Arro AI LTD ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at arroai.app, our web application at web.arroai.app, and all related services (collectively, the "Service"). Please read this policy carefully. By using the Service, you consent to the practices described herein.
01 Information We Collect
1.1 Account Information
When you register for an account, we collect:
- Full name and email address.
- Password (stored in hashed form; we never store plaintext passwords).
- Organization name and role within your organization (owner, admin, or member).
- Billing and payment information (processed and stored by our payment processor; we do not store full credit card numbers).
1.2 Advertising Platform Data
When you connect your advertising accounts (currently Meta Ads), we access and store:
- Ad account identifiers and names.
- Campaign, ad set, and ad structures, configurations, and statuses.
- Performance metrics including impressions, clicks, conversions, spend, revenue, CPA, ROAS, CTR, and CPM.
- Audience targeting information associated with your campaigns.
- Creative assets linked to your ads (images, videos, copy text).
- Historical performance data for trend analysis and reporting.
1.3 User-Generated Content
We store content you create or upload through the Service, including:
- Creative assets uploaded or generated through the Service (images, videos, audio, logos, brand materials).
- Business context information you provide (business description, brand profile, target audience, competitors).
- Agent conversations and deliverables (strategy documents, ad copy, video projects).
- Content calendar items and publishing schedules.
- Team invitations and communications initiated through the Service.
1.4 Usage and Technical Data
We automatically collect certain information when you use the Service:
- IP address and approximate geolocation.
- Browser type, version, and operating system.
- Pages visited, features used, and actions taken within the Service.
- Date, time, and duration of sessions.
- Referring URLs and search terms that led you to our site.
- Device identifiers and screen resolution.
1.5 AI Interaction Data
When the AI agent operates on your behalf, we log:
- Monitoring reports generated for your campaigns.
- Recommendations made and actions taken (e.g., pausing, scaling, budget adjustments).
- Decision audit trails including timestamps, reasoning, and outcomes.
- Prompts and parameters used in creative generation.
02 How We Use Your Information
We use the information we collect for the following purposes:
| Purpose |
Data Used |
| Provide the Service |
Account info, ad platform data, user content |
| AI creative production & analytics |
Ad platform data, brand profile, business context |
| Generate creative assets |
Uploaded assets, business context, template parameters |
| Send reports & notifications |
Email address, campaign performance data |
| Process payments |
Billing information, subscription tier |
| Improve the Service |
Usage data, aggregated performance metrics |
| Ensure security |
IP addresses, session data, authentication logs |
| Communicate with you |
Email address, account preferences |
| Comply with legal obligations |
As required by applicable law |
03 AI Processing of Your Data
A core component of Arro is the use of artificial intelligence to create content and analyze your business and advertising data. It is important that you understand how this works:
- AI Agent Conversations: Your business context, brand profile, and project details are processed by AI models to generate strategy documents, ad copy, video scripts, and other creative deliverables.
- Third-Party AI Providers: We use OpenRouter to route AI requests to large language models, FAL AI for image and video generation, and Google Gemini for video analysis. When processing your data, business context and relevant assets are sent to these AI providers as part of structured requests. These providers process the data according to their own privacy policies and data processing agreements.
- Creative Production: When generating videos, images, voiceovers, or other media, your uploaded assets, brand guidelines, and provided parameters are processed through our production pipeline. AI is used to create, edit, and enhance creative content.
- Campaign Analytics: When you connect ad platform accounts, campaign performance data is retrieved and analyzed by AI to provide insights and inform creative strategy.
- Data Minimization: We transmit only the data necessary for each AI operation. We do not transmit your full account data for every AI interaction.
04 Third-Party Services
We share data with the following categories of third-party services to operate the platform:
| Service |
Purpose |
Data Shared |
| Meta (Facebook) |
Ad platform API integration |
API credentials, campaign management commands |
| OpenRouter |
AI model routing |
Campaign metrics, business context for AI analysis |
| Resend |
Transactional email delivery |
Email addresses, email content (invitations, reports) |
| Railway |
Infrastructure hosting |
All application data (hosted on their infrastructure) |
| Payment Processor |
Subscription billing |
Billing details, subscription status |
We require all third-party service providers to maintain appropriate security measures and to process data only as necessary to provide their services to us. We do not sell your personal information to third parties.
05 Data Retention
We retain your data as follows:
- Account Data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
- Campaign & Insights Data: Performance metrics and campaign data are retained for the duration of your account plus 90 days after deletion to allow for data export.
- AI Decision Logs: Audit logs of AI actions are retained for 12 months from the date of the action, or longer if required for dispute resolution.
- Creative Assets: Uploaded and generated creative files are retained for the duration of your account. Upon deletion, files are removed from storage within 30 days.
- Usage Logs: Technical and usage logs are retained for 12 months for security and analytical purposes.
- Billing Records: Payment and billing records are retained for 7 years as required by tax and financial regulations.
06 Cookies & Tracking Technologies
We use the following cookies and tracking technologies:
- Essential Cookies: Required for authentication (JWT tokens stored in localStorage) and core functionality. These cannot be disabled without affecting the Service.
- Analytical Cookies: Used to understand how you interact with the Service, including page views and feature usage. These help us improve the platform.
- Preference Cookies: Store your settings and preferences (such as theme and dashboard layout) for a better user experience.
We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings, though disabling essential cookies may impair functionality.
07 Your Rights
7.1 General Rights
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Export: Request your data in a portable, machine-readable format.
- Objection: Object to certain processing of your personal data.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
7.2 European Economic Area (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on: (a) your consent, (b) performance of our contract with you, (c) our legitimate interests (such as platform improvement and security), or (d) legal obligations.
- Data Portability: You may request transfer of your data to another service provider in a structured, commonly used format.
- Restriction: You may request restriction of processing while we verify accuracy or assess an objection.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.
- International Transfers: Your data may be transferred to and processed in the United States. We implement appropriate safeguards, including standard contractual clauses, to protect your data during international transfers.
7.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: You may request details about the categories and specific pieces of personal information we collect, the purposes of collection, and the categories of third parties with whom we share data.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt Out: We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Categories of Information: We collect identifiers, commercial information (subscription data), internet activity (usage data), and professional information (business context). We do not collect sensitive personal information as defined by the CPRA.
To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).
08 Security Measures
We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL. Database connections are encrypted in transit.
- Authentication: JWT-based authentication with secure token handling. Passwords are hashed using industry-standard algorithms before storage.
- Access Control: Role-based access controls ensure team members only access data appropriate to their role. All API endpoints are authenticated and authorized.
- Infrastructure: Our application is hosted on Railway with managed PostgreSQL and Redis instances that include automated backups and security patches.
- Data Isolation: Multi-tenant architecture with organization-level data scoping ensures your data is logically isolated from other customers' data.
- Monitoring: We monitor for security incidents and unauthorized access attempts.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users in the event of a data breach as required by applicable law.
09 Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].
10 International Data Transfers
Arro AI LTD is based in the United Kingdom, and our primary data processing occurs in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers, including:
- Standard Contractual Clauses approved by the European Commission.
- Data processing agreements with all sub-processors.
- Regular assessment of the legal frameworks in recipient countries.
11 Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. Since there is no accepted standard for how to respond to DNT signals, we do not currently respond to them. However, we do not engage in cross-site tracking of our users.
12 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Notify you by email or through a prominent notice in the Service at least 30 days before changes take effect.
- Where required by law, obtain your consent before implementing material changes.
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
13 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For data protection inquiries from the European Economic Area, you may also contact our designated representative at the email address above. We will respond to all privacy-related inquiries within 30 days.