Privacy Policy

Effective date: April 18, 2026 · Replaces all prior versions

Arez AI ("Arez AI," "we," "our," or "us") is a business-to-business (B2B) software company. We operate the Arez AI web application at ai-arez.com and the Arez AI mobile application available on the Apple App Store and Google Play (collectively, the "Service").

This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have over your data. By creating an account or using the Service, you acknowledge that you have read and understood this policy. If you do not agree, do not use the Service.

Contents

Who We Are and How to Contact Us
Information We Collect
Lawful Basis for Processing
How We Use Your Information
AI Processing Disclosure
Data Sharing and Third-Party Processors
We Do Not Sell Your Data
Cookies and Tracking Technologies
Data Retention and Account Deletion
Security Measures
Children's Privacy (COPPA)
California Residents — CCPA Rights
EU and UK Residents — GDPR Rights
International Data Transfers
Mobile App Store Privacy
Changes to This Policy
Contact and Data Requests

1. Who We Are and How to Contact Us

Arez AI is the data controller for personal information processed in connection with accounts, billing, and use of the Service. For AI feature processing, certain third-party services act as data processors under our instructions (see Section 6).

Contact: support@ai-arez.com · ai-arez.com

2. Information We Collect

2.1 Information You Provide Directly

Account registration: Email address, full name, company name, trade type (e.g., HVAC, plumbing, electrical), phone number, and business address.
Profile and settings: License number, additional contact details, and AI default preferences you configure (markup percentages, labor rates, preferred sub-trades, material preferences).
Project data: Project names, client names and contact information, job-site addresses, AI chat messages, construction estimates, tasks, notes, invoices, and proposals you create within the Service.
Uploaded files: Photos, blueprints, PDF documents, and other files you upload to projects for AI analysis or record-keeping.
Communications: Messages you send to our support team.
Bug reports: Descriptions, chat snapshots, and file references you submit via the in-app bug report feature.

2.2 Information Collected Automatically

Usage data: Features accessed, pages viewed, actions taken (e.g., estimates generated, proposals sent), and session timestamps.
API and AI call logs: Aggregated records of API requests, AI feature usage, and usage counts used for subscription metering and cost management. These logs are keyed to your account and organization.
Technical data: IP address, browser type and version, operating system, device model, app version, and platform (iOS, Android, web).
Error and crash data: Stack traces, error messages, and diagnostic information collected via Sentry when the application crashes or encounters an error (see Section 6).

2.3 Information From Third Parties

Billing status: Stripe provides us with subscription status, plan tier, and payment event data (e.g., successful charge, subscription cancelled). We do not receive or store raw payment card numbers, full bank account numbers, or CVV codes.
Team invitations: If a team owner invites you to their organization, we receive your email address from the inviting party to create your account.

3. Lawful Basis for Processing

The Service is a B2B platform used by business professionals in the United States. We process personal information on the following bases:

Processing Activity	Lawful Basis
Creating and managing your account; delivering the core Service features	Performance of a contract (our Terms of Service)
AI-powered estimate generation; image and document analysis	Performance of a contract; you explicitly submit content to use the feature
Billing and subscription management	Performance of a contract; legal obligation
Transactional emails (verification codes, account alerts)	Performance of a contract
Error tracking and crash reporting (Sentry)	Legitimate interest in maintaining service reliability
Usage analytics to improve the Service	Legitimate interest in product improvement (aggregated, non-advertising)
Compliance with applicable law; responding to legal process	Legal obligation

4. How We Use Your Information

We use the information we collect strictly to operate and improve the Service:

Service delivery: To create and maintain your account, authenticate you, process your projects and estimates, and provide all features included in your subscription plan.
AI feature processing: To send your chat messages, project descriptions, and uploaded images to third-party AI APIs (Anthropic Claude, Google Gemini, Google Imagen) on your behalf to generate estimates, analyze photos and blueprints, and produce renovation previews. See Section 5 for full disclosure.
Billing and payments: To manage your subscription, process payments through Stripe, send receipts, and enforce plan-level feature access.
Transactional communications: To send email verification codes, password reset links, team invitations, and other account-related notices via the Resend email service.
Customer support: To respond to your support requests, investigate bugs, and diagnose issues using the information you submit.
Error monitoring: To detect, investigate, and resolve crashes and errors in the application via Sentry. Error reports are filtered to remove passwords and other sensitive fields before transmission.
Service improvement: To analyze aggregated, non-identifying usage patterns to understand which features are used most, identify performance bottlenecks, and prioritize product development. We do not use your project content or AI chat messages for this purpose.
Legal compliance: To comply with applicable laws, respond to valid legal process, enforce our Terms of Service, and protect the rights, property, or safety of Arez AI, our users, or the public.

We do not use your personal information for advertising, profiling for marketing purposes, or for training our own AI models. When AI providers process your content under our contracts with them, you can review each provider's applicable data use terms (see Section 6).

5. AI Processing Disclosure

The core value of the Service is AI-powered estimation. To deliver this, certain user content is transmitted to third-party AI APIs. We are transparent about exactly what is sent and to whom.

5.1 Anthropic (Claude AI) — Chat and Estimate Generation

When you use the AI chat feature, your chat messages, project context (project name, address, type), and your saved AI preferences (markup rate, labor rates, trade preferences) are sent to Anthropic's Claude API. Anthropic processes this content to generate a response on our behalf.

Anthropic's current API terms provide that it does not use inputs or outputs from the API to train its models without explicit consent. For current Anthropic data practices, see: anthropic.com/privacy.

5.2 Google (Gemini and Imagen) — Image and Photo Analysis

When you use image analysis features (Quick Analysis, Deep Analysis, or Renovation Preview), the images or photos you upload are transmitted to Google's Gemini API or Google Cloud Vertex AI (Imagen) for processing. Google acts as a data processor under our API agreement.

For current Google Cloud data practices, see: Google Cloud Data Processing Addendum.

5.3 What You Control

AI analysis features require your affirmative action — you choose to attach an image or send a chat message. No content is sent to AI providers passively or in the background. You can use the Service for non-AI features (project management, invoicing, proposals) without triggering any AI API calls.

We do not sell, rent, or trade your personal information. We share data only with the following categories of recipients, and only to the extent necessary to deliver the Service:

Processor	Purpose	Data Shared
Anthropic, Inc.	AI chat and estimate generation (Claude API)	Chat messages, project context, AI preferences
Google LLC (Gemini API, Vertex AI)	Image analysis and renovation preview	Uploaded images and photos (when you use image features)
Stripe, Inc.	Payment processing and subscription management	Billing contact information; Stripe manages payment card data directly
Supabase, Inc.	Database hosting and storage (US-based)	All account, project, and application data stored on your behalf
Resend, Inc.	Transactional email delivery	Email address, email content (verification codes, invitations)
Sentry (Functional Software, Inc.)	Crash and error reporting	Technical error data, stack traces; PII fields (email, password) are filtered before transmission
Railway Corp.	Backend application hosting	Application traffic passes through Railway's infrastructure
Cloudflare, Inc.	Frontend hosting, CDN, and DDoS protection	Network-layer access to web traffic; no application-layer data stored

Each processor is contractually required to process data only on our documented instructions, maintain appropriate security measures, and not use your data for their own purposes beyond the contracted service. We do not engage processors located outside our authorized supply chain without updating this policy.

6.1 Other Disclosures

We may disclose personal information without your consent in the following limited circumstances:

To comply with a legal obligation, court order, subpoena, or valid request from a government authority with jurisdiction;
To investigate, prevent, or take action regarding suspected fraud, illegal activity, or violations of our Terms of Service;
To protect the vital interests of any person;
In connection with a merger, acquisition, or sale of all or substantially all of our assets, provided the acquiring party agrees to honor this Privacy Policy or provide you with notice and choice.

7. We Do Not Sell Your Data

Arez AI does not sell, rent, share for cross-context behavioral advertising, or otherwise monetize your personal information. This applies to all users, including California residents covered by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). There is nothing to opt out of — we have never sold personal information and have no plans to do so.

8. Cookies and Tracking Technologies

The Arez AI web application uses the following limited session technologies:

Authentication token (localStorage): A JSON Web Token (JWT) is stored in your browser's local storage after login. This token is required to authenticate your API requests. It expires after 7 days and is cleared when you log out or delete your account.
Session state: Temporary in-memory state used to track your active project and navigation state during your browser session. This is never written to a persistent cookie.

We do not use advertising cookies, third-party tracking pixels, behavioral profiling tools, or cross-site analytics platforms (such as Google Analytics or Meta Pixel). The Service contains no advertising infrastructure of any kind.

The mobile app stores your authentication token using the device's secure storage (AsyncStorage on React Native). No third-party SDKs with advertising or behavioral tracking capabilities are included in the mobile app.

9. Data Retention and Account Deletion

9.1 Retention While Your Account Is Active

We retain all account and project data for as long as your account exists and your subscription is active (or during any applicable grace period). Inactive accounts on free or expired trials may be subject to deactivation notice and deletion after 12 months of inactivity, with advance email notice.

9.2 Deletion on Account Closure

You may delete your account at any time from the Settings screen in the app (Settings → Account → Delete Account). Upon confirmed deletion, we initiate the following process:

Your Stripe subscription is immediately cancelled (no further charges).
All personal information and project data associated with your account — including projects, estimates, invoices, proposals, uploaded files, AI chat history, and usage logs — is permanently deleted from our production database within 30 days of your deletion request.
Residual copies in automated database backups are purged within the backup rotation cycle, not to exceed 90 days from the deletion date.
Aggregate, anonymized statistical records that cannot be re-linked to you (e.g., platform-wide daily estimate counts) may be retained indefinitely.

To request account deletion if you are unable to access the in-app option, contact support@ai-arez.com with the subject line "Account Deletion Request" from your registered email address. We will complete the deletion within 30 days of verification.

9.3 Legal Hold

Notwithstanding the above, we may retain certain data for longer periods where required by applicable law (e.g., tax records, fraud investigation) or to resolve disputes or enforce our agreements. In such cases, we will retain only the minimum data necessary and for no longer than legally required.

10. Security Measures

We implement the following technical and organizational measures to protect your information:

Encryption in transit: All data transmitted between your browser or app and our servers is encrypted using TLS 1.2 or higher (HTTPS). API communications with third-party processors are similarly encrypted.
Encryption at rest: Data stored in Supabase is encrypted at rest using AES-256. Uploaded files in Supabase Storage are encrypted at the storage layer.
Access control: Database access uses a service role key with row-level security (RLS) enabled on all tables. All user data is scoped by organization ID — team members can only access data belonging to their organization. No employee has standing access to production user data without a logged, audited reason.
Authentication: Accounts are protected by email verification on signup and JWT-based session tokens. Tokens expire after 7 days. Passwords are never stored in plaintext.
Rate limiting: API endpoints are rate-limited to reduce brute-force and abuse risk (10 login attempts per 15 minutes; 60 AI requests per minute per user).
Secret management: API keys and credentials are stored exclusively as environment variables on Railway's production infrastructure. They are never embedded in client-side code or committed to source control.
Error filtering: Sentry crash reports are filtered to strip email addresses and passwords before transmission.

Despite these measures, no method of transmission or storage is 100% secure. In the event of a data breach that creates a risk to your rights and freedoms, we will notify affected users and applicable regulators as required by law.

11. Children's Privacy (COPPA)

The Service is a professional tool designed exclusively for contractors, business owners, and their employees operating in the residential and commercial home services industry. Users must be at least 18 years of age to create an account.

The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete that information promptly. If you believe a child under 13 has created an account or submitted information, contact us immediately at support@ai-arez.com.

12. California Residents — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights with respect to your personal information:

12.1 Right to Know

You have the right to request that we disclose: (a) the categories and specific pieces of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) our business purpose for collecting it; and (d) the categories of third parties with whom we share it.

12.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., data needed to complete a transaction, comply with a legal obligation, or detect security incidents). Account deletion via Settings fulfills this right in full.

12.3 Right to Correct

You have the right to request correction of inaccurate personal information. Most account information can be updated directly in your profile settings. For information you cannot update yourself, contact us.

12.4 Right to Opt-Out of Sale or Sharing

We do not sell personal information, nor do we share it for cross-context behavioral advertising. There is no opt-out mechanism necessary because no such selling or sharing occurs.

12.5 Right to Limit Use of Sensitive Personal Information

We do not use sensitive personal information (as defined by CPRA) for purposes other than providing the Service.

12.6 Non-Discrimination

We will not discriminate against you for exercising any of these rights. Exercising your privacy rights will not result in denial of service, different pricing, or reduced quality.

12.7 How to Submit a Request

Submit a verifiable consumer request by emailing support@ai-arez.com with the subject "California Privacy Request" from your registered email address. We will respond within 45 days. Complex requests may be extended by an additional 45 days with notice.

You may authorize an agent to submit a request on your behalf by providing written authorization. We will verify the agent's authority before processing the request.

The Service is operated and marketed in the United States and is primarily intended for US-based contractors. We do not have a legal establishment in the European Union or United Kingdom. If you are located in the EU or UK and use the Service, your personal data is processed in the United States (see Section 14 on international transfers).

To the extent GDPR or the UK GDPR applies to your use of the Service, you have the following rights:

Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): Request deletion of your personal data where there is no overriding legal basis for continued processing. Account deletion via Settings fulfills this right.
Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
Right to data portability (Art. 20): Request your personal data in a structured, machine-readable format where processing is based on consent or contract.
Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority in your EU member state or, for UK residents, the Information Commissioner's Office (ICO).

To exercise any of these rights, email support@ai-arez.com. We respond within 30 days as required under GDPR.

14. International Data Transfers

Arez AI is based in the United States. All servers, databases (Supabase), and application infrastructure are located in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following transfer mechanisms for any incidental processing of EU/UK personal data:

Standard Contractual Clauses (SCCs): Where our data processors (e.g., Supabase, Sentry) maintain EU SCCs or equivalent UK transfer mechanisms, those clauses govern transfers to the United States.
Adequacy decisions: Where applicable transfer adequacy decisions are in force, those decisions provide the basis for transfer.

You may request a copy of the applicable transfer safeguards by contacting support@ai-arez.com.

15. Mobile App Store Privacy

The Arez AI mobile application is distributed through the Apple App Store and Google Play Store. Each platform has its own privacy and data safety disclosures, which we maintain consistent with this policy:

Apple App Store (Privacy Nutrition Label): We report data linked to you (account, usage, and contact info used for app functionality and crash reporting) and data not linked to you (crash data) consistent with Apple's labeling requirements.
Google Play (Data Safety Section): We disclose the data types collected, their purposes, whether data is shared with third parties, and whether data is encrypted in transit, consistent with Google Play's data safety requirements.
Account deletion: In compliance with Apple App Store guidelines (effective February 2022), users can delete their account and all associated data directly within the app at Settings → Account → Delete Account, without needing to contact support.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

Update the effective date at the top of this page;
Send a notice to the email address associated with your account at least 30 days before the changes take effect; and
Post a prominent notice within the app for at least 30 days.

Non-material changes (such as clarifications, corrections, or additions about processors already in use) may be made without advance notice. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must stop using the Service and may delete your account.

We maintain a version history of this policy. Prior versions are available on request by emailing support@ai-arez.com.

17. Contact and Data Requests

For privacy questions, data access requests, deletion requests, or to exercise any right described in this policy, contact us at:

Email: support@ai-arez.com
Subject line for data requests: "Privacy Request — [your request type]"
Website: ai-arez.com

We respond to all privacy requests within 30 days. California residents exercising CCPA rights receive a response within 45 days (extendable to 90 days for complex requests). We may ask you to verify your identity before processing a request.

← Back to Arez AI