Privacy Policy
Effective Date: May 15, 2026 · Last Updated: May 15, 2026
Plain-Language Summary
Aurli is designed with privacy as a foundation:
- We do not ask for your name, email, or phone number. No account signup is required to use Aurli.
- Your audio recordings are never stored on our servers. They pass through briefly during transcription, then are deleted within seconds.
- Your transcripts and notes stay on your device. We never store the text of your recordings on our servers.
- We do not use any advertising or tracking SDKs. Your data is not shared with advertisers.
- An anonymous random ID is created when you first install the app. It allows us to track usage limits but is not connected to your identity, your Apple ID, or any device fingerprint. Reinstalling the app gives you a new anonymous ID.
If you want technical details, the rest of this document explains everything we do and don't do with data.
1. About Aurli
Aurli is a voice-to-text note-taking app for iOS. It records your voice, transcribes it to text, and offers AI-powered features (summarization, translation, chat with your transcript).
Aurli is built and operated by Brandon Kwai, an independent developer. This privacy policy describes how Aurli handles information when you use the app.
2. Information We Collect
2.1 Audio Recordings
When you record audio in Aurli and request transcription:
- The audio is recorded on your device.
- The audio is uploaded over an encrypted (HTTPS) connection to our servers.
- Our servers receive the audio file in memory and create a temporary copy on disk.
- The audio file is forwarded to OpenAI's Whisper API for transcription.
- Once transcription is complete, the temporary file is deleted from our servers (this happens within seconds).
- The audio file is never written to our database, never stored long-term, and never associated with any identifying information.
2.2 Transcripts
When transcription completes:
- The transcript text is returned to your device.
- The transcript is stored locally on your device using Apple's SwiftData framework.
- The transcript is not stored on our servers.
When you use AI features (chat with transcript, summarize, translate, rewrite):
- The transcript text is sent to our servers over HTTPS.
- Our servers forward the text to OpenAI's GPT-4o-mini API.
- The AI response is returned to your device.
- The transcript text is not stored on our servers during this process — it exists only in memory during the request.
2.3 Anonymous Device Identifier
When you first launch Aurli, the app generates a random identifier (a UUID combined with a timestamp). This identifier:
- Is created entirely on your device by random number generation.
- Is not derived from your Apple ID, your phone number, your email, your IP address, or any Apple device identifier (IDFA, IDFV, etc.).
- Is sent to our servers only to register an anonymous account for tracking your usage limits (such as recording quotas).
- Is stored in your device's UserDefaults and on our servers in a database row.
- Cannot be linked to you personally or to other apps you use.
If you reinstall Aurli, a new identifier is created — your previous usage history cannot be linked to your new install.
2.4 Authentication Token
After registering an anonymous account, our server issues a JWT (JSON Web Token) authentication token. This token:
- Contains the random user UUID and expiration timestamp — no personal information.
- Is stored securely in your device's iOS Keychain.
- Is sent with each request to our servers to verify your anonymous account.
2.5 Usage Metadata
When you use Aurli's features, our servers record metadata about your usage:
- What action was performed (transcription, AI summarization, chat, etc.)
- Duration in seconds (for audio transcriptions)
- Token counts (for AI features — used to track API costs)
- Estimated cost in USD (for our internal cost monitoring)
- Timestamp
This metadata is associated with your anonymous device identifier. It is not associated with any personal information because we don't have any.
We do not record:
- The content of your recordings
- The content of your transcripts
- The content of your AI chat messages
- Your IP address (in our application code)
- Your device model, OS version, or app version (in our application code)
- Your name, email, phone number, or any contact information
2.6 Information Captured by Our Hosting Provider
Our backend is hosted on Railway. Like all internet services, Railway captures standard HTTP access logs that include:
- Source IP address
- Timestamp
- Request path and HTTP method
- Response status code
- User-Agent header (which iOS sets automatically — typically includes the app name, app version, and iOS version)
These logs are retained by Railway for approximately 7 days, after which they are automatically deleted. We do not access, analyze, or use these logs except for diagnosing service issues.
We also use a rate limiter that temporarily holds IP addresses in memory to prevent abuse. This data is cleared whenever our service restarts and is never written to a database.
3. Information We Do NOT Collect
We want to be explicit about what Aurli does not collect:
- ❌ Your name
- ❌ Your email address
- ❌ Your phone number
- ❌ Your physical address
- ❌ Your location (we do not request location permissions)
- ❌ Your contacts (we do not request contacts access)
- ❌ Your photos (we do not request photo library access)
- ❌ Your calendar (we do not request calendar access)
- ❌ Apple's IDFA (Identifier for Advertisers)
- ❌ Apple's IDFV (Identifier for Vendor)
- ❌ Device serial numbers or hardware identifiers
- ❌ Browsing history or search history
- ❌ Health, fitness, or financial data
We do not use any third-party advertising or analytics SDKs. We do not share data with advertisers.
4. How We Use Information
We use the information we collect for these purposes only:
- Audio recordings: To transcribe them via OpenAI's Whisper API.
- Transcripts (when AI features are used): To process AI requests via OpenAI's GPT API.
- Anonymous device ID: To enforce usage limits (e.g., daily recording quotas) and to differentiate between trial and paid users.
- Usage metadata: To monitor service costs, prevent abuse, and inform service improvements.
We do not sell, rent, or share your information with third parties for marketing purposes.
5. Third-Party Services
Aurli relies on the following third-party services:
5.1 OpenAI
- Used for: Audio transcription (Whisper API) and AI features (GPT-4o-mini API).
- What is sent: Your audio recordings (for transcription) and your transcripts (for AI features).
- OpenAI's policy: Per OpenAI's API data usage policy, audio and text submitted via their API are not used to train OpenAI models. OpenAI may retain submitted data for up to 30 days for abuse monitoring, after which it is deleted.
- More information: OpenAI Privacy Policy
5.2 Railway
- Used for: Hosting our backend servers.
- What is captured: Standard HTTP access logs (see Section 2.6).
- More information: Railway Privacy Policy
5.3 Apple
- Used for: App distribution via the App Store and TestFlight; in-app purchases via StoreKit; iOS system features (Keychain, UserDefaults, SwiftData).
- What is captured: Apple may collect data per its standard App Store and iOS policies. We do not have access to this data.
- More information: Apple Privacy Policy
6. Data Retention
| Data | Retention |
| --- | --- |
| Audio recordings | Deleted within seconds of transcription |
| Transcripts on our servers | Not stored |
| Anonymous device ID | Until you reinstall the app or we delete the account record |
| JWT auth token | Until expiration (currently set with no expiration) or until you reinstall |
| Usage metadata | Up to 365 days, then automatically deleted |
| Hosting access logs (Railway) | Approximately 7 days |
| Rate limiter IP data | In-memory, cleared on service restart |
7. Data Security
We take reasonable measures to protect your information:
- All communication between the app and our servers uses HTTPS encryption.
- Authentication tokens are stored in iOS Keychain (Apple's secure storage).
- Our backend uses standard authentication via JWT tokens.
- We do not store sensitive personal information that could be compromised — the strongest security is collecting less data.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Your Rights and Choices
8.1 Stop Using the App
You can stop using Aurli at any time. Simply delete the app from your device. When you delete the app:
- All transcripts and notes stored on your device are deleted with it.
- Your anonymous device ID and authentication token are removed.
- Your usage history on our servers will be retained for up to 365 days (per Section 6) and then automatically deleted.
8.2 Reset Your Anonymous Account
Reinstalling Aurli creates a new anonymous device ID, effectively resetting your account. Your old usage history will remain on our servers (per the 365-day retention) but cannot be linked to your new install.
8.3 Request Deletion
Because we don't collect identifying information, we cannot identify your specific data without you providing your anonymous device ID. If you wish to request deletion of usage records associated with a specific device ID, you can contact us (see Section 13). However, simply uninstalling the app and waiting 365 days achieves the same result automatically.
8.4 European Users (GDPR)
If you are in the European Economic Area, the United Kingdom, or other regions with similar data protection laws, you have specific rights including the right to access, rectify, or delete personal information we hold about you. To exercise these rights, contact us using the information in Section 13. Note that we collect minimal information, and most data is automatically deleted under our retention schedule.
8.5 California Users (CCPA)
If you are a California resident, you have rights regarding personal information under the California Consumer Privacy Act. Aurli does not "sell" personal information as defined under the CCPA. You may request access to or deletion of personal information by contacting us.
9. Children's Privacy
Aurli is not directed at children under the age of 13 (or 16 in some jurisdictions). We do not knowingly collect information from children. If you believe a child has used Aurli, please contact us so we can take appropriate action.
10. International Users
Aurli is operated from the United States. By using the app, you understand that information is processed and stored in the United States and other jurisdictions where our service providers operate. If you are accessing Aurli from outside the United States, you acknowledge that information may be transferred to and processed in the United States.
11. Changes to This Privacy Policy
We may update this privacy policy from time to time. When we do, we will:
- Update the "Last Updated" date at the top of this document.
- Provide notice of material changes within the app or through other means we consider reasonable.
We encourage you to review this policy periodically.
12. Subprocessors and Service Providers Summary
| Service | Purpose | Data Shared |
| --- | --- | --- |
| OpenAI | Transcription and AI features | Audio recordings, transcript text |
| Railway | Backend hosting | Standard HTTP access logs |
| Apple | App distribution and platform | Per Apple's policy |
13. Contact
For questions about this privacy policy or our data practices, contact:
Brandon Kwai
Email: brandonkk0103@gmail.com
We aim to respond to privacy inquiries within 30 days.
This privacy policy applies to Aurli iOS application v1.0. Aurli is an independent product of Brandon Kwai.