Privacy Policy

Privacy Policy

Last updated: 09/03/2026

1. Who We Are

Auripath is a SaaS product that helps customers turn written content into audio and publish it using an embeddable player, optional email gate, cover artwork generation, and analytics (the “Service”).

Controller (website and app): Auripath.com (“Auripath”, “we”, “us”).

2. How This Policy Works (Important)

Auripath can involve multiple “controllers” depending on how it is used:

  • When you use auripath.com or the Auripath app (app.auripath.com): Auripath is the data controller for your personal data under this Privacy Policy.
  • When an end user enters their email in a lead form shown inside a customer’s embed on the customer’s website: the customer is the data controller for that end user’s personal data, and Auripath acts as a data processor for the customer (we store the lead for the customer and provide tools to view/export/delete it). The customer’s privacy policy governs how the customer uses that lead data, including marketing emails.
  • If you are an end user submitting your email on a customer’s site, you should read the customer’s privacy policy. Where available, the embed may show an optional link labelled Customer Privacy that points to the customer’s policy.

3. What Personal Data We Collect

Depending on how you use Auripath, we may collect the following:

3.1 Website and app account data (customers and prospects)

  • Account details: email address, password (stored as a secure hash), and basic account settings.
  • Profile details (optional): name and other profile fields you choose to provide.
  • Support and communications: messages you send to us, including via chat (tawk.to) and email.

3.2 Customer content and generated outputs

  • Content you provide: text you paste or upload, including extracted PDF text where you use PDF tools.
  • Generated outputs: audio files, transcripts (if enabled), and cover images generated using third party providers.
  • Document metadata: titles, settings, player configuration, lead capture settings, and publish/embed settings.

Sensitive content note: Please do not upload or include special category or highly sensitive personal data, for example health data, unless you have a lawful basis to do so. Auripath is not designed for handling sensitive personal data.

3.3 Lead capture data (end users submitting email on embeds)

  • Lead email address: we collect an email address when a lead form is enabled by the customer.
  • Consent field: embeds can include an optional consent checkbox with an editable label set by the customer.
  • Security and abuse data: IP address and user agent may be collected to prevent abuse and protect the Service.

Note: Auripath is designed to collect minimal lead data. By default, the lead form is email-only, and we aim not to store lead email addresses in browser storage used for embed unlock state.

3.4 Usage data and analytics

  • In-app analytics: actions within the app, for example creating documents, generating audio, and publishing.
  • Embed/player analytics: events such as loads, plays, progress, and completions to produce analytics for customers.
  • Technical data: IP address and user agent may be processed for security, rate limiting, and anti-abuse.

3.5 Cookies and similar technologies

We use cookies and similar technologies, including localStorage and sessionStorage, to provide the Service, remember preferences, maintain security, and, where permitted, measure usage and improve marketing performance.

Some browser storage is used for core functionality. For example, where a lead form is enabled on an embed, the embed may store a small browser-side flag to remember that playback has already been unlocked on that browser for a particular document. We aim to minimize what is stored and avoid storing unnecessary personal data in browser storage.

4. How We Use Personal Data

We use personal data for the following purposes:

  • Provide the Service: create accounts, authenticate users, deliver app functionality, generate outputs, and display embeds.
  • Operate lead capture: store lead submissions for customers and provide tools to view, export, or delete them.
  • Analytics and performance: show customers how their audio content performs and improve the Service.
  • Security and abuse prevention: rate limiting, fraud prevention, and protecting the Service from misuse.
  • Support: respond to messages, troubleshoot, and improve reliability.
  • Marketing (Auripath only): if someone submits their email on an Auripath-owned page or Auripath-owned embed, we may send marketing emails about Auripath, subject to consent and opt-out rules that apply to their region.

5. Legal Bases (UK GDPR and similar laws)

Where UK GDPR or similar laws apply, we rely on the following legal bases:

  • Contract: to provide the Service to customers who create an account and use paid or free plans.
  • Legitimate interests: to secure, maintain, and improve the Service, prevent abuse, and understand aggregate product performance.
  • Consent: for marketing emails in some cases, and for non-essential cookies or tracking where required.
  • Legal obligation: where we must comply with applicable laws and enforce our terms.

6. Marketing Emails

6.1 Auripath marketing

If someone submits their email on an Auripath-owned page or Auripath-owned embed, Auripath may send them marketing emails about Auripath. We will provide an unsubscribe link in marketing emails and honour opt-out requests.

Email service provider: {{EMAIL_PROVIDER_NAME}}

6.2 Customer marketing (customer embeds)

If a customer uses Auripath lead capture on their website, the customer decides how they use those leads, including whether they send marketing emails. In that scenario, the customer is responsible for their own compliance and privacy notices.

We recommend customers configure the consent label so it clearly states the customer brand name, so the end user knows who will email them.

Customers are responsible for configuring their lead capture notice and consent text, and for providing their own privacy policy link where required by applicable law.

7. Payments

Payments and subscriptions are processed by our Merchant of Record and payment providers. The seller of record will be displayed at checkout and on your receipt.

Auripath does not store full payment card details. We receive and store limited information from our payment providers such as your purchase and subscription status, the plan you purchased, transaction identifiers, and similar metadata needed to provide the Service, manage access, handle refunds or chargebacks, and support customers.

Our payment providers process personal data in accordance with their own privacy policies.

8. Cookies, Local Storage, and Tracking

Auripath uses cookies and similar technologies, including localStorage and sessionStorage, for the following purposes:

Strictly necessary cookies and storage

Used for login, session management, security, abuse prevention, saving consent choices, and core Service functionality.

Functional cookies and storage

Used to remember settings and improve how the Service works, such as player or app preferences.

Analytics and marketing technologies

Used to understand usage and measure marketing performance. Where required by law, we load non-essential analytics and marketing technologies only after user consent.

Cookie Policy: See our Cookie Policy for more detail about the technologies we use and how to manage your preferences.

8.1 Tools we use (current)

  • Marketing site (auripath.com): Google Analytics, HubSpot tracking
  • App (app.auripath.com): Google Analytics, HubSpot tracking, Hotjar
  • Support chat (both): tawk.to

8.2 Embed behavior and browser storage

When a lead form is used on an Auripath embed, the embed may store a small item in the end user’s browser, such as a document-specific unlock flag, to remember that playback has already been unlocked on that browser and avoid repeatedly showing the same lead form after a refresh or return visit.

We aim to minimize what is stored in browser storage. Where possible, we store a minimal unlock state rather than the visitor’s email address. Browser storage may be cleared by the user through their browser settings at any time.

9. Sharing Personal Data and Subprocessors

We share personal data with service providers (“subprocessors”) that help us run Auripath, such as hosting, analytics, support, payment processing, and AI generation providers. We only share what is necessary for them to perform the services.

Subprocessors list: See Subprocessors for the current list and purposes.

Data Processing Addendum (DPA): If you are a customer and Auripath processes personal data on your behalf, for example lead capture, our DPA is available at /data-processing-addendum/.

9.1 Payments

Payments and subscriptions are processed by our Merchant of Record and payment providers. They may process billing and payment details as part of checkout and subscription management. Auripath receives limited purchase and subscription information from them to provide the Service.

9.2 AI and media generation providers

Auripath uses third party providers to generate outputs. Depending on your usage, your content may be sent to:

  • Text to speech: ElevenLabs
  • Cover generation: OpenAI
  • PDF to Audio Script (Basic): OpenAI
  • PDF to Audio Script (Premium): OpenAI

10. International Data Transfers

Auripath is operated from the United Kingdom and our primary hosting is in the UK. Some of our service providers may process personal data outside the UK and EEA. Where required, we use appropriate safeguards for international transfers, such as Standard Contractual Clauses and the UK Addendum or UK International Data Transfer Agreement, and we may rely on other lawful transfer mechanisms where available.

11. Security

We use reasonable technical and organisational measures to protect personal data, including access controls, encryption where appropriate, and abuse prevention controls. No system is 100% secure, but we work to reduce risk and improve safety over time.

12. Data Retention

We keep personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law. Our approach is broadly customer-controlled retention similar to many SaaS platforms: customers can delete documents and leads themselves.

If you close your account, we retain personal data only as needed for legal, accounting, dispute prevention, and security purposes, and then delete or anonymise it where appropriate, subject to backup rotation.

12.1 Leads

  • Customer leads (customer embeds): retained until the customer deletes them, or until account closure, subject to backup retention.
  • Auripath leads (Auripath-owned pages or embeds): retained until the person unsubscribes and we apply suppression, or until we no longer need the data for the purposes described.

We may include helpful guidance in the product to encourage customers to periodically delete inactive or old lead data if it is no longer needed.

12.2 IP address and user agent

We may collect IP address and user agent for security and abuse prevention. We retain raw IP addresses for up to 90 days, then delete or anonymise them unless we need to keep them longer to investigate abuse, enforce our terms, or comply with law.

12.3 Analytics

Analytics events are retained to provide dashboards and help customers understand performance. Customers can delete their documents, and related analytics may no longer be available after deletion.

We may also create and retain aggregated or de-identified data that does not identify you, for example to improve the Service and understand overall product performance.

12.4 Billing and accounting

We and our payment providers may retain transaction and billing records as required for accounting, tax, compliance, and dispute handling.

12.5 Backups

We may keep encrypted backups for resilience and recovery. Deleted data may persist in backups until they are rotated.

Backup retention target: daily backups retained up to 30 days.

12.6 Browser storage retention

Where Auripath uses browser storage such as localStorage or sessionStorage for core embed functionality, the data remains on the user’s device until it expires, is overwritten, or is cleared by the user or browser. Where we use browser storage to remember that a lead form has already been unlocked, we aim to keep that data minimal and retain it only for a limited period appropriate to the functionality.

13. Your Rights

Depending on your location, you may have rights over your personal data, including the right to access, correct, delete, restrict or object to processing, and to receive a portable copy of your data. You may also have the right to withdraw consent where processing is based on consent.

To exercise your rights, or to submit a subject access request, contact: [email protected]. We aim to respond within one month where UK GDPR applies, and within applicable timelines in other regions.

We may need to verify your identity before responding to certain requests.

If you are an end user who submitted your email on a customer’s embed, you should contact the customer directly, since the customer is the controller. We will assist customers where required as their processor.

You also have the right to lodge a complaint with a data protection authority. In the UK, this is the Information Commissioner’s Office (ICO). If you are in the EEA, you can complain to your local supervisory authority.

Some US state privacy laws may provide additional rights. You can exercise your rights by contacting us at [email protected]. We may also recognise certain browser-based privacy signals, such as Global Privacy Control, where applicable.

14. Children

Auripath is not intended for children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to Auripath, contact us and we will take appropriate steps.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last updated” date and may provide additional notice in the app or on our website where appropriate.

16. Contact

For data protection related queries: [email protected].