Aurovia
Join the waitlist

Aurovia Systems Ltd.

Privacy Policy

Version 1.0 · effective as of its publication date on aurovia.pro

1. Who we are and scope

1.1 This Privacy Policy explains how AUROVIA SYSTEMS LTD., a corporation incorporated under the Business Corporations Act (British Columbia, Canada) on 7 January 2026 under incorporation number BC1571664, with its registered and records office at c/o INCORP PRO, 170-422 Richards St, Vancouver BC V6B 2Z4, Canada ("Aurovia", "we", "us", "our"), processes personal data.

1.2 This Privacy Policy applies to the personal data we process in connection with:

  • our website at aurovia.pro and any successor domains (the Site);
  • the Aurovia Creator Program (the Program), including onboarding, contracting and the operation of the Creator Dashboard;
  • our commercial relationships with business clients ("Brands") and with suppliers and service providers;
  • business and marketing communications we exchange with you.

1.3 This Privacy Policy does not apply to the processing of personal data carried out by our Payment Partner in connection with Card Services. The Payment Partner acts as a separate, independent controller of that data under its own privacy notice and contractual terms. Where applicable, the Payment Partner's privacy notice is available via the Creator Dashboard and on the Payment Partner's website.

1.4 This Privacy Policy is intended to be read together with the Aurovia Creator Program Terms, and capitalised terms not defined in this Privacy Policy have the meaning given to them in those Creator Program Terms.

2. Definitions

2.1 For the purposes of this Privacy Policy, the following definitions apply.

  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission and erasure.
  • Controller — the entity that determines the purposes and means of Processing Personal Data.
  • Processor — the entity that processes Personal Data on behalf of the Controller.
  • Data Subject — the natural person to whom the Personal Data relates.
  • GDPR — Regulation (EU) 2016/679 of 27 April 2016.
  • UK GDPR — the GDPR as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018.
  • PIPEDA — the Personal Information Protection and Electronic Documents Act (Canada).
  • PIPA BC — the Personal Information Protection Act (British Columbia).

3. Categories of data subjects

3.1 We process Personal Data relating to the following categories of Data Subjects:

  • Site Visitors — individuals who visit or interact with the Site;
  • Applicants — individuals who submit an Application to participate in the Program;
  • Creators — individuals who have been admitted to the Program;
  • Brand Representatives — contact persons, employees, directors and beneficial owners of our Brands and prospective Brand clients;
  • Business contacts — representatives of suppliers, service providers, advisers and other counterparties.

4. Personal data we collect

4.1 The categories of Personal Data we collect depend on your relationship with us. The categories below are illustrative; not every category will apply to every Data Subject.

4.2 Site Visitors: technical data such as IP address, device and browser information, operating system, referrer URL, pages viewed, duration of visit, and cookie identifiers; any information you submit through forms on the Site (for example, the waitlist form).

4.3 Applicants: identification and contact data (name, surname, email address, telephone number, country of residence); social media handles, profile data, audience size and audience demographics; content samples and creator portfolio data; responses to the onboarding questionnaire; notes from interviews and screening calls; date of birth or age confirmation; sanctions, PEP and adverse-media screening results.

4.4 Creators: all of the categories listed for Applicants, and, in addition: identification documents and KYC data (to the extent we receive it from you or from the Payment Partner, or to the extent we collect it directly for our own due diligence); tax residence, tax identification number and self-certifications (including FATCA / CRS where applicable); banking or payout account references (typically limited, because most of this data is held by the Payment Partner); Campaign deliverables and content; Campaign performance and analytics data; communications with us and with Brands; Creator Dashboard usage data; complaint and dispute records.

4.5 Brand Representatives and Business contacts: name, role, business email and phone number, company affiliation, signatory and beneficial-owner information where required for KYC of the Brand, contract and order data, payment data, communications, and meeting records.

4.6 Special categories of Personal Data. We do not seek to collect special categories of Personal Data (such as data concerning health, sexual orientation, religious or philosophical beliefs, racial or ethnic origin, or political opinions). Sanctions, PEP or adverse-media screening may, however, include information that touches on political exposure or criminal convictions. We process such data only to the extent strictly necessary for compliance with our anti-money-laundering, sanctions and fraud-prevention obligations, on the legal bases set out in Section 7.

5. How we collect personal data

5.1 We collect Personal Data from the following sources:

  • directly from you, when you visit the Site, submit a form, complete the onboarding questionnaire, attend an interview, sign the Creator Agreement, use the Creator Dashboard, communicate with us, or otherwise interact with our services;
  • from third parties, including identity-verification providers, sanctions and PEP screening providers, fraud-prevention services, social media platforms (with your authorisation), Brands, Payment Partners, public registers (such as corporate, tax or court registers), and publicly available sources;
  • automatically, through cookies and similar technologies on the Site, server logs, analytics tools and security logs.

6. Purposes of processing

6.1 We process Personal Data for the following purposes:

  • operating, maintaining and improving the Site and the Creator Dashboard;
  • evaluating Applications, conducting interviews and selecting Creators;
  • performing customer due diligence, including identity verification, sanctions and PEP screening, and ongoing monitoring required by anti-money-laundering law;
  • entering into and performing the Creator Agreement, Brand contracts and other contracts;
  • organising, managing and reporting on Campaigns;
  • communicating with you, including responding to questions and providing support;
  • handling complaints and disputes;
  • complying with legal obligations, including obligations under anti-money-laundering, sanctions, tax, accounting and corporate law in Canada, the European Union and other applicable jurisdictions;
  • preventing fraud, securing our systems and protecting our rights, the rights of Creators, Brands and third parties;
  • conducting analytics, market research and product development;
  • sending business and marketing communications, where permitted by law or with your consent;
  • establishing, exercising or defending legal claims;
  • preparing for, and carrying out, mergers, restructurings, financings and similar corporate transactions, including the transfer of data to a successor.

7. Legal bases for processing

7.1 Where the GDPR or UK GDPR applies to our Processing, we rely on the following legal bases:

  • performance of a contract (Art. 6(1)(b) GDPR) — for Processing necessary to enter into and perform the Creator Agreement, Brand contracts and Campaign briefs;
  • compliance with a legal obligation (Art. 6(1)(c) GDPR) — for Processing required by anti-money-laundering, sanctions, tax, accounting and other applicable laws;
  • legitimate interests (Art. 6(1)(f) GDPR) — for Processing in pursuit of our legitimate interests, including fraud prevention, network and information security, business management, product improvement and B2B marketing, in each case subject to a balancing of interests against your rights and freedoms;
  • consent (Art. 6(1)(a) GDPR) — for certain Processing operations, including non-essential cookies, direct marketing to individuals where required by law, and transfers of Personal Data in specific situations.

7.2 Where we process special categories of Personal Data in the context of sanctions, PEP or AML screening, we rely on Art. 9(2)(g) GDPR (substantial public interest, on the basis of applicable Union or Member State law) and Art. 10 GDPR (data relating to criminal convictions or offences, where authorised by Union or Member State law).

7.3 Where Canadian privacy law applies, we rely on your express or implied consent and on the exceptions to consent provided in PIPEDA and PIPA BC, including for Processing required for the performance of a contract, for compliance with applicable law, for fraud prevention and investigation, and for business transactions.

7.4 You may withdraw any consent you have given at any time. Withdrawal of consent does not affect the lawfulness of Processing carried out before withdrawal. Where Processing is necessary for compliance with a legal obligation or for the performance of the Creator Agreement, withdrawal of consent may mean that we are unable to continue providing the Program to you.

8. Recipients of personal data

8.1 We share Personal Data only as necessary for the purposes set out in Section 6, and only with the following categories of recipients:

  • Payment Partners — licensed financial institutions providing Card Services and related payment processing, which act as separate, independent Controllers of the Personal Data they receive;
  • Brands — business clients of Aurovia, to the limited extent necessary for the relevant Campaign, under contractual data-protection terms;
  • service providers acting as Processors — including hosting and cloud providers, email and messaging providers, CRM providers, analytics providers, identity-verification and KYC providers, sanctions and PEP screening providers, fraud-prevention services, customer support tooling, and accounting software;
  • professional advisers — lawyers, auditors, tax advisers and other consultants, bound by professional confidentiality;
  • competent authorities — tax authorities, financial intelligence units, regulators, law-enforcement agencies and courts, where disclosure is required by law, by a binding court order, or in connection with a regulatory request;
  • card schemes and acquirers — Visa, Mastercard and similar card schemes, and the acquiring banks of our Payment Partners, where required for chargeback, fraud or scheme compliance purposes;
  • successors and counterparties in a merger, acquisition, sale of business or similar transaction, subject to confidentiality undertakings;
  • other persons with your consent or at your direction.

8.2 We do not sell Personal Data. We do not share Personal Data with third parties for those third parties' own marketing or advertising purposes, except with your prior consent.

9. International transfers

9.1 Aurovia is established in Canada. Our service providers and other recipients may be established in Canada, the European Union, the United Kingdom, the United States and other countries. As a result, Personal Data may be transferred to, and Processed in, countries outside the European Economic Area (EEA) and outside the United Kingdom.

9.2 Transfers of Personal Data from the EEA to Aurovia in Canada take place on the basis of the European Commission's adequacy decision regarding the protection of personal data by Canadian private-sector organisations subject to PIPEDA (Commission Decision 2002/2/EC), to the extent applicable. Transfers from the United Kingdom to Aurovia in Canada take place on the basis of the corresponding UK adequacy regulations.

9.3 For transfers to recipients in countries that do not benefit from an adequacy decision, we rely on appropriate safeguards in accordance with Art. 46 GDPR / Art. 46 UK GDPR, in particular the European Commission's Standard Contractual Clauses (2021/914/EU) and the UK International Data Transfer Addendum, supplemented by technical and organisational measures where required by the results of our transfer impact assessments.

9.4 You may request a copy of the relevant safeguards by contacting us at privacy@aurovia.pro.

10. Retention periods

10.1 We retain Personal Data only for as long as necessary for the purposes for which it was collected, taking into account applicable legal, regulatory, accounting and reporting requirements.

10.2 Indicative retention periods are:

  • Applicant data, where the Applicant is not admitted to the Program: deleted within one (1) month from the date of the rejection decision, or within four (4) months from the date of receipt of the data, whichever comes first, unless retention is required by law (for example, by anti-money-laundering record-keeping rules);
  • Creator account and contract data: for the duration of the Creator's participation in the Program and for the longer of (i) six (6) years from the end of that participation and (ii) the applicable limitation period for legal claims;
  • KYC, sanctions screening and AML records: for at least five (5) years from the end of the business relationship, in accordance with applicable Canadian and European anti-money-laundering law (and longer where required by a competent authority);
  • Tax and accounting records: for the period required by applicable tax and accounting law (typically six (6) years);
  • Brand contract data: for the duration of the contract and for the longer of (i) six (6) years from the end of the contract and (ii) the applicable limitation period for legal claims;
  • Communications and complaint records: for the longer of (i) three (3) years from the date of the communication or the closure of the complaint and (ii) the applicable limitation period;
  • Marketing data: until you withdraw consent or object, and for a reasonable period thereafter for record-keeping and proof of consent;
  • Cookies and similar technologies: in accordance with their respective lifespans, in any event not exceeding thirteen (13) months;
  • Server and security logs: typically for up to twelve (12) months, except where retention for a longer period is necessary for security or legal-claim purposes.

10.3 After the relevant retention period, Personal Data is deleted or anonymised, except where retention is required by law or necessary for the establishment, exercise or defence of legal claims.

11. Your rights

11.1 Subject to applicable law, you have the following rights in relation to your Personal Data:

  • right of access — to obtain confirmation of whether we process your Personal Data and, if so, to receive a copy of that data and related information;
  • right to rectification — to have inaccurate Personal Data corrected and incomplete data completed;
  • right to erasure — to have your Personal Data deleted in the cases specified by applicable law;
  • right to restriction of Processing — to limit the way we use your Personal Data in the cases specified by applicable law;
  • right to data portability — to receive your Personal Data in a structured, commonly used and machine-readable format, and to transmit it to another controller, where Processing is based on consent or contract and is carried out by automated means;
  • right to object — to object to Processing based on legitimate interests, including profiling, and to object at any time to Processing for direct-marketing purposes;
  • right to withdraw consent — where Processing is based on consent;
  • right not to be subject to solely automated decisions producing legal or similarly significant effects, in the cases specified by applicable law;
  • right to lodge a complaint with a competent supervisory authority (see Section 17).

11.2 To exercise any of these rights, please contact us at privacy@aurovia.pro or at the postal address set out in Section 19. We may need to verify your identity before responding.

11.3 We respond to requests without undue delay and in any event within one (1) month of receipt (or within thirty (30) days, where Canadian privacy law applies). That period may be extended where the request is complex or where we receive a high volume of requests, in which case we will inform you of the extension and of the reasons for it.

11.4 Exercising these rights is free of charge, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, as permitted by applicable law.

12. Cookies and tracking technologies

12.1 The Site uses cookies and similar tracking technologies. Cookies are small text files stored on your device that allow the Site to recognise your device and remember information about your visit.

12.2 We use the following categories of cookies:

  • strictly necessary cookies — required for the operation of the Site and the Creator Dashboard, including session management and security. These cookies do not require your consent;
  • functional cookies — used to remember your preferences and to enhance your experience on the Site;
  • analytics cookies — used to collect aggregated information about how visitors use the Site, so that we can improve it;
  • marketing cookies — used to deliver advertising relevant to you and to measure the effectiveness of our marketing campaigns, only where you have given consent.

12.3 Where required by applicable law, we obtain your prior consent for non-essential cookies through a cookie banner displayed on the Site. You can withdraw your consent at any time by adjusting your cookie preferences via the banner or your browser settings.

12.4 Detailed information about each cookie, including its purpose, provider, duration and category, is available in the cookie banner on the Site.

13. Marketing communications

13.1 We may send you marketing communications about Aurovia, the Program and related services where you have consented or where we are otherwise permitted by applicable law to do so.

13.2 You can opt out of marketing communications at any time by using the unsubscribe link included in each marketing email, by adjusting your preferences in the Creator Dashboard (where available), or by contacting us at privacy@aurovia.pro.

13.3 Opting out of marketing communications does not affect transactional or service messages that we need to send you in connection with the Program, the Creator Agreement or our legal obligations.

13.4 Where we send commercial electronic messages to recipients in Canada, we comply with Canada's Anti-Spam Legislation (CASL).

14. Security measures

14.1 We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access. These measures include access controls, encryption of data in transit, segregation of environments, logging and monitoring, secure development practices, vendor management and incident-response procedures.

14.2 No method of transmission or storage is absolutely secure. While we use commercially reasonable measures to protect Personal Data, we cannot guarantee absolute security. You are responsible for keeping confidential the credentials you use to access the Creator Dashboard.

14.3 In the event of a Personal Data breach affecting your Personal Data, we will notify the competent supervisory authority and, where required by applicable law, the affected Data Subjects, in accordance with applicable legal requirements.

15. Children

15.1 The Site and the Program are intended for individuals aged 18 or older. We do not knowingly collect Personal Data from children under 18. If we become aware that we have collected Personal Data from a child under 18 without verified parental consent, we will delete that data as soon as possible.

15.2 If you believe that a child has provided Personal Data to us, please contact us at privacy@aurovia.pro.

16. Automated decision-making and profiling

16.1 We do not make decisions affecting you on the basis of solely automated Processing, including profiling, that produce legal or similarly significant effects on you, except where authorised by applicable law and subject to appropriate safeguards.

16.2 We use limited automated screening tools for fraud prevention, sanctions and PEP screening, and AML monitoring. Where such tools generate a match or alert, the outcome is reviewed by a member of our team before any decision is taken that materially affects you.

16.3 Where automated decision-making is used in a manner that produces legal or similarly significant effects, you have the right to obtain human intervention, to express your point of view and to contest the decision, in accordance with applicable law.

17. Region-specific provisions

17.1 European Economic Area and United Kingdom. If you are located in the EEA or the United Kingdom, you have the right to lodge a complaint with the supervisory authority of the EEA Member State or the United Kingdom of your habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available from the European Data Protection Board (edpb.europa.eu). In the United Kingdom, the competent authority is the Information Commissioner's Office (ico.org.uk).

17.2 Canada. If you are located in Canada, you may lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca). If you are located in British Columbia, Alberta or Quebec, you may also lodge a complaint with your provincial privacy commissioner, including the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca).

17.3 California, United States. If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the CCPA/CPRA), grants you the following rights, subject to certain exceptions: the right to know what Personal Data we have collected about you and to receive a copy of it; the right to request deletion or correction of your Personal Data; the right to opt out of the sale or sharing of your Personal Data; the right to limit the use or disclosure of sensitive Personal Data; and the right not to be discriminated against for exercising these rights. We do not sell Personal Data and we do not share Personal Data for cross-context behavioural advertising within the meaning of the CCPA/CPRA. To exercise your rights, contact us at privacy@aurovia.pro.

17.4 Other jurisdictions. Where local data-protection law grants you additional rights or imposes additional obligations on us, we will comply with those requirements to the extent applicable.

18. Updates to this Privacy Policy

18.1 We may update this Privacy Policy from time to time. The current version is published on the Site, with the version number and effective date indicated.

18.2 Where the update materially affects your rights or our Processing, we will notify you in advance by email at the address you have provided, or by a prominent notice on the Site, in each case in accordance with applicable law.

18.3 Continued use of the Site, the Creator Dashboard or the Program after the effective date of an updated Privacy Policy constitutes acknowledgement of the updated version, without prejudice to any consent that may be separately required.

19. Contact and complaints

19.1 For any question, request or complaint relating to this Privacy Policy or to our Processing of your Personal Data, please contact us at:

  • email: privacy@aurovia.pro;
  • postal address: AUROVIA SYSTEMS LTD., Privacy Contact, c/o INCORP PRO, 170-422 Richards St, Vancouver BC V6B 2Z4, Canada.

19.2 We will use commercially reasonable efforts to address your request or complaint promptly. If you are not satisfied with our response, you may lodge a complaint with the competent supervisory authority in your jurisdiction (see Section 17).

Aurovia Systems Ltd.

BC1571664 · c/o INCORP PRO, 170-422 Richards St, Vancouver BC V6B 2Z4, Canada