Privacy Policy

Last updated · 2026-04-28 · Effective immediately

This policy explains what data Arvis collects, why, how it's protected, and your rights under GDPR (EU 2016/679). Plain language; no dark patterns.

1. Data controller

SC CASTDEVELOPMENT INVEST SRL

Registered office: Str. Pridvorului, Nr. 23, Sector 4 (District 4), București, România

Tax ID (CUI): RO45733052

Privacy contact: castgroupinvest@outlook.com

The Arvis assistant service is operated by the company above. For any privacy question write to the email above with subject Privacy request.

2. What we collect — and what we deliberately do not

Arvis is built around two principles: minimal collection, and encryption of your content at rest. We collect only what is strictly required to run your account. Everything you actually say to Arvis (chat messages, voice notes, uploaded documents) is encrypted with a key derived per user from a master secret, so that a leaked database or backup on its own is unreadable. This is not yet zero-access: today the master secret resides on our production server, and §2.2 and §6 spell out exactly what that does and does not protect against. Full zero-access encryption, with the key held only by you, is the goal for the next major release.

2.1 Account data we store (the minimum)

  • Your platform user ID (Telegram, WhatsApp or — once launched — our own app account ID). Required to route messages to you.
  • Email (only if you use it for billing or to connect Google Calendar — see §4 for the full Google API Limited Use disclosure).
  • Language preference, timezone.
  • Plan tier and usage counters per billing period.

2.2 Conversation content — encrypted at rest

Anything you actually communicate with Arvis is treated as your private content:

  • Chat messages.
  • Voice notes (only the transcript is stored; original audio is deleted within minutes).
  • Documents and files you upload.
  • Tasks, reminders, events, memories you create.

All of these are encrypted at rest with a key derived per user from a master secret. Neither the master secret nor the per-user keys are stored in the database, so a leaked database file or backup, on its own, is unreadable.

Honest scope today: the master secret lives on our production server, and whoever controls that server can derive every user's key. Access to it is limited to the principal engineer and used only for incident response, but this is encryption at rest, not zero-access. Full zero-access (where even our staff cannot decrypt your content because the key is held only by you) is on our roadmap for the next major release. We will update this page the day it ships.

The only situation in which a small piece of your text leaves our at-rest encryption is the short window in which it is sent, over TLS, server-to-server to an AI provider (see §5) to generate the reply you asked for. That provider is contractually prohibited from training on it.

2.3 Operational data (anonymous)

  • Anonymous error logs (no message content) for diagnostics, retained 30 days.
  • Anonymous AI-call cost telemetry for capacity planning.

2.4 What we do NOT collect

  • No browser cookies on the marketing site (only an opt-in localStorage flag for analytics consent).
  • No third-party tracking pixels.
  • No cross-site behavioural profiling.
  • No plaintext copy of your conversations: they are stored only as ciphertext in the database, and decryption is restricted to the principal engineer and only for incident response (see §2.2).

3. How we use what we have

  • Run the assistant features (only purpose).
  • Bill the right plan and prevent abuse.
  • Diagnose incidents, normally from anonymous logs alone; decrypting content is reserved for the incident-response case described in §2.2.

We never train models on your data. We never sell, rent, or share it.

4. Google user data — Calendar (Limited Use disclosure)

When you connect your Google account through the /gcal Telegram command, Arvis requests these OAuth scopes:

  • https://www.googleapis.com/auth/calendar.events — view and edit events on your calendars. Used so the assistant can list upcoming events, create new events you dictate, update times you change, and delete events you ask to cancel.
  • https://www.googleapis.com/auth/userinfo.email — identify which Google account you connected so we can attach the right calendar to your Arvis account.

Gmail integration via /gmail is in development and will request additional scopes (read, send, modify) once enabled. This page will be updated before any Gmail scope is requested.

4.1 Limited Use commitment

Arvis's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • Google user data is used only to provide or improve the user-facing features you invoked (reading, creating and organising your calendar events through the assistant, and, once the Gmail integration is enabled, reading, sending and organising your mail).
  • Google user data is not used for serving advertisements, including retargeting or personalised ads.
  • Google user data is not used to develop, improve, or train generalised machine-learning models. Anthropic and OpenAI, the LLM providers we call to generate replies, are contractually bound not to train on API traffic.
  • Google user data is not sold or transferred to third parties, except as necessary to provide the user-disclosed feature (server-to-server LLM call to compose a reply you asked for), to comply with applicable law, or as part of a merger/acquisition with continued Limited-Use protection.
  • No human at Arvis reads your Google data, except (a) with your explicit consent, (b) for security/abuse investigation, (c) to comply with law, or (d) for aggregated and anonymised internal operations.

4.2 How your Google data flows

  1. You issue a command in Telegram (e.g. "what's on my calendar tomorrow?" or "create a meeting with Andrei at 3pm Friday").
  2. Arvis fetches the minimum calendar data needed via the Google Calendar API over TLS 1.3.
  3. The relevant text is sent server-to-server to the LLM provider (Anthropic Claude) to compose a reply or extract event details.
  4. The reply is returned to your Telegram chat; new events are written back to your calendar.
  5. Raw event content is not persisted; only the conversation transcript (encrypted per §6) is kept so you can refer back to it.

4.3 OAuth tokens — storage & deletion

  • Access and refresh tokens are stored encrypted at rest with the same per-user derived key described in §6.
  • Tokens are deleted within 24 hours when you (a) run the Telegram command /forget_me, (b) run /gcal disconnect, or (c) close your Arvis account.
  • If a refresh token is unused for 180 days it is auto-purged.

4.4 Revoking access

You can revoke Arvis's access at any time, in either of two places. Revoking in Google invalidates the tokens immediately; the Telegram command is what removes the stored tokens and the calendar connection from your Arvis account, so to be thorough do both:

  • In Google: myaccount.google.com/permissions → select Arvis → Remove access.
  • In Telegram: send /forget_me to delete all Arvis data including OAuth tokens, or /gcal disconnect to remove only the Calendar connection.

5. AI providers

To generate replies we call third-party LLM APIs (currently Anthropic Claude and, for voice transcription, OpenAI Whisper). The minimum text needed to answer your request is sent server-to-server, processed, and returned. These providers commit to not training on API traffic and retain it only for short-term abuse prevention.

6. Storage, encryption & zero-access

  • Hosted in the EU (Germany).
  • All sensitive fields (raw text, expanded text, audio transcripts, file contents) are encrypted at rest with a per-user derived key. The keys are derived from a master secret held only on the production server, never written to the database.
  • Database backups are encrypted before leaving the server.
  • Transport encryption (TLS 1.3) for every request between our servers and Telegram, WhatsApp, Google or any AI provider we call on your behalf. The leg between your device and Telegram or WhatsApp is protected by that platform's own transport encryption.
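The scheme described above (and used for the OAuth tokens in §4.3) can be sketched in code. What follows is an added illustration, not the Arvis code base: a per-user key is derived from the master secret with HKDF-SHA256 (RFC 5869, written out here so only the Go standard library is needed), content is sealed with AES-256-GCM, the user ID is bound as associated data, and a key-version prefix lets the master be rotated. The label string, the record layout, the function names and the sample messages are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed domain-separation label for HKDF; not an Arvis constant.
const keyLabel = "arvis-content-key"

// nonceSize is the standard 96-bit GCM nonce.
const nonceSize = 12

// hkdfExtract and hkdfExpand implement RFC 5869 HKDF with HMAC-SHA256.
func hkdfExtract(salt, ikm []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

func hkdfExpand(prk, info []byte, length int) []byte {
	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{counter})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// UserKey derives the 256-bit content key for one user from the master
// secret. The user ID and a key version go into the HKDF info field, so
// users get independent keys and the master can be rotated by bumping the
// version for new rows while old rows still record which version sealed them.
func UserKey(master []byte, userID string, version uint32) []byte {
	prk := hkdfExtract([]byte(keyLabel), master)
	info := make([]byte, 4, 4+len(userID))
	binary.BigEndian.PutUint32(info, version)
	info = append(info, userID...)
	return hkdfExpand(prk, info, 32)
}

func newAEAD(master []byte, userID string, version uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(UserKey(master, userID, version))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces the bytes stored in the database for one content field:
// version(4) || nonce(12) || AES-GCM ciphertext+tag. Nothing in the row
// lets a reader recover the key. The user ID is bound as associated data,
// so a row copied into another user's account will not open.
func Seal(master []byte, userID string, version uint32, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(master, userID, version)
	if err != nil {
		return nil, err
	}
	rec := make([]byte, 4+nonceSize)
	binary.BigEndian.PutUint32(rec, version)
	if _, err := rand.Read(rec[4:]); err != nil {
		return nil, err
	}
	return aead.Seal(rec, rec[4:], plaintext, []byte(userID)), nil
}

// Open reverses Seal. It fails for a wrong master secret, a wrong user ID,
// or any modification of the stored bytes, which is what "a leaked
// database alone is unreadable" means in practice.
func Open(master []byte, userID string, record []byte) ([]byte, error) {
	if len(record) < 4+nonceSize+16 {
		return nil, errors.New("record too short")
	}
	version := binary.BigEndian.Uint32(record)
	aead, err := newAEAD(master, userID, version)
	if err != nil {
		return nil, err
	}
	nonce, ct := record[4:4+nonceSize], record[4+nonceSize:]
	return aead.Open(nil, nonce, ct, []byte(userID))
}

func main() {
	// Constructed sample. In production the master comes from the server's
	// environment or a KMS, never from the database it protects.
	master := bytes.Repeat([]byte{0x42}, 32)
	rec, _ := Seal(master, "tg:123456", 1, []byte("remind me to call Andrei at 3pm"))
	pt, err := Open(master, "tg:123456", rec)
	fmt.Printf("same user:           %q err=%v\n", pt, err)
	_, err = Open(master, "tg:999999", rec)
	fmt.Println("row moved to other user:", err)
	_, err = Open(bytes.Repeat([]byte{0x43}, 32), "tg:123456", rec)
	fmt.Println("leaked DB, no master:   ", err)
}
```

The point the example makes about the policy's threat model: the database row carries only the user ID, the key version and ciphertext, so a copy of the database or a backup is useless without the master; but anyone who can read the master from the running server can call UserKey for every user, which is exactly why §2.2 describes this as encryption at rest rather than zero-access.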

7. Retention

  • Account & memories: until you delete or close the account.
  • Diagnostic logs: 30 days, then auto-purged.
  • AI call telemetry: 90 days, then auto-purged.
  • Encrypted off-site backups: rolling 30 days.

8. Your GDPR rights

  • Access — request a full JSON export with the data export command in Telegram.
  • Rectification — edit or remove any saved fact via memory commands.
  • Erasure — the /forget_me command deletes all data within 24 hours.
  • Portability — same JSON export is the portable copy.
  • Object / restrict — write to the privacy email above.
  • Lodge a complaint — your national data protection authority (in Romania: ANSPDCP — dataprotection.ro).

9. Children

Arvis is not directed at children under 16. We do not knowingly collect their data.

10. Changes

If we change this policy materially, you'll receive an in-bot notice and this page will be updated with a new effective date.