ARITHA — Privacy Policy
Controller: ARITHA LLC, a Wyoming limited liability company, with operations conducted remotely from New Jersey, USA ("ARITHA," "we," "us," "our"). Product: ARITHA, an AI job-search assistant, at aritha.com and aritha.ai. Privacy contact: privacy@aritha.com. Data Protection Officer (NDPA / Quebec Law 25): dpo@aritha.com. Effective date: June 8, 2026. Version: 1.0. Last updated: June 8, 2026.
This Policy is recorded against each user's consent. A material change increments the version and, where required, triggers renewed consent.
1. Scope and who this applies to
This Policy explains how ARITHA handles personal data of: people who create an account and upload a résumé ("Users"); visitors to our websites; and individuals whose data a business customer processes through ARITHA (governed additionally by our Data Processing Agreement). It applies to Users in the United States, the European Union/EEA, the United Kingdom, Nigeria, and Canada (including Quebec). We apply the protections of the EU GDPR, UK GDPR, the Nigeria Data Protection Act 2023 ("NDPA"), Canada's PIPEDA and Quebec's Law 25, and applicable U.S. state privacy laws to the relevant Users.
2. The personal data we collect
| Category | Examples |
|---|---|
| Account & identity (via our auth provider, Clerk) | Name, email address, authentication identifiers. |
| Your résumé and profile — our most sensitive category | The résumé file(s) you upload and the structured profile we extract: name, contact details, employment history, education, skills, certifications and similar career information ("Profile Data"). |
| Job preferences | Target titles, locations/countries, salary expectations, work-model and other search settings. |
| Application data | Tailored résumés and cover letters ARITHA generates for you, jobs you queue or submit, and outcomes you record. |
| Usage & device data | Log data, IP address, basic device/browser information, and — only with your consent — product-analytics events. |
| Payment data (paid plans) | Handled by our payment processor (Stripe). We do not store full card numbers. |
Sensitive data. We do not intentionally collect special-category/sensitive data (e.g., health, religion, biometric, race). Please do not include such data in your résumé unless necessary; if you do, you instruct and authorize us to process it to provide the service.
3. How we use Artificial Intelligence — and where your data goes
ARITHA's core features (matching you to jobs, scoring fit, and generating tailored résumés and cover letters) use large language models (LLMs). To provide these features, your résumé text, extracted Profile Data, and the relevant job descriptions are transmitted to third-party AI processors that run these models on our behalf and under contract:
| AI processor | What we send | Purpose |
|---|---|---|
| Anthropic (Claude) | Profile Data + job description | Generating tailored résumé / cover-letter materials |
Groq (incl. models such as Llama and openai/gpt-oss-120b) | Profile Data + job description | Job-fit scoring; résumé parsing fallback |
| Parsing pipeline | Résumé text | Extracting structured Profile Data |
Our commitments. These processors act only on our instructions; they are contractually prohibited from using your data to train their own foundation models. We transmit only the data needed for the requested feature. We do not sell your personal data and we do not use it for third-party advertising. If we move this processing to a self-hosted model in future, we will update this section and your data will no longer be sent to these third parties.
4. Why we process your data (lawful bases)
- Contract (GDPR/UK GDPR Art. 6(1)(b); NDPA s.25(1)(b); PIPEDA/Law 25 consent): to provide the service — account, parsing, matching, scoring, and generating materials.
- Consent (GDPR Art. 6(1)(a); NDPA s.25(1)(a); Law 25 art. 14): for optional analytics cookies and any optional features; you may withdraw consent at any time.
- Legitimate interests (GDPR Art. 6(1)(f); NDPA s.25(1)(f)): to secure, debug and improve the service, prevent abuse, and send service messages — balanced against your rights.
- Legal obligation: to comply with law, lawful requests, and tax/accounting for paid plans.
5. Who we share data with (processors and recipients)
We use the following service providers ("sub-processors") strictly to operate ARITHA. A current list is maintained at aritha.com/subprocessors; material additions are notified per §12.
| Provider | Role | Region |
|---|---|---|
| Clerk | Authentication | USA |
| Supabase | Database & file storage | USA (AWS us-east-1) |
| Vercel | Application hosting | USA |
| Amazon Web Services (EC2) | Compute / processing pipeline | USA |
| Resend | Transactional email (aria@aritha.ai) | USA |
| Anthropic; Groq | AI processing (see §3) | USA |
| Stripe | Payment processing (paid plans) | USA |
| PostHog | Product analytics (loads only with consent) | USA/EU |
Job listings. ARITHA retrieves job postings from third-party sources through their official, authorized partner programs, APIs or licensed feeds (for example LinkedIn, Indeed, ZipRecruiter, Amazon and similar career sites, and aggregator feeds). We do not send these sources your résumé. If you choose to apply on an employer or applicant-tracking-system (ATS) site, the data you submit there is governed by that site's own privacy policy.
We may also disclose data to comply with law, enforce our Terms, protect rights and safety, or in connection with a corporate transaction (with notice where required). We do not sell personal data.
6. International data transfers
ARITHA is operated from, and stores data in, the United States. If you are in the EU/EEA, UK, Nigeria, or Canada, your data is transferred to and processed in the U.S. and by the providers above. Where required, we rely on appropriate safeguards:
- EU/EEA & UK: the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supported by a transfer impact assessment; where a U.S. recipient is self-certified under the EU–U.S. Data Privacy Framework we may also rely on it, with SCCs maintained as the backstop.
- Nigeria (NDPA Part VIII): transfers are made on an adequacy decision of the NDPC where available, otherwise on appropriate safeguards or a permitted derogation (including your explicit, informed consent and contractual necessity).
- Canada (Quebec Law 25): before transferring personal information outside Quebec we conduct a privacy impact assessment confirming the information receives adequate protection.
You may request details of the safeguards used by contacting privacy@aritha.com.
7. Your rights
Subject to applicable law, you may: access your data; correct inaccurate data; delete your data (erasure); export/port your data in a machine-readable format; object to or restrict certain processing; withdraw consent; and, in Canada and the EU/UK, obtain human review of solely automated decisions (see §8). In ARITHA you can export your data and delete your account from Settings, or contact privacy@aritha.com. We respond within the timeframes the law requires (generally without undue delay and within one month under GDPR/NDPA; within 30 days under PIPEDA/Law 25). You may also complain to your regulator: the NDPC (Nigeria, ndpc.gov.ng); your EU/EEA or UK data-protection authority; the Office of the Privacy Commissioner of Canada (priv.gc.ca); or the Commission d'accès à l'information du Québec.
8. Automated decision-making and AI transparency
ARITHA uses automated processing to score job-fit and generate draft application materials. These outputs are decision-support tools that you review and control; ARITHA does not make legally or similarly significant decisions about you (such as hiring) on a solely automated basis — employers make hiring decisions. Where required by GDPR Art. 22, the NDPA, or Quebec Law 25, you have the right to be informed of the automated processing, to make observations, to obtain meaningful human review, and to contest a relevant decision. Contact dpo@aritha.com.
9. Data retention
- Résumés / Profile Data: retained while your account is active; on deletion, soft-deleted then permanently purged (currently within ~30 days).
- Job-match catalog: postings retained for a limited window (currently up to 30 days) and then removed.
- Application records & outcomes: retained while your account is active to power your tracker and improve matching.
- Account/billing records: retained as required for legal, tax and accounting purposes after closure.
Breach records are retained for at least 24 months where required (e.g., PIPEDA). Full detail is in our internal retention schedule.
10. Security
We protect personal data using encryption in transit, access controls, scoped service credentials, least-privilege practices, logging, and a documented breach-response process. Our information-security program is designed to align with the AICPA SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), and we are working toward a SOC 2 Type II examination. No system is perfectly secure. We will notify the relevant authority — and affected individuals where required — within 72 hours of becoming aware of a notifiable breach, consistent with GDPR Arts. 33–34 and the NDPA, and without undue delay under PIPEDA (real risk of significant harm) and Quebec Law 25.
11. Children
ARITHA is intended for adults and is not directed to children under 18. We do not knowingly collect data from children. If you believe a child has provided data, contact privacy@aritha.com for deletion.
12. Changes to this Policy
We may update this Policy. Material changes are notified in-app and/or by email, the version string is incremented, and where the change affects the basis on which we process your data we will request your renewed consent before continued use.
13. Cookies
See our separate Cookie Notice for essential vs. optional cookies and how to manage them.
14. Region-specific notices
14.1 EU/EEA & UK
Our lawful bases are set out in §4. You have the rights in §7 and may lodge a complaint with your supervisory authority. If we are required to appoint an EU/UK Article 27 representative, the appointment will be published here.
14.2 Nigeria (NDPA 2023)
As ARITHA grows it will cross NDPA thresholds. Once it processes the personal data of more than 200 Nigerian data subjects within six months it becomes a Data Controller of Major Importance, must register with the NDPC within six months and appoint a Data Protection Officer; under the NDPC General Application and Implementation Directive 2025, higher-tier controllers (scaling toward 10,000+ data subjects) must also file compliance audit returns through an NDPC-accredited Data Protection Compliance Organisation. Our DPO contact is dpo@aritha.com.
14.3 Canada (PIPEDA & Quebec Law 25)
We process Canadian personal information under PIPEDA and, for Quebec residents, Law 25. Our Privacy Officer (dpo@aritha.com) is accountable for compliance, handles access/correction requests, and oversees breach assessment and cross-border transfer assessments. We report breaches posing a real risk of significant harm to the Office of the Privacy Commissioner of Canada and, in Quebec, to the Commission d'accès à l'information, and notify affected individuals.
14.4 United States
Where state privacy laws apply (e.g., California CCPA/CPRA), eligible residents may exercise access, deletion, correction, and opt-out rights, and will not be discriminated against for doing so. We do not sell personal data or share it for cross-context behavioral advertising. Submit requests to privacy@aritha.com.
15. Contact
Privacy enquiries: privacy@aritha.com. DPO / Quebec Privacy Officer / NDPA matters: dpo@aritha.com. Postal address available on request. ARITHA LLC is organized under the laws of the State of Wyoming, USA.
© 2026 ARITHA LLC. This Policy forms part of, and should be read with, the ARITHA Terms of Service, Cookie Notice, and (for business customers) the Data Processing Agreement.