ariyes

Privacy Policy

Effective date: 1 January 2026

This Privacy Policy explains how Ariyes Lda (“Ariyes”, “we”, “us”) collects, uses, and shares personal data when you visit our websites, create an account, or use the Ariyes platform (the “Service”).

Two roles. For personal data about our own users and website visitors, Ariyes acts as a controller, and this Policy applies. For personal data that our customers upload or process through the Service about their own contacts and end users (“Customer Data”), Ariyes acts as a processoron the customer’s behalf - that processing is governed by our Data Processing Addendum, and the customer’s own privacy policy applies to those individuals.

1. Personal data we collect

Information you provide. Account details (name and email address), workspace and company information, billing and payment details (processed by our payment processor, Stripe, we do not store full card numbers), support requests, and anything you choose to send us. Ariyes uses passwordless sign-in, an email “magic link” or Google sign-in, so we do not store account passwords.

Information we collect automatically. Log and device data (IP address, browser, device identifiers), usage data (features used, actions taken), and cookies and similar technologies used to keep you signed in, remember preferences, and understand product usage.

Customer Data. When you use the Service, you submit data about your contacts and recipients (such as names, email addresses, phone numbers, message content, and support tickets). We process this as a processor on your behalf; see the DPA.

2. How we use personal data

We use personal data to: provide, operate, secure, and improve the Service; authenticate users and manage accounts (including via Google sign-in and email magic links); process payments; provide customer support; send service and transactional communications; send marketing about our own products where permitted (you can opt out); detect, prevent, and investigate fraud, abuse, and security incidents (including error and performance monitoring); and comply with legal obligations.

3. Legal bases (EEA/UK)

Where GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, improve, and market our products, balanced against your rights); consent (for certain cookies and marketing, which you can withdraw); and legal obligation (for tax, accounting, and compliance).

4. Cookies and analytics

We use a small set of strictly necessary, first-party cookies to sign you in, keep your session secure (CSRF protection), and remember your active workspace. Your light/dark theme preference is stored locally in your browser, not in a cookie. On our public website, if you consent, we also use analytics cookies - Google Analytics 4 and Google Tag Manager (Google) and Microsoft Clarity (Microsoft) - to understand how visitors use our pages and improve them; these load only after you accept our cookie banner and are not used in the signed-in product. We do notuse third-party advertising cookies and we do not sell data to advertisers. You can accept or reject analytics at any time via “Manage cookies” in the footer. For the full list of cookies and their purposes, see our Cookie Policy.

5. How we share personal data

We share personal data with:

  • Sub-processors and service providers who help us run the Service. These currently include Stripe (payments), Mailgun and AWS SES (email delivery), SendGrid (email event processing), Twilio (SMS and WhatsApp messaging), Chatwoot (optional chat/support integration), Google (Google sign-in and, where you connect a Gmail mailbox, email integration), Sentry (error and performance monitoring), and our cloud hosting and object-storage providers. A current, itemized list is maintained in our DPA and available on request.
  • Website analytics providers (public website only, and only if you consent): Google (Google Analytics 4 and Google Tag Manager) and Microsoft (Clarity).
  • Professional advisors (legal, accounting) under confidentiality.
  • Authorities where required by law or to protect rights, safety, and the integrity of the Service.
  • In a corporate transaction (merger, acquisition, or asset sale), subject to this Policy.

We do not sell personal data.

6. International transfers

Our primary application hosting and email delivery are located in the EU (Frankfurt region). We may still transfer and process personal data in other countries where our sub-processors operate (for example, certain US-based providers). Where we transfer personal data out of the EEA or UK, we use appropriate safeguards such as Standard Contractual Clauses or an equivalent approved mechanism.

7. Retention

We keep personal data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. For account data, we generally delete or anonymize it within [30] days after account closure, subject to legal retention requirements. Customer Data retention is governed by the DPA and your instructions.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, or receive a copy of your personal data, to object to or restrict processing, and to withdraw consent. EEA/UK residents may lodge a complaint with a supervisory authority. California residents have rights under the CCPA/CPRA, including to know, delete, correct, and opt out of “sharing” for cross-context behavioral advertising; we do not sell personal data. To exercise your rights, contact [email protected]. If your request concerns Customer Data held by one of our customers, we will refer you to that customer as the controller.

9. Security

We maintain administrative, technical, and organizational measures designed to protect personal data, including encryption in transit and at rest, access controls, and tenant isolation. See our Security page. No method of transmission or storage is completely secure.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal data.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or in-product notice, and the “Effective date” above will be updated.

12. Contact

Controller: Ariyes Lda, Lisbon, Portugal (company registration no. 99102561). Privacy contact: [email protected]. Ariyes is established in the EU (Portugal); we have not appointed a Data Protection Officer, and an Article 27 EU representative is not required. Our lead supervisory authority is Portugal’s Comissão Nacional de Proteção de Dados (CNPD), and EEA residents may also lodge a complaint with their local authority.