Privacy Statement
Our commitment to transparency and data protection
Last updated: 27 June 2025
Who we are
ArmsLength AI sp. z o.o. ("ArmsLength AI", "we", "our", "us") is a company registered in Poland under KRS 0001130933 (REGON 529860865, NIP 676-267-86-89).
Registered office: ul. Czerwone Maki 45A/58, 30-392 Kraków, Poland.
Questions about this notice? Email privacy@armslength.ai or write to the address above.
Personal data we process
Data category | What we collect | Purpose | Retention |
---|---|---|---|
Account details | Name, business-email address, password hash | Create and secure user accounts; essential service emails | Deleted within 90 days of account closure |
Usage logs | IP address, timestamps, browser metadata, in-app actions | Fraud prevention, service analytics, incident response | 30 days (raw), then anonymised |
Support data | Content of tickets or emails you send us | Resolve technical issues | Up to 24 months, then deleted/anonymised |
⚠ Benchmarking inputs are public-domain company data, not personal data.
Legal bases
- Contractual Necessity (Art. 6 (1)(b) GDPR) – to deliver the service you subscribe to.
- Legitimate Interest (Art. 6 (1)(f)) – for security logging and product analytics.
- Consent (Art. 6 (1)(a)) – for optional marketing emails (you can withdraw anytime).
Where and how we store data
All production data is hosted exclusively in Germany:
- Microsoft Azure – Germany West Central (Frankfurt)
- Supabase – AWS eu-central-1 (Frankfurt)
- Vercel Frontend & Edge Functions – EU edge (primary Frankfurt POP)
Each provider applies AES-256 encryption at rest and TLS 1.2+ in transit and holds independent security attestations (ISO 27001, SOC 2 Type II, CSA STAR, as applicable).
We do not transfer customer data outside the European Economic Area.
Sharing and transfers
We never sell or rent personal data. Access is limited to:
- ArmsLength AI personnel with need-to-know duties.
- The sub-processors listed above (Azure, Supabase, Vercel) under GDPR-compliant Data Processing Agreements.
No other third-party transfers occur unless required by law.
Your rights
You may access, correct, erase, restrict, port or object to the processing of your personal data at any time and can lodge a complaint with your supervisory authority (in Poland: UODO).
Contact privacy@armslength.ai—we respond within 30 days.
Security
We enforce:
- Strong encryption in transit and at rest
- Role-based access control
- Multi-factor authentication on admin accounts
- Continuous vulnerability scanning
- 24 × 7 infrastructure monitoring
Production data is never used to train AI models.
Cookies
We only set:
- Essential session cookies – required for login.
- A privacy-friendly analytics cookie (_plausible.io) that collects no personal identifiers.
You can disable non-essential cookies in your browser with no impact on core functionality.
Changes
Future updates will appear here. For material changes we will notify registered users by email at least 30 days before they take effect.
© 2025 ArmsLength AI sp. z o.o.