It does not apply to: data you store or process inside your own ARA deployment (Licensee Data). That data stays on your infrastructure. ARA has no access to it.
Section 1 - Who We Are and Scope
1.1 Data Fiduciary / Controller
ARA AI Labs Private Limited ("ARA", "we", "us", "our") is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act") and, where applicable, the Data Controller under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and UK GDPR.
Incorporated in India under the Companies Act, 2013.
Privacy contact: legal@aralabs.ai - https://aralabs.ai
1.2 What This Policy Covers
- Website Data: data collected when you visit https://aralabs.ai, submit forms, register for a download, request a demo, or apply as a design partner.
- Software Telemetry Data: aggregate, non-identifiable operational data emitted by the ARA Software by default - see Section 3 for the opt-out mechanism (
ARA_TELEMETRY_DISABLE=1).
This Policy does not cover Licensee Data - data you store or process within your own ARA deployment. Licensee Data remains on your infrastructure. ARA has no access to it.
1.3 Primary Regulatory Framework
The DPDP Act 2023 is our primary data protection law. For users located in the EEA, United Kingdom, or Switzerland, the GDPR or UK GDPR also applies. Where requirements conflict, we apply the standard that provides greater protection to individuals.
Section 2 - Data We Collect and Why
We collect only what is necessary for the stated purpose. The table below covers every category of personal data we collect.
2A - Download Registration
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Work / personal email | Issue activation token and download link; send security advisories and release notifications | DPDP: Consent · GDPR: Art 6(1)(a) | 3 years or until deletion requested |
| Name (optional) | Personalise communications | DPDP: Consent · GDPR: Art 6(1)(a) | 3 years or until deletion requested |
| Company, role, use case, DV range, platform (optional) | Understand user base; prioritise product features; improve documentation | DPDP: Consent · GDPR: Art 6(1)(a) | 3 years (aggregated for analytics within 12 months) |
2B - Activation Tokens and Download Tokens
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| HMAC-SHA256 token hash, email reference, issue timestamp, IP at issuance, platform | Authenticate download; enforce single-use; detect token sharing and abuse | DPDP: Legitimate use · GDPR: Art 6(1)(f) Legitimate interests | Token hash: 30 days · Server access logs: 90 days |
Tokens are stored only as hashes. The raw token value is never persisted in ARA's database.
2C - Machine Activation
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| machine_id_hash (one-way hash of hardware attributes), email reference, activation timestamp, ARA version, platform | Enforce single-machine activation limits per Community Edition EULA; detect activation abuse | DPDP: Consent (EULA acceptance) · GDPR: Art 6(1)(b) Performance of contract | License duration + 1 year |
2D - License Records
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| License Key (cryptographic artifact, stored as hash), email reference, tier, activation date, expiry date, machine_id_hash reference | Validate active licenses; enable re-activation on machine change; enforce tier limits | DPDP: Consent · GDPR: Art 6(1)(b) Performance of contract | License duration + 3 years (for legal / audit purposes) |
2E - Contact, Demo, and Sales Requests
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, work email, company, job title, message content | Respond to enquiry; assess suitability for demo or Enterprise tier | DPDP: Consent · GDPR: Art 6(1)(a) | 2 years from last contact or until deletion requested |
2F - Design Partner Applications
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Company name, email, ML stack description, problem description | Evaluate suitability for Design Partner Programme | DPDP: Consent · GDPR: Art 6(1)(a) | 2 years or until deletion requested |
2G - Documentation Access
| Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email (verified), docs access token hash, access timestamp, IP address | Authenticate docs access; detect token sharing; understand documentation usage patterns | DPDP: Consent · GDPR: Art 6(1)(f) Legitimate interests | Token hash: 30 days · Email reference: 2 years |
Section 3 - Software Telemetry
3.1 Telemetry Is On By Default (Opt-Out)
ARA_TELEMETRY_DISABLE=1 before starting the ARA server process. Telemetry never includes Licensee Data, entity identifiers, feature values, decision outputs, or any personally identifiable information.
3.2 What Telemetry Contains (Effective Date)
As of 1 July 2026, telemetry events are written to local stdout and local log file only. No external HTTP calls are made by the Software. This will change as described in Section 3.4 below.
The telemetry events and fields collected are limited to operational metrics: ARA version, tier, worker count, port number, aggregate operations rate ranges, uptime, and crash metadata. Telemetry contains no Licensee Data, no entity identifiers, no feature values, no decision outputs, and no personally identifiable information.
3.3 Telemetry Legal Basis
- DPDP Act: Legitimate use - the processing is necessary for improving and securing the Software and does not cause harm to Data Principals. You may opt out at any time by setting
ARA_TELEMETRY_DISABLE=1. - GDPR: Legitimate interests (Art. 6(1)(f)) - ARA has a legitimate interest in understanding how the Software is used to improve reliability and guide product development. This interest is not overridden by your interests given the strictly anonymous, non-PII nature of the data. You may opt out at any time.
To opt out, set ARA_TELEMETRY_DISABLE=1 in the Software's environment and restart the ARA server process.
3.4 Planned Future Change: External Telemetry Transmission
ARA plans to add external telemetry transmission in a future Software version. When this change is introduced:
- Telemetry events will be transmitted via HTTPS POST to
https://telemetry.aralabs.ai/v1/event. - ARA's backend will forward these events to a PostHog analytics instance operated by PostHog, Inc. PostHog will be added as a Sub-Processor under ARA's Data Processing Agreement.
- The fields transmitted will remain those listed in Section 3.2 above - no additional personal data or Licensee Data will be added.
- ARA will notify all registered users and licensees at least thirty (30) days before this change is released.
- If you are not comfortable with external transmission, you may opt out before upgrading to the version that introduces external telemetry by setting
ARA_TELEMETRY_DISABLE=1.
3.5 What Telemetry Is Never
Telemetry will never include entity identifiers, feature values, or any data passing through ARA's serving path; customer names, email addresses, or personal information about you or your end users; infrastructure details beyond the Software's own version, tier, port, and worker configuration; or any data derived from or correlated with Licensee Data.
Section 4 - Cookies and Tracking
4.1 Cookies We Use
The ARA website uses only technically necessary cookies. We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that transmit data to external parties.
4.2 No Third-Party Tracking
We do not embed Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or any other third-party tracking script on the Website. We do not participate in cross-site advertising or behavioural targeting networks.
4.3 Future Changes
If we add optional analytics cookies or third-party tracking in future, we will update this Policy, add a cookie consent banner, and obtain your consent before placing non-essential cookies.
4.4 Server-Side Logging
Our web server maintains standard access logs recording IP addresses, HTTP method, URL path, response code, and timestamp for each request. These logs are used for security monitoring, abuse detection, and debugging. They are retained for up to ninety (90) days and are not shared with third parties for marketing.
Section 5 - How We Use Your Data
5.1 Service Delivery
We use your data to deliver the services you have requested: issuing download activation links; serving the correct binary for your platform; issuing and managing License Keys; responding to contact and demo enquiries; and operating the Documentation portal.
5.2 Communications
- Transactional emails (no opt-out): Activation links, download confirmations, License Key issuance, security advisories, and critical product notices. These are necessary for service delivery and cannot be opted out of while you have an active registration.
- Product communications (opt-out available): Release announcements, feature updates, and product news. You may unsubscribe at any time via the link in any such email or by writing to
legal@aralabs.ai. Unsubscription does not affect transactional emails.
5.3 Product Improvement
We use aggregated, anonymised data derived from registration enrichment fields (use case, role, company size, decision volume range) to understand our user base and prioritise features. We do not use individual-level data for these purposes unless it has been aggregated in a form that cannot identify you.
5.4 Security and Abuse Prevention
We use IP addresses, HTTP referrers, request timestamps, and token usage patterns for rate limiting, fraud prevention, activation abuse detection, and security monitoring. This processing is based on legitimate interests (GDPR) and legitimate use (DPDP Act).
5.5 Legal Compliance
We may process or retain personal data as required by applicable law, including to comply with court orders, government requests, or tax obligations. We will notify you before disclosing your data in response to legal process, unless legally prohibited from doing so.
5.6 No Sale of Data
We do not sell, rent, or lease your personal data to any third party for their own commercial purposes. We do not share personal data with advertising networks, data brokers, or analytics resellers.
Section 6 - Data Sharing and Third-Party Processors
6.1 Our Principle
We share personal data with third parties only where necessary for service delivery, and only with parties that provide appropriate contractual and technical data protection guarantees.
6.2 Current Third-Party Processors
| Processor | Location | Purpose | Safeguard |
|---|---|---|---|
| GitHub, Inc. | USA | Release binary hosting; repository and issue tracking | Standard Contractual Clauses; GitHub DPA |
| Email delivery provider (TBD) | TBD | Transactional and product email delivery | DPA with equivalent protections |
| PostHog, Inc. (planned) | USA | Opt-out Software telemetry analytics (see §3.4) | Will be added 30 days before external telemetry release; SCCs; PostHog DPA |
6.3 No Other Sharing
We do not share personal data with any other third party except: (a) with your explicit consent; (b) as required by applicable law or court order; (c) to protect the rights, property, or safety of ARA, our users, or the public; or (d) in connection with a merger or acquisition, subject to the acquiring entity being bound by this Policy or providing equivalent protections.
6.4 International Transfers
Your data is primarily stored and processed in India. Where we transfer personal data to processors located outside India, we ensure appropriate safeguards:
- For EEA/UK data subjects: Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, or other approved transfer mechanisms.
- For Indian data subjects: Transfers are made in accordance with the DPDP Act's cross-border transfer provisions and applicable government notifications.
- We do not transfer data to jurisdictions subject to a binding government prohibition under Indian law.
Section 7 - Data Retention
7.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Download registration (email, name, enrichment fields) | 3 years from registration or until deletion requested |
| Activation / download token hashes | 30 days (tokens expire and are invalidated) |
| Machine activation records (machine_id_hash) | License duration + 1 year |
| License records | License duration + 3 years (legal / audit) |
| Contact and demo request data | 2 years from last contact or until deletion requested |
| Design partner application data | 2 years or until deletion requested |
| Server access logs (IP, URL, response code) | 90 days |
| Telemetry data (when external transmission is live) | 12 months in aggregate form |
7.2 Deletion on Request
You may request deletion of your personal data at any time by writing to legal@aralabs.ai. We will process deletion requests within thirty (30) days. Deletion may affect your ability to use the ARA Software if your License Key is linked to the deleted registration. We will inform you of any such impact before processing the deletion.
7.3 Retention Beyond Request
We may retain data beyond the periods above where: (a) we are required to do so by law (e.g., tax records for 7 years under Indian law); (b) the data is needed to resolve a pending dispute or legal claim; or (c) the data has been anonymised such that it can no longer identify you. We will inform you if we are unable to delete data for these reasons.
Section 8 - Data Security
8.1 Technical Measures
- TLS 1.2 or higher for all data in transit between your browser/client and our servers.
- Cryptographic hashing (HMAC-SHA256 or SHA-256) for all tokens, activation codes, and machine identifiers - original values are never stored.
- Single-use token enforcement: activation, download, and docs access tokens are invalidated after use.
- Per-IP rate limiting on all API endpoints (100 req/15 min general; 5 req/15 min on email-adjacent routes; 10 req/hour on file download).
- Server-side input validation and sanitisation on all form submissions.
- Security headers (CSP, HSTS, X-Content-Type-Options, etc.) on all responses.
- Admin routes protected by separate authentication middleware; not accessible to regular visitors.
- The GitHub release asset URL is never exposed in any API response - the binary is proxied through our server.
8.2 Organisational Measures
Access to personal data is restricted on a need-to-know basis within ARA. We do not retain unencrypted copies of sensitive tokens. We conduct periodic reviews of access controls and security configurations.
8.3 Breach Notification
In the event of a personal data breach likely to cause harm, ARA will notify the Data Protection Board of India (or relevant supervisory authority) within the timeframe required by applicable law (currently 72 hours under GDPR; under the DPDP Act, per forthcoming rules), and notify affected individuals without undue delay where the breach poses high risk. We maintain records of all breaches, their scope, effects, and remedial actions.
8.4 No Absolute Security
No security measure is perfect. Whilst we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. You are responsible for keeping your activation tokens, download links, and License Keys confidential.
Section 9 - Your Rights
9.1 Rights Under the DPDP Act (India)
| Right | What it means | How to exercise |
|---|---|---|
| Access | Obtain a summary of personal data we hold about you and how it is being processed | legal@aralabs.aiWe respond within 30 days. Identity verification may be required. |
| Correction | Have inaccurate or incomplete personal data corrected or updated | |
| Erasure | Have your personal data erased (subject to lawful retention requirements) | |
| Grievance Redressal | Lodge a grievance with ARA's Grievance Officer; escalate to the Data Protection Board of India if unresolved | |
| Withdraw Consent | Withdraw consent for any processing based on consent. Withdrawal does not affect lawfulness of prior processing. |
9.2 Additional Rights Under GDPR (EEA / UK / Switzerland)
| Right | What it means |
|---|---|
| Portability | Receive your personal data in a structured, machine-readable format and transmit it to another controller (where processing is by consent or contract) |
| Object | Object to processing based on legitimate interests. We will cease unless we demonstrate compelling grounds that override your interests |
| Restrict | Request restriction of processing in certain circumstances (e.g., while accuracy is contested) |
| Lodge a Complaint | Lodge a complaint with your Member State's supervisory authority (see §12.3) |
9.3 Response Timelines
We aim to respond to all rights requests within thirty (30) calendar days. Where a request is complex, we may extend by up to sixty (60) further days (GDPR) or as permitted by the DPDP Act, and will inform you of the extension and reason.
9.4 Verification
To protect against fraudulent requests, we may ask you to verify your identity before processing a rights request. We will only ask for information reasonably necessary to confirm your identity and locate your records.
Section 10 - Children's Privacy
The ARA Website and Software are intended for professional use by adults aged eighteen (18) or older. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected such data, contact legal@aralabs.ai and we will delete it promptly.
Section 11 - Changes to This Policy
11.1 How We Update This Policy
We may update this Privacy Policy to reflect changes in our data practices, applicable law, or the ARA Software. When we make material changes, we will update the Effective Date, email all registered users, and - where required by the DPDP Act - obtain fresh consent if we introduce a new purpose for processing that requires it.
11.2 Version History
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | 1 July 2026 | Initial publication |
Section 12 - Contact and Grievance Officer
12.1 How to Contact Us
For any question, request, or complaint relating to this Privacy Policy or our data practices:
- General privacy enquiries:
legal@aralabs.ai - Grievance Officer:
privacy@aralabs.ai(DPDP Act Grievance Officer designation) - Security vulnerabilities:
security@aralabs.ai - Postal: ARA AI Labs Private Limited, Raheja Woods, Pune, Maharashtra, India
12.2 Grievance Resolution Timeline
ARA's Grievance Officer will acknowledge your grievance within seven (7) business days of receipt and endeavour to resolve it within thirty (30) calendar days, as required by the DPDP Act. If a grievance cannot be resolved within thirty (30) days, we will inform you of the reason and expected resolution timeline.
12.3 Supervisory Authorities
- India: Data Protection Board of India (once constituted and operational under the DPDP Act, 2023)
- European Union: Your Member State's national data protection authority
- United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch