Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

We collect personal information you voluntarily provide when you:

• Create an account: name, email address, password (hashed), company name, business address, phone number, account type, and location.
• Complete a manufacturer profile: business headline, service capabilities, lead times, minimum order values, and capability tags.
• Submit a CAD design request: text descriptions of design requirements, reference images, jewelry specifications (metal type, gemstone, dimensions), and uploaded 2D design files.
• List materials: product descriptions, pricing, stock quantities, material certifications, supplier location, and product photography.
• Use the photography studio: text descriptions of jewelry pieces and uploaded reference images.
• Make a payment: billing name, billing address, and payment method details (processed and stored by Stripe; AurumFlow does not store complete card numbers).
• Contact support: the content of your communications with us.
• Create team accounts: names and email addresses of team members you invite.

1.2 Information Collected Automatically

When you use the Platform, we automatically collect certain technical information, including:

• Log data: IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, and session duration.
• Device information: device type, unique device identifiers, screen resolution, and hardware configuration.
• Usage data: features used, designs generated, files uploaded and downloaded, manufacturing requests submitted, messages sent, and search queries.
• Cookies and similar technologies: session cookies (for authentication), preference cookies, and analytics cookies. See Section 9 for our cookie policy.

1.3 Information from Third Parties

We may receive information about you from third-party sources, including:

• Stripe: payment confirmation data, customer IDs, and fraud signals related to your transactions.
• AI generation providers (Meshy AI, Tencent Hunyuan): generation status, output metadata, and error logs related to your design requests.
• Metals pricing providers: real-time commodity price feeds displayed on the Platform (not linked to your personal identity).
• Analytics providers: aggregated behavioral data used to improve Platform performance.

2. How We Use Your Information

We use the personal information we collect for the following purposes:

2.1 Platform Operations

• Creating and managing your account and authenticating your sessions;
• Processing and fulfilling CAD design requests, manufacturing quotes, and materials marketplace transactions;
• Generating AI design outputs and photography using your prompts and reference images;
• Processing payments through Stripe and managing subscriptions and credits;
• Displaying live metals pricing and dynamic cost calculations;
• Facilitating messaging and transactions between Jewelers, Manufacturers, and Dealers.

2.2 AI Model Training

AurumFlow uses anonymized and de-identified pairs of design inputs (text prompts, reference images) and approved AI-generated or human-made outputs (STL files) to train and improve our proprietary jewelry AI models (GenCAD). Specifically:

• We use aggregated, non-personally-identifiable design data to improve generation quality;
• We do not use your personally identifying information (name, email, company) in model training;
• You may opt out of having your design inputs and outputs used for model training by emailing privacy@aurumflow.ai with the subject line "AI Training Opt-Out." Opt-out requests are honored prospectively.

2.3 Communications

• Sending transactional emails (account confirmations, payment receipts, order updates, CAD delivery notifications);
• Sending platform notifications (new message alerts, request status updates, manufacturing quote responses);
• Sending marketing and product update emails (with your consent; you may opt out at any time via the unsubscribe link or account settings).

2.4 Safety, Security, and Compliance

• Detecting and preventing fraud, abuse, and unauthorized access;
• Enforcing our Terms of Service and Acceptable Use Policy;
• Complying with applicable laws, regulations, and legal processes, including responding to valid legal requests from law enforcement.

2.5 Business Analytics and Improvement

• Analyzing Platform usage patterns to improve features and user experience;
• Measuring the performance of design generation, manufacturing matching, and marketplace functions;
• Conducting internal research and development.

3. How We Share Your Information

3.1 With Other Platform Users

• Manufacturer profiles (business name, headline, capabilities, location, lead times, ratings) are visible to Jeweler/Designer users searching the manufacturing network.
• Materials listings (product descriptions, pricing, seller name, location) are visible to marketplace buyers.
• Design requests, reference images, and specifications are shared with the specific Manufacturer or AurumFlow CAD team member assigned to fulfill the request.
• Messages you send through the Platform are visible to the intended recipient.

3.2 With Service Providers

We share information with trusted third-party service providers who assist us in operating the Platform, subject to confidentiality agreements and data processing agreements:

• Stripe, Inc. (payment processing and fraud prevention) — https://stripe.com/privacy
• Meshy AI (3D model generation) — subject to Meshy's data processing terms
• Tencent Hunyuan (3D model generation) — subject to Tencent's data processing terms
• Amazon Web Services or equivalent (cloud hosting and file storage)
• SendGrid or equivalent (transactional email delivery)
• Analytics providers (anonymized Platform usage data only)

3.3 For Legal Reasons

We may disclose your information if we believe in good faith that such disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request;
• Enforce our Terms of Service;
• Protect the rights, property, or safety of AurumFlow, our users, or the public;
• Detect, prevent, or address fraud, security, or technical issues.

3.4 Business Transfers

If AurumFlow is involved in a merger, acquisition, financing, reorganization, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent Platform notice of any such change and any choices you may have.

4. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. Specifically:

• Account data: retained for the duration of your account and for 3 years after account closure for legal and fraud prevention purposes.
• Design request files and CAD outputs: retained for 2 years after delivery, then deleted unless you request earlier deletion.
• Payment and billing records: retained for 7 years as required by U.S. tax law.
• AI training data pairs (de-identified): retained indefinitely as part of model training datasets, unless you have opted out.
• Communication logs and support tickets: retained for 2 years.
• Server logs: retained for 90 days.

You may request deletion of your personal information at any time. See Section 7 for your rights.

5. Data Security

AurumFlow implements administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, use, alteration, or disclosure, including:

• Encryption of data in transit using TLS 1.2 or higher;
• Encryption of sensitive data at rest using AES-256;
• Hashing of passwords using industry-standard algorithms (bcrypt or equivalent);
• Role-based access controls limiting employee access to personal data to those with a legitimate business need;
• Regular security assessments and penetration testing;
• Secure file storage for uploaded design files and CAD deliverables.

No security measure is perfect. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

6. File Storage and Design Data

Files you upload to the Platform (reference images, design briefs, STL files) are stored in encrypted cloud storage. Access to your files is restricted to:

• You and members of your team (if applicable);
• AurumFlow CAD team members assigned to your request;
• The specific Manufacturer or Dealer you have engaged for a transaction;
• AurumFlow system administrators for support and security purposes.

You may request deletion of uploaded files at any time through account settings or by contacting privacy@aurumflow.ai. Note that files incorporated into completed training datasets may not be individually removable in de-identified form.

7. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right to Access: request a copy of the personal information we hold about you.
• Right to Correction: request correction of inaccurate or incomplete personal information.
• Right to Deletion: request deletion of your personal information, subject to legal retention obligations.
• Right to Restrict Processing: request that we limit processing of your data in certain circumstances.
• Right to Data Portability: request your data in a structured, machine-readable format.
• Right to Object: object to processing of your personal information for direct marketing purposes.
• Right to Opt Out of AI Training: request that your design inputs and outputs not be used to train AI models.

To exercise any of these rights, please contact us at privacy@aurumflow.ai. We will respond within 30 days (or the timeframe required by your jurisdiction's law). We may require verification of your identity before processing your request.

8. Children's Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a minor, please contact us at privacy@aurumflow.ai and we will promptly delete the information.

9. Cookies and Tracking Technologies

9.1 Cookies We Use

• Strictly Necessary Cookies: required for Platform authentication, session management, and security. Cannot be disabled.
• Functional Cookies: remember your preferences (language, timezone, currency display, notification settings).
• Analytics Cookies: collect anonymized usage data to help us understand how users interact with the Platform (e.g., page views, feature usage, error rates). We use privacy-respecting analytics tools.

We do not use third-party advertising or tracking cookies.

9.2 Managing Cookies

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Platform. You can opt out of analytics cookies through your account preferences or by using browser privacy extensions.

10. Third-Party Services

Our Privacy Policy does not apply to the data practices of third-party services integrated with the Platform. We encourage you to review the privacy policies of:

• Stripe, Inc.: https://stripe.com/privacy
• Meshy AI: https://www.meshy.ai/privacy
• Tencent (Hunyuan): https://www.tencent.com/en-us/privacy-policy.html

AurumFlow is not responsible for the privacy practices of these third parties.

11. International Data Transfers

AurumFlow is based in the United States. If you are accessing the Platform from outside the United States, your personal information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country. By using the Platform, you consent to such transfer.

For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses approved by the European Commission as the lawful mechanism for transferring personal data to the United States.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes, and the categories of third parties with whom we share it.
• Right to Delete: request deletion of personal information we have collected, subject to legal exceptions.
• Right to Correct: request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: AurumFlow does not sell or share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: AurumFlow uses sensitive personal information (payment data) only to provide services, not for inferencing or advertising.
• Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@aurumflow.ai or via the Platform's account settings. You may designate an authorized agent to make requests on your behalf.

During the preceding 12 months, AurumFlow has collected the following categories of personal information: identifiers (name, email, IP address); commercial information (transaction records, billing data); professional or employment-related information (business name, role); and internet or network activity (Platform usage data).

13. European and UK Privacy Rights (GDPR/UK GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal information under the following legal bases:

• Performance of a contract: processing necessary to provide Platform services you have requested.
• Legitimate interests: security monitoring, fraud prevention, Platform improvement, and business analytics, balanced against your privacy rights.
• Consent: AI model training using your design data; sending marketing emails.
• Legal obligation: retaining financial records as required by law.

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal. You also have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national supervisory authority in the EEA).

Our representative in the EU for GDPR purposes can be contacted at privacy@aurumflow.ai.

14. Changes to This Privacy Policy

AurumFlow may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a new effective date, and by sending an email notification to your registered email address at least 14 days before changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the revised policy.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact: