01Scope
This Privacy Policy explains how CreedStack Motions Limited handles information related to the Web Aura mobile application, the Web Aura website, and related support or account requests.
It is written to match the app's current behaviour more closely than the previous site copy. In particular, it avoids blanket statements such as "no analytics", "no logs" or "no tracking" where the app is in fact integrated with third-party services for analytics, crash reporting, messaging, advertising, purchases or account features.
02Data we collect
Depending on which features you use, Web Aura may process the following categories of information:
| Category | Examples | Why it is used |
|---|---|---|
| On-device browsing data | Browsing history, bookmarks, open tabs, link storage items, preferences, selected engines, extensions or scripts, locally available media and cached page data | To provide the browser experience and keep your data available on your device |
| Anonymous browser identity | Anonymous code, nickname, chosen emoji avatar, chosen avatar colour | To let you use browser account features without a conventional account |
| Google-linked account data | Name, email address, profile photo, Firebase Auth account identifiers, selected sync toggles | To support Google sign-in and cloud-linked sync where that option is used |
| Synced browser data | Bookmarks, history, tabs, extensions, link storage items or other categories you choose to sync | To restore and sync browser state across supported sessions or devices |
| Technical & diagnostics data | App events, crash diagnostics, device and runtime information, notification token refresh events | To improve reliability, diagnose issues and support messaging |
| Advertising & rewarded-ad data | Ad requests, device-level ad identifiers or related ad-serving metadata handled by ad providers | To fund the free app and support rewarded Aura Points flows where used |
| Purchase & entitlement data | Product identifiers, transaction identifiers, subscription state, receipt or entitlement logs, Aura Points balance and restore events | To activate Pro access, restore purchases and manage points-related features |
| Support & contact data | Messages you send us, email address, screenshots or device details you choose to include | To respond to support, privacy and deletion requests |
| Aura assistant prompts | Text or voice-transcribed messages you send to Aura inside the app, the language code we detect on your device, the active tab URL when you ask Aura to summarise the current page | To match your message against the on-device intent router and knowledge base, and (only when needed) to forward a short query to a free public source so Aura can answer general questions or summarise a page |
| Aura conversation memory | The recent back-and-forth between you and Aura during one chat session | Held in app memory only so Aura can give context-aware answers in the same session — discarded when the chat sheet is closed or the app is killed |
| Voice input transcripts | The text produced by your phone's own speech-to-text engine when you tap Aura's microphone button | To let you talk to Aura instead of typing — only the resulting text reaches Aura, the raw audio is handled by your OS and not stored by Web Aura |
Privacy by feature
A feature-by-feature breakdown of where each piece of Web Aura data lives and what (if anything) leaves your device.
Locked folder
Files moved into the locked folder are encrypted with a key derived from your PIN/biometric and never leave your device. We can't read them. We don't index, count or back them up.
100% localBiometric unlock
Fingerprint and Face ID/Face Unlock data never reach Web Aura — your OS handles it and only tells us "yes / no". We store no biometric template, no hash, no fallback.
OS-handledIncognito tabs
No history, no cookies, no cache, no autofill, no thumbnails written to disk. Tabs and downloaded media are flagged so device gallery scanners skip them.
Per-session localAd / tracker blocker
Filter lists are matched on-device. We don't send the URLs you visit to a remote checker. The blocker stat ("3,000+ trackers blocked this week") is computed locally.
On-device matchAI page summary
The visible page text is sent to our summarisation backend (Koyeb), processed, summary returned. The full page text is not stored. No persistent log past 24h debug retention.
Cloud · ephemeralAI search engines
You pick which AI engine handles your query. The query goes directly to that engine (e.g. Bing, Perplexity, ChatGPT search). We don't intermediate or log the query.
3rd-party directMusic player + auto-mix
Saved music files are local. Cover art and metadata are extracted on-device. BPM detection for auto-mix runs locally. No track names sent anywhere.
100% localUniversal downloader
The link you paste is sent to our extraction backend to resolve direct media URLs. The downloaded file streams from the source server straight to your device — we never store it.
Resolve only · no storageUserscripts & extensions
Each script runs sandboxed against the sites it declares in @match. Scripts you install can read those pages. We do not see what scripts you install or what they do.
Link safety check
Before opening a suspicious URL, we check it against an on-device filter list. For deeper checks we may query a remote safe-browsing API. The URL hash is sent, not the full URL.
Hash-only lookupRead-later sync
Off by default. Enable in Settings → Sync. Articles you mark for later are stored encrypted in Firestore tied to your Google account. Disable any time → server copy purged within 7 days.
Optional · cloud1000+ themes
Theme images are bundled with the app or fetched from our CDN as static assets. Your theme choice is stored locally. Custom photos you upload as theme stay on-device.
Local pickAura — app commands
Asking Aura to "open downloads", "switch to dark mode", "go incognito", "summarise this page" or to play a song from the music library is matched on your phone by an on-device intent router. The command never leaves your device.
100% localAura — knowledge base
Questions about Web Aura itself ("what can you do", "how do I change theme") are answered from a bundled, on-device knowledge base. No network call.
Bundled · offlineAura — general questions
For real-world questions, Aura queries free public sources directly: DuckDuckGo Instant Answer, your locale's Wikipedia REST API, and (as a last resort) the Jina AI Reader. Only your typed query is sent — no account, no profile, no API key.
Free public APIsAura — page summarise
When you ask Aura to summarise the page you're on, it first tries to read the visible text from the WebView locally and run an extractive summary on-device. If the page is long or blocked, the URL (only the URL — not your cookies or session) is sent to the Jina AI Reader and a short summary is returned. The full page text is never stored.
Local-first · cloud fallbackAura — voice input & speech
Aura uses your device's built-in speech-to-text (Apple Speech / Android SpeechRecognizer) — Web Aura never sees the audio. Speech replies use your device's built-in text-to-speech. Both are OS-level features you can disable in system settings.
OS-handledAura — conversation memory
Aura keeps a short transcript of the current chat in app memory so it can refer back to what you said. This memory is never written to disk and is wiped automatically when the chat sheet closes or the app is killed.
In-RAM only03How we use data
- To operate Web Aura's browser, media preview, link storage, playback and settings features
- To maintain anonymous or Google-linked account state
- To sync selected categories such as bookmarks, history, tabs, extensions or link storage when sync features are enabled
- To process subscriptions, one-time purchases, Aura Points balances and restore events
- To deliver push notifications or local notifications if you enable them
- To measure stability, app usage and crash patterns so we can improve the product
- To deliver ads and rewarded-ad flows in the free version where applicable
- To answer support, privacy and deletion requests
- To comply with legal obligations, protect users and prevent abuse
05Ads, analytics & notifications
Web Aura's current app code integrates analytics, crash reporting, cloud messaging and mobile advertising services on iOS. That means some technical, diagnostics, token and ad-delivery information may be processed by those providers when the related features are active.
- Analytics. The iOS app enables Firebase Analytics collection in the current AppDelegate setup.
- Crash reporting. Crashlytics is included for release builds.
- Notifications. Firebase Messaging and iOS notification permissions are used for push notifications.
- Advertising. Google Mobile Ads is registered, including native ad factories, and rewarded ads are used in Aura Points flows.
You can usually limit or control relevant permissions and preferences through your device settings, notification settings, account settings, ad/privacy settings and in-app browser/privacy controls.
06Purchases & store processing
Web Aura offers subscriptions, a lifetime purchase and Aura Points consumables. Store billing is processed by Apple or Google, while the app keeps local entitlement state and may send receipt-related or points-related server requests for restore or validation flows.
- iOS App Store page: apps.apple.com/app/id6763145076
- Google Play page: play.google.com/store/apps/details?id=com.creedmotions.webaura
- Android package: com.creedmotions.webaura
- We receive store product or transaction references needed to verify and manage access.
- We do not store your full payment card number.
07Retention & deletion
Retention depends on the feature involved:
- On-device browsing data. Retained on your device until you clear it, reset the app, or uninstall.
- Anonymous profile cache. Retained until cleared from app storage or through supported delete/reset flows.
- Google-linked or synced data. Retained until you disable sync, sign out, request deletion, or it is otherwise removed from the relevant service.
- Purchases and entitlement records. Some records may be retained as needed for restore, compliance, fraud prevention or financial reporting.
- Support messages. Retained as needed to handle the request and keep a support record.
08Your choices & rights
- Review and adjust privacy, ad blocking, safe browsing and notification settings inside the app or device settings
- Clear local browsing data from Web Aura settings
- Use the iOS delete-all-data flow where available
- Request access, correction or deletion by contacting us at info.creedmotions@gmail.com
- Manage store purchases through your App Store or Google Play account
- Choose whether to use anonymous account tools or Google-linked sync features
Depending on your location, you may have additional rights under local privacy law, including access, deletion, correction or objection rights.
09Security
We use reasonable technical and organisational measures intended to protect information handled by Web Aura. However, no app, website, network or storage system can promise absolute security.
10Children
Web Aura is not intended for children under the age required by applicable law to provide their own consent for these services. If you believe a child has provided personal data improperly, contact us so we can review the situation.
11International processing
Because Web Aura uses third-party providers such as Apple, Google, Firebase and hosting services, information may be processed in countries other than your own. Those providers apply their own infrastructure and transfer practices.
12Extensions & userscripts
Web Aura is a mobile WebView-based browser, not desktop Chrome. Because of that, the range of browser extensions it can run is intentionally limited and is described in honest detail below.
.user.js files) and Chrome Web Store extensions whose work is mainly injecting JavaScript or CSS into a page. It does not support extensions that require Chrome's background service workers, request-blocking APIs or other desktop-only browser internals.
What Web Aura can run:
- Userscripts from Greasy Fork, OpenUserJS or any direct
.user.jsURL - Pasted or imported local
.user.jsfiles via the built-in script manager - Chrome Web Store extensions that are primarily content-script based — page customisers, theme/dark-mode scripts, YouTube / X / Reddit helpers, image & link helpers, copy/selection tools, reader enhancers, cookie-banner hiders, shortcut utilities, media-detection helpers and other site-specific UI enhancers
- Web Aura's own built-in extension-style tools — ad blocker, script manager, reader mode, page translation, find-in-page, save-page, desktop-mode / UA spoof, long-press image tools, media detection and a quick downloader bridge
What Web Aura cannot fully run:
- Userscript managers themselves (Tampermonkey, Tampermonkey Beta / Dev / Next, Violentmonkey, Greasemonkey) — Web Aura already includes its own built-in script manager, so installing these would create a hollow shell
- Network-level request blockers such as uBlock Origin, AdBlock, AdBlock Plus and Ghostery — these depend on Chrome's request-blocking APIs that aren't available inside a WebView; Web Aura redirects these to its built-in ad blocker instead
- Any extension that depends on Manifest V3 background service workers, native messaging hosts, or other Chrome-only browser-level APIs
For a full breakdown of what is and isn't supported, plus example userscripts and extensions you can install today, see the dedicated page at Supported extensions.
Behind the scenes, Web Aura's behaviour is consistent with public guidance from Google: Android WebView shares the Chromium rendering engine with Chrome but does not include all Chrome-specific browser features, and modern Chrome extensions increasingly depend on Manifest V3 background service workers and extension APIs that page scripts simply cannot replicate.
If you install a userscript or extension, the script is sandboxed and runs against the sites it declares in its @match / @include rules. You can disable, delete or reset any installed item from Settings → Extensions in the app at any time.
13Aura assistant
Aura is the in-app assistant that lives behind the floating orb. Because it's built into the privacy story of Web Aura, it gets its own section.
No paid AI vendor
Aura is a "no-LLM" assistant by design. Web Aura does not pay any AI provider, send your messages to a chat-AI service, or use your chats to train any model. There is no Aura account and no Aura sign-in.
How a single Aura message is handled
- Local intent matching. Your message is first checked on-device against an intent router that recognises commands like "open downloads", "go incognito", "switch to dark mode", "summarise this page", "play X in the music library", "open quick downloader", "open support", "unlock home page" and dozens more — translated into ten languages so the matching works offline in your language.
- Local knowledge base. If your message looks like a question about Web Aura itself ("what can you do", "how do I add a script", "how do themes work"), Aura answers from a knowledge base bundled with the app. No network call.
- Free public sources, only if needed. If the message is a real-world question, Aura asks (in this order): DuckDuckGo Instant Answer, your locale's Wikipedia REST API, then Jina AI Reader as a last resort. Each of these is a free public endpoint — only your typed query (and a language/region hint derived from your app locale) is sent.
- Page summary. When you tap "summarise this page", Aura first tries to read visible text from the WebView locally and run an extractive summary on-device. If the page is blocked, behind a CAPTCHA, or empty, it falls back to fetching a clean text version of the URL via Jina AI Reader and summarises that on-device.
- Voice in, voice out. Tapping the microphone uses your phone's own speech-to-text (Apple Speech / Android SpeechRecognizer). Aura's spoken replies use your phone's built-in text-to-speech. Audio never leaves your device.
- Session memory. A short transcript of the current chat is held in app memory so Aura can keep context within one chat. It is never written to disk and is wiped when the chat sheet closes or the app is killed.
What Aura does not do
- It does not silently send your messages anywhere when it can answer locally.
- It does not read your tabs, history, bookmarks, locked-folder media or downloaded files in order to answer questions.
- It does not use your typed prompts to train any model — neither ours nor a third party's.
- It does not record or upload your microphone audio.
- It does not maintain a long-term Aura profile of you, and does not link Aura messages to your Google account, anonymous browser identity, ad identifier or any other identifier.
Honest limits
Because Aura uses free public APIs and on-device extractive summarisation rather than a large language model, it can miss tasks it doesn't recognise, or return summaries that don't match the page perfectly. Aura tells you this in the chat sheet itself ("Aura can miss tasks or give inaccurate answers"). Treat its answers as a starting point, especially for anything important.
Turning Aura off
You can hide the floating orb and disable Aura entirely from Settings → Aura assistant. When Aura is off, no Aura-related processing happens at all.
14Contact
If you have questions, privacy concerns or deletion requests, contact:
- Email: info.creedmotions@gmail.com
- Developer: CreedStack Motions Limited
- App: Web Aura
- iOS App Store ID: 6763145076
- Android package: com.creedmotions.webaura
- Google Play: play.google.com/store/apps/details?id=com.creedmotions.webaura
We may update this policy from time to time. When we do, we will update the effective date on this page.