How Digital PA handles your information

Who operates Digital PA

Digital PA is operated by Aurora Bright Steps. Aurora Bright Steps is the controller for the personal information processed through the service for account management, billing-backed access, support, security, and day-to-day product delivery.

If you have privacy questions or want to exercise your data rights, use the Support page and choose the privacy or data rights option so your request can be handled through the correct process.

Information we collect

• Account information such as your name, email address, password hash, verification status, and two-factor authentication state.
• Planning and workspace data you create in the app, including tasks, meetings, notes, staff records, steps, tags, schedules, and review history.
• Subscription and billing-linked identifiers needed to manage access, such as Stripe customer references, subscription references, and entitlement status.
• Operational security data such as sign-in history, password reset requests, verification tokens, email change tokens, two-factor backup codes, and session records.
• Support data you submit, including your name, email address, topic, and the content of support requests.
• Technical and preference data such as strictly necessary cookies, local storage values for themes and interface preferences, CSRF tokens, and session continuity records.

How we use information

• To create and manage your account and keep your workspace data available across sessions and devices.
• To manage subscriptions, licensing, billing-backed access, cancellations, repurchases, and customer support relating to billing.
• To send service communications such as verification emails, password reset emails, email change confirmations, security alerts, and account recovery notices.
• To maintain service security, prevent fraud or misuse, protect account access, investigate incidents, and troubleshoot operational issues.
• To respond to support requests, privacy requests, and rights requests.

Lawful bases for processing

• Contract: where processing is needed to provide your account, workspace, subscription-backed access, and related service functionality.
• Legitimate interests: where processing is needed for platform security, fraud prevention, support handling, audit trails, and service improvement that does not override your rights and freedoms.
• Legal obligations: where records need to be retained or disclosed to comply with applicable law, tax rules, accounting duties, or lawful requests.
• Consent: if Aurora Bright Steps introduces optional non-essential cookies or similar technologies in future, they will be handled on a consent basis where the law requires it.

Billing, processors, and service providers

Aurora Bright Steps uses trusted service providers to operate Digital PA. These include:

• Stripe for checkout, subscriptions, billing management, invoices, and payment-related customer records.
• Resend for transactional email delivery such as password resets, verification messages, and support routing.
• Cloudflare Turnstile for support-form anti-bot and anti-spam verification.
• Microsoft Azure for application hosting, infrastructure, and managed database services.

Digital PA stores the minimum billing-linked identifiers needed to manage entitlements and access. Card details are not stored directly inside the app.

International transfers

Some service providers may process data outside the United Kingdom. Where this happens, Aurora Bright Steps expects appropriate safeguards to be used, such as adequacy regulations, standard contractual clauses, or equivalent lawful transfer mechanisms offered by the provider.

Cookies and similar technologies

Digital PA uses strictly necessary cookies and similar storage technologies to keep the service secure and usable, including account sessions, CSRF protection, sign-in continuity, and saved interface preferences such as your theme selection. The app also uses local storage and session storage for functional interface behavior.

For more detail, read the Cookies & Storage Notice.

Storage, security, and access controls

Digital PA uses account-linked hosted storage for core product data and applies technical and organizational measures designed to reduce unauthorized access risk. These include password hashing, access-controlled account flows, email verification, optional two-factor authentication, CSRF protection, audit logging, application security headers, support-form bot protection, and protected billing integration patterns.

How long we keep information

Aurora Bright Steps keeps personal information only for as long as it is reasonably needed for the purpose it was collected, including running your account, maintaining subscription access, handling support issues, resolving disputes, and meeting legal or accounting obligations.

• Active account and workspace data is retained while the account is in use.
• Security, support, and audit records may be retained for a limited period after account closure where needed for fraud prevention, dispute handling, or legal compliance.
• Billing and accounting-linked records may be retained for longer where tax, accounting, or legal obligations require it.

Your rights

Depending on the circumstances and applicable law, you may have rights to:

• request access to your personal information;
• request correction of inaccurate or incomplete information;
• request deletion of information that no longer needs to be kept;
• request restriction of certain processing;
• object to certain processing based on legitimate interests;
• request a portable copy of information you have provided, where applicable; and
• withdraw consent where processing depends on consent.

Aurora Bright Steps may need to verify your identity before completing a request. Privacy requests can be submitted through the Support page.

Complaints

If you have concerns about how Aurora Bright Steps handles your personal information, please use the support route first so the issue can be investigated. If you remain dissatisfied and you are in the United Kingdom, you can also raise a complaint with the Information Commissioner's Office (ICO).

Children

Digital PA is intended for workplace and operational use. It is not designed as a service for children.

Changes to this policy

Aurora Bright Steps may update this policy from time to time as Digital PA evolves, legal requirements change, or operational processes are refined. Material updates will be reflected through the app and public pages where appropriate.