Effective Date: April 19, 2026 | Last Updated: April 19, 2026
This Privacy Policy explains how GoShapers L.L.C-FZ ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Auralyo application and related services (the "Service"). It describes your rights under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA") as amended by the CPRA, and the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection ("UAE PDPL").
GoShapers L.L.C-FZ is the sole data controller for all users of the Service worldwide.
3.1 Directly from you
We collect data you provide when you: (a) register an account; (b) complete the focus quiz; (c) make a purchase; (d) contact our support team; or (e) subscribe to marketing communications.
3.2 Automatically
When you use the Service, we automatically collect: IP address, device and browser information, operating system, app version, session events, and in-app behaviour via analytics tools.
3.3 From third parties
We may receive information from: (a) payment processors (Stripe, Paddle, PayPal — transaction confirmation and fraud signals); (b) subscription entitlement services (RevenueCat — purchase validation and subscription state); (c) marketing automation platforms (Klaviyo — email engagement data); (d) advertising platforms (Meta, Google — ad attribution); and (e) app stores (Apple, Google — in-app purchase validation).
We share your data only with trusted service providers who process it on our behalf under written data processing agreements compliant with GDPR Article 28. We do not sell your personal information. Our current processors include:
We may also disclose your data: (a) to comply with a legal obligation or court order; (b) to protect the rights, property, or safety of Auralyo, our users, or the public; (c) in connection with a merger, acquisition, or sale of assets; or (d) to respond to a payment chargeback or dispute, in which case relevant transaction data, session logs, and account information may be shared with the applicable payment processor as set out in our Terms of Use and Service, Section 6.6.
GoShapers L.L.C-FZ is based in Dubai, UAE. Your data may be transferred to and processed in countries outside your home jurisdiction. We rely on the following safeguards:
EU-US Data Privacy Framework (DPF): Processors certified under the EU-US DPF (approved by the European Commission in July 2023) provide adequate protection under GDPR.
Standard Contractual Clauses (SCCs): Where DPF certification is unavailable, we use EU Commission-approved SCCs (2021 edition) together with supplementary measures as required by the EDPB's transfer assessment guidance.
UK IDTA: For transfers from the UK, we use the UK International Data Transfer Agreement or the UK Addendum to SCCs.
UAE transfers: Transfers to or from the UAE are governed by UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection. GoShapers L.L.C-FZ complies with all applicable requirements of this law.
You may request a copy of the relevant safeguards by contacting privacy@auralyo.com.
6.1 EEA / UK Users — GDPR Rights
If you are located in the EEA or UK, you have the following rights:
• Right of access — to obtain a copy of the personal data we hold about you
• Right to rectification — to correct inaccurate or incomplete data
• Right to erasure — to request deletion of your data, subject to legal retention obligations
• Right to restriction — to limit how we process your data in certain circumstances
• Right to data portability — to receive your data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — where processing is based on consent, withdraw at any time
• Right to lodge a complaint — with your local supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)
To exercise these rights, email privacy@auralyo.com. We will respond within 30 days, extendable by a further two months where the request is complex, in which case we will notify you of the extension.
6.2 California Residents — CCPA / CPRA Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
• Right to know — categories and specific pieces of personal information collected in the prior 12 months
• Right to delete — request deletion of personal information, subject to certain exceptions
• Right to correct — request correction of inaccurate personal information
• Right to opt-out of sale or sharing — Auralyo does not sell personal information for monetary consideration. For cross-context behavioural advertising ("sharing" under CPRA), you may opt out via Cookie Policy settings.
• Right to limit use of sensitive personal information — we do not use sensitive personal information (as defined under CPRA §1798.140(ae)) for purposes that would trigger an opt-out right under CPRA §1798.121
• Right to non-discrimination — we will not discriminate against you for exercising CCPA/CPRA rights
To exercise CCPA/CPRA rights, email privacy@auralyo.com with "California Privacy Rights Request" in the subject line. We will respond within 45 days, extendable by an additional 45 days where reasonably necessary under CCPA §1798.130(a)(2), in which case we will notify you of the extension. You may designate an authorised agent by providing written authorisation.
6.3 UAE Residents — PDPL Rights
If you are a resident of the United Arab Emirates, you have the following rights under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL):
• Right to be informed about the processing of your personal data
• Right of access to your personal data
• Right of correction of inaccurate personal data
• Right of erasure of personal data in defined circumstances
• Right to restrict processing
• Right to cease or restrict automated processing
• Right to object to processing
• Right to data portability
To exercise UAE PDPL rights, email privacy@auralyo.com. We will respond within 30 days.
6.4 All Users
Regardless of location, you may contact us to: (a) access your data; (b) correct inaccurate data; (c) delete your account; or (d) opt out of marketing communications at any time.
We retain personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required by law. Specific retention periods are set out in the GDPR Article 6 table in Section II. When data is no longer needed, it is securely deleted or anonymised.
We use cookies and similar tracking technologies on our website and web quiz funnel. For full details, please see our Cookie Policy at auralyo.com/legal/cookie-policy. We use a Consent Management Platform (CMP) that requires your explicit consent before placing non-essential cookies. You can update your cookie preferences at any time via "Cookie Settings" in the footer.
The Service is intended for users aged 18 and older. We do not knowingly collect personal data from individuals under 18.
Under-13s (COPPA compliance). In particular, we do not knowingly collect personal data from children under 13 in the United States, in compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506). If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will delete that information promptly. Parents or guardians who believe their child has submitted personal data to us may contact privacy@auralyo.com for immediate deletion.
Other jurisdictions. For other jurisdictions, the minimum age may be higher under local law (for example, certain EU member states set the age of digital consent at 16 under GDPR Article 8; UAE PDPL contains specific protections for children under 21 in defined circumstances). We apply the strictest applicable standard based on the user's stated jurisdiction.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, including encryption in transit (TLS 1.2+), encrypted storage, access controls, and periodic security reviews. No transmission over the internet is 100% secure, and we cannot guarantee absolute security.
In the event of a security breach reasonably likely to result in harm to users, we will notify affected users and relevant supervisory authorities as required by applicable law. Under GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach. We will notify affected users without undue delay via email and/or prominent in-app notice where the breach is likely to result in a high risk to their rights and freedoms.
Your quiz responses are used to generate a personalised audio session plan. This involves automated processing and a form of profiling within the meaning of GDPR Article 4(4). However, this processing does not produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Article 22(1), as:
• The recommendation is advisory and does not determine any legal right or contractual benefit;
• You retain full control to accept, modify, or ignore the recommendation;
• The recommendation does not affect pricing, service availability, or any other material aspect of your relationship with Auralyo.
You may request human review of any quiz-generated recommendation, or request that the recommendation be regenerated, by contacting privacy@auralyo.com. We do not use any other form of automated decision-making that produces legal or similarly significant effects.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. Continued use of the Service after changes take effect constitutes acceptance.
This Privacy Policy is governed by and incorporated into our Terms of Use and Service. Governing law, venue, and dispute resolution are set out in Sections XII and XIII of the Terms of Use. Nothing in this Privacy Policy limits your mandatory consumer or data protection rights under the law of your country of residence.
Email: privacy@auralyo.com
Response times: 30 days (EEA/UK/UAE users, extendable where permitted);
45 days (California users, extendable by 45 days where permitted)
Registered address: GoShapers L.L.C-FZ, Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
Postal address for formal data subject requests: As above, marked for the attention of "Privacy / Data Protection"