Privacy Policy

Mediaura, Inc.

Last updated: March 30, 2026

Mediaura, Inc. (“Mediaura,” “we,” “us,” or “our”) operates the Aura marketing intelligence platform and the website located at mediaura.io. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our platform, website, and related services (collectively, the “Services”). Our Services include marketing attribution and analytics tools deployed across multiple industry verticals, including restaurant and hospitality, healthcare and behavioral health, and other sectors.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are using the Services on behalf of an organization, you represent that you have authority to bind that organization to these terms.

1. Information We Collect

1.1 Information You Provide

  • Account & Contact Information: Name, email address, company name, phone number, job title, and industry when you request a demo, create an account, or contact us.
  • Platform Credentials: Authentication tokens, OAuth credentials, and API keys for third-party platforms you explicitly authorize us to connect to (e.g., Google Analytics, Google Ads, Meta Ads, CRM systems, point-of-sale systems, loyalty platforms, foot traffic providers, and weather data services).
  • Billing Information: Payment details processed by our third-party payment processor. We do not store full credit card numbers or bank account numbers on our servers.

1.2 Information Collected Through the Platform

When you authorize Aura to connect to your systems, we may access and process the following categories of data depending on the services you have engaged and the platforms you have connected:

  • Marketing & Advertising Data: Campaign performance metrics, ad spend, conversion signals, impression and click data, and tracking configurations from advertising platforms such as Google Ads and Meta Ads.
  • Point-of-Sale (POS) & Transaction Data: Transaction-level records including timestamps, ticket totals, item-level detail, order type (dine-in, takeout, delivery), and location identifiers from POS systems such as Toast, Square, or similar platforms.
  • Loyalty & Customer Engagement Data: Loyalty program enrollment data, reward redemption records, visit frequency, and customer engagement metrics from platforms such as Thanx, Punchh, or similar systems. This data may include hashed or pseudonymized customer identifiers.
  • Foot Traffic & Visitation Data: Aggregated and anonymized visitation patterns, trade area demographics, competitive visitation benchmarks, and location analytics from providers such as Placer.ai or similar platforms.
  • Contextual & Environmental Data: Weather data, local event calendars, and other contextual signals used as control variables in marketing attribution models.
  • Demographic & Market Data: Publicly available or commercially licensed demographic, psychographic, and market data used for site selection analysis, trade area evaluation, and competitive benchmarking. This data is obtained from third-party licensed data providers and public sources such as U.S. Census Bureau data.
  • First-Party Customer Data: For features such as customer matching and transaction attribution, we may process hashed, pseudonymized, or de-identified customer records that you provide or that originate from your authorized platforms.
  • Healthcare Marketing Data: For healthcare and behavioral health clients specifically, we may process website interaction data, session-level behavioral data, conversion events, and multi-touch attribution signals. Where any such data constitutes or may constitute Protected Health Information (“PHI”) under HIPAA, it is handled exclusively in accordance with Section 6 of this Policy and the terms of an executed Business Associate Agreement (“BAA”).

1.3 Information Collected Automatically

  • Website Usage: IP address, browser type and version, device information, operating system, pages visited, referring URLs, and session duration when you visit mediaura.io.
  • Cookies & Similar Technologies: We use essential cookies for site functionality, analytics cookies to improve our website, and, where applicable, first-party tracking cookies for marketing attribution. You may opt out of non-essential cookies through your browser settings or our cookie preference center. See Section 12 for additional detail on our cookie practices.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Aura platform and Services.
  • Connect to, ingest data from, and analyze data across the platforms you have authorized.
  • Build and refine marketing attribution models, including causal inference models, media mix models, and multi-touch attribution models.
  • Generate marketing intelligence reports, performance dashboards, attribution analyses, and tracking audits.
  • Conduct site selection analyses, trade area evaluations, and competitive benchmarking using a combination of your data and third-party licensed or publicly available data.
  • Process and attribute transactions, loyalty engagements, and customer interactions to marketing activities.
  • Communicate with you about your account, provide technical support, and send service-related updates.
  • Process billing transactions and send related financial information.
  • Detect, prevent, and address technical issues, security incidents, and fraudulent activity.
  • Comply with applicable legal obligations and enforce our terms of service.

We do not sell your personal information or your clients’ data to third parties. We do not use your data to build competitive products or share it with other clients. Your data is used solely to deliver the Services to you.

3. Authorized Platform Access

Aura connects only to the third-party platforms and accounts that you explicitly authorize. We access these platforms using industry-standard OAuth 2.0 tokens, server-to-server API credentials, or secure credential exchange mechanisms that you configure during onboarding.

You may revoke access to any connected platform at any time through your Aura account settings, by revoking credentials in the third-party platform’s own settings, or by contacting us directly at privacy@mediaura.io.

We access only the data necessary to deliver the Services you have requested and do not access platforms, accounts, data scopes, or permission levels beyond the scope of your authorization. Where third-party platform APIs provide granular permission scopes, we request only the minimum permissions required.

4. Attribution Models & Derived Insights

A core function of the Aura platform is generating marketing attribution models and derived analytical insights from the data you provide and authorize us to access. This section explains how we handle that process.

4.1 Model Inputs & Outputs

Our attribution models may use a combination of your marketing data, transaction data, loyalty data, environmental signals, and other authorized inputs to produce modeled outputs such as estimated return on ad spend, channel contribution estimates, incrementality assessments, and optimization recommendations. These model outputs are derived analytical products and are owned by you as part of the Services.

4.2 Aggregation & De-Identification

Attribution model outputs are generated at aggregate levels (e.g., by location, channel, campaign, or time period) and do not contain or reveal individual customer identities. Where individual-level data is used as a model input, it is aggregated during processing and individual records are not retained in model outputs unless you have specifically requested individual-level attribution and appropriate safeguards are in place.

4.3 Benchmarking

We may use aggregated, de-identified, and anonymized data across our client base to develop industry benchmarks, improve model accuracy, and enhance the Services generally. Such benchmarked data will never identify you, your business, or your customers. If you prefer to opt out of anonymized benchmarking, you may do so by contacting privacy@mediaura.io.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect the information we process. Our security program includes:

  • Encryption in Transit: All data transmitted between your systems, our platform, and connected third-party platforms is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: All stored data is encrypted at rest using AES-256 encryption.
  • SOC 2 Compliance: Our infrastructure and processes are designed to meet SOC 2 Type II standards for security, availability, and confidentiality.
  • Access Controls: We enforce role-based access controls (RBAC), multi-factor authentication (MFA), and least-privilege principles across all systems and personnel.
  • Credential Management: Third-party API credentials and service account keys are stored in dedicated secrets management infrastructure (e.g., AWS Secrets Manager) and are never stored in application code, version control, or unencrypted configuration files.
  • Security Testing: We conduct regular vulnerability assessments, penetration testing, and security audits of our infrastructure and application layer.
  • Incident Response: We maintain an incident response plan that includes detection, containment, investigation, notification, and remediation procedures. In the event of a confirmed security incident involving your data, we will notify you without unreasonable delay and in accordance with applicable legal requirements.

6. Healthcare Data & HIPAA Compliance

For clients in the healthcare and behavioral health industries, we maintain additional safeguards and commitments to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the HITECH Act and applicable regulations.

6.1 Business Associate Agreement

We will execute a Business Associate Agreement (“BAA”) with any client prior to processing, accessing, or storing any data that constitutes or may constitute Protected Health Information (“PHI”) under HIPAA. No PHI is ingested into the Aura platform until a BAA is fully executed. If you are a healthcare organization or a business associate that needs to engage us as a subcontractor, contact privacy@mediaura.io to arrange a BAA before onboarding.

6.2 PHI Safeguards

When processing data subject to a BAA, we implement the following enhanced safeguards:

  • PHI is logically segregated from non-healthcare client data and subject to enhanced access controls, audit logging, and monitoring.
  • We apply the HIPAA Minimum Necessary Standard, accessing and processing only the minimum PHI required to perform the services specified in the BAA.
  • All team members with access to healthcare client environments receive HIPAA compliance training upon onboarding and at least annually thereafter.
  • PHI is encrypted both in transit (TLS 1.2+) and at rest (AES-256), with encryption keys managed separately from application infrastructure.

6.3 De-Identification

Where feasible and consistent with the services requested, we de-identify healthcare data in accordance with the HIPAA Safe Harbor method (45 C.F.R. § 164.514(b)(2)) by removing or generalizing the eighteen categories of identifiers specified in the regulation. Data that has been properly de-identified under the Safe Harbor method is no longer PHI and is not subject to HIPAA restrictions. We do not re-identify de-identified data.

Where the Safe Harbor method is not feasible for a particular use case, we will work with you to determine whether Expert Determination (45 C.F.R. § 164.514(b)(1)) is appropriate and will engage a qualified statistical expert as needed.

6.4 Session Tracking & Attribution in Healthcare Environments

For healthcare clients using our multi-touch attribution and patient journey tracking features, our technical architecture is designed with the following privacy-preserving characteristics:

  • We use server-side, HttpOnly, secure cookies to maintain session continuity in a manner resilient to browser-level tracking prevention mechanisms (e.g., Safari ITP, Firefox ETP). These cookies do not store PHI.
  • Session identifiers are pseudonymous tokens that are not linked to patient identity within the Aura platform unless explicitly matched by the client through a secure, authenticated integration.
  • Attribution model outputs for healthcare clients (e.g., channel contribution to patient acquisition) are generated at aggregate levels and do not identify individual patients unless the client has specifically requested individual-level reporting and appropriate BAA terms and technical safeguards are in place.

6.5 Breach Notification

In the event of a breach of unsecured PHI (as defined under 45 C.F.R. § 164.402), we will notify the affected client without unreasonable delay and no later than sixty (60) calendar days after discovery of the breach, consistent with 45 C.F.R. § 164.410. Our breach notification will include the information specified in the BAA and applicable regulations, including a description of the breach, the types of information involved, and the steps we are taking in response.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Services. Specific retention periods are as follows:

  • Account Information: Retained for the duration of your account and for up to 90 days following account termination.
  • Marketing & Analytics Data: Retained in accordance with your service agreement. Default retention is the duration of your service term plus 90 days.
  • PHI (Healthcare Clients): Retained and disposed of in accordance with the terms of the executed BAA and applicable HIPAA requirements, including the six-year retention requirement for HIPAA-related documentation.
  • Attribution Model Outputs: Model outputs and derived insights are retained for the duration of your service term. Historical model data may be retained in aggregated, de-identified form for benchmarking purposes unless you opt out.

Upon termination of your account, we will delete or de-identify your data within 90 days, unless a longer retention period is required by law, regulation, or a valid legal obligation. You may request earlier deletion of your data at any time by contacting privacy@mediaura.io.

8. Data Sharing

We do not sell your data. We may share information only in the following limited circumstances:

  • Service Providers & Subprocessors: With trusted vendors who assist in operating our platform (e.g., cloud hosting providers, payment processors, infrastructure services), each bound by written confidentiality agreements and, where applicable, data processing agreements that restrict their use of your data to the services they perform on our behalf.
  • Third-Party Data Providers: We receive data from licensed third-party data providers (e.g., demographic data, foot traffic data, market data) for use in delivering the Services. We do not share your proprietary data with these providers.
  • Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect the rights, safety, or property of Mediaura, our clients, or the public.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with reasonable advance notice to affected clients. Any successor entity will be bound by the terms of this Privacy Policy with respect to data collected prior to the transfer.
  • With Your Consent: We may share information in other circumstances with your explicit prior consent.

9. Data Processing Agreements

For enterprise and franchise clients, we are prepared to execute Data Processing Agreements (“DPAs”) or Data Processing Addenda that govern our processing of your data, including provisions addressing data processing scope, security obligations, subprocessor management, audit rights, and data return or deletion upon termination. Contact privacy@mediaura.io to request a DPA.

10. Your Rights

Depending on your jurisdiction, you may have rights with respect to your personal information, including the rights to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete personal information.
  • Request deletion of your personal information, subject to applicable legal exceptions.
  • Object to or restrict certain processing activities.
  • Receive your personal data in a structured, commonly used, machine-readable format (data portability).
  • Withdraw consent where our processing is based on your consent.
  • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, to the extent applicable.

To exercise any of these rights, contact us at privacy@mediaura.io. We will acknowledge your request within ten (10) business days and will respond substantively within thirty (30) days, or within the timeframe required by applicable law.

11. State-Specific Privacy Rights

11.1 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

11.2 Other U.S. State Privacy Laws

Residents of other states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states that have enacted or may enact consumer privacy legislation) may have similar rights under their respective state laws. We are committed to honoring applicable state privacy rights. If you are a resident of one of these states and wish to exercise your rights, contact us at privacy@mediaura.io.

12. Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

  • Strictly Necessary Cookies: Required for the operation of our website and platform. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our website so we can improve the user experience. These are optional and can be disabled.
  • First-Party Attribution Cookies: Used within the Aura platform to support marketing attribution on your digital properties. These cookies are deployed on your properties at your direction and are subject to your own cookie consent practices. Our platform architecture uses server-side, HttpOnly, secure cookies designed to maintain measurement accuracy in environments with browser-level tracking prevention.

You can manage your cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of our website or the accuracy of our attribution Services.

13. International Data

Our Services are primarily directed to users in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to such transfer and processing.

14. Children’s Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete it. If you believe we have inadvertently collected information from a child, please contact us at privacy@mediaura.io.

15. Third-Party Links & Integrations

Our Services may contain links to or integrations with third-party websites, platforms, and services that are not operated by us. We are not responsible for the privacy practices or content of these third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with our platform.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page, updating the “Last updated” date, and, for material changes that affect how we process your data, providing direct notice via email to the address associated with your account. Your continued use of the Services after the effective date of a revised policy constitutes acceptance of the updated terms.

17. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your rights, contact us at:

Mediaura, Inc.
Email: privacy@mediaura.io
Website: mediaura.io