We were careful when we built this site to ask for as little as possible. This section is the complete picture.
Data controller
The data controller for everything on this site is Anna — sole proprietor (Norwegian ENK), operating as Aurin. Contact: info@prulesoul.site.
What we collect, why, and the legal basis
- Account (email, name if given) — to let you sign in and to deliver what you bought. Legal basis: contract (GDPR Art. 6(1)(b)).
- Voice-minute ledger + conversation memory — to keep your room continuous from one session to the next. Legal basis: contract (Art. 6(1)(b)).
- Payment record (transaction ID, amount, SKU) — to fulfil the order and to keep VAT records. Legal basis: legal obligation (Art. 6(1)(c)) and contract.
- Hearth letters list (email) — to send the three opening letters and any future invitations. Legal basis: consent (Art. 6(1)(a)), withdrawable any time via the unsubscribe link.
- Support inbox (Reach Out form) — to reply to your question. Legal basis: legitimate interest in answering support requests (Art. 6(1)(f)).
- Anonymous visit counts (Plausible) — to know which pages help. No cookies, no cross-site tracking, no profiling. Legal basis: legitimate interest (Art. 6(1)(f)).
Processors
We use a small number of carefully chosen processors. Each has a signed Data Processing Agreement (DPA) on file:
Creem.io
Merchant of Record · subscription & one-shot payments · VAT/MVA compliance · European Union · GDPR DPA in place
Their privacy policy →ElevenLabs Inc.
Real-time voice synthesis (Conversational AI keepers) · United States · GDPR DPA in place
Their privacy policy →Resend, Inc.
Transactional email (refund notes, magic links, replies) · United States · GDPR DPA in place
Their privacy policy →MongoDB Atlas (MongoDB, Inc.)
Database — your account, intakes, voice-minute ledger · European Union (Frankfurt region)
Their privacy policy →Emergent (hosting + AI text inference)
Application hosting and LLM relay for the written keepers · European Union
Their privacy policy →Plausible Analytics (Plausible Insights OÜ)
Privacy-first, cookieless visitor counts · European Union (Estonia)
Their privacy policy →
International transfers
Some processors (ElevenLabs, Resend) are established in the United States. Transfers to those providers are covered by Standard Contractual Clauses under GDPR Art. 46 and, where applicable, the EU–US Data Privacy Framework.
Retention
- Account + room memory — kept while your account is active; deleted within 30 days of account deletion.
- Payment record — kept for 5 years as required by Norwegian accounting law (Bokføringsloven §13).
- Email list — kept until you unsubscribe; then marked inactive and removed at the next quarterly clean-up.
- Support messages — kept for 24 months so we can answer follow-up questions.
- Plausible analytics — anonymous, aggregated, no individual record.
Your rights
Under EU GDPR you have the right to:
- access the data we hold about you (Art. 15)
- have it corrected (Art. 16)
- have it deleted — the right to be forgotten (Art. 17)
- receive it as a portable file (Art. 20)
- object to processing based on legitimate interest (Art. 21)
- lodge a complaint with a supervisory authority (Art. 77)
You can exercise the export and deletion rights directly from your account page. Or write to info@prulesoul.site from the address tied to the account. We reply within 5 working days.