Privacy Policy

Aurum is built on the principle that financial information is among the most personal data a person can share. This policy explains, in plain English, what we collect, why we collect it, how we protect it, what your rights are, and how to exercise them.

Effective

June 4, 2026

Version

2.0

Jurisdiction

United States · GDPR · CCPA

Data Controller

Perseverance Factor

01 Overview & Who We Are

The entity behind Aurum, what we do, and our guiding principles.

Aurum is a private wealth-tracking service offered through Perseverance Factor, a privately held consulting business based in the United States and owned by Lital Gilad and Eran Gilad (collectively, "we," "us," or "Perseverance Factor"). The Aurum product is operated and developed by Michael Gilad. Throughout this policy, "Aurum" refers to the products and services we offer at useaurum.app and through our iOS application "Aurum Reserve" distributed via the Apple App Store.

For purposes of the European General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA"), Perseverance Factor is the data controller of personal information collected through Aurum.

Our guiding principles are:

Minimum necessary data. We collect only what the product genuinely needs to function.
No selling, no advertising. We do not sell, rent, or share your personal information with advertisers. Aurum's revenue comes exclusively from paid subscriptions.
Encryption everywhere. Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
You own your data. You can export, correct, or permanently delete your data at any time, for any reason, without explanation.

02 Information We Collect

A full inventory of the categories of personal information processed by Aurum.

Account Information

Email address (required for account creation and authentication)
Name (optional; used for personalized greetings and AI Advisor context if you use Aurum Private)
Hashed password (we use bcrypt; we never see or store your plaintext password)
Two-factor authentication codes (six-digit codes valid for ten minutes, then permanently deleted)
Account creation date, last login, and authentication session metadata

Financial & Portfolio Data

Asset entries you create — category, name, value, purchase price, purchase date, condition, notes, ticker symbols, quantities, prices per unit
Historical valuations of each asset (one snapshot per change, used to draw your performance charts)
Liabilities you record — category, label, amount, interest rate, notes
Daily net worth snapshots (one row per user per day)
Wealth goals you set — target value, target date (optional), label (optional)
Milestones automatically recorded when your net worth crosses notable thresholds

Subscription & Billing Data

Plan tier (Free, Aurum Premium, or Aurum Private)
Subscription status, renewal date, source (Apple In-App Purchase or Stripe), and Apple original transaction ID for verification
We do not store payment card details. All card processing is handled by Apple (StoreKit 2) or Stripe; we receive only a token confirming payment.

Communications

If you message our Live Concierge (concierge@useaurum.app), we retain the email thread to provide ongoing support
Logs of transactional emails we send to you (waitlist confirmation, two-factor codes, weekly reports, account alerts) — recipient, subject, send status, and timestamp
If you use the AI Wealth Advisor (Aurum Private), your chat messages with the assistant are stored to maintain conversation history

Technical Data

IP address (briefly, for security and abuse prevention)
Browser type, operating system version, app version
Session tokens stored in httpOnly cookies (inaccessible to client-side JavaScript)
Web push notification subscriptions if you opt in (endpoint URL, browser-issued keys)
Apple push notification device tokens if you grant permission in the iOS app

Referral Data

Your personal referral code (auto-generated)
Pairings of referrers and referees, along with redemption status and timestamps

03 Information We Never Collect

A non-exhaustive list of things Aurum will never ask for, store, or transmit.

Bank account credentials — login passwords, account numbers, routing numbers
Brokerage credentials — Aurum is a manual-entry wealth ledger, not an aggregator like Plaid or Yodlee
Social Security numbers, government IDs, passport numbers, tax IDs
Payment card numbers, CVV codes, or expiration dates — these are handled exclusively by Apple or Stripe
Precise location data — Aurum does not request GPS, geolocation, or location-history access
Contacts — we do not read or upload your address book
Microphone or audio — Aurum has no voice features
Health, fitness, or biometric data
Browsing or web-history data — Aurum does not track you across other sites or apps
Mobile advertising identifiers (IDFA, AAID) — Aurum does not request App Tracking Transparency permission

04 How We Use Your Data

The specific, limited purposes for which personal information is processed.

To create and maintain your Aurum account, authenticate you, and prevent unauthorized access.
To calculate and display your consolidated net worth, asset performance, and historical trends.
To fetch live market data for the public assets in your portfolio (stocks, crypto, commodities, watches) so that valuations stay current.
To deliver optional weekly net worth summary emails and push notifications (you can disable both in Settings).
To send transactional messages essential to the service (two-factor codes, waitlist updates, billing receipts, security alerts).
To process your subscription, verify Apple In-App Purchase receipts, and sync subscription status across web and iOS.
To enable the AI Wealth Advisor (Aurum Private) to reason about your portfolio when you query it.
To investigate, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
To measure aggregate product usage in order to improve Aurum (which screens are visited, which features are used, error rates) — analytics are aggregated and pseudonymized.
To comply with legal obligations, court orders, and lawful requests from law enforcement.

We do not use your personal information for behavioral advertising, automated decision-making with legal effects, or profiling for sale to third parties.

05 Legal Basis for Processing

Under GDPR, we rely on the following lawful bases depending on the activity.

Activity	Lawful Basis
Creating and maintaining your account; delivering the core wealth tracking features	Performance of a contract (GDPR Art. 6(1)(b))
Processing your subscription payment and verifying Apple IAP transactions	Performance of a contract (Art. 6(1)(b))
Sending you transactional emails (2FA codes, receipts, security alerts)	Performance of a contract (Art. 6(1)(b))
Optional marketing communications, weekly net worth reports, push notifications	Your consent (Art. 6(1)(a)) — revocable any time in Settings
AI Wealth Advisor processing of your portfolio context and chat history	Your consent (Art. 6(1)(a)) — only activated on the Private tier
Aggregate product analytics, fraud prevention, security monitoring	Our legitimate interest (Art. 6(1)(f)) in operating a secure, functional product, balanced against your privacy rights
Responding to lawful requests from authorities or court orders	Compliance with a legal obligation (Art. 6(1)(c))

06 Third-Party Processors

The vendors that process data on our behalf, and what each one sees. We sign Data Processing Agreements with every processor.

Processor	Purpose	Data Shared
Apple Inc.	iOS In-App Purchase processing & receipt verification	Apple transaction ID, product ID, purchase timestamp
Stripe, Inc.	Web payment processing for Premium & Private tiers	Card details (collected by Stripe, never seen by us), email, subscription ID
Neon (PostgreSQL on AWS)	Primary application database	All account, portfolio, and chat data (encrypted at rest)
Vercel Inc.	Frontend hosting and edge delivery for useaurum.app	Request logs (IP, user agent, URL) used only for delivery and security
Render	Backend Node.js hosting	Request logs and runtime metadata; no portfolio data persisted on Render
Resend	Transactional email delivery (2FA, receipts, weekly reports)	Recipient email, subject, message body
Anthropic, PBC	AI Advisor responses (Aurum Private)	Your name, plan tier, portfolio summary, and chat messages — sent at query time only
Groq, Inc.	Alternative AI inference provider for the Advisor	Same payload as above when this provider is in use
Yahoo Finance (Yahoo)	Live equity and commodity price quotes	Public ticker symbols only — no user data is sent
CoinCap (Messari)	Live cryptocurrency price quotes	Public coin identifiers only — no user data is sent
Google LLC (Google Analytics 4)	Aggregate website analytics	Pseudonymous device identifier, page visited, anonymized IP (IP anonymization enabled)
Meta Platforms, Inc. (Meta Pixel)	Conversion measurement for marketing campaigns	Pseudonymous events: PageView, Lead, Purchase; no email or financial data

None of these processors are authorized to use your personal information for their own purposes, to sell it, or to share it further except as required to perform the service to us.

07 Device Permissions (iOS)

The Aurum Reserve iOS app requests the following permissions. Each is optional and can be revoked at any time in iOS Settings.

Permission	Why We Request It	Required?
Camera	To scan documents you choose to upload for asset valuation (e.g., an appraisal letter)	Optional
Photo Library	To attach images to asset entries (e.g., a photo of a watch or artwork)	Optional
Push Notifications	To send weekly net worth updates and important portfolio alerts	Optional

We do not request Location, Contacts, Microphone, Bluetooth, Calendar, Reminders, Health, Motion & Fitness, or App Tracking Transparency.

08 Cookies & Tracking Technologies

A small number of cookies are essential to authentication. A few additional cookies are used only with your consent.

Strictly Necessary

Session cookie — an httpOnly JWT cookie that proves you're logged in. Expires after the configured session length or when you sign out. Without this, the app cannot function.
Accepted-seen flag — a localStorage entry that prevents re-showing the "you're accepted" screen after you've passed it the first time.

Analytics (Aggregate, Pseudonymized)

Google Analytics 4 (_ga, _ga_*) — measures aggregate visitor flow. IP anonymization is enabled.
Vercel Analytics & Speed Insights — first-party performance metrics (page load times, Core Web Vitals).

Marketing

Meta Pixel (_fbp) — measures conversion of marketing campaigns. Fires PageView, Lead (when you join the waitlist), and Purchase (when you subscribe).

You can clear cookies at any time through your browser settings. Doing so will sign you out.

09 Analytics & Advertising Pixels

Aurum runs marketing campaigns. To know which ones work, we measure conversions through a small number of pixels — but never the underlying financial data.

The pixels fire on the public marketing pages (e.g., the home page and waitlist) and report only aggregate events. They are not active on the authenticated dashboard, on /app, or on any page where your portfolio data is visible.

The complete list:

Google Analytics 4 (measurement ID G-G96M93ND82): pageviews, anonymized IP, session duration
Meta Pixel (ID 1976681182936806): PageView, Lead, Purchase events
Vercel Analytics & Speed Insights: first-party, no third-party cookies

If you prefer to opt out, your browser's standard tracking-prevention features and OS-level privacy controls (e.g., Safari Intelligent Tracking Prevention, Brave Shields, "Limit Ad Tracking") will block these pixels without affecting the functionality of Aurum.

10 AI Wealth Advisor

A specific data flow for Aurum Private subscribers who chat with the in-app advisor.

The AI Wealth Advisor is available only on the Aurum Private tier. When you send a message to the Advisor, the following payload is transmitted to our AI inference provider (currently Anthropic, PBC for the Claude API; Groq, Inc. is used as an alternative or fallback in some configurations):

Your first name (if provided)
A condensed summary of your current portfolio (asset categories, totals, top holdings — used as context so responses are personalized)
The current chat message and the prior messages in this conversation

We do not transmit your email address, your full account record, or your password to any AI provider. The providers we use are bound by their respective terms not to train their models on your data. Chat history is stored in our database (Neon, encrypted at rest) so you can resume the conversation later. You can clear your chat history at any time from the Advisor screen.

Not Financial Advice

The AI Wealth Advisor is an AI assistant, not a licensed financial advisor. Its outputs are informational only and should not be interpreted as personalized investment recommendations, tax advice, legal advice, or accounting advice. Always consult a qualified professional before making financial decisions.

11 Data Storage & Security

Where your data lives and how we protect it.

Primary database: Neon PostgreSQL, hosted on AWS infrastructure in the United States (us-east region)
All data encrypted in transit with TLS 1.3
All data encrypted at rest with AES-256
Passwords hashed using bcrypt with a per-password salt — never stored in plaintext, never recoverable
Authentication tokens issued as JWTs stored in httpOnly, Secure, SameSite=Lax cookies (inaccessible to client-side JavaScript and immune to common XSS exfiltration)
Two-factor authentication available, with rate limiting and lockouts on the verification endpoint
Administrative access to production systems is restricted to a small number of authorized engineers, requires individual SSH keys, and is logged
Apple IAP receipts are verified server-side against Apple's signed JWS payloads
Webhook endpoints (Apple App Store Server Notifications, Stripe events) are signature-validated

No security system is impenetrable, and no service provider can guarantee absolute security. We take industry-standard precautions and continuously review our practices.

12 Data Retention & Deletion

How long we keep things, and how to make them go away.

While Your Account Is Active

We retain your data for as long as your account is active so that the product can function.

After Account Deletion

You can delete your account at any time from Settings → Security → Delete Account in the app. Upon deletion:

Your account record, portfolio, chat history, and personalization preferences are permanently deleted within 30 days
Backups containing your data are overwritten in the normal backup rotation within 90 days
Anonymous, aggregate analytics data (e.g., "a user added an asset") that cannot be tied to you is retained indefinitely
Records we are legally required to retain (e.g., tax records, fraud-prevention logs) are kept for the minimum period required by law

Inactive Accounts

Accounts that have been inactive for 36 consecutive months may be deleted following written notice to the email on file.

13 International Data Transfers

If you're not in the United States, your data crosses a border to reach our servers.

Aurum's primary infrastructure is located in the United States. If you access the service from outside the U.S. — including from the European Economic Area, the United Kingdom, or Switzerland — your personal information will be transferred to, stored in, and processed in the United States.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss instruments as the legal mechanism for cross-border transfers. We additionally implement supplementary measures including encryption in transit and at rest.

14 Your Rights

Depending on where you live, you have the following rights regarding your personal information.

For Everyone

Access — request a copy of the personal data we hold about you
Correction — request that we fix inaccurate or incomplete data (you can correct most fields directly in Settings)
Deletion — request permanent erasure of your account and data
Portability — receive your data in a machine-readable format (CSV / JSON export available in Settings)
Withdraw consent — opt out of optional communications, AI Advisor, push notifications at any time

For EU/EEA, UK, and Swiss Residents (GDPR)

Object to processing based on our legitimate interests
Restrict processing while a dispute is resolved
Lodge a complaint with your local Data Protection Authority
Not be subject to a decision based solely on automated processing (we do not engage in this)

For California Residents (CCPA / CPRA)

Right to know what personal information we have collected, used, disclosed, or sold
Right to delete personal information we have collected from you
Right to correct inaccurate personal information
Right to opt out of "sales" or "sharing" of personal information (Aurum does not sell or share personal information as those terms are defined under the CCPA, so there is nothing to opt out of, but we honor Global Privacy Control signals)
Right to limit the use of sensitive personal information (Aurum does not use sensitive personal information for any purpose beyond what is reasonably expected to provide the service)
Right to non-discrimination for exercising your privacy rights

15 How to Exercise Your Rights

Two paths: in-app self-service, or contact our Live Concierge.

Self-service (fastest). Most rights are exercisable directly in the app: Settings → Account for correction, Settings → Export Data for portability, Settings → Security → Delete Account for deletion, Settings → Notifications for consent withdrawal.
Written request. Email privacy@useaurum.app (or concierge@useaurum.app) with the subject "Privacy Request" and tell us what you'd like us to do. We may need to verify your identity, which we will do by sending a verification code to the email address on your account.
Response window. We respond to verifiable requests within 30 days (45 days under CCPA, extendable once with notice if the request is unusually complex). There is no fee for the first request in any 12-month period.
Authorized agents. California residents may designate an authorized agent. We will require written authorization signed by you and proof of the agent's identity.

16 Children's Privacy

Aurum is not for children.

Aurum is intended for adults and is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact privacy@useaurum.app and we will delete the data promptly. We comply with the Children's Online Privacy Protection Act ("COPPA") in the United States.

17 California Residents Notice (CCPA & CPRA)

A consolidated California-specific notice.

In the preceding 12 months, Perseverance Factor has collected the categories of personal information described in Section 02 for the purposes described in Section 04, from the sources described in Section 02, and disclosed it to the categories of recipients described in Section 06.

We have not sold personal information for monetary or other valuable consideration. We have not shared personal information for cross-context behavioral advertising as defined under the CPRA. We do not knowingly sell or share personal information of consumers under 16 years of age. To exercise your rights, see Section 15.

18 European Residents Notice (GDPR & UK GDPR)

A consolidated EU / UK / Swiss notice.

Perseverance Factor is the data controller for purposes of GDPR and UK GDPR. We have no establishment within the EU or UK; for matters concerning your rights, you may contact us at privacy@useaurum.app. You have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office; in EU member states, your country's Data Protection Authority).

19 Breach Notification

What happens if something goes wrong.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and notify affected users without undue delay via the email address on file, describing the nature of the breach, the categories of data affected, the likely consequences, and the measures we are taking to address it.

20 Changes to This Policy

How we'll let you know if anything material changes.

We may update this policy from time to time to reflect changes in our practices, our service, or applicable law. The "Effective" date at the top of the page reflects the most recent revision. For material changes — changes to the categories of data we collect, the purposes for which we use it, or the third parties with whom we share it — we will provide reasonable advance notice via email and an in-app banner before the changes take effect.

An archive of prior versions is available upon request from privacy@useaurum.app.

21 Contact & Data Protection

Talk to a human.

Questions, requests, or concerns about how Aurum handles your data should go to:

Data Controller

Perseverance Factor

Owners: Lital Gilad & Eran Gilad · Operator of Aurum: Michael Gilad

Privacy & Data Requests: privacy@useaurum.app

General Concierge: concierge@useaurum.app

Web: useaurum.app