Privacy Policy — Arelis AI

Arelis AI UG (haftungsbeschränkt) ("Arelis AI", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services. We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable German data protection legislation.

1. Data Controller

The data controller responsible for processing your personal data is:

Arelis AI UG (haftungsbeschränkt)

Im Zollhafen 18, 3rd Floor

50678 Cologne, Germany

Managing Director: Ramon Marrero

Handelsregister: Amtsgericht Köln, HRB 123721

Email: contact@arelis.digital

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

Full name, email address, and company name provided during registration
Organization and project identifiers created within the platform
Authentication credentials managed through Firebase Authentication

2.2 Payment Information

Billing details (name, billing address, VAT ID) processed by Stripe, our payment processor
We do not store credit card numbers or full payment credentials on our servers

2.3 Usage Data

API call logs, metered usage events, and feature usage patterns
Audit events, compliance proofs, risk decisions, and replay records
Dashboard activity and interaction data

2.4 Technical Data

IP address, browser type and version, operating system
Device identifiers and screen resolution
Referring URLs and pages visited within the platform
Timestamps and session duration

2.5 Communication Data

Content of emails, support requests, and other correspondence you send to us

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

Processing Activity	Legal Basis	GDPR Article
Account creation and management	Performance of contract	Art. 6(1)(b)
Providing platform services (audit, compliance, risk)	Performance of contract	Art. 6(1)(b)
Payment processing and invoicing	Performance of contract	Art. 6(1)(b)
Usage metering and quota enforcement	Performance of contract	Art. 6(1)(b)
Analytics cookies and website analytics	Consent	Art. 6(1)(a)
Marketing cookies and communications	Consent	Art. 6(1)(a)
Platform security and fraud prevention	Legitimate interest	Art. 6(1)(f)
Technical infrastructure monitoring	Legitimate interest	Art. 6(1)(f)
Tax and accounting record-keeping	Legal obligation	Art. 6(1)(c)
Responding to legal requests or court orders	Legal obligation	Art. 6(1)(c)

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

4. How We Use Your Data

We use your personal data for the following purposes:

Service delivery: To provide, maintain, and improve the Arelis AI governance platform, including audit event processing, compliance proof generation, risk decision routing, and replay verification
Account management: To create and manage your account, authenticate your identity, and manage your organization and projects
Billing and payments: To process payments, manage subscriptions, track metered usage, and enforce quotas
Communication: To send transactional emails (account verification, password resets, usage alerts) and, with your consent, marketing communications
Analytics and improvement: To understand how users interact with our platform and to improve functionality, performance, and user experience
Security: To detect, prevent, and respond to security incidents, fraud, and abuse
Legal compliance: To comply with applicable laws, regulations, and legal processes

5. Cookies & Tracking Technologies

We use cookies and similar technologies on our platform:

5.1 Strictly Necessary Cookies

These cookies are essential for the platform to function. They include session cookies for authentication and CSRF protection tokens. They cannot be disabled.

5.2 Analytics Cookies

We use Google Analytics to understand how visitors interact with our website and platform. Google Analytics collects information such as pages visited, time on site, and referral source. This data is aggregated and anonymized where possible. These cookies are placed only with your consent.

5.3 Marketing Cookies

We may use marketing cookies to deliver relevant advertisements and measure campaign effectiveness. These cookies are placed only with your consent.

5.4 Managing Cookies

You can manage your cookie preferences through our cookie consent banner when you first visit our site, or at any time through your browser settings. Blocking certain cookies may affect the functionality of our platform.

6. Third-Party Sub-Processors

We share personal data with the following third-party service providers who process data on our behalf. Each sub-processor is bound by a Data Processing Agreement (DPA) and processes data only for the purposes specified.

Sub-Processor	Purpose	Data Processed	Location
Google Cloud Platform (GCP)	Infrastructure and hosting	All platform data	EU (default)
Firebase (Google)	User authentication	Email, auth tokens, user ID	EU
Stripe	Payment processing	Billing name, address, payment method	EU
Google Analytics	Website analytics	Usage data, IP address (anonymized)	EU

We regularly review our sub-processors and ensure they maintain adequate data protection standards. We will notify you of any material changes to our sub-processor list.

7. International Data Transfers

All platform data, including data processed by our sub-processors, is stored and processed within the European Union. Our infrastructure is hosted on Google Cloud Platform servers in EU regions, and our sub-processors (Firebase, Stripe, Google Analytics) are configured to process data within the EU.

For enterprise customers, the data region is configurable and may be set to EU, USA, or other regions as specified in the service agreement, with servers located as close to the customer's operations as possible. Where data is transferred outside the EU at an enterprise customer's request, we rely on the following safeguards:

Adequacy decisions: Transfers to countries with an adequacy decision from the European Commission
Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we use the European Commission's Standard Contractual Clauses
Supplementary measures: Encryption in transit and at rest, access controls, and regular security assessments

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

Data Category	Retention Period	Basis
Account information	Duration of account + 30 days after deletion	Contract performance
Governance data (audit events, proofs, risk decisions)	90 days to indefinite, per subscription plan	Contract performance
Payment and billing records	10 years (German tax law, AO §147)	Legal obligation
Usage and metering data	Duration of active subscription + 90 days	Contract performance
Server and access logs	90 days	Legitimate interest (security)
Analytics data	26 months (Google Analytics default)	Consent

Governance data retention varies by subscription plan. Available retention periods are 90 days, 1 year, 3 years, 5 years, or indefinite. Your specific retention period is determined by your active plan and can be reviewed in your account settings.

9. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): You may request a copy of the personal data we hold about you
Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data
Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations
Right to restriction (Art. 18): You may request that we restrict the processing of your data in certain circumstances
Right to data portability (Art. 20): You may request to receive your data in a structured, machine-readable format
Right to object (Art. 21): You may object to processing based on legitimate interest, including profiling
Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

How to Exercise Your Rights

You can exercise your data access and deletion rights directly through the platform's self-service tools in your account settings under Settings > Privacy. For all other requests, or if you prefer not to use the self-service tools, email us at contact@arelis.digital. We will respond within 30 days.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for Arelis AI is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)

Kavalleriestraße 2–4, 40213 Düsseldorf, Germany

Website: www.ldi.nrw.de

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls and tenant isolation at the database level
Regular security assessments and penetration testing
Incident response procedures in accordance with Art. 33 and Art. 34 GDPR
API key authentication with automatic rotation capabilities for programmatic access
CSRF protection on all state-changing operations

11. Our Role as Data Processor

When you use the Arelis AI platform to process governance data (audit events, compliance proofs, risk decisions, replay verifications) about your own end users or systems, we act as a data processor under Article 28 GDPR. You remain the data controller for that data.

In this capacity, we process your data only according to your documented instructions and the terms of our service agreement. We offer a Data Processing Agreement (DPA) to enterprise customers, which specifies:

The scope, nature, and purpose of processing
Data subject categories and personal data types
Our obligations as processor, including sub-processor management
Assistance with data subject requests and security incidents
Data deletion or return upon termination

For platform account data (your login credentials, billing information, and usage of our dashboard), we act as the data controller.

To request a copy of our DPA, contact us at contact@arelis.digital.

12. Children's Privacy

Our platform is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via email or a prominent notice on our platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

14. Contact Us

If you have questions about this Privacy Policy or our data protection practices, please contact us:

Arelis AI UG (haftungsbeschränkt)

Im Zollhafen 18, 3rd Floor

50678 Cologne, Germany

Email: contact@arelis.digital

← Back to home Terms of Service →