Privacy Policy

Scope

This policy applies to visits to ariaa.ai and its subdomains, requests to our public API, and the ARIAA platform delivered to enterprise customers under contract. Where a customer controls the data being processed (the typical case for platform use), that customer is the data controller and ARIAA is the data processor; the Data Processing Addendum governs that relationship.

What we collect on ariaa.ai

• Analytics — Plausible, a privacy-preserving analytics product. No cookies, no cross-site tracking, no personally-identifying fingerprints. Plausible records the URL visited, referrer, device category, and country (derived from IP then discarded).
• Demo requests — name, work email, company, role, and the free-text fields you provide. Used to schedule a demo, respond to your enquiry, and (if you opt in) to send occasional product updates.
• Server logs — nginx access logs with IP, user-agent, request path, and response code. Retained 30 days for security and abuse investigation, then rotated and deleted.

We do not use third-party advertising cookies, remarketing pixels, or social-media tracking tags on ariaa.ai.

What we collect in the Platform

The Platform processes signal data, entity data, and customer-submitted content as directed by the customer. ARIAA does not access that content for our own purposes. We collect operational telemetry (request counts, latencies, error rates, queue depths) to run the Platform and to produce SLA reports. Operational telemetry is not linked to individual end users.

Legal bases — PIPEDA (Canada)

ARIAA is headquartered in Toronto, Ontario. Our primary data- protection regime is Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), applied together with applicable provincial legislation (including Quebec's Law 25, Alberta PIPA, and British Columbia PIPA where relevant). Personal data is collected, used, and disclosed for identified purposes with knowledge and consent as required by PIPEDA Principles 2, 3, and 4.

Legal bases — GDPR / UK GDPR

• Contract performance — for platform operation and customer support.
• Legitimate interest — for security, abuse detection, and operational analytics.
• Consent — for marketing communications, and for any optional features that process personal data beyond contract scope.

Legal bases — LGPD (Brazil)

Where personal data of Brazilian data subjects is processed, ARIAA operates under the bases of execução de contrato (art. 7, V), legítimo interesse (art. 7, IX) for security and operational analytics, and consentimento (art. 7, I) for marketing. Data subjects in Brazil may exercise the rights enumerated in art. 18 by emailing the address at the bottom of this page.

Your rights

You have the right to request access to, correction of, deletion of, or portability of your personal data, and to object to processing or request restriction. Rights are exercised via marko@intellimento.com. We respond within 30 days. Customers acting as data controllers should direct their own data subjects' rights requests to themselves and use our controller-to-processor APIs to fulfil those requests against Platform data.

Sharing and transfers

We do not sell personal data. We share personal data only with:

• Service providers processing data on our behalf under written data- processing agreements — hosting, email delivery, CRM, analytics. A current sub-processor list is available on request.
• Authorities, when compelled by a valid legal order, or to protect our or our customers' rights, property, or safety.

ARIAA is Canadian-incorporated and personal data may be processed in Canada and in customer-chosen deployment regions. Transfers out of the EEA, UK, or Switzerland rely on the Standard Contractual Clauses and, where required, supplementary technical and organisational measures. Transfers involving Brazilian data subjects rely on the mechanisms in art. 33 LGPD. Canada holds a European Commission adequacy decision for commercial activities under PIPEDA, which governs transfers from the EEA to Canada in that scope.

Retention

• Demo requests and commercial correspondence — up to 36 months after last interaction, unless the customer becomes active, in which case the retention window of the customer record applies.
• Server logs — 30 days.
• Platform data — per the customer's Order Form and DPA; the default is return-or-delete within 30 days of contract termination.

Security

We apply industry security best practices across the product lifecycle and align our controls with SOC 2 and ISO/IEC 27001 (both on the 2026 certification roadmap). Encryption in transit and at rest, least- privilege access, end-to-end audit logging, and secure development practices are table stakes we operate against by default. Specifics of the control implementation are shared with customers and auditors under NDA rather than disclosed publicly. See /security for the customer-facing posture.

Cookies

ariaa.ai uses no analytics cookies and no marketing cookies. We may set a strictly-necessary session cookie when you log into the platform at app.ariaa.ai; that cookie is HttpOnly, Secure, and SameSite=Lax.

Children

The Platform is a B2B offering. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us for immediate deletion.

Changes

We will post changes here and, for material changes affecting customers, notify the administrator contact on record at least 30 days in advance.

Contact

Data protection: marko@intellimento.com. For EEA, UK, Swiss, and LGPD data subjects, the controller contact is the same email; we will designate a local representative as soon as our data-processing volume requires it under the applicable threshold.