Privacy Policy
This policy explains what personal data AURUM collects, why, and your rights under GDPR, UK GDPR, India DPDPA, UAE PDPL, PIPEDA, PDPA, POPIA, and other applicable privacy laws.
1. Who We Are (Data Controller)
AURUM operates aurumrates.com — a real-time commodity price intelligence platform. For GDPR and equivalent purposes, AURUM is the data controller for personal data processed through this website.
Contact: privacy@aurumrates.com
Data Protection Officer / Privacy contact: legal@aurumrates.com
AURUM does not knowingly collect personal data from individuals under the age of 18. If you are under 18, please do not use this website or provide any personal data. If we become aware we have collected data from a minor, we will delete it promptly.
2. Data We Collect
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address | Country/city detection to show local gold prices in your currency and units | Legitimate interest (geo-pricing); passed to geojs.io / ipinfo.io — not stored by AURUM | Session only — not persisted |
| Browser timezone | Fallback geo-detection if IP APIs are unavailable | Legitimate interest | Session only |
| Google Analytics cookies (_ga, _gid) | Aggregate traffic analysis — page views, sessions, device type. IP is anonymised before storage. | Consent (where required by GDPR/UK GDPR/DPDPA/PDPA) | 26 months (_ga) / 24 hours (_gid) |
| Microsoft Clarity cookies (_clsk, _clck) | Heatmaps and aggregate session behaviour analysis. No individual user identification. | Consent | 1 year |
| aurum_geo (localStorage) | Remembers your preferred region/currency so you don't need to re-select on each visit | Legitimate interest (functional) | 30 days |
| aurum_portfolio (localStorage) | Stores your portfolio holdings locally in your browser — never transmitted to our servers | Consent / functional necessity | Until you clear browser data |
| _aurum_ab (sessionStorage) | A/B test assignment for pricing display — anonymous, no personal data linked | Legitimate interest | Session only |
| Email address (alerts) | Sending you price alerts you have subscribed to | Consent / contract performance | Until you unsubscribe or delete account |
| Server logs | Security, error monitoring, DDoS protection (via Netlify) | Legitimate interest | 30 days (Netlify standard) |
3. Third-Party Data Processors
We share limited data with the following processors who act on our behalf:
| Processor | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Netlify, Inc. | Website hosting and CDN | Server logs, IP addresses | USA / Global CDN | Netlify DPA; SCCs for EEA transfers |
| Google Analytics 4 (Google LLC) | Aggregate traffic analytics | Anonymised usage data, device info | USA (IP anonymised) | Google DPA; EU-US Data Privacy Framework |
| Microsoft Clarity (Microsoft Corp.) | Heatmaps & session analysis | Click/scroll data (anonymised) | USA | Microsoft DPA; SCCs |
| geojs.io | IP-based country/city detection | IP address (single API call) | USA | Open public API; minimal data; not stored |
| ipinfo.io | IP geo-detection (fallback) | IP address (single API call) | USA | ipinfo.io privacy policy; not stored by AURUM |
| Stripe (planned) | Payment processing for Pro subscriptions | Payment data, email, name | USA / EU | Stripe DPA; PCI-DSS Level 1 |
4. International Data Transfers
AURUM is hosted on Netlify's global CDN. Data may be processed in the United States and other countries that may not have data protection laws equivalent to those in your jurisdiction. Where we transfer data from the EEA or UK, we rely on:
- EU-US Data Privacy Framework (for Google/Microsoft)
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Netlify's Data Processing Agreement
For India (DPDPA): geojs.io and ipinfo.io receive your IP address for a single lookup. This constitutes a cross-border transfer under the DPDPA. We minimise this by using timezone-based detection as a fallback that involves no external network call.
5. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
| Right | Who it applies to | How to exercise |
|---|---|---|
| Right of access — see what data we hold about you | EU/UK (GDPR), India (DPDPA), UAE (PDPL), Canada (PIPEDA), Singapore (PDPA), Australia (Privacy Act), South Africa (POPIA), all others | Email privacy@aurumrates.com |
| Right to rectification — correct inaccurate data | All jurisdictions | Email privacy@aurumrates.com |
| Right to erasure / deletion | EU/UK, India, California (CCPA), South Africa, Thailand | Email privacy@aurumrates.com |
| Right to data portability | EU/UK, India, California | Email privacy@aurumrates.com |
| Right to object / opt out | EU/UK (object to legitimate interest), California (opt out of sale — we do not sell data), India (withdraw consent) | Email privacy@aurumrates.com or use cookie settings |
| Withdraw consent — for analytics cookies | All jurisdictions | Use the cookie preference centre (footer link) or email us |
| Lodge a complaint with a regulator | All jurisdictions | See Section 6 below |
We will respond to rights requests within 30 days (or 1 calendar month for EU/UK GDPR). We may ask you to verify your identity before acting on a request.
6. Supervisory Authorities
If you are unhappy with how we handle your data, you can complain to your national data protection authority:
- EU / Germany: Your national DPA (e.g. BfDI — bfdi.bund.de)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- India: Data Protection Board of India (when operational) — MeitY
- UAE: UAE Data Office — uaedataoffice.gov.ae
- Canada: Office of the Privacy Commissioner (OPC) — priv.gc.ca
- Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- South Africa: Information Regulator — inforegulator.org.za
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- HTTPS / TLS encryption on all connections (HSTS enforced)
- Content Security Policy (CSP) to prevent XSS attacks
- No storage of sensitive financial data on our servers
- Portfolio data stored only in your browser (localStorage), never transmitted
- Regular security header audits via Netlify configuration
8. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR; 72 hours under India DPDPA rules; promptly under UAE PDPL and Singapore PDPA). We will notify affected individuals where there is a significant risk of harm to their rights and freedoms.
9. Changes to This Policy
We may update this policy periodically. The "last modified" date at the top of this page indicates when it was last revised. Significant changes will be highlighted via a notice on the homepage. Continued use of the site after changes constitutes acceptance of the updated policy.
Policy reference: AURUM-POLICY-001 v3.0 · Effective 26 February 2026 · Contact: privacy@aurumrates.com