Privacy Policy — Arandek
Version: 1
Quick Summary
If you don’t want to read everything, here’s the essential version:
- We collect: name, email, documents you create, platform usage, and data from services you connect
- Why: to operate the service, carry out the tasks you ask for, and keep things secure
- Who we share with: only necessary technical services (AWS, OpenAI, Anthropic, Google) and when required by law
- What we do NOT do: we do not sell your data, do not use Google data to train AI, and do not do targeted advertising
- Your rights: access, correct, delete, and export — just ask at privacy@arandek.com
- How you control it: cookie, marketing, and integration choices are in Settings
1. Who We Are
SACOLAS DE IDEIAS ATIVIDADES DE INFORMÁTICA LTDA
CNPJ: 41.725.670/0001-52
Address: Praça Garibaldi, nº 74, Azenha, Porto Alegre – RS, CEP 90.050-020, Brazil
Application: Arandek (arandek.com)
General contact: privacy@arandek.com
Data Protection Officer (DPO): privacy@arandek.com
Arandek is the controller of the data you provide — meaning we decide why and how it is used, always within what this Policy describes.
2. What We Collect and Why
2.1 Data you provide
| Action | What we collect | Why |
|---|---|---|
| Create an account | Name, email, password (encrypted), photo | To identify you and allow login |
| Use the platform | Documents, chats, automations, and assistants you create | To store your work and let you access it later |
| Upload files | Spreadsheets, PDFs, images, code | To process the file you sent |
| Connect external services | Data you explicitly authorize via OAuth | To integrate the chosen service with Arandek |
| Pay | Name, billing address, card details | To process payments (card data stays with the provider, not on our servers) |
| Contact support | Email, phone, message content | To answer your question |
2.2 Automatically collected data
| Data | What it is | Why |
|---|---|---|
| IP | Your connection identifier | Security and fraud detection |
| Browser, operating system | Chrome, Safari, Windows, Mac, etc. | To adapt the interface to your device |
| Interactions | Pages visited, clicks, time spent | To understand what works and improve the platform |
| Cookies | Small files in your browser | To keep you logged in and remember preferences |
2.3 Data from services you connect (OAuth)
When you authorize Arandek to access an external service (Google, Slack, Microsoft, Notion, etc.) via OAuth:
- You explicitly authorize which scopes will be accessed
- We access only what you allowed, nothing beyond that
- OAuth tokens are encrypted at rest — your external service password never passes through Arandek
- You can revoke access at any time in Settings > Integrations or in the permissions panel of the service itself
3. Google Data (Gmail, Drive, Calendar, Tasks)
This section describes, specifically and in compliance with the Google API Services User Data Policy, how Arandek handles data received from Google APIs.
3.1 Requested scopes
When you connect your Google account to Arandek, the scopes we may request include:
| Scope | What it is for |
|---|---|
gmail.readonly |
Read emails you asked the assistant to process |
gmail.send |
Send emails on your behalf, always under your explicit instruction |
gmail.modify |
Mark emails as read, move between labels when you ask |
drive.file |
Access only the files you select or that Arandek creates — we do not have access to the rest of your Drive |
calendar.events |
Read and create events when you ask |
tasks |
Manage your tasks in Google Tasks |
userinfo.email / userinfo.profile |
Identify your Google account after login |
You will see the exact list of scopes requested on the Google consent screen before authorizing the connection.
3.2 How we use Google data
We use data received from Google APIs exclusively to provide or improve user-visible functionality within Arandek — that is, to carry out the task you asked the assistant to perform.
3.3 What we do NOT do with Google data
Arandek does not use, transfer, or sell data received from Google APIs for:
- Training, retraining, or fine-tuning AI models (ours or third-party)
- Targeted advertising, retargeting, personalized or interest-based ads
- Sale to data brokers or information resellers
- Credit analysis, scoring, or lending decisions
- Creating third-party databases
- Any purpose unrelated to a functionality you explicitly requested
3.4 Human access to Google data
Data received from Google APIs is processed automatically. Humans on the Arandek team only read this data in the following cases:
- With your express consent (for example, support you requested)
- For security purposes (to investigate abuse, fraud, or policy violations)
- To comply with applicable law or court orders
- In aggregated and anonymized form, for internal metrics
3.5 Sharing and transfer
We do not share Google data with third parties, except:
- Essential infrastructure providers (AWS, Google Cloud) — only to host and process
- When required by law
- With your express consent
3.6 Retention and deletion
- Google data is processed in real time and stored only for as long as necessary to perform the requested task
- OAuth tokens are encrypted at rest
- You may revoke access at any time in:
- Settings > Integrations in Arandek
- myaccount.google.com/permissions
- When revoked, tokens are deleted and any stored Google data is deleted within 30 days
3.7 Limited Use Disclosure
Arandek's use and transfer of information received from Google APIs to any other app will comply with the Google API Services User Data Policy, including the Limited Use requirements.
4. Artificial Intelligence — How It Works
Part of Arandek uses AI models (OpenAI, Anthropic, Google) to process what you type.
4.1 What happens
You type a prompt
↓
Arandek sends it to the AI provider (OpenAI / Anthropic / Google)
↓
Model processes it
↓
Response returns to you
4.2 What is sent to the AI provider
- Your prompt (question/instruction)
- Documents you mentioned
- Files you uploaded for analysis
4.3 What is NOT sent
- Credentials and passwords
- Other users' data
- Data you did not mention in the prompt
4.4 Protection
- Your content does not train global models — other users do not see your work
- Contracts with AI providers require that data is not retained after processing
- Google data is never used to train AI, as stated in section 3.3
- Private mode is available in Enterprise plans (processing on dedicated infrastructure)
4.5 Your responsibility
- Do not send passwords, API keys, or extremely sensitive data in prompts
- Review AI responses before making decisions — models can make mistakes and “hallucinate”
- Test AI outputs before using them in critical environments
5. How We Use Your Data
| Purpose | Legal basis | Details |
|---|---|---|
| Operate the service | Contract performance | Login, storage, automation execution |
| Improve the platform | Legitimate interest | Analysis of aggregated and anonymized data |
| Security | Legal obligation + legitimate interest | Detect hacking, fraud, abuse |
| Operational communication | Contract performance | Security notices, maintenance, updates |
| Marketing | Consent | Newsletter and promotions — you can unsubscribe anytime |
| Legal compliance | Legal obligation | Respond to court orders and investigations |
Google data is used exclusively to operate the service (carry out the task you requested) — not for any of the other purposes above.
6. Who We Share With
6.1 Technical providers (sub-processors)
| Provider | Role | Protection contract |
|---|---|---|
| AWS, Google Cloud | Host servers and data | ✅ DPA signed |
| OpenAI, Anthropic, Google | Process AI prompts | ✅ DPA signed, no retention |
| Stripe, Pagar.me | Process payments | ✅ PCI-DSS |
| Amazon SES, SendGrid | Send transactional emails | ✅ DPA signed |
6.2 Integrations you choose
When you connect Gmail, Slack, Drive, etc., data flows only between you, Arandek, and the chosen service. No data is passed to unauthorized third parties.
6.3 Legal authorities
We may be required to share data in response to a court order. When legally possible, we will notify you first.
6.4 Arandek does NOT sell your data
We do not sell personal data under any circumstances — not Google data, not data from other integrations, and not platform usage data.
7. How You Control Your Data
| Control | Where to find it |
|---|---|
| Unsubscribe from marketing | Link in the footer of any email or Settings > Preferences |
| Disable analytics | Settings > Privacy |
| Manage cookies | Your browser settings |
| Disconnect integrations | Settings > Integrations |
| Revoke Google access | myaccount.google.com/permissions |
| Delete account | Settings > Profile > Close Account |
8. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Active account data | As long as the account exists |
| Data after account deletion | 30 days (recovery period), then deleted |
| Google data | Only during processing of the requested task |
| OAuth tokens | Until you revoke access |
| Financial data | 5 years (legal requirement) |
| Security logs | 6 months |
| Backups | 90 days |
9. Security
- Encrypted communication in transit (TLS 1.2+)
- Data encrypted at rest (AES-256)
- OAuth tokens encrypted at rest
- Role-based access control (RBAC)
- Continuous security monitoring and intrusion detection
- Periodic vendor audits
No system is 100% secure. If a security incident affects your data, we will notify you and the competent authorities as required by LGPD and other applicable laws.
10. Cookies and Tracking
| Type | Required? | Function |
|---|---|---|
| Essential | ✅ Yes | Keep you logged in |
| Preferences | ❌ No | Remember language and theme |
| Analytics | ❌ No | Count visits and clicks in aggregate |
You can block non-essential cookies in your browser settings.
11. Your Rights (LGPD, GDPR, and other applicable laws)
You have the right to:
- Access the data we hold about you
- Correct incomplete or outdated data
- Delete your data (right to be forgotten)
- Export your data in machine-readable format
- Withdraw consent at any time
- Object to processing based on legitimate interest
- Request review of automated decisions
To exercise any of these rights, write to privacy@arandek.com. We respond within 15 days.
12. Children and Adolescents
Arandek is intended for adults 18 and older. We do not intentionally collect data from minors. If you are responsible for a minor and discover they provided data, write to privacy@arandek.com so it can be deleted.
13. International Transfer
Your data may be processed on servers outside Brazil (mainly the United States and the European Union) through the providers listed in section 6.1. All follow international data protection standards (standard contractual clauses, recognized certifications).
14. Changes to This Policy
We may update this Policy from time to time. Relevant changes will be communicated by email and shown in Arandek. The “Last updated” date at the top indicates the current version.
Changes to Google data processing that expand use beyond what is described here will require your new explicit consent before taking effect.
15. Contact
- General email: privacy@arandek.com
- DPO: privacy@arandek.com
- Address: Praça Garibaldi, nº 74, Azenha, Porto Alegre – RS, CEP 90.050-020, Brazil
- Regulatory authority (Brazil): ANPD — National Data Protection Authority
This Policy is available at arandek.com/privacy and the corresponding Terms of Use at arandek.com/terms.