Privacy Statement

Effective Date: April 1, 2026 | Version 1.0

ARIAS AI Inc., a Delaware Corporation (operating at www.tryarias.com), is committed to protecting the privacy of enterprise customers, authorized users, and any individuals whose data may be processed through the ARIAS platform. This Privacy Statement explains what information we collect, how we use it, how we protect it, and the rights available to you.

1. Scope and Application

This Privacy Statement applies to the ARIAS enterprise AI agent governance platform — the Control Plane for AI Agents — including the web-based interface, API services, scanner client software, and all related documentation and support channels (collectively, the “Platform”). It governs the collection and processing of information from:

  • Enterprise customers that have entered into a Master Subscription Agreement or equivalent contract with ARIAS (“Customers”)
  • Authorized users designated by Customers to access the Platform (“Users”)
  • Visitors to www.tryarias.com and any other ARIAS-operated web properties
  • Individuals whose personal data may be incidentally included in metadata or documentation submitted to the Platform

This statement does not govern the data practices of third-party integrations, version control platforms, CI/CD systems, or agent deployment environments that Customers connect to the Platform. The ARIAS scanner client runs entirely within the Customer’s own environment; Section 3.3 describes what data the scanner transmits.

2. Definitions

For the purposes of this Privacy Statement:

“Agent Specification” means any configuration file, prompt template, workflow definition, tool manifest, policy document, or related artifact that exists within a Customer’s environment and is analyzed locally by the ARIAS scanner client. Agent Specifications are never transmitted to the ARIAS Platform.

“Behavioral Fingerprint Data” means structured metadata computed locally by the ARIAS scanner client from Agent Specifications, comprising component scores, risk indicators, drift metrics, and associated version identifiers. This is the data transmitted to the Platform — not the underlying Agent Specifications.

“Customer Data” means all data, content, and information submitted by or on behalf of a Customer through the Platform, including Behavioral Fingerprint Data, assessment results, and account configuration.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.

“Processing” means any operation performed on data, including collection, storage, use, transmission, analysis, and deletion.

3. Information We Collect

3.1 Account and Identity Information

When a Customer establishes an account, we collect:

  • Organization name and contact details
  • Names and business email addresses of designated administrators and Users
  • Authentication credentials (passwords are stored in hashed form; plaintext passwords are never stored or transmitted)
  • Billing contact information for invoicing purposes

ARIAS does not store credit card numbers, bank account details, or other payment instrument data. Subscription payments are processed by our third-party payment processor, which retains and secures payment credentials in accordance with its own PCI-compliant practices.

3.2 Platform Usage Data

In the course of providing the Platform, we automatically collect:

  • Log data including IP addresses, browser type, operating system, session timestamps, and API request metadata
  • Feature interaction data recording which Platform capabilities are accessed and how frequently
  • Error reports and diagnostic information to support troubleshooting and service improvement
  • CI/CD pipeline integration events, including trigger timestamps and scan completion status

3.3 Behavioral Fingerprint Data — What the Scanner Transmits

The ARIAS scanner client operates entirely within the Customer’s own environment (on-premise servers, cloud infrastructure, or CI/CD pipelines). The scanner analyzes Agent Specifications locally and computes Behavioral Fingerprint Data from them. Only the resulting Behavioral Fingerprint Data — structured numeric and categorical metadata — is transmitted to the ARIAS Platform. Agent Specifications themselves are never transmitted to or stored by ARIAS.

Behavioral Fingerprint Data transmitted to the Platform includes:

  • Computed component scores across defined behavioral dimensions
  • Drift indicators relative to prior fingerprint baselines
  • Risk classification outputs
  • Agent and version identifiers supplied by the Customer
  • Scan timestamps and pipeline context metadata

ARIAS does not monitor running AI agents, collect runtime behavioral telemetry, or process data generated by deployed agents in production. All assessment occurs at design time, on specifications, within the Customer’s environment, before deployment.

3.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies on www.tryarias.com and the web-based Platform interface. Cookies are small text files stored on your device that help us operate and improve the Platform. We use the following categories of cookies:

  • Strictly Necessary Cookies: Required for the Platform to function, including authentication session management and security tokens. These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings to personalize your experience.
  • Analytics Cookies: Collect aggregated, de-identified data about how users interact with the Platform to help us improve it. We use privacy-focused analytics tools and do not share individual-level analytics data with third parties.
  • Marketing Cookies: We do not currently use marketing or advertising cookies on the Platform.

You can manage cookie preferences through your browser settings or our cookie preference center accessible via the Platform footer. Disabling strictly necessary cookies will impair Platform functionality. Cookie data is retained for up to 13 months.

Do Not Track: California law requires us to disclose how we respond to Do Not Track (DNT) browser signals. We do not currently alter our data collection practices in response to DNT signals, as there is no universally accepted standard for what DNT requires. If a standard is adopted, we will revisit this policy.

3.5 Communications Data

If you contact us for support, provide feedback, or engage with our sales or marketing channels, we collect the content of those communications together with associated contact information.

4. How We Use Your Information

4.1 Service Delivery

  • Provide, operate, and maintain the Platform
  • Process Behavioral Fingerprint Data and generate certification and drift assessment outputs
  • Maintain historical fingerprint records to enable version-to-version drift detection
  • Authenticate users and enforce access controls
  • Manage billing and invoicing through our payment processor
  • Deliver contracted support services

4.2 Platform Improvement

Subject to the restrictions in Section 5, we may use aggregated and de-identified data to improve our assessment methodologies, develop new Platform features, and conduct internal research and quality assurance.

We may process Personal Data to comply with applicable laws, respond to lawful requests from public authorities, enforce our contractual rights, or protect against fraud, security incidents, or harmful activity.

5. Customer Data — Confidentiality and Use Restrictions

ARIAS treats Customer Data, including Behavioral Fingerprint Data and assessment outputs, as strictly confidential:

  • We do not use Behavioral Fingerprint Data or Assessment Outputs to train, fine-tune, or benchmark any AI or machine learning model without explicit written consent from the relevant Customer.
  • We do not sell, license, or otherwise commercialize Customer Data to third parties.
  • We do not use Customer Data for our own competitive intelligence purposes.
  • Access to Customer Data by ARIAS personnel is limited to those with a legitimate operational need and is logged and subject to internal review.

6. Data Sharing and Disclosure

We do not sell Personal Data. We may share information in the following limited circumstances:

6.1 Service Providers

We engage vetted third-party service providers for infrastructure hosting, payment processing, identity management, analytics, and customer support. These providers are contractually bound to process data only on our behalf and in accordance with our instructions.

6.2 Customer-Directed Integrations

Customers may configure the Platform to transmit Assessment Outputs to third-party systems such as ticketing platforms, SIEM tools, or CI/CD orchestrators. Such integrations are Customer-controlled; ARIAS is not responsible for the privacy practices of those downstream systems.

We may disclose information if required by law, court order, or in response to a lawful government request. Where permitted, we will notify the affected Customer prior to disclosure.

The Platform and www.tryarias.com may contain links to third-party websites or services. ARIAS is not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

6.5 Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets, Customer Data may be transferred to a successor entity that will be bound by this Privacy Statement or an equivalent policy. We will notify Customers prior to any such transfer.

7. Data Retention

We retain different categories of data based on operational necessity and legal obligation:

Data Category | Default Retention | Notes
Account & Identity Data | Subscription term + 2 years | Billing and audit purposes
Behavioral Fingerprint Data | Subscription term + 1 year | Required for drift analysis history
Assessment Outputs | Subscription term + 1 year | Customer may export at any time
Platform Usage & Access Logs | 13 months rolling | Standard security log retention
Support & Communications | 3 years from last contact | Quality assurance and disputes
Cookie & Analytics Data | Up to 13 months | Per cookie consent settings

Customers may request deletion of Customer Data at any time, subject to legal retention obligations. Upon subscription termination, we will securely delete or return Customer Data within 60 days unless otherwise agreed.

8. Security

We implement administrative, technical, and physical safeguards to protect information against unauthorized access, disclosure, alteration, or destruction. Key measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of Behavioral Fingerprint Data and Assessment Outputs at rest using AES-256 or equivalent
  • Role-based access controls with principle of least privilege
  • Multi-factor authentication for internal administrative access
  • Regular security assessments and penetration testing by qualified third parties
  • Incident response procedures with defined notification timelines

Because Agent Specifications never leave the Customer’s environment, the primary attack surface for raw agent logic resides entirely within the Customer’s own infrastructure. No security program can guarantee absolute protection. In the event of a breach affecting Personal Data, we will notify affected Customers in accordance with applicable law and our contractual obligations.

9. International Data Transfers

ARIAS is based in California, United States. If you access the Platform from outside the United States, Behavioral Fingerprint Data and Account Data may be transferred to and processed in the United States or other jurisdictions where our service providers operate. We implement appropriate safeguards for international transfers, including standard contractual clauses where required. Customers with specific data residency requirements should contact us prior to deployment.

10. Children’s Privacy

The ARIAS Platform is a business-to-business enterprise service not directed at, and not intended for use by, individuals under the age of 18. We do not knowingly collect Personal Data from minors. If we become aware that we have inadvertently received Personal Data from a minor, we will delete it promptly. If you believe we have collected information from a minor, please contact us at privacy@tryarias.com.

11. Your Privacy Rights

11.1 Rights Available to All Users

Subject to applicable law and the terms of the relevant Customer agreement, Users and individuals may have the following rights with respect to their Personal Data:

  • Access: Request confirmation of whether we hold Personal Data about you and obtain a copy
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request erasure of Personal Data, subject to legal retention obligations
  • Portability: Receive a copy of certain data in a structured, machine-readable format
  • Objection and Restriction: Object to or request restriction of certain processing activities
  • Withdrawal of Consent: Where processing is based on consent, withdraw that consent at any time

11.2 California Residents — CCPA / CPRA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of Personal Data we have collected, the categories of sources, our business purposes for collecting it, and categories of third parties with whom we share it.
  • Right to Delete: Request deletion of Personal Data we have collected, subject to exceptions under applicable law.
  • Right to Correct: Request correction of inaccurate Personal Data.
  • Right to Opt-Out of Sale or Sharing: ARIAS does not sell Personal Data or share it for cross-context behavioral advertising. No opt-out is required, but we will honor any Global Privacy Control (GPC) or other opt-out signal we receive.
  • Right to Limit Use of Sensitive Personal Data: We do not use sensitive personal data for purposes beyond those permitted under the CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.
  • Authorized Agent Requests: You may designate an authorized agent to submit a request on your behalf. We may require written proof of authorization and may verify your identity directly.

Categories of Personal Data collected: identifiers (name, email, IP address); commercial information (subscription and billing records); internet or network activity (usage logs); and inferences drawn from usage data for account management purposes. We do not sell any of these categories.

To exercise your California rights, contact us at privacy@tryarias.com. We will verify your identity before processing requests and respond within 45 days (extendable by a further 45 days with notice).

11.3 California Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about any disclosures we may have made to third parties for their direct marketing purposes. ARIAS does not share Personal Data with third parties for their direct marketing purposes. For questions, contact us at privacy@tryarias.com.

12. Changes to This Privacy Statement

We may update this Privacy Statement from time to time. Material changes will be communicated to Customers via email or in-Platform notification at least 30 days before taking effect. The current version is always available at www.tryarias.com/privacy. Continued use of the Platform following the effective date constitutes acceptance of the revised statement.

13. Contact Information

ARIAS AI Inc., a Delaware Corporation
Email: privacy@tryarias.com
Website: www.tryarias.com/privacy

Questions about this Privacy Statement? Email: privacy@tryarias.com