This Privacy Policy describes how Raised Beef AI, LLC ("Arbor", "we", "us") collects, uses, and shares personal information when you visit our website, sign up for an account, use the Arbor application, or interact with us in any other way.
For Customer Data we process on behalf of an organization (e.g. instructor records, training records uploaded by your hospital's training department), we act as a processor under that organization's instructions, governed by the Data Processing Addendum. This Policy primarily describes the personal information we collect as a controller — for example, your email address when you create an account, or analytics about how you use our marketing site.
1. Information we collect
1.1 Information you give us
- Account information: name, email address, password (hashed via Supabase Auth's bcrypt), profile photo if provided, phone number if provided.
- Organization details: organization name, slug, role (manager, instructor, viewer, agency_admin), workspace preset, and (for agencies) billing contact, bill-to address, payment terms.
- Communications: messages you send via support, sales inquiries, replies to invitation emails, and similar.
- Customer Data you upload: instructor records, classes, training records, project plans, allocations, files. As described above, we process these as a processor on your organization's behalf.
1.2 Information we collect automatically
- Device and usage: IP address, browser type and version, operating system, timestamps, pages visited within the Service, features used. Captured via Vercel edge logs and our application's audit_log table.
- Cookies: session cookies (necessary for authentication), preference cookies, and — only with your consent — analytics cookies. See the Cookie Policy.
1.3 Information from third parties
If you sign in via SSO, we receive identity attributes (email, name) from your organization's identity provider (e.g. AzureAD, Okta, Google Workspace). If your organization is provisioned by a reseller agency, we receive your initial role and membership from that agency.
2. How we use information
- To provide, maintain, and improve the Service.
- To authenticate users, gate access to organizational resources, and enforce roles.
- To send transactional email (invitations, password resets, billing) via Resend.
- To respond to support requests and communicate about your account.
- To detect, prevent, and respond to security incidents, abuse, and violations of the Acceptable Use Policy.
- To comply with legal obligations and enforce our agreements.
- With your consent, for analytics that help us understand product usage and improve UX.
3. Legal bases for processing (GDPR)
For users in the European Economic Area, United Kingdom, or Switzerland, our legal bases are: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to operate, secure, and improve the Service; (c) consent — for non-essential cookies and any marketing communications; (d) legal obligation — when required to comply with applicable law.
4. How we share information
We do not sell personal information. We share it only with:
- Subprocessors that help us operate the Service (Supabase, Vercel, Resend, Drata, GitHub). The full list and what each receives is at /legal/subprocessors. All subprocessors are bound by contract to protect personal information.
- Within your organization: data uploaded by one Authorized User is visible to other Authorized Users in the same organization based on their role.
- To your reseller agency, if your organization is a Client Org under an agency: the agency_admin can see your organization name, seat counts, and billing-related metadata. They cannot see Customer Data inside your organization unless explicitly added as a manager.
- For legal reasons: when we believe in good faith disclosure is required by law, valid legal process, or to protect rights, property, or safety.
- In a business transaction: in connection with a merger, acquisition, or sale of assets, with notice to you and your right to object where required by law.
5. International transfers
Customer Data and personal information are stored in Supabase's and Vercel's US infrastructure regions by default. If you are in the EEA / UK / Switzerland, your data may be transferred to the United States. Where required, transfers rely on the EU Standard Contractual Clauses (incorporated by reference in our DPA) and applicable supplementary measures.
6. Data retention
Customer Data is retained for the duration of your account plus 30 days post-termination (during which you can export). Audit log entries default to 5 years (configurable per-organization to a minimum of 30 days). Account-level personal information is retained while the account is active and for a reasonable period thereafter to satisfy legal, accounting, or reporting requirements.
7. Your rights
Depending on your location, you may have the right to access, correct, delete, restrict, or port your personal information; to object to processing; and to withdraw consent. To exercise any of these rights, contact privacy@arbor.app. We will respond within the period required by applicable law (typically 30 days). You also have the right to lodge a complaint with your local data protection authority.
Where we process personal information as a processor on behalf of your organization (e.g. records inside your training database), please direct rights requests to your organization's administrator first; we will assist them in fulfilling your request.
8. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, contact privacy@arbor.app.
9. Security
We maintain administrative, physical, and technical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure. Highlights: encryption in transit (TLS 1.2+) and at rest (Supabase managed encryption), Row-Level Security on every tenant table, audit logging, SAML SSO support, custom-domain TLS via Vercel, dependency scanning via GitHub Dependabot, and a documented incident-response runbook. Our SOC 2 Type II program is managed via Drata.
10. Contact
For privacy questions, requests, or complaints, contact our privacy team at privacy@arbor.app or our data protection officer at dpo@arbor.app. Postal: [Configure ARBOR_LEGAL_ADDRESS].
11. Changes
We will notify you of material changes by email or in-product notice at least 30 days before they take effect, and will update the version date at the top of this page.