Last updated: March 2026
We collect information you provide directly, including name, email, phone number, payment details (M-Pesa), business information for service providers, profile photos, service preferences, and review content. We also automatically collect location data (with permission), device information, app usage analytics, booking history, and transaction records for service delivery and platform improvement.
Your information is used for specific and legitimate purposes that we communicate to you, including: facilitating bookings and payments; processing M-Pesa transactions and payouts; providing optional location-enabled services for mobile appointments; sending operational notifications; improving service quality and security; and meeting legal obligations. We do not process personal data for unrelated new purposes without an appropriate lawful basis and, where required, additional notice or consent.
We share personal data only where necessary for service delivery, legal compliance, or security. This includes sharing relevant booking details with selected providers and payment-related details with licensed payment partners. We do not sell personal data. Third-party processors are contractually required to process data only on our instructions, maintain confidentiality, and implement appropriate safeguards.
We implement bank-level security measures including data encryption at rest and in transit, secure API connections for M-Pesa integration, regular security audits and penetration testing, access controls and authentication systems, and secure data centers with backup systems. All team members undergo security training and sign confidentiality agreements. We maintain incident response procedures for potential security events.
Aurora processes personal data only where a lawful basis exists, including contract performance, legal obligation, legitimate interests, vital interests, public-interest grounds where applicable, and consent where required. We identify and document the applicable lawful basis for each processing purpose and provide notice to users accordingly.
With your permission, we collect precise location data for: finding nearby service providers; facilitating mobile beauty services; calculating accurate travel times and fees; providing directions to appointment locations; and ensuring user safety during appointments. Location sharing is always optional and can be disabled in settings. We use privacy-friendly OpenStreetMap instead of tracking-enabled mapping services. Location history is retained only as long as necessary for service delivery.
Our M-Pesa integration collects: phone numbers for payment processing; transaction IDs and status information; payment amounts and timestamps; and payout preferences for service providers. All financial data is encrypted and processed through licensed payment partners. We never store complete M-Pesa PINs or sensitive payment credentials. Transaction history is maintained for tax and business purposes as required by Kenyan law.
For beauty professionals, we collect: business registration documents; professional certifications and licenses; business addresses and service areas; service pricing and availability; customer reviews and ratings; earnings and transaction history; and verification photos. This information is used for platform safety, service quality, and regulatory compliance. Business data may be shared with clients for booking decisions.
We use your contact information to send: appointment confirmations and reminders; payment notifications and receipts; service updates and cancellations; loyalty program communications; platform security alerts; and customer support responses. Push notifications can be controlled through device settings. We comply with anti-spam regulations and provide easy unsubscribe options for marketing communications.
We collect anonymized usage analytics to: improve platform performance and user experience; identify popular services and features; optimize booking and payment processes; enhance security and fraud detection; and develop new features based on user needs. Analytics data is aggregated and cannot be used to identify individual users. We use privacy-respecting analytics tools that comply with data protection standards.
We apply data minimization and storage limitation principles. Personal data is retained only for as long as necessary for service delivery, legal obligations, security, and dispute handling. Some records (such as financial or tax records) may be retained for statutory periods. We maintain a retention schedule and periodic review process. When retention is no longer required, data is deleted, anonymized, or securely archived according to policy.
Subject to applicable law, including the Kenya Data Protection Act, you may request to be informed about processing, access your data, object to certain processing, request correction or deletion of inaccurate or unnecessary data, withdraw consent where processing is consent-based, and request data portability in a structured, commonly used format where applicable. You may also manage communications and location permissions from app settings. To exercise rights, contact us using the privacy channels listed below.
Aurora is designed for adults (18+) seeking and providing professional beauty services. We do not knowingly collect information from children under 18. If we discover that a child's information has been collected, we will immediately delete it and terminate the account. Parents who believe their child's information may have been collected should contact us immediately for prompt resolution.
Aurora primarily serves users in Kenya, but some processing infrastructure or vendors may be outside Kenya. Where cross-border transfers occur, we apply safeguards required by law, including contractual protections, technical controls, and transfer assessments. Depending on circumstances, a transfer may rely on adequate safeguards, necessity for service delivery, or explicit consent with risk notice where required.
Aurora integrates with trusted third-party services including: M-Pesa and other payment processors; mapping and location services (OpenStreetMap); cloud storage and computing services; communication and notification systems; and analytics and security tools. All third-party partners undergo security and privacy assessments. We maintain written data processing agreements with third parties and require approved processors to use authorised sub-processors only.
With permission, we may collect device fingerprinting information for security purposes, including device type, operating system, and unique device identifiers. Biometric authentication (fingerprint, facial recognition) is processed locally on your device and never transmitted to our servers. This information helps prevent fraud and unauthorized account access.
We may use your information to send promotional offers, loyalty program updates, new feature announcements, and relevant beauty service recommendations. Where required, we seek consent before direct marketing and provide a clear opt-out mechanism in each message and in settings. We respect your communication preferences and comply with anti-spam and data protection obligations.
In the event of a personal data breach, we will investigate and contain the incident, assess risk to data subjects, and take remediation steps. Where required by law, we will notify the Office of the Data Protection Commissioner (ODPC) without undue delay and within applicable timelines (including 72 hours where applicable), and notify affected users with practical guidance on protective actions.
Aurora may use automated systems for risk scoring, fraud detection, service ranking, and personalised recommendations. Where legally required, we provide meaningful information about such logic and allow users to request human review where a solely automated decision significantly affects them.
We may disclose personal information when required by Kenyan law, court orders, or regulatory requirements. We cooperate with law enforcement for legitimate investigations involving platform safety or illegal activities. When legally permitted, we will notify users of such requests unless prohibited by law or when immediate safety concerns exist.
In the event of a merger, acquisition, or sale of Aurora, user data may be transferred as part of business assets. Users will be notified of any such transfer with at least 30 days' advance notice. The acquiring entity will be required to honor existing privacy commitments and provide users with choices about their data use under new ownership.
This privacy policy may be updated to reflect service changes, legal requirements, ODPC guidance, or enhanced protections. We will provide notice of material updates through app, website, and/or email channels. For privacy questions, rights requests, or complaints, contact privacy@hivelabtech.com. You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) where applicable.
For privacy-related questions, contact us at privacy@hivelabtech.com