealis may maintain a current public subprocessor register, security-document repository, retention summary, and related procurement artifacts on its website or through another written disclosure process. Authenticated Trust Center materials may supplement that public disclosure with review-specific detail, but they do not replace the public Privacy Policy, Notice at Collection, or website-posted subprocessor information.
Customers are responsible for keeping their privacy, legal, procurement, or administrative contacts current if they want operational notices, courtesy updates, or controlled-access invitations relating to subprocessors or other trust materials.