Privacy Policy and Personal Data Processing1. General Provisions1. This Privacy Policy and Personal Data Processing Policy (hereinafter — the Policy) is developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), as well as applicable legislation of the Republic of Estonia.
2. The Policy defines the procedure for processing personal data and measures to ensure their security undertaken by ARHI. AI OÜ (hereinafter — the Operator).
3. The primary objective of the Operator is to ensure the observance of the rights and freedoms of personal data subjects, including the right to privacy and protection of personal data.
4. This Policy applies to all information that the Operator may obtain about users of the ARHI. AI website and services.
2. Information About the Operator1. Company name: ARHI. AI OÜ
2. Registry code: 17 306 157
3. Legal address: Paekaare tn 40−96, Tallinn, Harjumaa, 13 613, Estonia
4. The Operator independently determines the purposes and means of personal data processing.
3. Definitions1. Personal data — any information relating to an identified or identifiable natural person.
2. Data subject — a natural person whose personal data are processed.
3. Processing of personal data — any operation or set of operations performed on personal data, including collection, storage, use, transfer, restriction, erasure, or destruction.
4. Automated processing — processing of personal data using information technologies.
5. Data Controller (Operator) — a legal entity that determines the purposes and means of personal data processing.
6. Data Processor — a person who processes personal data on behalf of the Operator.
7. Restriction of processing — temporary suspension of personal data processing.
4. Principles of Personal Data ProcessingPersonal data processing is carried out based on the following principles:
1. Lawfulness, fairness, and transparency.
2. Purpose limitation to specific and legitimate purposes.
3. Data minimization — processing only data that are necessary.
4. Accuracy and relevance of personal data.
5. Storage limitation.
6. Integrity and confidentiality.
7. Accountability of the Operator.
5. Purposes of Personal Data ProcessingThe Operator processes personal data for the following purposes:
1. Providing access to website functionality and services.
2. User registration and account management.
3. Fulfillment of contractual obligations.
4. Communication with users, including sending notifications and informational messages.
5. Improving service quality and user experience.
6. Compliance with EU and Estonian legal requirements.
6. Categories of Personal Data ProcessedFor the purposes specified, the following personal data may be processed:
1. First and last name.
2. Email address.
3. Phone number.
4. User account data.
5. Technical data (IP address, browser data, cookies).
6. Other data voluntarily provided by the user.
The Operator does not process special categories of personal data without a separate lawful basis.
7. Legal Grounds for ProcessingPersonal data processing is carried out on the basis of:
1. Consent of the data subject.
2. Necessity for the performance of a contract.
3. Compliance with legal obligations of the Operator.
4. Legitimate interests of the Operator, provided they do not override the rights of the data subject.
8. Retention Periods of Personal Data1. Personal data are stored no longer than necessary to achieve the processing purposes.
2. Upon achievement of the processing purposes, data are erased or anonymized unless otherwise required by law.
3. The user has the right to request erasure of their data in cases provided by GDPR.
9. Transfer of Personal Data to Third Parties1. Personal data may be transferred to third parties only to the extent necessary to achieve processing purposes.
2. Transfers are carried out to data processors under data processing agreements.
3. Cross-border transfers outside the EU are permitted only with appropriate safeguards provided by GDPR.
10. Processing of User Content by Third-Party AI Services1. In the course of providing the Service, user-submitted content — including text queries, uploaded files, images, and audio — is transmitted to the following third-party AI service providers for the purpose of generating responses:
- OpenAI (OpenAI, L.L.C.) — text and content generation
- Anthropic (Anthropic, PBC) — text and content generation
- OpenRouter (OpenRouter, Inc.) — AI model routing and response generation
- Pollo.ai (COCOSOFT TECHNOLOGY PTE. LTD.) — image and media generation
2. Data transmitted to AI service providers is used solely for the purpose of generating a response to the user's request. This data is not used for model training, advertising, or sale to third parties.
3. Data retention periods for AI service providers:
- OpenAI API: up to 30 days for abuse monitoring, then permanently deleted
- Anthropic API: temporarily retained for safety monitoring, then deleted
- OpenRouter API: retained only for the duration of request processing and operational logging
- Pollo.ai API: retained only for the duration of request processing
4. Chat history is stored on the Operator's servers to enable cross-device access. Users may delete their chat history at any time through the application settings.
5. The Operator does not specifically collect, request, or process health data. The Service is not a medical device and is not intended for medical diagnosis or treatment. Users are advised to consult qualified healthcare professionals before making any health-related decisions.
6. By accepting this Privacy Policy and using the Service, the User expressly consents to the transmission of their user-submitted content to the third-party AI service providers listed above.
11. Rights of Personal Data SubjectsThe data subject has the right to:
1. Obtain information about the processing of their personal data.
2. Access their personal data.
3. Request correction of inaccurate data.
4. Request erasure of personal data.
5. Restrict processing of personal data.
6. Object to personal data processing.
7. Data portability.
8. Withdraw consent at any time.
9. Lodge a complaint with a data protection supervisory authority.
12. Personal Data Protection MeasuresThe Operator applies necessary technical and organizational measures to protect personal data from:
1. Unauthorized access.
2. Loss, alteration, or destruction.
3. Unlawful disclosure.
13. Final Provisions1. This Policy is valid indefinitely until replaced by a new version.
2. The Operator has the right to amend this Policy in case of changes in legislation or business processes.
3. The current version of the Policy is subject to publication on the Operator’s website.