Privacy Policy

Effective date: April 24, 2026. This policy describes how Verixos handles account, workspace, engineering, billing, security, API, support, and self-host license data.

Scope

This Privacy Policy explains how Aurora Technologies and Verixos collect, use, disclose, retain, and protect information in connection with Verixos websites, SaaS products, APIs, SDKs, CLI tools, MCP integrations, webhooks, documentation, support, billing, academic access, enterprise services, and self-host license workflows.

This Policy applies to personal information and operational data processed by Verixos. Customer Content inside an organization workspace is also governed by the applicable customer agreement, organization settings, and any data processing addendum.

Roles: Controller, Processor, And Customer Administrator

For account administration, marketing, billing, website operation, security, support, and product-improvement data, Verixos may act as an independent controller or business depending on applicable law.

For Customer Content processed inside a workspace on behalf of an organization, Verixos generally expects to act as a processor or service provider under the customer agreement and any Data Processing Addendum.

Organization administrators control user invitations, roles, teams, SSO settings, MFA requirements, API keys, webhook endpoints, project sharing, restricted-project settings, and retention/export choices available in the product.

Information We Collect

Account and identity data, including name, email address, organization, role, team membership, authentication provider, SSO/SAML attributes, domain, profile settings, security settings, and login state.

Workspace and engineering data, including projects, thermal models, CAD-derived geometry metadata, nodes, conductors, heat loads, materials, optical properties, simulation configurations, solver outputs, advisor analyses, validation artifacts, reports, exports, comments, audit events, and review status.

Billing and procurement data, including plan, subscription status, customer identifiers, invoice metadata, payment status, billing contacts, tax metadata, procurement notes, and Stripe customer or subscription references. Verixos does not intentionally store full payment-card numbers.

Operational and security data, including IP address, user agent, device/browser metadata, session cookies, request logs, audit logs, error logs, API-key metadata, webhook metadata, delivery logs, rate-limit events, feature usage, and diagnostics needed to operate and secure the service.

Support, sales, academic-access, security, procurement, and legal communications that users or customers send to Verixos.

Self-host and license data, including license files, renewal request metadata, deployment identifiers, seat counts, organization identifiers, license status, and support diagnostics when shared by the customer.

Sources Of Information

We collect information directly from users, organization administrators, customer procurement teams, academic applicants, support requests, product usage, API calls, webhook configuration, SSO identity providers, payment processors, and customer-managed deployment workflows.

We may receive limited information from third-party services connected by the customer, such as identity providers, payment processors, email providers, analytics, error monitoring, support tooling, AI providers where enabled, and customer webhook endpoints.

How We Use Information

To provide the service, including account access, project storage, thermal model authoring, simulation workflows, exports, collaboration, comments, reports, advisor analysis, SSO, API access, webhooks, billing, license validation, and support.

To secure the service, including authentication, authorization, MFA-related enforcement, restricted-project checks, audit logging, abuse detection, incident response, vulnerability remediation, API-key governance, and webhook-secret handling.

To administer plans and commercial relationships, including academic-access review, trials, checkout, invoicing, renewals, procurement, enterprise onboarding, self-host licensing, and customer success.

To improve reliability and usability, including debugging, performance analysis, support investigation, quality assurance, feature prioritization, and aggregated product analytics.

To satisfy legal, contractual, tax, accounting, export-control, sanctions, security, and compliance obligations.

Legal Bases Where Required

Where GDPR, UK GDPR, or similar laws apply, processing may rely on contract performance, legitimate interests, consent, legal obligations, vital security interests, or customer instructions as processor.

Examples include contract performance for account and workspace operation, legitimate interests for service security and product improvement, consent for optional marketing or non-essential cookies where required, and legal obligations for tax, accounting, sanctions, export-control, or compliance records.

Customer Content And Engineering Data

Customer Content is used to provide and support the service, including simulation, storage, export, reporting, collaboration, troubleshooting, billing-limit enforcement, and customer-requested support.

Verixos should not use Customer Content to train general-purpose AI models unless a separate written agreement or explicit product setting permits that use.

Customers are responsible for classifying engineering data before upload and for confirming that the selected deployment is approved for the applicable data category.

AI Advisor And External Processing

Verixos may provide deterministic advisor checks and optional external AI-assisted analysis. If external AI is enabled, relevant model summaries, simulation context, diagnostics, and user prompts may be sent to the configured AI provider to generate analysis.

For restricted projects, the app is designed to disable external LLM synthesis and use deterministic checks only. Customers should verify organization settings, deployment controls, and contractual terms before using AI features with sensitive or regulated data.

AI-provider availability, retention, training, region, and security terms depend on the provider and the applicable Verixos configuration or enterprise agreement.

Cookies, Analytics, And Similar Technologies

Verixos uses cookies and similar technologies for authentication, session security, CSRF protection, preferences, routing, and service operation.

Verixos does not use non-essential advertising cookies or sell cross-context behavioral advertising data unless this Privacy Policy and any required consent or opt-out mechanism state otherwise.

How We Share Information

We share information with service providers and subprocessors needed for hosting, database, storage, authentication, email, billing, analytics, error monitoring, security, AI processing where enabled, support, and customer communications.

We share information with organization administrators according to workspace roles and administrator controls.

We may share information with customer-selected integrations, such as identity providers, webhook endpoints, API clients, SDK/CLI/MCP workflows, procurement systems, and support channels.

We may disclose information to comply with law, enforce agreements, protect rights and security, investigate abuse, respond to lawful requests, or support a merger, financing, acquisition, reorganization, or sale of assets.

Subprocessors And Deployment Variants

The current public subprocessor list is available at /subprocessors. Actual subprocessors may differ for SaaS, enterprise, GovCloud, self-host, air-gapped, or customer-managed deployments.

For self-host, GovCloud, or air-gapped deployments, customers may control the infrastructure, network, storage, identity provider, monitoring, backup, and security tooling. The customer agreement should define which party is responsible for each processing activity.

International Transfers

Verixos and its providers may process information in the United States and other countries unless a signed agreement or deployment configuration requires otherwise.

International-transfer mechanisms, regional hosting commitments, data-residency commitments, and restricted-data handling requirements are handled through applicable enterprise agreements, DPAs, or deployment-specific terms.

Retention

We retain information for as long as needed to provide the service, maintain engineering records requested by customers, support billing and tax requirements, secure the service, resolve disputes, enforce agreements, preserve auditability, and comply with law.

Retention periods may differ for account data, Customer Content, simulation results, exports, audit logs, billing records, support communications, security logs, license files, backups, and deleted accounts.

Backup, legal-hold, security, audit, and compliance records may persist for a limited period after deletion from active systems.

Security

Verixos uses technical and organizational safeguards designed to protect account, workspace, billing, and engineering data, including authentication controls, role-based access, audit logs, encryption-oriented deployment patterns, restricted-workflow controls, webhook-secret encryption, and least-privilege practices.

No system is perfectly secure. Customers should use SSO, MFA, least-privilege roles, API-key rotation, webhook-secret hygiene, endpoint security, secure networks, and independent review procedures for sensitive engineering programs.

Security commitments for enterprise, GovCloud, self-host, air-gapped, regulated, or government deployments should be stated in a signed security addendum, DPA, MSA, order form, or ATO package.

Privacy Rights

Depending on location and account type, users may have rights to access, correct, delete, export, restrict, object to, or appeal certain processing of personal information.

For users in customer organizations, Verixos may refer privacy requests to the organization administrator or customer controller when Verixos acts as processor.

Verixos does not sell personal information or share it for cross-context behavioral advertising as those terms are commonly used in U.S. state privacy laws.

Privacy requests can be sent to support@auroratechnologies.xyz. Verixos may need to verify identity and authority before acting on a request.

Children And Students

Verixos is intended for professional, university, and organizational use, not for children under 13 or equivalent local minimum ages.

Academic access is intended for eligible higher-education use. Institutions are responsible for obtaining any required approvals before assigning Verixos to students or research personnel.

Restricted Data, ITAR, CUI, And Government Workflows

Customers are responsible for determining whether data is subject to ITAR, EAR, sanctions, CUI, classified-information rules, government procurement restrictions, or other restricted handling obligations.

Do not upload Restricted Data into the public SaaS or any deployment not approved by the customer for that category of data. Technical gates in the product support restricted workflows but do not replace legal classification, export authorization, agency approval, or customer compliance review.

Self-Hosted And Air-Gapped Deployments

For customer-managed deployments, the customer may be responsible for local administrators, infrastructure security, physical security, network controls, backups, monitoring, patching, incident response, data residency, and local legal compliance.

Offline license validation is designed to run locally without online license checks. Renewal request files may contain license and deployment metadata and should be reviewed by the customer before transfer out of an isolated environment.

Changes To This Policy

Verixos may update this policy as the product, subprocessors, deployments, laws, or business practices change. Material changes should be communicated through the website, product, email, contract notice, or another appropriate channel.

Prior versions may be archived for procurement and audit traceability.

Contact

Questions or privacy requests can be sent to support@auroratechnologies.xyz.