Privacy Policy

1. Introduction

Arvanic LLC, a Texas limited liability company ("Arvanic," "we," "us," or "our"), operates the Arvanic platform (the "Platform"). This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use our Platform. It applies to Case Managers (registered users who create and manage investigations) and Participants (individuals invited to complete interviews through the Platform).

By using the Platform, you agree to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy is incorporated into and subject to our Terms of Service.

2. Information We Collect

2.1 Information Provided by Case Managers

When you create an account and use the Platform as a Case Manager, we collect: your name and email address (through our authentication provider); organization name and professional role; subscription and payment information (processed by our third-party payment processor — we do not store full credit card numbers); investigation details, including investigation type, allegation summaries, and contextual descriptions; participant names, email addresses, and assigned roles; and any exhibits or files you upload to the Platform.

2.2 Information Provided by Participants

When you access the Platform as a Participant through an invitation link, we collect: your name and email address (as provided by the Case Manager who invited you); your interview responses, including answers to structured questions and follow-up questions; your browser timezone (for timestamp display purposes); and technical session information, including session identifiers and timestamps.

2.3 Information Collected Automatically

When you access the Platform, we automatically collect: IP addresses; browser type and version; device information; pages visited and actions taken within the Platform; timestamps of access and actions; and error and performance data (collected through our error monitoring service).

3. How We Use Your Information

We use the information we collect for the following purposes:

To provide the Platform: processing interview responses, generating investigation reports, evaluating response sufficiency, selecting follow-up questions, and conducting safety evaluations.

To manage accounts and subscriptions: authenticating users, processing payments, enforcing subscription limits, and communicating account-related information.

To maintain security and safety: monitoring for safety concerns in participant responses, enforcing rate limits and brute force protections, detecting and preventing fraud or unauthorized access, and maintaining audit trails.

To send transactional communications: invitation emails to participants, safety alert notifications to Case Managers, and account-related notices.

To improve the Platform: analyzing usage patterns, diagnosing technical issues, and improving Platform performance and features.

To comply with legal obligations: responding to lawful requests from governmental authorities and complying with applicable laws and regulations.

4. PII Sanitization Before AI Processing

Before any participant interview text is sent to our third-party AI provider for processing, we strip personally identifiable information from the text and replace it with anonymous placeholders. Names, email addresses, phone numbers, and other identifying information are removed or replaced before transmission. The mapping between real identities and placeholders is stored securely in our database and is never sent to the AI provider. After the AI provider returns its analysis, we restore the original identifiers for display to the Case Manager.

While we take reasonable measures to sanitize personally identifiable information, no automated process is perfect. We cannot guarantee that all personally identifiable information will be successfully removed in every instance.

5. Third-Party Service Providers

We rely on the following third-party service providers (sometimes called "subprocessors") to operate the Platform. Each provider receives only the minimum information necessary to perform its function and is bound by its own contractual and security obligations:

Authentication — Clerk: We use Clerk to manage Case Manager account creation, login, and multi-factor authentication. Clerk receives your name and email address. Participants do not have accounts and are not authenticated through Clerk.

Database and Storage — Supabase: We use Supabase to store Platform data, including investigation details, participant information, interview responses, exhibits, and generated reports. Data is held in a secure, access-controlled environment with database-level access controls and tenant-isolation safeguards.

Hosting — Vercel: We use Vercel to host and serve the Platform. Vercel processes Platform traffic in transit but is not a long-term store of your investigation data, which resides with our database and storage provider.

AI Processing — Anthropic (and, in some cases, AWS Bedrock): We use Anthropic's Claude models for textual analysis of participant responses, after PII sanitization as described in Section 4. In some cases the same anonymized request may instead be processed by Anthropic's Claude models hosted on Amazon Web Services (AWS) Bedrock. In all cases the AI provider receives anonymized text only and does not receive identifying information about participants, Case Managers, or organizations.

Payment Processing — Stripe: We use Stripe to handle subscription billing and to provide a self-service billing portal. Stripe receives your email address and subscription details. We do not store full credit card numbers or banking details on our systems.

Email Delivery — Resend: We use Resend to send transactional emails, including participant invitations, safety alert notifications, and account-related notices. Resend receives recipient email addresses and email content. We do not transmit raw interview responses by email.

Error Monitoring — Sentry: We use Sentry to detect and diagnose technical issues. We configure Sentry to scrub personally identifiable information from error reports before transmission.

Rate Limiting — Upstash: We use Upstash to operate rate-limiting and abuse-prevention controls that protect the Platform. Upstash processes only technical request metadata, such as IP addresses; it does not receive your name, email content, or interview responses.

6. When We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

With service providers: As described in Section 5, to third-party providers that help us operate the Platform.

Within the Platform: Case Managers can view the responses, reports, and data associated with their own investigations. Participants can view only their own interview questions and responses. No cross-tenant data access is permitted.

For safety purposes: If a participant's responses indicate an imminent risk of harm, we may notify the Case Manager who initiated the investigation through the Platform's safety alert system.

To comply with law: We may disclose information if required to do so by law, regulation, legal process, or governmental request.

To protect rights: We may disclose information when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Arvanic, our users, or the public.

In a business transfer: If Arvanic is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

7. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your information, including: encryption of data in transit using TLS/HTTPS; database-level access controls and tenant isolation policies; cryptographic protection of sensitive tokens; immutable audit trail logging; PII sanitization before AI processing; rate limiting and brute force protections; and error monitoring configured to scrub personally identifiable information.

No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee its absolute security.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Platform to you. Specific retention practices include:

Active accounts: All investigation data, interview responses, reports, and audit trail entries are retained for the duration of the account.

Closed investigations: Data from closed investigations is retained until the Case Manager uses the Platform's data deletion functionality to permanently purge it.

Deleted accounts: Following account deletion, data is retained for thirty (30) days to allow for dispute resolution or data recovery. After the grace period expires and no legal hold is in place, the platform owner may initiate a permanent data purge.

Audit trail: Audit trail entries are anonymized (not deleted) when associated investigation data is purged, preserving a record of platform activity without retaining personally identifiable information.

Invitation tokens: Invitation tokens expire forty-eight (48) hours after creation and are automatically invalidated when an investigation is closed. Token hashes are purged with associated investigation data.

9. Your Rights and Choices

9.1 Case Managers

As a Case Manager, you may: access and update your account information through your account settings; download investigation reports at any time while your account is active; permanently delete investigation data from closed investigations using the Platform's data deletion functionality; cancel your subscription at any time through the self-service billing portal; and request deletion of your account by contacting us at support@arvanic.io.

9.2 Participants

As a Participant, you may: view the interview questions and your responses during your active interview session; contact the Case Manager who invited you for questions about your participation; and contact Arvanic at support@arvanic.io with privacy-related concerns. Participants do not have accounts on the Platform and cannot directly access, modify, or delete their interview data. Requests to access, correct, or delete participant data should be directed to the Case Manager who initiated the investigation.

9.3 State Privacy Rights

Residents of certain U.S. states, including California, Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws, may have additional rights regarding their personal information, including the right to know what personal information we collect and how we use it; the right to request deletion of personal information; the right to opt out of the sale or sharing of personal information (Arvanic does not sell or share personal information for cross-context behavioral advertising); and the right to non-discrimination for exercising privacy rights.

To exercise any of these rights, please contact us at support@arvanic.io. We will respond to verifiable requests within the timeframes required by applicable law.

10. Cookies and Similar Technologies

The Platform uses cookies and similar technologies that are strictly necessary for the operation of the Platform, including: authentication cookies to maintain your login session; session cookies to bind participant interview sessions to their browser; and security cookies used by our authentication and rate limiting providers.

We do not use cookies for advertising, behavioral tracking, or cross-site tracking purposes. We do not use third-party analytics cookies. The Platform does not participate in any advertising networks.

11. Children's Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@arvanic.io.

12. International Users

The Platform is operated from the United States. If you are accessing the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate. By using the Platform, you consent to the transfer of your information to the United States and other jurisdictions that may not provide the same level of data protection as your home country.

13. Do Not Track Signals

The Platform does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. We do not engage in cross-site tracking or behavioral advertising.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Platform prior to the changes taking effect. We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes constitutes acceptance of the updated Privacy Policy.

15. Contact Information

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Arvanic LLC
3723 Greenville Ave, Ste 49036
Dallas, TX 75206
Email: support@arvanic.io
Phone: (888) 449-5859