Privacy Policy
Last updated: April 4, 2026
1. Introduction
Aurora Wealth Oy ("Aurora", "we", "us", or "our") operates the Aurora mobile application and website at auroraapp.fi (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and share your personal data, and describes your rights under applicable law.
We are committed to protecting your privacy and handling your data with care. Aurora is registered in Finland and operates in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Finnish data protection legislation.
2. Data We Collect
2.1 Account Information
When you create an account using Apple Sign In or Google Sign In, we receive:
- Your name (if you choose to share it)
- Your email address (or an Apple-generated relay address if using Apple Sign In)
- Your profile picture (if using Google Sign In and your Google account has one)
- A unique identifier issued by Apple or Google
2.2 Financial Data
With your explicit consent, we connect to your bank accounts via Payment Services Directive 2 (PSD2) account information services. Through our licensed account information service provider, we access:
- Account balances
- Transaction history (amounts, dates, merchant names, categories)
- Account metadata (IBAN, account type, currency)
We access this data in read-only mode. We cannot initiate payments or modify your accounts.
2.3 Usage Data
We collect anonymised data about how you use the Service, including app screens viewed, features used, error logs and crash reports, and device type and operating system version.
2.4 Data You Provide
Any information you voluntarily enter in the app, such as financial goals, notes, or preferences.
3. How We Use Your Data
We use your personal data to:
- Provide the Service — display your financial data, generate insights, and personalise your experience
- Improve the Service — analyse usage patterns to fix bugs and develop new features
- Communicate with you — send service-related notifications and respond to support requests
- Comply with legal obligations — fulfil our obligations under Finnish and EU law
We do not use your financial data to train AI models without your explicit opt-in consent.
4. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b) GDPR) |
| Accessing bank data via PSD2 | Your explicit consent (Art. 6(1)(a) GDPR) |
| Improving the Service (anonymised analytics) | Legitimate interests (Art. 6(1)(f) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
5. Third-Party Services
5.1 Account Information Service Provider
We use a licensed Account Information Service Provider (AISP) to connect to your bank accounts under PSD2. Your bank credentials are never shared with or stored by Aurora — authentication happens directly between you and your bank.
5.2 Apple and Google
When you sign in with Apple, your authentication is handled by Apple Inc. Apple's privacy policy applies to data processed by Apple: apple.com/privacy
When you sign in with Google, your authentication is handled by Google LLC. Google's privacy policy applies to data processed by Google: policies.google.com/privacy
5.3 Infrastructure
We use EU-based cloud infrastructure to store and process your data. All data remains within the European Economic Area. We do not sell your personal data to third parties. We do not share your financial data with advertisers.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Transaction data | Until you disconnect your bank or delete your account |
| Usage analytics (anonymised) | 24 months |
| Support communications | 2 years |
When you delete your account, we permanently delete your personal data within 30 days, except where retention is required by law.
7. Your Rights
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — withdraw consent for bank data access at any time
To exercise any of these rights, contact us at privacy@auroraapp.fi. We will respond within 30 days. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).
8. Data Security
We protect your data using industry-standard security measures, including encryption in transit (TLS) and at rest (AES-256), per-user encryption key management, access controls and audit logging, and regular security reviews.
9. Children
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the app or by email. The date at the top of this page reflects the most recent update.