Privacy Policy

Effective: January 2, 2026
Last Updated: March 22, 2026

CT Software, LLC ("we," "us," or "our") operates Arcova, a security workforce management platform. This Privacy Policy describes how we collect, use, store, and protect information when you use our web application, mobile application, and related services (collectively, the "Service").

This policy applies to all Service portals, including:

  • Main administration web application
  • Employee mobile app (native iOS/Android builds and web/PWA experience)
  • Client portal
  • Training school portal (student and instructor access)
  • Community portal
  • Visitor management portal

This Service is designed for business use by security companies and their personnel. Data access depends on user type (administrator, employee, client user, student, instructor, community user, or visitor) and assigned organization/location. By using the Service, you agree to the practices described in this policy.

Data Controller and Processor Roles

When security companies use Arcova to manage their workforce, the security company is the data controller — they determine why and how employee and operational data is processed. Arcova acts as a data processor — we process data on behalf of the security company according to their instructions and our agreement. If you are an employee, guard, or other end user whose employer uses Arcova, your employer is primarily responsible for how your data is handled. For questions about your personal data, contact your employer first. For questions about Arcova's data practices, contact [email protected].

1. Information We Collect

We collect different types of information depending on your role in the system:

1.1 Account and Authentication Data

Collected when accounts are created, during login, or when using security features:

  • Identifiers: Name, email address (varies by user type)
  • Authentication Data: Password (stored hashed), password reset tokens, "remember me" tokens
  • Security Data: Optional two-factor authentication secret and confirmation timestamps
  • Account Status: Email verification timestamps, last login, lockout counters/timers, suspension flags
  • API Authentication: Personal access tokens with expiry (for mobile/API access)

1.2 User Types and Portal-Specific Data

  • Administrator Users: Name, email, phone number, job title, department, role permissions
  • Employee Users: Name, email, device tokens for push notifications, API tokens
  • Client Portal Users: Name, email, portal access permissions, associated client organization
  • Training Students: Name, email, enrollment records, course progress, certificates
  • Instructors: Name, email, credentials, course assignments
  • Community Users: Name, email, unit/property association, access permissions
  • Visitor Users: Name, contact information, visit records, access logs

1.3 Employee Records (HR/Personnel Data)

When employers add employees to the system, the following information may be collected:

  • Personal Identification: Full name (first/middle/last/preferred), date of birth, gender, nationality, marital status
  • Contact Information: Personal/work email, mobile/home/work phone numbers, home and mailing addresses
  • Emergency Contacts: Names, relationships, phone numbers, email addresses, and addresses
  • Employment Information: Employee code, hire date, position, department, employment type and status
  • Compensation Data: Hourly rate, salary, pay frequency (visible only to authorized personnel)
  • Background Check Status: Completion flag, date, status, notes (not the underlying reports)
  • Professional Credentials: License numbers, certifications, permit information, expiration dates
  • Notes: Free-text notes fields for HR purposes

1.4 Client and Site Information

  • Client Organizations: Names, addresses, primary email/phone, industry, tax ID (if provided), tags, notes, metadata
  • Client Contacts: Names, titles, departments, emails, phone numbers, notification preferences
  • Sites: Addresses, GPS coordinates (latitude/longitude), operating hours, security requirements, emergency procedures
  • Geofence Settings: Whether geofence is enabled, allowed radius, enforcement flags for clock-in/out
  • Billing Information: Billing contacts and payment details

1.5 Location and Device Data

Collected to support scheduling, geofencing, supervisor timekeeping, emergency alerts, and operational reporting:

  • GPS Coordinates: Collected when employees clock in/out, supervisors record timekeeping actions on behalf of employees, users submit reports, users trigger emergency alerts, users scan checkpoints, or clocked-in mobile users keep the app open for foreground location pings (when the feature is used and the device provides it)
  • Clock Location Pings: Stored foreground GPS updates captured while an employee is clocked in and the mobile app is open, used for supervisor/dispatch visibility, geofence and timekeeping records, patrol proof trails, safety context, and billing or dispute support
  • Geofence Validation: Whether user was within allowed range and measured distance
  • IP Address and User Agent: Browser/device information for sessions and audit logs
  • Device Identifiers: Some mobile features store device/app metadata (e.g., checkpoint scans)

Location data is collected only during work-related activities and is used to verify attendance, store clocked-in location pings, support supervisor timekeeping, support emergency alert dispatch, and document patrol/report activity. The mobile app does not track location in the background.

1.6 Operational and Security Operations Data

  • Schedules and Shifts: Shift times, assignments, notes, approvals
  • Time Entries: Clock-in/out times, break times, late/variance info, approval metadata
  • Incident Reports: Narrative, timestamps, location description, GPS coordinates, law enforcement fields, injury/property-damage fields, review/approval status, legal-hold flags
  • Activity Reports/Run Sheets: Notes, patrol areas, checkpoint data, GPS coordinates, approvals
  • Dispatch Records: Call information, assignments, response times
  • Messaging: Conversations, message content, attachments metadata, read receipts, message access requests and logs
  • Vehicle/Fleet Data: Assignments, inspections, fuel logs, maintenance records

1.7 Documents and Media

  • Uploaded Documents: Credentials, certificates, contracts (stored with filename, MIME type, size, optional encryption flag)
  • Operational Media: Incident photos, activity media, run sheet media, work order attachments, message attachments
  • EXIF Metadata: For uploaded images, EXIF metadata may be extracted when available (GPS coordinates, timestamps)
  • Profile Photos: Optional user profile images
  • Access Logs: Document access is logged for audit purposes

1.8 Payment and Billing Data

When billing features are enabled:

  • Billing Customers: Name, email, phone, billing address, currency, status
  • Invoices: Invoice numbers, line items, amounts, due dates, status, gateway metadata
  • Payments/Refunds: Amounts, dates, statuses, gateway IDs, failure reasons, fee calculations

Payment card details are handled by Stripe's payment UI (Stripe Elements) and are not stored in our application database. Card data goes directly to Stripe.

1.9 On-Device Storage (Web/PWA and Native Mobile)

When using the web/PWA or native mobile app, the Service may store limited data on your device:

  • Service Worker Cache: Certain responses and static assets are cached for offline availability in supported web/PWA environments
  • Offline Queues: Pending clock actions, supervisor actions, reports, and other queued sync items may be stored locally on-device (including timestamps and, where applicable, GPS coordinates) until they sync successfully or are cleared
  • Secure Session Storage: Native mobile builds may store session tokens, cached status data, theme preferences, and offline queue state using secure on-device storage provided by the operating system or application framework
  • Cache Clearing: The app attempts to clear applicable caches, secure tokens, and offline queues on logout, but device-level storage behavior can vary by platform and browser

1.10 AI Assistant Data (IRIS)

When AI features are enabled and used:

  • Knowledge Base: SOP content processed into searchable items with versioning and processing status
  • Embeddings: Vector embeddings and the text content used to generate them (for semantic search)
  • Query Logs: Query text, response text, matched sources, model used, token counts, response time
  • Chat Sessions: Full user/assistant messages, session IDs, tool-call metadata and results
  • Feedback: Helpfulness ratings and feedback responses (some stored anonymously for aggregation)

1.11 Technical and Usage Data

  • IP addresses and browser/device information (user agent)
  • Login timestamps and session information (encrypted, stored in Redis or database)
  • Feature usage patterns for service improvement
  • Error logs for troubleshooting
  • Performance telemetry (trimmed after configured retention period)

For detailed information about cookies, local storage, and service workers used by the application, see our Cookie and Local Storage Policy.

2. How We Use Information

2.1 Service Operations

  • Provide authentication and account management across all portals
  • Manage organizations, locations, employees, clients, sites, schedules, and workflows
  • Enforce geofencing/clock-in/out policies and support timekeeping
  • Store foreground clocked-in location pings for supervisor/dispatch visibility, safety, patrol verification, and dispute support
  • Create, review, and manage operational reports (incidents, activity, run sheets)
  • Process billing, invoicing, and payments
  • Verify credential compliance and expiration tracking
  • Manage fleet and asset assignments

2.2 Communications

  • Provide messaging and notifications (in-app, email, push, real-time updates)
  • Send transactional emails (password resets, shift notifications, credential alerts, invoices)
  • Deliver push notifications for time-sensitive updates
  • Provide system announcements and service updates

2.3 AI Features

  • Knowledge search across SOPs, policies, and procedures
  • Report-writing assistance by analyzing report content
  • SOP generation from descriptions and interview answers
  • Analytics on IRIS usage to identify knowledge gaps

2.4 Security and Compliance

  • Verify employee identity and attendance through geofence validation
  • Maintain audit logs for accountability and compliance
  • Investigate security incidents or policy violations
  • Enforce access controls and data segregation between organizations
  • Prevent abuse and unauthorized access

3. How We Share Information

3.1 Within Your Organization

The Service is role-based. Information is shared with authorized users within your organization based on their role and permissions. Administrators can view employee data; supervisors can view their team's schedules and time records; employees can view their own information.

3.2 With Client Organizations

Security companies using our platform may share limited operational data with their clients through the client portal, including shift coverage information, incident reports, and activity summaries as configured by the security company.

3.3 Service Providers

We require service providers and subprocessors that handle personal data on our behalf to use appropriate technical and organizational safeguards and to protect that data with the same or equivalent privacy and security protections described in this policy.

Our Data Processing Agreement (DPA) governs how we process personal data on behalf of our customers. A current list of subprocessors is maintained at arcovaos.com/subprocessors. The full DPA is available at arcovaos.com/dpa.

We use the following categories of service providers (category, purpose, and data shared):

  • OpenAI API (Business Account): Powers IRIS agent operations (reasoning, tool routing, responses). Data shared: masked prompts, tool context, and outputs needed for inference
  • OpenRouter: Generates embeddings for IRIS knowledge retrieval (see Section 7.5). Data shared: knowledge-base text submitted for embedding, masked as described in Section 3.4
  • Payment Processing (Stripe): Handles payments and connected accounts. Data shared: billing info and payment amounts; card data is handled by Stripe directly and never passes through our servers
  • Email Delivery: Sends transactional emails. Data shared: recipient email addresses, email content
  • Cloud Storage: Stores uploaded documents. Data shared: document files (encrypted at the file level when the uploader selects that option)
  • VPS Hosting: Server infrastructure. Data shared: all application data (encrypted in transit)
  • Push Notifications: Delivers mobile/web alerts. Data shared: device tokens, notification content
  • Maps & Geocoding: Displays maps and geocodes addresses. Data shared: address text for geocoding, map tile requests

3.4 AI Data Processing

Important: Before any data is sent to AI service providers, we automatically detect personally identifiable information (names, phone numbers, email addresses, etc.) and replace it with placeholder tokens. The mapping from tokens back to real values stays on our side; the AI provider processes only the pseudonymized query, and we restore the original values only when displaying results to authorized users. The AI provider therefore receives placeholder tokens rather than the underlying personal information.

IRIS agent operations are processed directly through the OpenAI API under our business account. Per OpenAI's business data commitments, OpenAI does not train its models on our API business data by default. OpenAI may retain API data for abuse and misuse monitoring for up to 30 days and then delete it, unless retention is required by law. See OpenAI Enterprise Privacy and OpenAI API data controls.

3.5 Legal Requirements

We may disclose information when required to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to lawful requests from public authorities
  • Protect our rights, privacy, safety, or property
  • Enforce our terms of service

The Service includes legal-hold flags for certain incident records to support legal discovery and compliance requirements.

3.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of personal information.

3.7 No Sale of Personal Information

We do not sell personal information or share it for third-party advertising or marketing purposes.

4. Data Retention

4.1 Short-Lived / Technical Data

  • Offline Queues (Device): Retained until synced or user clears (app attempts to clear on login/logout)
  • Service Worker Caches: Retained until cleared/evicted by browser
  • AI Chat Context: Stored with time limit (TTL) for conversation continuity
  • Sessions: Expire based on configured session lifetime
  • API Tokens: Configured to expire (default 7 days)
  • Performance Telemetry: Trimmed on configured schedule (e.g., 7 days)
  • OpenAI API Abuse Monitoring Logs (Provider-Side): Retained for up to 30 days, then deleted by OpenAI (subject to legal obligations)

4.2 Business Records

  • Active Accounts: Data retained while the account remains active
  • Employee Records: Retained according to your organization's policies and applicable labor law requirements
  • Operational Records: Incident reports, time records, schedules, messages, documents, and billing records retained until authorized user deletes/archives them
  • AI Interaction Logs: Retained to improve service quality and identify knowledge gaps
  • Audit Logs: Retained for security and compliance purposes

4.3 Soft Deletes

When data is deleted, many records are initially "soft deleted" (marked as deleted but retained in the database) before permanent removal. This allows for recovery in case of accidental deletion and supports legal hold requirements. Soft-deleted records may remain until permanently purged according to your organization's data retention policies.

5. Security Measures

We implement multiple layers of security to protect your information:

5.1 Access Controls

  • Role-based permissions limiting data access to authorized personnel
  • Multi-tenant architecture ensuring complete data isolation between organizations
  • Per-portal authentication guards for different user types
  • Two-factor authentication (2FA) available for applicable user accounts
  • Account lockout protection against brute force attacks
  • Session management with automatic timeout

5.2 Encryption

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Passwords hashed using bcrypt algorithm
  • Two-factor authentication secrets encrypted at rest
  • Session data encrypted (payload encryption enabled)
  • Sensitive messages encrypted in the database
  • Optional file-level encryption for uploads (when selected by uploader)
  • Stripe webhook signature verification for payment security

5.3 Monitoring and Auditing

  • Comprehensive audit logging of security-relevant events
  • Document access logs tracking who accessed what files
  • Message access requests and approval logs
  • Login attempt monitoring and anomaly detection
  • Billing audit logs
  • Activity tracking for accountability

6. User Rights and Choices

6.1 Access Your Information

Users can view their own profile information, schedules, time records, and other personal data through the application interface. What you can view depends on your portal and role.

6.2 Update Your Information

Users can update certain profile information directly (e.g., contact details, passwords). For other data changes, contact your organization's administrator.

6.3 Location Permissions

Some features, including clock-in/out, supervisor timekeeping, certain reports, and emergency alerts, require device GPS coordinates. When an employee is clocked in and the native mobile app is open, Arcova may store foreground location pings for workforce operations; these pings stop when the app is backgrounded, the employee is logged out, location permission is denied, or the employee is not clocked in. If location permissions are denied, those features may not work when geofence/GPS enforcement is enabled. You can revoke location access at any time in your device or browser settings.

6.4 Push Notifications

Users can subscribe/unsubscribe from web push notifications, and native mobile users can also enable or disable notification permissions in device settings. Subscription endpoints and device keys are stored server-side to deliver notifications.

6.5 Account Deletion and Mobile Access

Administrator users can request or perform account deletion through account settings. Employee mobile users may disable mobile app access from Settings; that action revokes mobile sessions and push notification registrations but does not delete employer-maintained workforce records such as employee profiles, schedules, timekeeping records, stored clock location pings, reports, message history, payroll records, or compliance history. Users who cannot complete deletion in-product can contact [email protected] or their organization administrator to request deletion, mobile access removal, or account closure. Your organization may retain certain records as required by law or business necessity.

6.6 Data Export

Organization administrators can request data export. Contact us for bulk export requests. A universal "download all my data" self-service workflow is not available across all portals; these requests are typically handled by administrators.

6.7 Withdraw Consent and Ask Questions

Where processing depends on optional permissions or consent, you may withdraw that consent by disabling the relevant permission in your device or browser settings or by contacting [email protected]. Withdrawing consent will not affect processing that occurred before withdrawal, and some features may stop working if the related permission is disabled.

7. AI and Automated Processing (IRIS)

7.1 What AI Does

When enabled, IRIS features can:

  • Search your organization's knowledge base (SOPs, policies, procedures) using semantic search
  • Generate structured summaries based on matched internal sources
  • Provide report-writing suggestions by analyzing report content you submit
  • Generate draft SOP content from descriptions/interview answers you provide
  • Look up schedules, employee information, and operational data

7.2 What AI Does NOT Do

  • IRIS does not automatically take action without explicit user interaction
  • AI cannot modify data autonomously—all changes require user confirmation
  • Tool usage is restricted to registered, read-only tools (knowledge search, data lookups)
  • AI cannot access data from other organizations

7.3 AI Responses Are Advisory

AI responses are for informational purposes only and should be verified for critical decisions. We do not guarantee the accuracy, completeness, or reliability of AI-generated content.

7.4 Privacy Protections for AI

Personally identifiable information that we detect is automatically replaced with placeholder tokens before being sent to AI providers, so real names, phone numbers, email addresses, and similar identifiers are not transmitted to external AI services. We use model providers under business terms that do not train on our data; provider-side retention is limited to the abuse-monitoring window described in Section 3.4 (up to 30 days for the OpenAI API, subject to legal obligations).

7.5 Where AI Runs

  • All IRIS agent operations run directly on the OpenAI API (business account).
  • IRIS embedding requests for retrieval run through OpenRouter.

8. Third-Party Services

The Service integrates with third-party providers for specific functionality. These providers have their own privacy policies governing their use of data:

8.1 Core Infrastructure

  • Netcup / Hetzner — VPS hosting and server infrastructure
  • Amazon Web Services (S3) — Cloud file storage

8.2 Payments

  • Stripe (Stripe Connect + Stripe Elements) — Payment processing and connected account onboarding. Card data is handled by Stripe's libraries in the browser.

8.3 Communications

  • Resend / SMTP Provider — Email delivery
  • Apple / Google / Mozilla / Microsoft / Samsung — Push notification delivery (web push endpoints)

8.4 AI Services

  • OpenAI API (Business Account) — Direct IRIS agent operations processing
  • OpenRouter — Embedding generation/routing for IRIS knowledge retrieval

8.5 Maps and External Assets

  • Google Maps — Map UI when officer map is used (if configured)
  • OpenStreetMap — Map tiles for geofence UI
  • Nominatim (OpenStreetMap) — Geocoding requests for address lookup
  • Bunny Fonts — Font delivery on some pages
  • cdnjs (Cloudflare) — Leaflet marker icon assets

We select providers that maintain appropriate security and privacy practices. We do not sell personal information to third parties.

9. Children's Privacy

The Service is intended for business and organizational operations and is not designed for children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from someone under 18, we will take steps to delete that information.

10. State Privacy Law Rights

Depending on where you reside, you may have specific privacy rights under state law. This section describes those rights and how to exercise them.

10.1 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Your Rights:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
  • Right to Correct: You have the right to request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (such as precise geolocation and Social Security numbers, if applicable) only for the business purposes described in this policy and as permitted by the CCPA.

Categories of Personal Information Collected:

In the preceding 12 months, we have collected the following categories of personal information as described in Section 1 of this policy:

  • Identifiers (name, email, phone, employee ID)
  • Personal information under Cal. Civ. Code 1798.80(e) (name, address, phone, employment information)
  • Protected classification characteristics (date of birth, gender, nationality — when provided by employer)
  • Commercial information (billing records, payment history)
  • Internet or electronic network activity (login records, feature usage, IP addresses)
  • Geolocation data (GPS coordinates during work-related activities)
  • Professional or employment-related information (job title, credentials, certifications)
  • Inferences drawn from the above (AI-generated operational insights)

Important Note for Employees/Guards:

If your employer uses Arcova to manage your work data, certain CCPA exemptions may apply to information collected in the employment context. Your employer, as the data controller, is primarily responsible for responding to your requests regarding employment-related data. You may also contact us directly at [email protected], and we will coordinate with your employer as appropriate.

10.2 Other State Privacy Laws

Residents of Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, and other states with comprehensive privacy legislation may have similar rights, including:

  • Right to access personal data
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising (we do not engage in targeted advertising)
  • Right to opt out of profiling with legal or similarly significant effects
  • Right to appeal a denial of your privacy request

We do not sell personal data, use it for targeted advertising, or engage in profiling that produces legal or similarly significant effects.

10.3 How to Exercise Your Rights

To exercise any of the rights described above:

  • Email: [email protected] with "Privacy Rights Request" in the subject line
  • For employment-related data: Contact your employer's administrator first

We will verify your identity before fulfilling a request. For requests related to employment data, we may need to coordinate with your employer (the data controller). We will respond to verifiable requests within 45 days (or as required by applicable law), with an extension of up to an additional 45 days where reasonably necessary.

10.4 Authorized Agents

You may designate an authorized agent to make a request on your behalf. We may require the authorized agent to provide written proof of authorization and may verify your identity directly.

10.5 Appeals

If we deny your privacy request, you may appeal the decision by emailing [email protected] with "Privacy Appeal" in the subject line. We will respond to appeals within the timeframe required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect product changes (new modules, integrations, or changes in storage/retention). When we make material changes, we will notify users through the application or via email. The "Last Updated" date at the top indicates when it was most recently revised.

Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

CT Software, LLC

Privacy Inquiries: [email protected]

General Support: [email protected]

For account-specific data requests (access, correction, deletion, export), please contact your organization's administrator first, as they control the data within their account.