Legal · Document 01

Privacy policy

How Arborr collects, uses, and safeguards information about visitors to this website and people who request access to the platform. We treat data like the people it describes — carefully.

Effective: 28 April 2026 Last updated: 28 April 2026 Version: 1.0

01 Who we are

Arborr ("Arborr", "we", "us") provides an AI-assisted reporting platform that turns natural-language questions into shareable reports backed by customer-authorised data sources. This policy covers the marketing website at arborr.ai and the "Request access" form that lets you join our private beta.

Use of the Arborr product itself — once you have access — is governed by a separate Data Processing Agreement and Terms of Service, because in that context we act as a processor of your customer data.

02 What we collect

Information you give us

When you submit the "Request access" form, we collect what you type into it:

  • Company name — to qualify and route the request.
  • Work email address — so we can reply.
  • Company size — for capacity planning during the private beta.
  • Industry — to understand which use cases are landing.

If you email us, the contents of that email and any attachments become part of our records for as long as we need them to handle the request.

Information collected automatically

  • Technical data — IP address, user-agent, referrer, and timestamps logged by our hosting and edge providers for security and abuse prevention.
  • Usage data — pages viewed, sections you interact with, broad device characteristics. Aggregated, never tied to your identity unless you've also submitted a form.

What we do not collect on this site

We don't ask for, and don't want, sensitive categories of personal data (health, financial account numbers, government IDs, etc.) on this website. If you accidentally include any in a free-text field or email, tell us and we'll delete it.

03 How we use it

  • To respond to access requests — review your submission, schedule a conversation, send beta credentials.
  • To improve the product and the website — understand which capabilities resonate, fix issues, prioritise the roadmap.
  • To keep things safe — detect abuse, rate-limit, prevent fraud and spam against our forms and infrastructure.
  • To meet legal obligations — respond to lawful requests, keep records required by tax, contract, or compliance regimes that apply to us.

We do not sell personal data. We do not use your data to train large language models. We do not run third-party advertising on this site.

05 Sharing & processors

We share personal data only with vetted service providers acting on our instructions, under written contracts that bind them to confidentiality and appropriate safeguards. The current list:

  • Cloudflare — edge hosting, DNS, DDoS protection, and the Worker that receives form submissions.
  • Notion — internal record of access requests so the team can follow up.
  • Email providers — to deliver and receive correspondence.
  • Anthropic — LLM provider used inside the Arborr product (not on this marketing website). Mentioned here for completeness; product-side processing is governed by your separate agreement with us.

We may also disclose information when we reasonably believe it is necessary to comply with law, enforce our terms, or protect the rights, property, or safety of Arborr, our users, or others.

If Arborr is involved in a merger, acquisition, or sale of assets, personal data may be transferred. We will provide notice and, where required, the opportunity to object before personal data becomes subject to a different privacy policy.

06 Cookies

We use a small number of first-party cookies and similar technologies:

  • Necessary — remember your cookie choice, preserve form state, mitigate abuse. Always on; the site won't work without them.
  • Analytics — measure aggregate usage so we can prioritise improvements. Loaded only after you accept.

The first time you visit, a banner asks you to accept all or only the necessary set. You can change your mind any time by clearing the arborr_cookie_choice entry in your browser's local storage and reloading the page.

07 Retention

  • Access-request submissions — kept for up to 24 months from your last interaction, after which they are deleted or anonymised, unless we still have an active relationship.
  • Email correspondence — kept for up to 36 months for service and legal-record purposes.
  • Server and security logs — typically 30–90 days, longer if needed to investigate a specific incident.
  • Cookie preferences — stored in your browser until you clear them.

08 Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data, subject to legal retention obligations.
  • Restrict or object to certain processing.
  • Receive a portable copy of data you provided.
  • Withdraw consent for cookies or marketing at any time.
  • Lodge a complaint with your data protection authority.

To exercise any of these, email privacy@arborr.ai. We respond within 30 days; if your request is complex we may extend by another 60 days and tell you why.

09 Security

Across both the marketing site and the product we apply layered safeguards:

  • TLS in transit, AES-256-GCM for sensitive credentials at rest.
  • Least-privilege access for staff, audit-logged.
  • Read-only database roles for any customer source connected to the product.
  • Secrets stored in managed secret vaults — never in source control.
  • Routine review of provider security posture and SOC 2 / ISO 27001 attestations where available.
No method of transmission or storage is 100% secure. If we ever discover a breach affecting your personal data, we will notify the relevant authorities and you, where required, without undue delay.

10 International transfers

Our service providers may process data outside your country, including in the European Union, the United States, and the United Arab Emirates. Where required, transfers are protected by Standard Contractual Clauses, adequacy decisions, or equivalent safeguards.

11 Children

Arborr is a B2B platform. The website and product are not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

12 Changes to this policy

We will post any updates here and revise the "Last updated" date above. For material changes we'll do more than that — typically an in-product notice or an email, depending on the relationship we have with you.

13 Contact

Questions, requests, or concerns about this policy:

If you'd rather request access to the platform, jump to the form.