Skip to main content
Aria.

Legal

Privacy Policy

Last updated: January 15, 2025

1. Information We Collect

Account information

When you create an account, we collect your name, email address, and hashed password. If you sign up through a configured third-party identity provider, we receive your name, email, and profile picture from that provider.

Usage data

We automatically collect information about how you interact with Aria, including prompts sent, models selected, features used, timestamps, and performance metrics. This helps us improve the product and debug issues.

Payment information

Payments are processed by our payments provider. We receive a tokenised reference and the last four digits of your card; we do not store full card numbers. Receipts and tax records are retained for seven years for accounting purposes.

Device & log data

We collect IP address, browser fingerprint, page paths, and authentication events. Logs are retained for 90 days for security and 13 months for billing reconciliation, then permanently deleted.

2. How We Use Your Information

Service delivery

We use your data to provide, maintain, and improve Aria — including processing your AI prompts, managing your account, and delivering support.

Communication

We may send transactional emails (password resets, billing receipts) and, with your consent, product updates and tips. You can unsubscribe from marketing emails at any time.

Analytics & improvement

Aggregated, anonymized usage data helps us understand feature adoption, fix bugs, and prioritize our roadmap. We do not sell individual usage data to third parties.

Legal compliance

We may process your data to comply with applicable laws, respond to legal requests, or protect our rights and safety.

3. AI-Specific Data Practices

Prompt data

Prompts and AI outputs are processed by our model providers under contractual data-protection terms that prohibit training on customer data. Inference logs are retained for 30 days for abuse prevention and then permanently deleted.

Model providers

When you select a third-party AI model provider, your prompt is forwarded to that provider under their respective data-processing terms. We recommend reviewing each provider's privacy policy before routing sensitive content through external models.

RAG documents

Uploaded knowledge-base documents are encrypted, permission-scoped to the workspace, and indexed into a dedicated retrieval store. Deleted documents are removed from active retrieval immediately and purged from backups on the next retention cycle.

4. Data Sharing & Third Parties

Service providers

Our current sub-processor list is published at /security/sub-processors and updated within 7 days of any change. We use a Data Processing Agreement with every sub-processor and use Standard Contractual Clauses for any transfer outside the UK/EU.

No selling of data

We do not sell, rent, or trade your personal information to advertisers or data brokers. Period.

Business transfers

If Aria is acquired or merged, your information may be transferred. We will notify you via email and provide options before any such transfer.

5. Security & Data Storage

Encryption

Data in transit is protected by TLS 1.3. Data at rest is encrypted with AES-256. Backups are encrypted with a separate key hierarchy from production. Keys are rotated annually or on suspected compromise.

Infrastructure

Aria's architecture is designed to support common compliance frameworks. We run annual penetration testing, maintain a responsible-disclosure process, and make attestation reports available to Enterprise customers under NDA.

Data residency

Customer data is stored in your selected region (UK, EU-West, or US-East). Backups stay within the same region. Customers may request a data export or deletion at any time from the Workspace settings.

6. Your Rights & Choices (UK & EU GDPR)

Right of access

You may request a copy of the personal data we hold about you. Email privacy@aria.example.invalid and we will respond within one calendar month.

Right to rectification

You may correct inaccurate or incomplete personal data we hold.

Right to erasure ("right to be forgotten")

You may request deletion of your personal data where we no longer need it for the purpose collected, you withdraw consent, or you object to processing without overriding legitimate grounds.

Right to restrict processing

You may ask us to suspend processing while we verify a request or evaluate an objection.

Right to data portability

You may receive the personal data you have provided to us in a structured, machine-readable format and ask us to transmit it to another controller.

Right to object

You may object to processing based on legitimate interests, including direct marketing and profiling.

Rights related to automated decision-making

You may ask for human review of decisions based solely on automated processing where those decisions produce legal or similarly significant effects.

Right to lodge a complaint

You may complain to a supervisory authority — in the UK, the Information Commissioner's Office at ico.org.uk; in the EU, your local DPA.

7. Your Rights — California & US State Privacy Laws

Right to know

California (CCPA/CPRA), Colorado, Connecticut, Texas, Virginia, and other US states with comprehensive privacy laws give residents the right to know what personal information we collect, the categories of sources, and the categories of third parties with whom we share it.

Right to delete

You may request deletion of personal information we have collected from you, subject to limited exceptions (e.g. transactions in progress, legal compliance).

Right to correct

You may request correction of inaccurate personal information.

Right to opt out of sale or sharing

If we sell or share your personal information for cross-context behavioural advertising, you may opt out via our "Do Not Sell or Share My Personal Information" page (linked in the footer when applicable). We honour the Global Privacy Control browser signal as a universal opt-out.

Right to limit use of sensitive PI

You may direct us to limit use of sensitive personal information to only what is necessary to provide the goods or services you requested.

Non-discrimination

We will not discriminate against you for exercising any privacy right.

Verification

Verifiable consumer requests may require us to confirm your identity. CPRA gives us up to 45 days (extendable to 90).

8. Do Not Track Signals (CalOPPA)

Our response

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry consensus on how DNT should be honoured. We treat DNT as a request to disable analytics and behavioural-advertising cookies; functional and essential cookies continue to operate.

Global Privacy Control

We honour the Global Privacy Control (GPC) signal as a universal opt-out from sale or sharing of personal information, as required by California, Colorado, Connecticut, and other US states.

9. Cookies

Essential cookies

Set automatically; required for authentication, security, and basic site function. You cannot opt out without breaking the site.

Optional cookies

Analytics, marketing, and functional cookies are only set with your consent (see our cookie banner). You can withdraw consent at any time. Visitors with Global Privacy Control or Do Not Track signals are auto-opted-out.

Questions about your privacy?

Contact our privacy team at privacy@aria.example.invalid or write to us at REPLACE WITH YOUR REGISTERED ADDRESS.

DemoUI kit preview — content is fictional.