Privacy Policy

Last Updated: January 25, 2025

At Arepo, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI knowledge assistant service.

            Quick Summary: We collect only the data necessary to provide our service (documents you upload and questions you ask). We use Uplink for AI processing and Cloudflare for secure storage. We never sell your data or train models on it.
        

1. Information We Collect

Information You Provide

Account Information: Email address, company name, and passphrase (encrypted)
Documents: Files you upload (PDF, DOCX, TXT, MD) and their content
Messages: Questions you ask and conversations with our AI assistant
Metadata: File names, upload dates, document purposes, and tags

Information Collected Automatically

Usage Data: Features used, documents accessed, chat frequency
Technical Data: IP address, browser type, device information
Performance Data: Response times, error logs, system diagnostics

Slack Integration Data (if connected)

Workspace Information: Workspace ID, team name, channel names
User Information: User IDs, display names (for attribution)
Messages: Direct messages to Arepo bot and @mentions in channels
Files: Documents shared with Arepo in Slack

2. How We Use Your Information

We use your information to:

Provide Our Service: Process documents, generate AI responses, and deliver accurate answers
RAG Processing: Create embeddings and semantic search indexes via Uplink AI infrastructure
Improve Quality: Monitor response accuracy and system performance
Account Management: Authenticate users, manage subscriptions, and provide support
Security: Detect fraud, prevent abuse, and protect user data
Communications: Send service updates, security alerts, and support responses
Legal Compliance: Comply with applicable laws and regulations

3. How We Store Your Data

Storage Infrastructure

Cloudflare D1: Account information and document metadata (encrypted at rest)
Cloudflare R2: Original document files (encrypted)
Cloudflare Vectorize: Document embeddings for semantic search (via Uplink)
Uplink Infrastructure: AI processing and RAG pipeline management

Data Encryption

All data is encrypted in transit using TLS 1.3
Data at rest is encrypted using AES-256 encryption
API keys and passphrases are hashed using industry-standard algorithms
Documents are stored in isolated tenant namespaces

Data Retention

Active Accounts: Data retained while account is active
After Deletion: 30-day grace period, then permanent deletion
Backups: Deleted data removed from backups within 90 days
Legal Holds: Data may be retained longer if required by law

4. Third-Party Services

We use the following third-party services:

Uplink (AI Infrastructure)

Purpose: AI processing, embeddings, and RAG pipeline
Data Shared: Document content, chat messages, metadata
Privacy: Uplink does not train models on your data

Cloudflare (Hosting & Infrastructure)

Purpose: Database, storage, CDN, and edge computing
Data Shared: All service data (encrypted)
Privacy: Subject to Cloudflare's privacy policy

Slack (if connected)

Purpose: Bot integration and workspace communication
Data Shared: Bot messages, uploaded files, user interactions
Privacy: Subject to Slack's privacy policy

5. Data Sharing and Disclosure

We do NOT sell your personal information.

We may share your data only in these limited circumstances:

Service Providers: Third-party infrastructure (Uplink, Cloudflare) as described above
Legal Requirements: When required by law, court order, or government request
Business Transfers: In connection with a merger, acquisition, or sale of assets
Consent: When you explicitly authorize sharing
Security: To protect rights, property, or safety of Arepo, users, or others

6. Your Privacy Rights

You have the right to:

Access: Request a copy of your personal data
Correction: Update or correct inaccurate information
Deletion: Request deletion of your account and data
Export: Download your data in a portable format
Opt-Out: Unsubscribe from marketing emails
Restrict Processing: Limit how we use your data
Object: Object to certain data processing activities

To exercise these rights, email us at [email protected]

7. International Data Transfers

Your data may be processed in countries outside your residence. We ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the EU Commission
Adequacy decisions for data transfers to approved countries
Encryption and security measures for all transfers

8. Children's Privacy

Arepo is not intended for children under 13. We do not knowingly collect information from children. If you believe we have collected data from a child, contact us immediately at [email protected]

9. Security Measures

We implement industry-standard security measures:

Multi-tenant isolation with namespace-based access control
Encrypted storage (AES-256) and transmission (TLS 1.3)
Regular security audits and penetration testing
Access logging and monitoring
Incident response procedures

Note: No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Cookies and Tracking

We use minimal cookies for:

Authentication: Session tokens to keep you logged in
Preferences: Theme, language, and UI settings
Analytics: Anonymous usage statistics (no personal identification)

You can disable cookies in your browser, but this may limit functionality.

11. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify you via:

Email to your registered address
In-app notification
Prominent notice on our website

Continued use of Arepo after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions or concerns, contact us at:

Privacy Team
Email: [email protected]
Support: [email protected]
Website: arepo.cloud/help

13. GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), you have additional rights under GDPR:

Legal Basis: We process data based on consent, contract performance, and legitimate interests
Data Protection Officer: Contact [email protected]
Supervisory Authority: You may lodge complaints with your local data protection authority
Cross-Border Transfers: Protected by Standard Contractual Clauses

14. California Privacy Rights (CCPA)

California residents have the right to:

Know what personal information is collected and how it's used
Request deletion of personal information
Opt-out of the sale of personal information (we don't sell data)
Non-discrimination for exercising privacy rights

To exercise CCPA rights, email [email protected] with "California Privacy Request" in the subject line.