Privacy Policy

This policy describes what personal data AuraPharmLab collects, why, who else sees it, and what rights you have over it. We try to keep this short and honest. AuraPharmLab is operated by Dr. Harshad Ramineni from Mumbai, Maharashtra, India.

1. What we collect

Data	Source	Why
Email address, name, profile photo URL	Google Sign-In (when you sign in)	To identify you, to display your name in the watermark, to look up your subscription status.
Payment details (card number, UPI ID, billing address)	Razorpay (during checkout)	To process subscription payments. We never see or store these directly — Razorpay handles them as the payment processor.
Subscription record (your email, plan, status, subscription ID, activation/expiry timestamps)	Generated when you subscribe	To check whether you can access subscriber-only content.
Server request logs (IP address, user agent, timestamp, requested URL, country)	Cloudflare (our hosting/edge layer)	Standard web operations, debugging, and abuse prevention. Retained per Cloudflare's defaults.
Session cookie (encrypted Google ID token, HttpOnly, 1-hour lifetime)	Set after sign-in	To keep you signed in across pages without re-prompting Google every request.

We do not use any analytics tracker, advertising tracker, social pixel, heatmap tool, or similar. The site has no third-party trackers beyond what's listed above.

2. How we use your data

• To deliver the service. Sign-in, subscription gating, watermarking, and serving the content you paid for.
• To send transactional notifications. Subscription receipts, renewal reminders, expiry warnings — only related to your subscription. (Stage C — not yet active as of May 2026.)
• To prevent abuse. If we see content from your account being redistributed, we use the watermark + logs to confirm and may suspend your subscription.

We do not sell, rent, or share your data with third parties for marketing. Ever.

3. Who else sees your data

To run the service, we use these third-party services. Each has its own privacy policy that you should review separately:

• Google — for Sign in with Google. Receives the same information any "Sign in with Google" implementation does. Google Privacy Policy.
• Razorpay — for payment processing. Receives your name, email, billing address, and payment instrument details. Razorpay Privacy Policy.
• Cloudflare — for hosting, edge serving, and storing your subscription record in Cloudflare KV. Cloudflare Privacy Policy.

4. Where data is stored

Your subscription record (email + status + timestamps) is stored in Cloudflare KV, replicated globally. Cloudflare's edge servers may be in various regions; in practice for users in India, traffic is usually served from Cloudflare's Mumbai edge. Razorpay processes payment data in India per RBI requirements.

5. How long we keep it

• Subscription record: for the duration of your subscription, plus a reasonable period afterward (typically up to 12 months) for accounting and dispute resolution. After that, the record is deleted or anonymised.
• Server request logs: per Cloudflare's defaults (typically a few weeks).
• Session cookies: 1 hour, then they expire on their own.

6. Your rights

You can:

• See what we have on you — email aurapharmlab@gmail.com and we'll reply within a reasonable time.
• Correct it — your name and email come from Google; correct them there and they propagate next time you sign in.
• Delete it — cancel your subscription and email us asking for full deletion. We'll remove your subscription record and any associated data, except where we're required to retain something for accounting (typically minimal — invoice copies for a few years per Indian tax law).
• Withdraw consent / sign out — click "Sign out" anywhere on the site. We disable Google's auto-select and clear your session cookie. To stop the recurring subscription itself, see the Refund & Cancellation Policy.

7. Cookies

We use a single cookie called apl_session. It's set after you sign in, lives for 1 hour, is HttpOnly (so JavaScript can't read it), is Secure (only sent over HTTPS), and SameSite=Lax. Its only purpose is to keep you signed in. There are no advertising or tracking cookies.

8. Children

The site is intended for medical postgraduate students (typically aged 23+). It is not directed at children under 18, and we don't knowingly collect data from children.

9. Changes to this policy

We may update this policy as the service evolves. The "Last updated" date at the top will reflect the most recent change. Material changes will be communicated by email to active subscribers.