Privacy Policy
Last updated: June 9, 2026.
1. Who we are
Ari is an email/admin assistant for small businesses. It reads a business's inbound email, calendar, files, and dictated notes; drafts replies; and helps file and organize the business's documents — always with a human approving any outbound message. “We”/“Ari” is the operator of the service; “you” is the business that connects its accounts.
2. What data we access, and why
We access only what's needed to run the assistant for your business:
- Google / Microsoft account identity (name, email) — to sign you in and gate access to your business's workspace.
- Email (Gmail / Outlook) — to read inbound mail for context and to send the replies you approve.
- Calendar — to read and (on your confirmation) write events.
- Files (Google Drive / OneDrive) — to file your uploads into your drive and to help organize it (create folders, rename, move, send to the recycle bin), with each change made only after you confirm it, and to read the files you point us to for context.
- Voice memos and photos you capture — to transcribe and extract project facts.
- A single essential session cookie — to keep you signed in. We set no advertising, analytics, or cross-site tracking cookies.
We request the minimum scopes that support these features. We do not crawl your whole drive or mailbox indiscriminately; file and mail access is on demand and scoped to what the task needs.
3. How we use it
Your data is used only to provide and improve the assistant features for your own business — drafting, routing, filing, organizing. Specifically, we do not:
- use your data for advertising;
- sell your data or share it except with the subprocessors below (to run the service), for security, or to comply with law;
- let our staff read your content except where you've consented (e.g. an operator reviewing a flagged draft as part of the service, through a VPN-only, audited console), where required for security, or where the law requires it;
- use your Google or Microsoft data to train generalized AI/ML models.
Ari's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements, and to the Limited Use requirements that apply to Workspace APIs.
4. Who processes it (subprocessors)
We run on third-party services. As of the date above:
| Subprocessor | Role |
|---|---|
| Google Cloud (GCP) | Hosting (Cloud Run, Cloud SQL/Postgres, GCS, Secret Manager); also your Google mailbox/calendar/Drive |
| Microsoft | Your Outlook mailbox/calendar/OneDrive (if you connect Microsoft) |
| Anthropic | Reasoning, drafting, summarizing |
| OpenAI | Text embeddings |
| Groq | Voice transcription |
| Twilio | SMS / RCS notifications |
Our AI subprocessors are used under commercial terms that do not permit training on our inputs, with zero-data-retention where the provider offers it. We notify you of any material change to this list.
5. How we protect it
- US data location. Your data is processed and stored in the United States (Google Cloud, US region).
- Encryption at rest. Your connection credentials (OAuth refresh tokens, app-specific passwords) are encrypted with AES-256-GCM using a key derived per business — one business's data can't be decrypted with another's key.
- Least access. Decryption is limited to a single narrow internal capability; our AI/drafting components never receive your tokens or raw file bytes — they work from derived context.
- Isolation. Every data access is fenced to your business; sign-in is limited to email addresses your administrator approved.
- Human-in-the-loop + reversible writes. No email sends and no file change happens without your confirmation; deletions go to the recycle bin (recoverable), never a permanent delete.
- Audit. Actions are recorded in an append-only audit log.
- Incident notice. If your data is ever accessed, lost, or leaked without authorization, we notify you without undue delay — and within 72 hours of confirming the incident — with what was involved, the likely cause, and how we're remediating it.
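To make the “Encryption at rest” and “Least access” points above concrete, here is an added, self-contained Go example. It is an illustration written for this page, not Ari's own implementation; the master key, the salt and info labels, and the business IDs are constructed for the example. It derives a distinct AES-256 key per business from one master key with HKDF (a real service would hold that master key in Secret Manager) and binds the business ID into AES-GCM's additional data, so a credential sealed for one business cannot be opened under another business's key or label, and tampering or truncation is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// masterKey stands in for the key-encryption key a real deployment would
// fetch from a secret manager. This value is constructed for the example.
var masterKey = []byte("example-master-key-32-bytes-long")

// hkdfSHA256 is a minimal RFC 5869 HKDF (extract + one expand block) that
// returns 32 bytes, i.e. one AES-256 key. Written inline so the example
// needs nothing outside the Go standard library.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // block counter for T(1)
	return expand.Sum(nil)
}

// businessKey derives the data-encryption key for one business. The business
// ID is the HKDF info, so every business gets a distinct key even though all
// keys descend from the same master key. The salt and info labels are assumed
// names for this example, not anything taken from the policy.
func businessKey(businessID string) []byte {
	return hkdfSHA256(masterKey, []byte("ari-credential-kek-v1"), []byte("business:"+businessID))
}

func gcmFor(businessID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(businessKey(businessID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts a credential (e.g. an OAuth refresh token) under the
// business's key. The business ID is also passed as GCM additional data, so a
// ciphertext re-labelled to another business fails authentication.
func SealCredential(businessID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(businessID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(businessID)), nil
}

// OpenCredential reverses SealCredential. It returns an error, never a wrong
// plaintext, when the business ID differs from the one used to seal or when
// the stored blob has been truncated or modified.
func OpenCredential(businessID string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(businessID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed credential too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(businessID))
}

func main() {
	// Constructed sample credential; not a real token.
	sealed, err := SealCredential("biz-a", []byte("1//refresh-token-for-biz-a"))
	if err != nil {
		panic(err)
	}
	pt, err := OpenCredential("biz-a", sealed)
	fmt.Printf("own business: %q err=%v\n", pt, err)
	_, err = OpenCredential("biz-b", sealed)
	fmt.Printf("other business: err=%v\n", err) // expect an authentication error
}
```

Running the file shows the own-business decrypt succeeding and the cross-business attempt failing authentication. In a deployment of the kind the policy describes, the master key would live in Secret Manager, the per-business key would be derived only inside the narrow decryption capability, and the drafting components would receive derived context rather than the opened credential.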
6. Retention & deletion
- While a provider is connected we keep the encrypted credential and its connection metadata (provider, address, scopes). Secrets are never stored in plaintext.
- Email and Drive content is processed transiently — read on demand for the task at hand and not kept in a long-term index or content cache.
- Voice memos: the raw audio is transcribed and then discarded; we keep only the transcript. Photos and files you capture are kept in your project's media store for the life of the project, then purged or cold-archived when the project closes.
- Your uploads are stored as your business's record (in our US storage), and a copy is written to your own Drive / OneDrive.
- Disconnect any time. Disconnecting revokes our access and deletes the stored credential — not just a status flag.
- On cancellation, we export your data to you and purge our copies within 30 days. A “delete everything” request is honored and actually completes — every record for your business is removed.
7. Your choices
- Disconnect a provider at any time from the app, or revoke access from your Google/Microsoft account security settings.
- Request export or deletion of your data.
- Contact us at [email protected] for any privacy request (export, deletion, or questions). For legal notices, contact [email protected].
8. Children
Ari is a tool for businesses and is not directed to children. We do not knowingly collect personal information from anyone under 16.
9. Changes
We'll update this policy as the service changes and revise the “last updated” date. We notify connected businesses of material changes.