1. Who we are (Data Controller)

For the purposes of EU and UK data protection law, the data controller for the Services is ARI THE AI LTD, Republic of Cyprus. You can contact us at any time at support@aritheai.com for any privacy-related question or to exercise your rights.

When AriOps is deployed on a brokerage’s own infrastructure under a separate commercial agreement, the brokerage is generally the controller of any personal data processed inside that deployment, and AritheAI acts as processor on the brokerage’s behalf. In those cases, the data processing agreement signed with the brokerage prevails over this Policy for that deployment.

2. Personal data we collect

Depending on which Service you use and how you interact with it, we may collect and process the following categories of personal data:

Account data— name, email address, password (hashed), organisation, role, and similar information you provide when creating an account.
Billing data— billing name, billing address, VAT number, plan, and limited payment metadata (such as the last four digits and brand of a payment card). Full card details are handled by our payment processor and are not stored on our servers.
Customer Content— documents, files, prompts, chat messages, quiz responses, and other content you submit to the Services. Customer Content may itself contain personal data (for example, names of staff in an uploaded manual).
Usage data— pages viewed, features used, requests made, request and response sizes, error events, device and browser information, IP address, and approximate location derived from your IP address.
Support data— the contents of any communications you send to us (for example, emails to support).

3. How we use personal data (purposes and legal bases)

We process personal data only where we have a lawful basis to do so under the GDPR:

To provide and operate the Services — including authentication, processing your prompts, generating responses, storing your Customer Content, and delivering the features of your plan. Legal basis: performance of a contract.
To bill and take payment— including issuing invoices, processing card payments via our payment processor, and managing renewals and cancellations. Legal basis: performance of a contract; compliance with legal obligations.
To secure and improve the Services — including detecting and preventing fraud, abuse, and security incidents, monitoring performance, and improving features and reliability. Legal basis: legitimate interests in running a secure and reliable service.
To communicate with you— including service announcements, security notices, and responses to support enquiries. Legal basis: performance of a contract; legitimate interests.
To send marketing— where you have opted in, or where permitted by applicable law to existing customers about similar products. You can opt out at any time. Legal basis: consent or legitimate interests, as applicable.
To comply with legal obligations — including tax, accounting, and responding to lawful requests from authorities. Legal basis: compliance with legal obligations.

We do not use Customer Content to train foundation models. We do not sell personal data.

4. Cookies and similar technologies

We use strictly necessary cookies and similar technologies to keep you signed in, to remember your preferences, and to secure the Services. Where we use analytics or non-essential cookies, we do so on the basis of your consent and you can withdraw consent at any time through your browser settings or any cookie banner we display.

5. Service providers and recipients

We share personal data only with categories of recipients who need it to help us operate the Services, and only under appropriate contractual protections (including, where applicable, GDPR Article 28 data processing agreements). Those categories include:

cloud hosting and infrastructure providers;
database, authentication, and storage providers;
AI model and inference providers;
payment processors;
email and customer communication providers;
error monitoring, analytics, and product-telemetry providers;
professional advisers (such as lawyers, auditors, and accountants); and
competent authorities, regulators, or courts where we are legally required to do so.

You can request our current list of subprocessors by emailing support@aritheai.com.

6. International transfers

Some of our service providers are located outside the European Economic Area or the United Kingdom. Where we transfer personal data outside those regions, we rely on recognised transfer mechanisms under the GDPR, such as the European Commission’s Standard Contractual Clauses (and the UK addendum where applicable), and we apply additional safeguards where appropriate.

7. Data retention

We keep personal data only for as long as needed to provide the Services to you, comply with our legal obligations (for example, accounting and tax rules), resolve disputes, and enforce our agreements. When you delete your account, we delete or anonymise associated Customer Content and account data within a reasonable period, except where we are required to retain it by law or where it is held in routine backups, which are rotated and deleted on a regular schedule.

8. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including encryption in transit, access controls, network isolation, logging and monitoring, and least-privilege access for our personnel. No system is perfectly secure, and we cannot guarantee absolute security; if we become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority where required by law.

9. Your rights under the GDPR

Subject to applicable law, you have the right to:

access the personal data we hold about you and receive a copy of it;
have inaccurate or incomplete personal data corrected;
have your personal data erased (the “right to be forgotten”);
restrict or object to certain processing of your personal data;
receive your personal data in a portable, machine-readable format and transmit it to another controller (data portability);
withdraw any consent you have given us at any time, without affecting the lawfulness of processing carried out before withdrawal; and
lodge a complaint with a supervisory authority. In Cyprus, this is the Office of the Commissioner for Personal Data Protection. You may also complain to the supervisory authority in your country of residence.

To exercise any of these rights, please email support@aritheai.com. We may need to verify your identity before acting on a request. We will respond within the timeframes required by applicable law (typically within one month).

10. Children

The Services are not directed at children. You must be at least 16 years old to use the Services. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to us, please contact us and we will take steps to delete it.

11. Automated decision-making and AI output

The Services use AI models to generate responses, summaries, quizzes, and other output. While AriOps can automate certain dealer-operation actions when configured to do so by the brokerage, the design intent is that a human remains responsible for configuration, supervision, and review of automated actions. We do not use Customer Content to make decisions about you that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.

12. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or by posting a notice within the Services) before the changes take effect. The “Effective date” at the top of this Policy indicates when it was last updated.

13. Contact

ARI THE AI LTD
Republic of Cyprus
Email: support@aritheai.com