Privacy Policy

1. Introduction

Arnis ("we," "us," or "our") is committed to protecting the privacy of our clients and their contacts. This Privacy Policy explains how we collect, use, store, and protect information when you use the Arnis platform ("Service").

This policy applies to two categories of individuals:

• Clients: Businesses and individuals who use the Arnis platform to manage campaigns, contacts, and communications
• Contacts: Individuals whose information is uploaded to the platform by Clients and who receive communications through the Service

If you are a Contact who has received messages through the Arnis platform, the Client who uploaded your information is the data controller for your personal data. Please reach out to the business that contacted you for questions about how your data is used.

2. Information We Collect

2.1 Client Account Information

When you create an account and use the Service, we collect:

• Account credentials: Email address and password (stored as a bcrypt hash)
• User activity: Login timestamps, account creation dates, and platform usage data
• Billing information: Payment method details are processed and stored by Stripe; we only store references (card brand, last four digits, expiration date)
• Configuration data: Campaign settings, business hours, holiday schedules, and system preferences

2.2 Contact Data

Clients upload contact information to the platform, which may include:

• Phone numbers: Stored in original and E.164 normalized format
• Names: First name and last name
• Location data: State code, timezone (confirmed through AI conversation or derived from area code)
• Opt-out status: Whether the contact has opted out of communications

2.3 Communication Data

The platform processes and stores communication records, including:

• SMS messages: Full content of all inbound and outbound text messages
• Call records: Call status, duration, timestamps, forwarding numbers, and outcomes
• Conversation metadata: Conversation status, associated campaign, phone numbers used
• Scheduled appointments: Scheduled call times, timezones, confirmation status

2.4 Activity & Audit Logs

We maintain detailed activity logs for all contact interactions, including:

• When contacts were created, updated, or added to lists
• All messages sent and received
• Call attempts and outcomes
• Campaign enrollments and status changes
• Opt-out events and timestamps
• State and timezone confirmations

3. How We Use Your Information

3.1 Providing the Service

We use the information collected to:

• Send and receive SMS messages on behalf of Clients
• Initiate and manage phone calls (call-first and forward-first transfers)
• Generate AI-powered conversation responses
• Schedule and confirm appointments
• Enforce TCPA compliance and business hours restrictions
• Process payments and manage billing
• Provide dashboard analytics and reporting
• Deliver webhook notifications to Client-configured endpoints

3.2 Platform Improvement

Within each Client's isolated instance, we use data to:

• Improve AI response quality through the Question Templates system
• Optimize message delivery and timing
• Enhance campaign performance and analytics

3.3 Communications

We may use your email address to send:

• Password reset emails
• Low balance warnings
• Auto top-up confirmations
• System notifications and service updates

4. AI & Data Processing

4.1 AI Conversation Generation

The platform uses OpenAI's language models to generate conversational responses. When processing conversations:

• Conversation history, campaign context, and question templates are sent to OpenAI's API to generate responses
• We configure the AI with strict governance rules to prevent hallucination, protect sensitive information, and maintain compliance
• AI-generated responses are validated against campaign rules before sending

4.2 AI Data Boundaries

The AI is designed with strict information boundaries. It will only use information explicitly provided in campaign context, service descriptions, and answered question templates. It will not fabricate information, make commitments, or discuss prohibited topics.

4.3 Question Templates

When the AI encounters questions it cannot answer, those questions are logged within your instance. Answered questions become templates used exclusively within your installation to improve future conversations. Question template data is not shared across client installations.

5. Data Isolation & Architecture

5.1 Single-Tenant Deployment

Arnis uses a single-tenant architecture where each Client receives their own dedicated installation. This means:

• Complete data isolation: Your data is stored separately and is never mixed with or accessible to other clients
• Independent configuration: Your system settings, API credentials, and campaign configurations are unique to your instance
• Dedicated resources: Your installation operates independently from other client deployments

5.2 No Cross-Client Data Sharing

We do not share, aggregate, or cross-reference data between client installations. Each instance is a self-contained environment. Contact data, conversation histories, campaign configurations, question templates, and all other data remain exclusively within your dedicated installation.

6. Data Sharing & Third Parties

6.1 Service Providers

We share data with the following third-party service providers as necessary to deliver the Service:

• Twilio: Phone numbers, SMS content, and call data for telephony services
• OpenAI: Conversation context and campaign information for AI response generation
• SendGrid: Email addresses for transactional emails (password resets, balance notifications)
• Stripe: Payment information for billing and credit card processing

6.2 Webhooks

If you configure webhooks, event data (such as call completions, appointment schedules, or opt-outs) is sent to your specified webhook URLs. You are responsible for the security and privacy practices of your webhook endpoints.

6.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 No Sale of Data

We do not sell, rent, or trade personal information to third parties for their marketing purposes.

7. Carrier & Telephony Data

7.1 Arnis-Provided Carriers

When we provide telephony services, we manage the carrier accounts and are responsible for the secure handling of telephony data within those accounts. Phone number usage, call records, and SMS logs are maintained within your dedicated instance.

7.2 Client-Provided Carriers

When you provide your own carrier credentials (e.g., Twilio Account SID, Auth Token), those credentials are stored securely (encrypted at rest) within your instance. We use your credentials solely to provide the Service. You are responsible for the security of your carrier accounts and for complying with your carrier's data handling policies.

Regardless of the carrier arrangement, all communication data processed through the platform is stored within your isolated instance and subject to the same data protection standards.

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption: Sensitive credentials (API keys, auth tokens, SIP passwords) are encrypted at rest
• Password security: User passwords are hashed using bcrypt
• Session management: Sessions are stored in Redis with expiration
• Rate limiting: API and messaging rate limits prevent abuse
• Access control: Role-based access (Super Admin / Admin) limits functionality based on user level
• PCI compliance: All payment processing is handled by Stripe in accordance with PCI-DSS standards; we never store raw credit card data
• Data isolation: Single-tenant architecture ensures your data is physically separated from other clients

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Data Retention

9.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide the Service. This includes:

• Contact records and list associations
• Conversation and message histories
• Call records and outcomes
• Campaign configurations and question templates
• Activity and audit logs
• Billing records and transaction history

9.2 After Termination

Upon termination of your service agreement, you may request a data export within 30 days. After this period, your data may be permanently deleted from our systems, including all backups, within a reasonable timeframe.

9.3 Caching

The platform uses Redis for short-term caching (session data, rate limiting, conversation context, campaign settings). Cached data expires automatically based on configured time-to-live values, typically ranging from 1 minute to 24 hours.

10. Your Rights

10.1 Client Rights

As a Client, you have the right to:

• Access: View all data stored within your platform instance
• Export: Export your data via CSV export or API at any time
• Correction: Update or correct any information in your account or contact records
• Deletion: Delete contacts, conversations, campaigns, and other data through the platform
• Account closure: Request termination of your account and deletion of your data

10.2 Contact Rights

If you are a Contact who has received communications through the Arnis platform:

• Opt out: Reply STOP (or any supported opt-out keyword) to any message to immediately cease all communications
• Access & deletion: Contact the business that messaged you to request access to or deletion of your personal data

Clients are responsible for honoring data subject requests from their contacts in accordance with applicable privacy laws.

10.3 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

11. Contact & Lead Data

11.1 Client Responsibility

Clients are the data controllers for all contact and lead data they upload to the platform. Clients are responsible for:

• Ensuring they have a lawful basis for collecting and processing contact data
• Obtaining proper consent before uploading contact information for SMS outreach
• Honoring opt-out requests and data subject rights
• Complying with all applicable privacy laws regarding their contacts' data

11.2 Data Processing

We process contact data on behalf of Clients as a data processor. We only use contact data as instructed by the Client through their campaign configurations and platform settings. We do not independently use contact data for our own purposes.

12. Cookies & Tracking

The Arnis marketing website may use cookies and similar technologies for analytics and functionality. The Arnis platform application uses session-based authentication stored in Redis rather than persistent cookies.

A debug mode setting (configurable by Super Admin) may enable browser console logging for troubleshooting purposes. This does not transmit additional data to our servers.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us so we can take appropriate steps to remove that information.

14. International Data

The Service is primarily designed for use within the United States and is optimized for U.S. phone numbers, area codes, and TCPA regulations. If you use the Service from outside the United States, you acknowledge that your data may be transferred to and processed in the United States.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you through the platform or via email. The "Last updated" date at the top of this page indicates when this policy was last revised.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Arnis
Email: [email protected]

For data subject requests or privacy-related inquiries from Contacts, please reach out to the business that contacted you directly.

---

By using the Arnis platform, you acknowledge that you have read and understood this Privacy Policy.