Privacy Policy
Privacy Policy
Effective Date: [Date]
Controller: Aria Coda LLC, a Texas limited liability company.
Aria Coda LLC is committed to data minimization and the protection of your personal information. This Privacy Policy is drafted to meet the stringent standards of the General Data Protection Regulation (GDPR) and applies universally to all users of the Platform.
§1. Data We Collect, Process, and Our Lawful Basis
To comply with global transparency requirements, we process specific categories of data strictly for defined purposes, relying on the following lawful bases:
- Account Data & Active Negotiation Data: For Issuers and Receivers who have accepted our Terms of Use, we process identity and negotiation data on the basis of Contractual Necessity to provide the Platform's core services.
- Invited Receivers & Third-Party Contract Data: We process the personal data of invited Receivers (prior to their acceptance of the Terms) and incidental third parties named within contract bodies (e.g., notice contacts, signatories) on the basis of our Legitimate Interests in facilitating B2B commercial agreements.
- Notice of LIA: A Legitimate Interests Assessment (LIA) is maintained on file. You have the specific right to object to this processing (see §6).
- Indirect Collection (Article 14): For third parties whose data is incidentally collected within contract documents, Aria relies on the exemption under GDPR Article 14(5)(b), as providing individual notice would require disproportionate effort and impair the confidentiality of our users' commercial negotiations.
- Payment Data: Transaction records and account balances (processed by Stripe) are retained to process run fees and manage top-up credits on the basis of Contractual Necessity and Legal Obligation (to comply with applicable tax and accounting laws).
- Technical and Usage Data: IP addresses, basic server logs, and essential session cookies are processed to prevent fraud and ensure the foundational security of the Platform on the basis of our Legitimate Interests. Aria does not use non-essential tracking or analytics cookies.
§2. The AI Negotiation Flow & Data Minimization (ARCH-10)
Aria's architecture enforces strict data minimization to protect your identity during AI processing.
- Role-Labeling: We utilize local role-labeling so structured personal data (names, registered addresses) is never transmitted to our AI model providers. Real party names, addresses, and commercial schedules are reconstituted only within Aria's own secure infrastructure and appear only in the final documents generated for you.
- Residual Data & AI Providers: Residual free-text personal data (such as names or contact details typed into free-text fields) is processed by our third-party AI providers in accordance with their respective data processing terms, subject to limited provider-side retention for abuse monitoring, security, and legal compliance.
§3. Infrastructure & AI Sub-Processors
Aria Coda LLC utilizes essential sub-processors to operate the Platform. We maintain standard Data Processing Agreements (DPAs) with all vendors:
- Infrastructure & Operations: DigitalOcean, LLC (Hosting), SignWell, Inc. (E-signatures), and AC PM, LLC (Transactional email).
- Payment Processing: Stripe, Inc.
- AI Model Providers: Anthropic PBC / Anthropic Ireland Limited, OpenAI OpCo, LLC, and Google LLC (processing for contract negotiation; subject to limited provider-side retention for abuse monitoring, security, and legal compliance, as set out in each provider's data processing terms).
§4. International Data Transfers
Aria Coda LLC is headquartered in the United States. To provide the Platform's automated negotiation services, personal data originating from the European Economic Area (EEA), the United Kingdom (UK), and other global jurisdictions will be transferred to, and processed by, our authorized sub-processors located in the US.
To ensure these cross-border transfers are lawful and maintain a substantially equivalent level of data protection, we implement the following transfer mechanisms:
- EEA and Switzerland: We strictly rely on the European Commission's approved Standard Contractual Clauses (SCCs) for all transfers to US-based sub-processors.
- United Kingdom: We rely on the UK Information Commissioner's Office International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- APAC, Canada, and Other Jurisdictions: We implement comparable-protection measures and execute contractual safeguards as required by applicable regional privacy frameworks (including PIPEDA, the Australian Privacy Act 1988, and the Singapore PDPA).
§5. Data Retention and Deletion
Aria Coda LLC enforces a strict, tiered data minimization protocol designed to protect the legal interests of our users while limiting unnecessary data exposure:
- Account Data & Deliverables: Standard account information and the final, unsigned deliverables generated by the Platform (the finalized draft agreement, redlines, and plain-English summaries) are retained for the active lifespan of your account. Upon account deletion, this data is securely purged within 90 days.
- Working Negotiation Data: To protect your strategic commercial interests, all transient process data—including private negotiating ranges, playbooks, AI prompts, and round-by-round negotiation transcripts—is automatically pruned and permanently deleted 90 days after a negotiation session concludes.
- Transaction Metadata: Core transaction records (such as the database record of the negotiation, user IDs, timestamps, and billing/tax data) are retained for seven (7) years following a completed negotiation to protect Aria's legal interests regarding breach-of-contract limitation periods and service validation.
- Note: Aria does not durably store the finalized, executed contract PDF or the parties' private pre-signing negotiation parameters. If you utilize our optional e-signature integration, final execution and long-term document retention are facilitated directly through our provider (SignWell). If you elect to download the finalized draft for independent execution, Aria retains no record of the ultimately executed agreement.
§6. Your Data Rights & Representatives
Depending on your jurisdiction, you have the right to access, correct, delete, or restrict the processing of your personal data, as well as the right to data portability. To exercise these rights, please contact us at privacy@ariacoda.com.
- Right to Object: You have the explicit right to object to any processing of your personal data that we conduct based on Legitimate Interests.
- Right to Complain: If you are located in the EU or UK, you have the right to lodge a complaint regarding our processing of your personal data with your local data protection supervisory authority.
- EU/UK Article 27 Representative & Singapore DPO: Because Aria Coda LLC is located outside of the EU and UK, we have appointed formal Data Protection Representatives to act as our direct point of contact for data subjects and supervisory authorities.
- EU Representative: [Insert Name, Company, and Contact Details of EU Rep]
- UK Representative: [Insert Name, Company, and Contact Details of UK Rep]
- Singapore DPO: [Insert Name and Contact Details of Singapore DPO]