ARA ARA.
  • Home
  • Architecture
  • Blog
  • Docs
  • Community
  • Enterprise
  • Security
  • Download
Get started
Legal

Privacy Policy

ARA AI Labs Private Limited Version 1.0 Effective: 1 July 2026
Contents
  • 1. Scope & Who We Are
  • 2. Data We Collect
  • 3. Software Telemetry
  • 4. Cookies & Tracking
  • 5. How We Use Data
  • 6. Sharing & Processors
  • 7. Retention
  • 8. Security
  • 9. Your Rights
  • 10. Children
  • 11. Policy Changes
  • 12. Contact & Grievances
This Privacy Policy applies to: the ARA website at https://aralabs.ai and the opt-out telemetry feature in the ARA Software.
It does not apply to: data you store or process inside your own ARA deployment (Licensee Data). That data stays on your infrastructure. ARA has no access to it.

Section 1 - Who We Are and Scope

1.1 Data Fiduciary / Controller

ARA AI Labs Private Limited ("ARA", "we", "us", "our") is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act") and, where applicable, the Data Controller under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and UK GDPR.

Incorporated in India under the Companies Act, 2013.
Privacy contact: legal@aralabs.ai - https://aralabs.ai

1.2 What This Policy Covers

  • Website Data: data collected when you visit https://aralabs.ai, submit forms, register for a download, request a demo, or apply as a design partner.
  • Software Telemetry Data: aggregate, non-identifiable operational data emitted by the ARA Software by default - see Section 3 for the opt-out mechanism (ARA_TELEMETRY_DISABLE=1).

This Policy does not cover Licensee Data - data you store or process within your own ARA deployment. Licensee Data remains on your infrastructure. ARA has no access to it.

1.3 Primary Regulatory Framework

The DPDP Act 2023 is our primary data protection law. For users located in the EEA, United Kingdom, or Switzerland, the GDPR or UK GDPR also applies. Where requirements conflict, we apply the standard that provides greater protection to individuals.

Section 2 - Data We Collect and Why

We collect only what is necessary for the stated purpose. The table below covers every category of personal data we collect.

2A - Download Registration

FieldPurposeLegal BasisRetention
Work / personal emailIssue activation token and download link; send security advisories and release notificationsDPDP: Consent · GDPR: Art 6(1)(a)3 years or until deletion requested
Name (optional)Personalise communicationsDPDP: Consent · GDPR: Art 6(1)(a)3 years or until deletion requested
Company, role, use case, DV range, platform (optional)Understand user base; prioritise product features; improve documentationDPDP: Consent · GDPR: Art 6(1)(a)3 years (aggregated for analytics within 12 months)

2B - Activation Tokens and Download Tokens

FieldPurposeLegal BasisRetention
HMAC-SHA256 token hash, email reference, issue timestamp, IP at issuance, platformAuthenticate download; enforce single-use; detect token sharing and abuseDPDP: Legitimate use · GDPR: Art 6(1)(f) Legitimate interestsToken hash: 30 days · Server access logs: 90 days

Tokens are stored only as hashes. The raw token value is never persisted in ARA's database.

2C - Machine Activation

FieldPurposeLegal BasisRetention
machine_id_hash (one-way hash of hardware attributes), email reference, activation timestamp, ARA version, platformEnforce single-machine activation limits per Community Edition EULA; detect activation abuseDPDP: Consent (EULA acceptance) · GDPR: Art 6(1)(b) Performance of contractLicense duration + 1 year
Important: Raw hardware identifiers (CPU serial, motherboard UUID, MAC address, etc.) are never transmitted to ARA's servers. The ARA binary hashes these locally before sending the result. ARA cannot reverse the hash to identify your hardware. The machine_id_hash is not personally identifiable on its own, but because it is linked to your email, it is treated as personal data.

2D - License Records

FieldPurposeLegal BasisRetention
License Key (cryptographic artifact, stored as hash), email reference, tier, activation date, expiry date, machine_id_hash referenceValidate active licenses; enable re-activation on machine change; enforce tier limitsDPDP: Consent · GDPR: Art 6(1)(b) Performance of contractLicense duration + 3 years (for legal / audit purposes)

2E - Contact, Demo, and Sales Requests

FieldPurposeLegal BasisRetention
Name, work email, company, job title, message contentRespond to enquiry; assess suitability for demo or Enterprise tierDPDP: Consent · GDPR: Art 6(1)(a)2 years from last contact or until deletion requested

2F - Design Partner Applications

FieldPurposeLegal BasisRetention
Company name, email, ML stack description, problem descriptionEvaluate suitability for Design Partner ProgrammeDPDP: Consent · GDPR: Art 6(1)(a)2 years or until deletion requested

2G - Documentation Access

FieldPurposeLegal BasisRetention
Email (verified), docs access token hash, access timestamp, IP addressAuthenticate docs access; detect token sharing; understand documentation usage patternsDPDP: Consent · GDPR: Art 6(1)(f) Legitimate interestsToken hash: 30 days · Email reference: 2 years

Section 3 - Software Telemetry

3.1 Telemetry Is On By Default (Opt-Out)

THE ARA SOFTWARE EMITS ANONYMOUS OPERATIONAL METRICS BY DEFAULT. Telemetry can be disabled at any time by setting the environment variable ARA_TELEMETRY_DISABLE=1 before starting the ARA server process. Telemetry never includes Licensee Data, entity identifiers, feature values, decision outputs, or any personally identifiable information.

3.2 What Telemetry Contains (Effective Date)

As of 1 July 2026, telemetry events are written to local stdout and local log file only. No external HTTP calls are made by the Software. This will change as described in Section 3.4 below.

The telemetry events and fields collected are limited to operational metrics: ARA version, tier, worker count, port number, aggregate operations rate ranges, uptime, and crash metadata. Telemetry contains no Licensee Data, no entity identifiers, no feature values, no decision outputs, and no personally identifiable information.

3.3 Telemetry Legal Basis

  • DPDP Act: Legitimate use - the processing is necessary for improving and securing the Software and does not cause harm to Data Principals. You may opt out at any time by setting ARA_TELEMETRY_DISABLE=1.
  • GDPR: Legitimate interests (Art. 6(1)(f)) - ARA has a legitimate interest in understanding how the Software is used to improve reliability and guide product development. This interest is not overridden by your interests given the strictly anonymous, non-PII nature of the data. You may opt out at any time.

To opt out, set ARA_TELEMETRY_DISABLE=1 in the Software's environment and restart the ARA server process.

3.4 Planned Future Change: External Telemetry Transmission

ARA plans to add external telemetry transmission in a future Software version. When this change is introduced:

  • Telemetry events will be transmitted via HTTPS POST to https://telemetry.aralabs.ai/v1/event.
  • ARA's backend will forward these events to a PostHog analytics instance operated by PostHog, Inc. PostHog will be added as a Sub-Processor under ARA's Data Processing Agreement.
  • The fields transmitted will remain those listed in Section 3.2 above - no additional personal data or Licensee Data will be added.
  • ARA will notify all registered users and licensees at least thirty (30) days before this change is released.
  • If you are not comfortable with external transmission, you may opt out before upgrading to the version that introduces external telemetry by setting ARA_TELEMETRY_DISABLE=1.

3.5 What Telemetry Is Never

Telemetry will never include entity identifiers, feature values, or any data passing through ARA's serving path; customer names, email addresses, or personal information about you or your end users; infrastructure details beyond the Software's own version, tier, port, and worker configuration; or any data derived from or correlated with Licensee Data.

Section 4 - Cookies and Tracking

4.1 Cookies We Use

The ARA website uses only technically necessary cookies. We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that transmit data to external parties.

4.2 No Third-Party Tracking

We do not embed Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or any other third-party tracking script on the Website. We do not participate in cross-site advertising or behavioural targeting networks.

4.3 Future Changes

If we add optional analytics cookies or third-party tracking in future, we will update this Policy, add a cookie consent banner, and obtain your consent before placing non-essential cookies.

4.4 Server-Side Logging

Our web server maintains standard access logs recording IP addresses, HTTP method, URL path, response code, and timestamp for each request. These logs are used for security monitoring, abuse detection, and debugging. They are retained for up to ninety (90) days and are not shared with third parties for marketing.

Section 5 - How We Use Your Data

5.1 Service Delivery

We use your data to deliver the services you have requested: issuing download activation links; serving the correct binary for your platform; issuing and managing License Keys; responding to contact and demo enquiries; and operating the Documentation portal.

5.2 Communications

  • Transactional emails (no opt-out): Activation links, download confirmations, License Key issuance, security advisories, and critical product notices. These are necessary for service delivery and cannot be opted out of while you have an active registration.
  • Product communications (opt-out available): Release announcements, feature updates, and product news. You may unsubscribe at any time via the link in any such email or by writing to legal@aralabs.ai. Unsubscription does not affect transactional emails.

5.3 Product Improvement

We use aggregated, anonymised data derived from registration enrichment fields (use case, role, company size, decision volume range) to understand our user base and prioritise features. We do not use individual-level data for these purposes unless it has been aggregated in a form that cannot identify you.

5.4 Security and Abuse Prevention

We use IP addresses, HTTP referrers, request timestamps, and token usage patterns for rate limiting, fraud prevention, activation abuse detection, and security monitoring. This processing is based on legitimate interests (GDPR) and legitimate use (DPDP Act).

5.5 Legal Compliance

We may process or retain personal data as required by applicable law, including to comply with court orders, government requests, or tax obligations. We will notify you before disclosing your data in response to legal process, unless legally prohibited from doing so.

5.6 No Sale of Data

We do not sell, rent, or lease your personal data to any third party for their own commercial purposes. We do not share personal data with advertising networks, data brokers, or analytics resellers.

Section 6 - Data Sharing and Third-Party Processors

6.1 Our Principle

We share personal data with third parties only where necessary for service delivery, and only with parties that provide appropriate contractual and technical data protection guarantees.

6.2 Current Third-Party Processors

ProcessorLocationPurposeSafeguard
GitHub, Inc.USARelease binary hosting; repository and issue trackingStandard Contractual Clauses; GitHub DPA
Email delivery provider (TBD)TBDTransactional and product email deliveryDPA with equivalent protections
PostHog, Inc. (planned)USAOpt-out Software telemetry analytics (see §3.4)Will be added 30 days before external telemetry release; SCCs; PostHog DPA

6.3 No Other Sharing

We do not share personal data with any other third party except: (a) with your explicit consent; (b) as required by applicable law or court order; (c) to protect the rights, property, or safety of ARA, our users, or the public; or (d) in connection with a merger or acquisition, subject to the acquiring entity being bound by this Policy or providing equivalent protections.

6.4 International Transfers

Your data is primarily stored and processed in India. Where we transfer personal data to processors located outside India, we ensure appropriate safeguards:

  • For EEA/UK data subjects: Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, or other approved transfer mechanisms.
  • For Indian data subjects: Transfers are made in accordance with the DPDP Act's cross-border transfer provisions and applicable government notifications.
  • We do not transfer data to jurisdictions subject to a binding government prohibition under Indian law.

Section 7 - Data Retention

7.1 Retention Periods

Data CategoryRetention Period
Download registration (email, name, enrichment fields)3 years from registration or until deletion requested
Activation / download token hashes30 days (tokens expire and are invalidated)
Machine activation records (machine_id_hash)License duration + 1 year
License recordsLicense duration + 3 years (legal / audit)
Contact and demo request data2 years from last contact or until deletion requested
Design partner application data2 years or until deletion requested
Server access logs (IP, URL, response code)90 days
Telemetry data (when external transmission is live)12 months in aggregate form

7.2 Deletion on Request

You may request deletion of your personal data at any time by writing to legal@aralabs.ai. We will process deletion requests within thirty (30) days. Deletion may affect your ability to use the ARA Software if your License Key is linked to the deleted registration. We will inform you of any such impact before processing the deletion.

7.3 Retention Beyond Request

We may retain data beyond the periods above where: (a) we are required to do so by law (e.g., tax records for 7 years under Indian law); (b) the data is needed to resolve a pending dispute or legal claim; or (c) the data has been anonymised such that it can no longer identify you. We will inform you if we are unable to delete data for these reasons.

Section 8 - Data Security

8.1 Technical Measures

  • TLS 1.2 or higher for all data in transit between your browser/client and our servers.
  • Cryptographic hashing (HMAC-SHA256 or SHA-256) for all tokens, activation codes, and machine identifiers - original values are never stored.
  • Single-use token enforcement: activation, download, and docs access tokens are invalidated after use.
  • Per-IP rate limiting on all API endpoints (100 req/15 min general; 5 req/15 min on email-adjacent routes; 10 req/hour on file download).
  • Server-side input validation and sanitisation on all form submissions.
  • Security headers (CSP, HSTS, X-Content-Type-Options, etc.) on all responses.
  • Admin routes protected by separate authentication middleware; not accessible to regular visitors.
  • The GitHub release asset URL is never exposed in any API response - the binary is proxied through our server.

8.2 Organisational Measures

Access to personal data is restricted on a need-to-know basis within ARA. We do not retain unencrypted copies of sensitive tokens. We conduct periodic reviews of access controls and security configurations.

8.3 Breach Notification

In the event of a personal data breach likely to cause harm, ARA will notify the Data Protection Board of India (or relevant supervisory authority) within the timeframe required by applicable law (currently 72 hours under GDPR; under the DPDP Act, per forthcoming rules), and notify affected individuals without undue delay where the breach poses high risk. We maintain records of all breaches, their scope, effects, and remedial actions.

8.4 No Absolute Security

No security measure is perfect. Whilst we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. You are responsible for keeping your activation tokens, download links, and License Keys confidential.

Section 9 - Your Rights

9.1 Rights Under the DPDP Act (India)

RightWhat it meansHow to exercise
AccessObtain a summary of personal data we hold about you and how it is being processedlegal@aralabs.ai

We respond within 30 days. Identity verification may be required.
CorrectionHave inaccurate or incomplete personal data corrected or updated
ErasureHave your personal data erased (subject to lawful retention requirements)
Grievance RedressalLodge a grievance with ARA's Grievance Officer; escalate to the Data Protection Board of India if unresolved
Withdraw ConsentWithdraw consent for any processing based on consent. Withdrawal does not affect lawfulness of prior processing.

9.2 Additional Rights Under GDPR (EEA / UK / Switzerland)

RightWhat it means
PortabilityReceive your personal data in a structured, machine-readable format and transmit it to another controller (where processing is by consent or contract)
ObjectObject to processing based on legitimate interests. We will cease unless we demonstrate compelling grounds that override your interests
RestrictRequest restriction of processing in certain circumstances (e.g., while accuracy is contested)
Lodge a ComplaintLodge a complaint with your Member State's supervisory authority (see §12.3)

9.3 Response Timelines

We aim to respond to all rights requests within thirty (30) calendar days. Where a request is complex, we may extend by up to sixty (60) further days (GDPR) or as permitted by the DPDP Act, and will inform you of the extension and reason.

9.4 Verification

To protect against fraudulent requests, we may ask you to verify your identity before processing a rights request. We will only ask for information reasonably necessary to confirm your identity and locate your records.

Section 10 - Children's Privacy

The ARA Website and Software are intended for professional use by adults aged eighteen (18) or older. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected such data, contact legal@aralabs.ai and we will delete it promptly.

Section 11 - Changes to This Policy

11.1 How We Update This Policy

We may update this Privacy Policy to reflect changes in our data practices, applicable law, or the ARA Software. When we make material changes, we will update the Effective Date, email all registered users, and - where required by the DPDP Act - obtain fresh consent if we introduce a new purpose for processing that requires it.

11.2 Version History

VersionDateSummary of Changes
1.01 July 2026Initial publication

Section 12 - Contact and Grievance Officer

12.1 How to Contact Us

For any question, request, or complaint relating to this Privacy Policy or our data practices:

  • General privacy enquiries: legal@aralabs.ai
  • Grievance Officer: privacy@aralabs.ai (DPDP Act Grievance Officer designation)
  • Security vulnerabilities: security@aralabs.ai
  • Postal: ARA AI Labs Private Limited, Raheja Woods, Pune, Maharashtra, India

12.2 Grievance Resolution Timeline

ARA's Grievance Officer will acknowledge your grievance within seven (7) business days of receipt and endeavour to resolve it within thirty (30) calendar days, as required by the DPDP Act. If a grievance cannot be resolved within thirty (30) days, we will inform you of the reason and expected resolution timeline.

12.3 Supervisory Authorities

  • India: Data Protection Board of India (once constituted and operational under the DPDP Act, 2023)
  • European Union: Your Member State's national data protection authority
  • United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch
ARA AI Labs Private Limited  ·  Privacy Policy v1.0  ·  Effective 1 July 2026
https://aralabs.ai/privacy.html  ·  legal@aralabs.ai  ·  © 2026 ARA AI Labs. All Rights Reserved.
Also available as a permanent URL for DPDP Act / GDPR compliance linking.
Schedule a technical call
We respond within one business day. An engineering conversation, no sales scripts.
✓

Request received.

We'll reach out within one business day.

ARA.
ARA AI Labs · Raheja Woods, Pune, India
DPIIT Recognized Startup·DIPP270929
Product
  • Download
  • Documentation
  • Community
Company
  • About
  • Blog
  • Press
  • Enterprise
  • Security
Legal
  • EULA
  • Privacy Policy
  • Terms of Use
© 2026 ARA AI Labs