Privacy Policy

Effective date: To be determined upon legal review. Operator: Arkmurus Limited.
DRAFT — pending legal counsel review

This document is a working draft. It describes ARIA's actual data flows as implemented in the codebase, but it has not yet been reviewed or approved by external counsel. Do not rely on it for compliance decisions. Email support@arkmurus.com with any questions while the final policy is being prepared.

1. Who we are

ARIA is operated by Arkmurus Limited, a company registered in England & Wales. ARIA is a domain-specialised AI assistant for security and defence due-diligence work — see the model card for the capability statement.

Contact for any privacy enquiry, data subject access request (DSAR), or data deletion request: privacy@arkmurus.com (alias of support@arkmurus.com until a dedicated mailbox is provisioned).

2. What this policy covers

This policy covers personal data we process when you:

  • Sign up for or use the ARIA web product, WhatsApp interface, or the (forthcoming) public API.
  • Submit a registration request that requires admin approval.
  • Send us an email at any address we operate (support@arkmurus.com, privacy@arkmurus.com, aria@arkmurus.com).
  • Receive a daily intelligence briefing or watchlist alert from us.

It does not cover personal data about third parties that you ask ARIA to research (e.g. counterparty due-diligence subjects). That content is processed under your instructions; you are the controller of that data and we act as your processor — see §10.

3. What personal data we collect

From you, directly

| Category | Examples | Required? |
| --- | --- | --- |
| Account identifiers | Username, full name, email address, hashed password | Yes |
| Organisation context | Account type (individual / company), company name + country + size, sector, job title | Optional |
| Use-case context | Primary use cases, region focus, languages, volume estimate, compliance needs, free-text purpose statement | Optional |
| Conversation content | The messages you send to ARIA + ARIA's replies | Generated when you use the product |
| Document uploads | PDFs, DOCX, XLSX, images you upload for analysis | Generated when you upload |
| Communication preferences | Notification toggles (digest, flash, push, Telegram), Telegram username | Optional |
| Billing identifiers | Stripe customer ID + subscription ID once you subscribe (no card data — Stripe holds those) | Optional / generated on subscribe |

Automatically

| Category | Examples |
| --- | --- |
| Usage telemetry | Daily message counts, daily upload counts, monthly DD-run counts (the per-user quota counters in lib/billing/quotas.mjs and aria_service/intel/user_quota.py) |
| Audit-log entries | Each material claim ARIA produces with timestamp, source citations, confidence tag, source-tier breakdown — hash-chained and HMAC-signed (see model card §7) |
| Cost telemetry | Per-call LLM cost (provider, model, input/output tokens, latency) — used for the monthly cap enforcement |
| Server logs | HTTP request method / path / status / IP address / user-agent for the duration the host (fly.io / seenode) retains them |

4. Why we process this data (legal bases)

  1. Performance of contract (UK GDPR Art. 6(1)(b)) — we process account identifiers, conversation content, and document uploads to provide ARIA's service to you.
  2. Legitimate interests (Art. 6(1)(f)) — we process telemetry, audit-log entries, and cost data to operate, secure, and improve the service. Our legitimate interest is balanced against your privacy by quota caps, audit-log access controls, and minimisation (see §6).
  3. Legal obligation (Art. 6(1)(c)) — we retain audit-log entries to support compliance audits that you (or your customer's compliance officer) may need to evidence.
  4. Consent (Art. 6(1)(a)) — for optional fields (organisation context, use-case context, communication preferences) and for marketing communications. You may withdraw consent at any time via privacy@arkmurus.com or the in-product settings.

5. Who we share data with

We use the following third-party processors. Each receives the minimum data necessary to perform its function:

| Processor | Purpose | What's shared |
| --- | --- | --- |
| Anthropic (Claude) | Primary LLM provider for chat reasoning | Conversation content + system prompt, sent at request time. Subject to Anthropic's terms. |
| DeepSeek, OpenAI, Mistral, Groq, OpenRouter | Fallback LLM providers | Same as Anthropic when a fallback is invoked. |
| OpenSanctions | Sanctions screening | Counterparty entity names submitted via DD orchestrator. |
| Companies House (UK) | Corporate registry lookup | UK company numbers / names submitted during DD. |
| Stripe | Subscription billing (when activated) | Email + name (for the Stripe customer object); Stripe stores card data directly. |
| Fly.io (LHR region) | Hosting the Python brain + persistent volume | All your data at rest. |
| Seenode | Hosting the Node front-end + sweep + WhatsApp listener | All your data at rest. |
| Upstash Redis | Cache + dual-write store for sessions, watchlist, intel ledger | Cached content (conversation summaries, fact records, audit-log entries); content is at rest in Redis. |
| Twilio / Baileys WhatsApp | WhatsApp message transport (when WA channel is active) | Your messages and our replies; subject to Meta's WhatsApp Business terms. |
| Email providers (operator's IMAP/SMTP) | Inbound email ingestion + transactional email | Email content sent to aria@arkmurus.com; outbound notifications. |

We do not sell personal data. We do not use your conversation content to train external LLMs: we have no agreement to send training data to any provider, and the only content a provider receives is the chat request/response round-trip itself.

6. How long we keep data

| Data type | Retention |
| --- | --- |
| Conversation history | Until you delete it (per-conversation delete via DELETE /api/aria/conversations/:id) or you close your account. |
| Account record | Until you close your account; then 30 days for backup before deletion. |
| Document uploads | Bound to the conversation that ingested them; deleted when that conversation is deleted. |
| Audit-log entries | Retained as long as the account exists for evidentiary integrity (these are the hash-chained entries; deleting them would break the chain). On account closure, your audit-log entries are retained in pseudonymised form (user_id only, no email) for 6 years to satisfy potential compliance/legal hold periods. |
| Telemetry counters | Daily counters keyed by UTC date with TTL of 36 hours; monthly counters with 35-day TTL. |
| Server logs | Per-host retention (fly.io / seenode default; typically 7–30 days). |
| Backup snapshots | Off-host email backups retained per ARIA_BACKUP_RETENTION_DAYS (default 30 days). |

7. Your rights

Under UK GDPR / EU GDPR you have the right to:

  • Access your personal data — request a copy via privacy@arkmurus.com.
  • Rectify inaccurate data — most fields are editable in the account page (/account.html). Others can be corrected via the same email.
  • Erase your data — close your account by emailing privacy@arkmurus.com. We will delete your account record + conversations + uploads within 30 days; audit-log entries are pseudonymised on the same schedule.
  • Restrict processing — pause specific processing categories (e.g. opt out of telemetry) by contacting us.
  • Portability — receive your data in a machine-readable format (JSON) within 30 days of request.
  • Object — object to processing based on legitimate interests; we will weigh and respond.
  • Withdraw consent — for any processing based on consent.
  • Lodge a complaint — with the UK ICO (ico.org.uk) or your local supervisory authority.

8. International transfers

Our primary infrastructure is in the United Kingdom (fly.io LHR region) and the EU (Upstash, seenode). LLM provider calls may transfer your conversation content to the United States (Anthropic, OpenAI), other EU regions (Mistral, DeepSeek), or Singapore (Groq). All transfers rely on the UK / EU Standard Contractual Clauses (SCCs) where applicable, and on the UK / EU adequacy regulations for the relevant jurisdiction where adequacy applies. We do not transfer data to jurisdictions without an adequacy decision or SCC coverage.

9. Security

  • Passwords are hashed with PBKDF2-SHA-512 (100,000 iterations) — we never see your plaintext password.
  • Authentication uses HMAC-SHA-256 signed JWTs; the signing secret is mandatory in production (JWT_SECRET env var; the codebase hard-fails at boot if unset).
  • Audit-log entries are HMAC-SHA-256 signed; the production fingerprint is published in the model card.
  • API endpoints are bearer-token protected; tokens are constant-time compared.
  • 2FA (TOTP) is available on every account.
  • We monitor for sustained authentication failures + signal-bridge misconfiguration via boot self-checks (R-F45) and surface them on the public status page.
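The hash-chained, HMAC-signed audit log referred to in §3, §6 and §9 can be illustrated with a small model of how such a chain is built and verified. The code below is an added example written for this page; it is not ARIA's implementation, and the entry schema (field names, the genesis value, the body-hash-then-HMAC layout) and the signing key are assumptions constructed for illustration. It shows why §6 says deleting an entry breaks the chain, and why keeping only user_id in the hashed body lets entries be pseudonymised without invalidating them.

```python
import hashlib
import hmac
import json

# Constructed signing key for this example only; a deployment would load its
# audit key from a secret store, never from source.
AUDIT_HMAC_KEY = b"example-audit-key-not-a-real-secret"
GENESIS_HASH = "0" * 64


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so the same body always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _sign(entry_hash: str, key: bytes) -> str:
    return hmac.new(key, entry_hash.encode("ascii"), hashlib.sha256).hexdigest()


def append_entry(chain: list, *, user_id: str, claim: str, sources: list,
                 confidence: str, source_tiers: dict, ts: str,
                 key: bytes = AUDIT_HMAC_KEY) -> dict:
    """Append one claim to the chain (assumed schema, not ARIA's own).

    The hashed body carries only user_id (no email), so entries stay verifiable
    after the account record that maps user_id to a person is deleted. Each body
    embeds the previous entry's hash; the body hash is then HMAC-signed, so a
    tampered entry fails either the chain link, the body hash or the MAC.
    """
    body = {
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS_HASH,
        "ts": ts,
        "user_id": user_id,
        "claim": claim,
        "sources": sources,
        "confidence": confidence,
        "source_tiers": source_tiers,
    }
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    entry = dict(body, entry_hash=entry_hash, hmac=_sign(entry_hash, key))
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = AUDIT_HMAC_KEY) -> tuple:
    """Walk the chain; return (ok, reason). Any edit, deletion or reorder fails."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "hmac")}
        if body.get("prev_hash") != expected_prev:
            return False, f"entry {i}: prev_hash does not link to the previous entry"
        recomputed = hashlib.sha256(_canonical(body)).hexdigest()
        if recomputed != entry.get("entry_hash"):
            return False, f"entry {i}: body hash mismatch (content altered)"
        # compare_digest is a constant-time comparison, the same property the
        # policy states for bearer-token checks.
        if not hmac.compare_digest(_sign(recomputed, key), entry.get("hmac", "")):
            return False, f"entry {i}: HMAC invalid (wrong key or forged entry)"
        expected_prev = recomputed
    return True, f"{len(chain)} entries verified"


def demo() -> dict:
    """Build a three-entry chain and show which manipulations verification catches."""
    chain = []
    # Constructed sample claims; not real due-diligence output.
    common = dict(user_id="u-1234", sources=["opensanctions"], confidence="medium",
                  source_tiers={"primary": 1}, ts="2025-01-01T00:00:00Z")
    for claim in ("Entity X matched a sanctions list",
                  "Director Y appears on UK register",
                  "No adverse media found"):
        append_entry(chain, claim=claim, **common)
    results = {"intact": verify_chain(chain)[0]}

    # Deleting a middle entry breaks the prev_hash link of the entry after it.
    deleted = chain[:1] + chain[2:]
    results["after_delete"] = verify_chain(deleted)[0]

    # Editing a claim changes its body hash, so entry_hash no longer matches.
    edited = json.loads(json.dumps(chain))
    edited[1]["claim"] = "Director Y is clean"
    results["after_edit"] = verify_chain(edited)[0]

    # Re-hashing the edited entry without the key still fails the HMAC check.
    body = {k: v for k, v in edited[1].items() if k not in ("entry_hash", "hmac")}
    edited[1]["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    results["after_edit_rehash"] = verify_chain(edited)[0]

    # No entry carries an email, so pseudonymisation (deleting the user_id to
    # email mapping held elsewhere) leaves the chain untouched and verifiable.
    results["no_email_in_entries"] = all("email" not in e for e in chain)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the verdicts: the intact chain verifies, while deletion, in-place editing and editing plus re-hashing without the key all fail. The design choice that matters for §6 is that the identity mapping lives outside the signed entries; that is what allows entries to be kept in pseudonymised form after account closure without breaking the chain.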

No system is unbreachable. If we discover a breach affecting your data, we will notify you within 72 hours of becoming aware, in line with UK GDPR Art. 33.

10. Counterparty data (you-as-controller)

When you ask ARIA to investigate a third-party entity (a company, a director, a beneficial owner), ARIA processes that personal data under your instructions. In legal terms, you are the data controller for that processing and we act as your processor.

We will execute a Data Processing Agreement (DPA) with you on request. The DPA aligns with the UK ICO's standard processor terms and includes:

  • Specific processing purposes (DD, sanctions screening, programme research);
  • Sub-processor list (the third parties listed in §5);
  • Notification obligations on breach;
  • Audit rights;
  • Return-or-delete obligations on contract end.

Contact privacy@arkmurus.com to request a DPA.

11. Children

ARIA is a defence-industry tool intended for professional adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, contact privacy@arkmurus.com and we will delete the account.

12. Changes to this policy

We will publish material changes here and notify registered users by email at least 30 days before they take effect. Non-material changes (clarifications, formatting) take effect on publication.

Companion documents: Terms of service · Model card · Status page

Operator: Arkmurus Limited, England & Wales · Privacy contact: privacy@arkmurus.com