Privacy Policy

Last updated: 07/01/2026

1. Who We Are

Auripath is a SaaS product that helps customers turn written content into audio and publish it using an embeddable player, optional email gate, cover artwork generation, and analytics (the “Service”).

Controller (website and app): Christopher Hall trading as Auripath.com (“Auripath”, “we”, “us”).

Address: 2 Malwood Close, Havant, United Kingdom, PO9 5JY
Email: [email protected]

2. How This Policy Works (Important)

Auripath can involve multiple “controllers” depending on how it is used:

  • When you use auripath.com or the Auripath app (app.auripath.com): Auripath is the data controller for your personal data under this Privacy Policy.
  • When an end user enters their email in a lead form shown inside a customer’s embed on the customer’s website: the customer is the data controller for that end user’s personal data, and Auripath acts as a data processor for the customer (we store the lead for the customer and provide tools to view/export/delete it). The customer’s privacy policy governs how the customer uses that lead data (including marketing emails).

If you are an end user submitting your email on a customer’s site, you should read the customer’s privacy policy. Where available, the embed may show an optional link labelled Customer Privacy that points to the customer’s policy.

3. What Personal Data We Collect

Depending on how you use Auripath, we may collect the following:

3.1 Website and app account data (customers and prospects)

  • Account details: email address, password (stored as a secure hash), and basic account settings.
  • Profile details (optional): name and other profile fields you choose to provide.
  • Support and communications: messages you send to us, including via chat (tawk.to) and email.

3.2 Customer content and generated outputs

  • Content you provide: text you paste or upload (including extracted PDF text where you use PDF tools).
  • Generated outputs: audio files, transcripts (if enabled), and cover images generated using third party providers.
  • Document metadata: titles, settings, player configuration, lead capture settings, and publish/embed settings.

Sensitive content note: Please do not upload or include special category or highly sensitive personal data (for example, health data) unless you have a lawful basis to do so. Auripath is not designed for handling sensitive personal data.

3.3 Lead capture data (end users submitting email on embeds)

  • Lead email address: we collect an email address when a lead form is enabled by the customer.
  • Consent field: embeds can include an optional consent checkbox with an editable label set by the customer.
  • Security and abuse data: IP address and user agent may be collected to prevent abuse and protect the Service.

Note: Auripath is designed to collect minimal lead data. By default, the lead field is email-only.

3.4 Usage data and analytics

  • In-app analytics: actions within the app (for example, creating documents, generating audio, publishing).
  • Embed/player analytics: events such as loads, plays, progress, and completions to produce analytics for customers.
  • Technical data: IP address and user agent may be processed for security, rate limiting, and anti-abuse.

3.5 Cookies and similar technologies

We use cookies and similar technologies (including localStorage and sessionStorage) to provide the Service, remember preferences, and (with consent where required) measure usage and improve marketing performance.

4. How We Use Personal Data

We use personal data for the following purposes:

  • Provide the Service: create accounts, authenticate users, deliver app functionality, generate outputs, and display embeds.
  • Operate lead capture: store lead submissions for customers and provide tools to view/export/delete them.
  • Analytics and performance: show customers how their audio lead magnets perform and improve the Service.
  • Security and abuse prevention: rate limiting, fraud prevention, and protecting the Service from misuse.
  • Support: respond to messages, troubleshoot, and improve reliability.
  • Marketing (Auripath only): if someone submits their email on an Auripath-owned page or Auripath-owned embed, we may send marketing emails about Auripath (subject to consent and opt-out rules that apply to their region).

5. Legal Bases (UK GDPR and similar laws)

Where UK GDPR or similar laws apply, we rely on the following legal bases:

  • Contract: to provide the Service to customers who create an account and use paid or free plans.
  • Legitimate interests: to secure, maintain, and improve the Service; prevent abuse; and understand aggregate product performance.
  • Consent: for marketing emails in some cases, and for non-essential cookies/tracking where required.
  • Legal obligation: where we must comply with applicable laws and enforce our terms.

6. Marketing Emails

6.1 Auripath marketing

If someone submits their email on an Auripath-owned page or Auripath-owned embed, Auripath may send them marketing emails about Auripath. We will provide an unsubscribe link in marketing emails and honour opt-out requests.

Email service provider: {{EMAIL_PROVIDER_NAME}}

6.2 Customer marketing (customer embeds)

If a customer uses Auripath lead capture on their website, the customer decides how they use those leads (including whether they send marketing emails). In that scenario, the customer is responsible for their own compliance and privacy notices.

We recommend customers configure the consent label so it clearly states the customer brand name (so the end user knows who will email them).

Customers are responsible for configuring their lead capture notice and consent text, and for providing their own privacy policy link where required by applicable law.

7. Payments (Paddle)

We use Paddle to process payments and manage subscriptions. Where applicable, Paddle acts as the merchant of record (seller) and processes billing and payment details in order to complete your purchase.

Auripath does not store full payment card details. We receive and store limited information from Paddle such as your purchase and subscription status, the plan you purchased, transaction identifiers, and similar metadata needed to provide the Service, manage access, handle refunds or chargebacks, and support customers.

Paddle processes personal data in accordance with its own privacy policy.

8. Cookies, Local Storage, and Tracking

Auripath uses:

  • Strictly necessary cookies/storage for login, session management, security, and core app functionality.
  • Non-essential tracking for product analytics and marketing performance (for example, Google Analytics, HubSpot tracking, Hotjar), which we load only after user consent where required.

Cookie Policy: See Cookie Policy for details and how to change your preferences.

8.1 Tools we use (current)

  • Marketing site (auripath.com): Google Analytics, HubSpot tracking (marketing)
  • App (app.auripath.com): Google Analytics, HubSpot tracking, Hotjar
  • Support chat (both): tawk.to

8.2 Embed behaviour (local storage note)

When a lead form is used on an embed, the embed may store information in the end user’s browser (for example, in localStorage/sessionStorage) to remember that the user has unlocked playback. We aim to minimise what is stored and may store an unlock token or flag rather than personal data. Customers can also choose to place their lead magnet behind other links or systems.

9. Sharing Personal Data and Subprocessors

We share personal data with service providers (“subprocessors”) that help us run Auripath, such as hosting, analytics, support, payment processing, and AI generation providers. We only share what is necessary for them to perform the services.

Subprocessors list: See Subprocessors for the current list and purposes.

Data Processing Addendum (DPA): If you are a customer and Auripath processes personal data on your behalf (for example, lead capture), our DPA is available at /dpa/.

9.1 Payments

Payments and subscriptions are processed by Paddle. Paddle may process billing and payment details as part of checkout and subscription management. Auripath receives limited purchase and subscription information from Paddle to provide the Service.

9.2 AI and media generation providers

Auripath uses third party providers to generate outputs. Depending on your usage, your content may be sent to:

  • Text to speech: ElevenLabs
  • Cover generation: OpenAI
  • PDF to Audio Script (Basic): OpenAI
  • PDF to Audio Script (Premium): OpenAI

10. International Data Transfers

Auripath is operated from the United Kingdom and our primary hosting is in the UK. Some of our service providers may process personal data outside the UK and EEA. Where required, we use appropriate safeguards for international transfers, such as Standard Contractual Clauses and the UK Addendum or UK International Data Transfer Agreement, and we may rely on other lawful transfer mechanisms where available.

11. Security

We use reasonable technical and organisational measures to protect personal data, including access controls, encryption where appropriate, and abuse prevention controls. No system is 100% secure, but we work to reduce risk and improve safety over time.

12. Data Retention

We keep personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law. Our approach is broadly “customer-controlled retention” similar to many SaaS platforms: customers can delete documents and leads themselves.

If you close your account, we retain personal data only as needed for legal, accounting, dispute prevention, and security purposes, and then delete or anonymise it where appropriate (subject to backup rotation).

12.1 Leads

  • Customer leads (customer embeds): retained until the customer deletes them (or until account closure, subject to backup retention).
  • Auripath leads (Auripath-owned pages/embeds): retained until the person unsubscribes and we apply suppression, or until we no longer need the data for the purposes described.

We may include helpful guidance in the product to encourage customers to periodically delete inactive or old lead data if it is no longer needed.

12.2 IP address and user agent

We may collect IP address and user agent for security and abuse prevention. We retain raw IP addresses for up to 90 days, then delete or anonymise them unless we need to keep them longer to investigate abuse, enforce our terms, or comply with law.

12.3 Analytics

Analytics events are retained to provide dashboards and help customers understand performance. Customers can delete their documents, and related analytics may no longer be available after deletion.

We may also create and retain aggregated or de-identified data that does not identify you, for example to improve the Service and understand overall product performance.

12.4 Billing and accounting

We and our payment providers may retain transaction and billing records as required for accounting, tax, compliance, and dispute handling.

12.5 Backups

We may keep encrypted backups for resilience and recovery. Deleted data may persist in backups until they are rotated. Backup retention target: daily backups retained up to 30 days.

13. Your Rights

Depending on your location, you may have rights over your personal data, including the right to access, correct, delete, restrict or object to processing, and to receive a portable copy of your data. You may also have the right to withdraw consent where processing is based on consent.

To exercise your rights (or to submit a subject access request), contact: [email protected]. We aim to respond within one month where UK GDPR applies, and within applicable timelines in other regions.

We may need to verify your identity before responding to certain requests.

If you are an end user who submitted your email on a customer’s embed, you should contact the customer directly, since the customer is the controller. We will assist customers where required as their processor.

You also have the right to lodge a complaint with a data protection authority. In the UK, this is the Information Commissioner’s Office (ICO). If you are in the EEA, you can complain to your local supervisory authority.

Some US state privacy laws may provide additional rights. You can exercise your rights by contacting us at [email protected]. We may also recognise certain browser-based privacy signals (such as Global Privacy Control) where applicable.

14. Children

Auripath is not intended for children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to Auripath, contact us and we will take appropriate steps.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last updated” date and may provide additional notice in the app or on our website where appropriate.

16. Contact

For data protection related queries: [email protected].