Aurora Privacy Policy

This Privacy Policy explains how Aurora collects, uses, shares, and protects personal data when you use the Aurora mobile application and related services (the "App").

Data controller / publisher: Marton Boldizsar Intreprindere Individuala
Registered address: Romania, Harghita, Tomesti, Strada Principala, 14
Privacy contact email: contact@monochrome-works.com
App privacy URL: https://monochrome-works.com/clients/aurora/privacy_policy/

1. Who We Are

Aurora is a mobile application for discovering local beauty providers, creating client and provider accounts, managing provider profiles, booking beauty services, receiving booking notifications, and submitting reviews after completed appointments.

For privacy questions, account deletion requests, access requests, correction requests, objections, or other data-rights requests, contact us at contact@monochrome-works.com.

2. Scope

This Privacy Policy applies to personal data processed through the App, including the iOS App Store version, the Google Play version, Firebase backend services, cloud functions, push notifications, and related account support operations.

This Privacy Policy does not apply to third-party websites, social media pages, external calendar apps, external map services, or other services that are not controlled by Aurora. If you open or use a third-party service from the App, that third party's own terms and privacy policy apply.

3. Summary of Data Practices

Aurora collects personal data to provide account access, provider discovery, provider onboarding, service listings, appointment booking, notifications, reviews, fraud prevention, security, app diagnostics, analytics, and customer support.

Aurora does not sell personal data. Aurora does not use personal data for third-party advertising or cross-app tracking. Aurora does not knowingly collect personal data from children under 13. Users must confirm that they are at least 13 years old before creating an account.

Some data is visible to other App users because it is necessary for the booking marketplace to work. For example, approved provider profile information is visible to clients, and a provider can see the name and phone number of a client who books that provider.

4. Data We Collect

4.1 Account and Registration Data

When you create or use an account, we collect:

• Firebase user ID and account identifiers.
• Name or display name.
• Email address.
• Phone number.
• Password authentication data, handled by Firebase Authentication. We do not store your plaintext password.
• Account role, such as client, provider, or superadmin.
• Account status, such as active, blocked, or deletion requested.
• Terms and privacy acceptance status and timestamps.
• Confirmation that you are at least 13 years old and the related timestamp.
• Preferred language or locale.
• Account creation and update timestamps.
• Environment tag used for MVP/test operations.

4.2 Provider Profile Data

If you register as a provider or manage a provider profile, we collect:

• Provider owner user ID.
• Owner name.
• Provider contact email and contact phone number.
• Business name.
• City and business address.
• Provider categories.
• Profile description.
• Provider profile photos and photo URLs.
• Social media links, including Instagram, Facebook, and TikTok links if provided.
• Whether the provider phone number should be publicly visible.
• Provider approval status, public visibility status, setup completion status, readiness issues, suspension/deletion flags, rejection reason, and related timestamps.
• Provider terms acceptance status and timestamp.
• Provider latitude and longitude if the provider saves map coordinates for the business location.
• Rating average and rating count.

Approved provider profiles may be shown publicly in the App. Public provider profile data can include business name, city, address, category, description, photos, rating information, services, availability, and the provider contact phone number if the provider chooses to make it visible.

4.3 Service Listing Data

Providers can create service listings. We collect service data including:

• Provider ID.
• Service name.
• Search keywords generated from the service name.
• Category.
• Duration.
• Price type, minimum price, maximum price, and currency.
• Service description.
• Service image and image URL.
• Active/inactive status.
• Confirmation mode, such as instant confirmation or provider approval.
• Sort order and timestamps.

Active public service listings may be visible to clients.

4.4 Availability and Booking Data

To show available slots and manage bookings, we collect:

• Provider weekly working hours.
• Custom working days.
• Breaks, blocked times, unavailable date ranges, and other availability restrictions.
• Booking interval, minimum booking notice, booking horizon, cancellation deadline, and timezone.
• Appointment ID.
• Client user ID and provider user ID.
• Selected service ID or service IDs.
• Appointment start and end time.
• Appointment status, such as pending, confirmed, completed, rejected, cancelled, or rescheduled.
• Booking locks used to prevent double booking.
• Provider, service, client, and price snapshots used to preserve appointment details.
• Client name and phone number for the provider to manage the appointment.
• Provider business name, service name, address, and price label for client appointment history.
• Cancellation reasons, provider status reasons, reschedule information, and related timestamps.

Clients can see their own appointments. Providers can see appointments made with them, including the client's name and phone number. Superadmin access to appointment data is restricted in the current MVP.

4.5 Reviews and Moderation Data

After a completed appointment, a client may submit a review. We collect:

• Appointment ID.
• Provider ID.
• Client user ID.
• Client first name or display name used for public review display.
• Rating.
• Review text, if provided.
• Review creation timestamp.
• Hidden/unhidden moderation status.
• Moderation reason, moderator user ID, and moderation timestamp if a superadmin hides a review.

Public reviews show limited client identity information, such as first name, rating, review text, and date. Reviews may be hidden for moderation or policy reasons, but may remain stored for audit, dispute, and integrity purposes.

4.6 Photos and Files

Providers may upload profile photos and service photos from their device gallery. The App uploads the selected image file and stores it in Firebase Storage. Uploaded provider and service photos may become public if the provider profile and service are public. We do not request access to all photos unless the operating system requires permission for gallery selection. We process only the image selected by the provider for upload.

4.7 Location Data

The App may request location permission to show nearby providers and calculate distance to providers on the map. When a client grants location permission, the App may access the device's last known location or current location with low accuracy settings. In the current implementation, client device location is used locally in the App for map display, provider sorting, and distance calculation and is not stored in Firestore as part of the user account.

Providers may save a business address and optional latitude/longitude for their business location. Provider business address and map location may be visible to clients when the provider profile is public.

You can disable location access in your device settings. If location access is denied, the App can still show providers, but distance and nearby-provider features may be limited.

4.8 Push Notification Data

If push notifications are enabled, we collect and store:

• Firebase Cloud Messaging token.
• User ID associated with the token.
• Role, such as client or provider.
• Preferred locale.
• Device platform.
• Notification authorization status.
• Active/inactive token status.
• Last seen, update, and token refresh timestamps.

We use this data to send booking confirmations, cancellations, reschedules, appointment reminders, provider approval notifications, and related service messages. You can turn off push notifications in the App settings where available and in your device settings.

4.9 Local Device Preferences

The App stores some preferences locally on your device using shared preferences, including:

• Whether the client intro screen was seen.
• Whether a push permission prompt was shown.
• Preferred app language.
• Client notification preferences, such as booking confirmation alerts, cancellation alerts, reschedule alerts, reminder alerts, and reminder timing preferences.

These local preferences help the App remember your settings. Some preferences, such as preferred locale, may also be stored in Firestore when you are signed in so notifications and account experience can match your language choice.

4.10 Calendar and Contacts-Related Data

The App can offer an option to add a booked appointment to your device calendar. If you use this feature, appointment details such as provider name, service name, time, description, and location are passed to the operating system calendar flow. Aurora does not control how your device calendar provider stores or uses that calendar event after you add it.

The iOS app includes contacts permission text because the operating system calendar event flow may offer location or contact search features. Aurora does not collect your contacts list for App account, booking, provider discovery, marketing, or analytics purposes.

4.11 Diagnostics, Analytics, Performance, Security, and Device Data

The App uses Firebase and Google services for app operation, analytics, security, crash diagnostics, performance monitoring, messaging, storage, cloud functions, and abuse prevention. These services may process:

• App instance identifiers.
• Device and platform information.
• IP address and network information.
• App version and operating system version.
• Authentication and security signals.
• Crash reports and diagnostic logs.
• Performance metrics and traces.
• Basic usage events and feature interaction data.
• Push delivery and token information.

We use this data to authenticate users, secure the App, prevent abuse, monitor reliability, diagnose crashes, measure performance, understand feature usage, and improve the service.

5. How We Use Data

We use personal data for the following purposes:

• Create and manage client, provider, and superadmin accounts.
• Authenticate users and protect account security.
• Validate Romanian-format phone numbers during registration and profile updates.
• Confirm terms/privacy acceptance and age eligibility.
• Route users to the correct App experience based on role and account status.
• Show public provider profiles, services, prices, photos, availability, reviews, and ratings.
• Let clients find providers, view services, select appointment times, book appointments, cancel appointments, reschedule appointments, and submit reviews.
• Let providers manage profiles, photos, services, availability, appointment status, and booking requests.
• Prevent double bookings and enforce booking rules.
• Send push notifications about appointments, reminders, provider approval, and other operational updates.
• Moderate reviews and support platform integrity.
• Provide customer support and respond to legal or account requests.
• Maintain admin logs and operational audit records.
• Detect, prevent, and investigate fraud, abuse, security incidents, policy violations, and technical issues.
• Analyze aggregate or usage-level App behavior to improve reliability, performance, and product design.
• Comply with applicable law, legal process, and app store requirements.

6. Legal Bases for Processing

Where European Economic Area, United Kingdom, or similar data protection laws apply, we rely on the following legal bases:

• Contract: to create accounts, authenticate users, provide provider discovery, enable bookings, manage appointments, provide provider tools, and deliver requested App features.
• Consent: where required for push notifications, device location, selected photo upload, calendar access, optional provider public phone visibility, and other permission-gated features.
• Legitimate interests: to maintain security, prevent fraud and abuse, debug crashes, improve performance, moderate reviews, support users, maintain audit logs, and operate the App efficiently.
• Legal obligation: to comply with applicable laws, regulatory duties, valid legal requests, and app store compliance obligations.

You may withdraw consent for permission-gated processing by changing App settings or device settings. Withdrawing consent does not affect processing that occurred before withdrawal.

7. How We Share Data

We share personal data only as needed for the App and related services:

• With other users as part of App functionality. For example, public provider profiles are visible to clients, providers receive client appointment details, and public reviews may show limited client identity information.
• With service providers that process data for us, including Google Firebase and Google Cloud services for authentication, Firestore database, cloud functions, storage, cloud messaging, App Check, analytics, diagnostics, crash reporting, and performance monitoring.
• With operating system and device services when you choose to use permission-gated features, such as push notifications, calendar event creation, image selection, or location services.
• With support, operations, or administrative personnel who need access to respond to support requests, approve providers, moderate reviews, investigate abuse, or maintain the service.
• With legal, regulatory, law enforcement, or government authorities if required by law or if necessary to protect rights, safety, security, or legal interests.
• In connection with a merger, acquisition, financing, reorganization, sale of assets, or transfer of service operations, subject to appropriate notice and safeguards where required.

We do not sell personal data. We do not share personal data with third-party advertising networks for targeted advertising. We do not use personal data to track users across apps and websites owned by other companies for advertising purposes.

8. Third-Party Service Providers

The App currently uses third-party SDKs and service providers, including:

• Google Firebase Authentication.
• Google Cloud Firestore.
• Google Firebase Storage.
• Google Cloud Functions for Firebase.
• Google Firebase Cloud Messaging.
• Google Firebase App Check.
• Google Firebase Analytics.
• Google Firebase Crashlytics.
• Google Firebase Performance Monitoring.
• Operating system services from Apple and Google for permissions, push notifications, calendar functions, and device-level controls.

These providers process data according to their own service terms and privacy documentation. We require service providers to protect personal data consistently with this Privacy Policy and applicable app store and data protection requirements.

9. International Data Transfers

Aurora uses Firebase and Google Cloud services. Firestore for the configured Firebase project is set to Europe region infrastructure in the current MVP configuration. Some Firebase, Google, Apple, support, analytics, diagnostics, authentication, security, or messaging processing may occur in other countries depending on the service, user location, device platform, and provider infrastructure.

Where required, we use appropriate safeguards for international transfers, such as contractual safeguards, service provider data processing terms, and other lawful transfer mechanisms.

10. Data Retention

We retain personal data for as long as necessary to provide the App, maintain accounts, support bookings, preserve appointment history, handle disputes, comply with legal obligations, maintain security, prevent abuse, and operate support and audit workflows.

General retention practices include:

• Account data is retained while the account is active and for a reasonable period after closure if needed for legal, security, fraud prevention, dispute, or audit purposes.
• Provider profile, service, availability, and photo data is retained while the provider account or profile is active, pending, rejected, suspended, or retained for operational audit purposes.
• Appointment data is retained to support booking history, provider operations, client records, dispute handling, review eligibility, and fraud prevention.
• Review data is retained while public or hidden and may be retained for moderation, dispute, and integrity purposes.
• Notification tokens may be marked inactive or removed when invalid, when permission changes, or when no longer needed.
• Local device preferences remain on the device until changed by the user, cleared by the App, or removed by uninstalling or clearing App data.
• Crash, diagnostics, analytics, and performance data is retained according to Firebase/Google retention settings and our operational needs.

We do not currently provide hard self-service deletion for all App records because some records, such as appointments, reviews, moderation records, and admin logs, may need to be retained for legitimate business, legal, fraud prevention, audit, or dispute purposes. You can request deletion as described below.

11. Your Rights and Choices

Depending on your location, you may have rights to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete personal data.
• Request deletion of personal data.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.
• Request a copy of your data in a portable format.
• Lodge a complaint with a data protection authority.

You can update some account and profile information in the App. You can disable location and push permissions in device settings. You can change notification preferences in the App where available. Providers can choose whether their contact phone number is publicly visible.

To request access, correction, deletion, restriction, portability, or other privacy action, contact contact@monochrome-works.com. We may need to verify your identity before processing the request. Some requests may be limited where data must be retained for legal, security, fraud prevention, dispute, contract, audit, or legitimate business reasons.

12. Account Deletion Requests

To request account deletion, contact contact@monochrome-works.com from the email address associated with your account and include "Account deletion request" in the subject.

When we process a deletion request, we may delete, de-identify, restrict, or retain data depending on the type of data and our legal or operational obligations. For example, we may retain appointment records, review moderation records, provider approval records, admin logs, fraud prevention records, or legal compliance records where necessary.

If you are a provider, deleting or restricting your account may affect your public profile, service listings, availability, appointments, photos, reviews, and client access to historical booking information.

13. Children's Privacy

The App is not intended for children under 13. Users must confirm that they are at least 13 years old before creating an account. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data through the App, contact contact@monochrome-works.com so we can review and take appropriate action.

14. Security

We use technical and organizational measures designed to protect personal data, including Firebase Authentication, Firestore security rules, Firebase Storage security rules, App Check, access controls, role-based restrictions, and modern encrypted network transport. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

15. Automated Decisions

The App uses rules and automated checks to support ordinary App functionality, such as role routing, provider readiness checks, appointment slot availability, double-booking prevention, provider public visibility checks, blocked-account access restrictions, notification routing, and review eligibility. These checks are used to operate the service and do not involve third-party advertising profiling.

Provider approval, review moderation, and account support actions may involve superadmin review.

16. Changes to This Privacy Policy

We may update this Privacy Policy when the App changes, when our data practices change, or when legal, operational, or app store requirements change. The updated policy will show a new "Last updated" date. If required by law, we will provide additional notice or request consent.

17. Contact

For privacy questions or requests, contact:

Marton Boldizsar Intreprindere Individuala
Romania, Harghita, Tomesti, Strada Principala, 14
Email: contact@monochrome-works.com