Privacy Policy

Effective Date: February 4, 2026
Last Revised: February 4, 2026

This Privacy Policy describes how ARAGS Inc. ("ARAGS," "we," "us," or "our") collects, uses, discloses, and protects your information through the ARAGS Hub (the "Hub"). The Hub is a static marketing interface for our Autonomous RAG Service ("ARAGS Service"). We are committed to protecting the privacy and security of your personal information, including Protected Health Information (PHI).

1. Scope and Definitions

This Privacy Policy applies solely to the ARAGS Hub. The Hub serves as a secure intake point for information that is transferred to the ARAGS Service backend for processing. While the Hub itself does not process PHI in the backend sense, it does collect PHI/PII (including Name, Email, and Clinical Context) through the "Request Access" form for the purpose of securely transferring this data to the ARAGS Service for onboarding.

For comprehensive information about how PHI is processed within the ARAGS Service ecosystem, please refer to the ARAGS Service Privacy Policy and Terms of Service.

2. Information We Collect

We collect the following categories of information, with the legal basis for each collection:

A. Analytics Data (Legitimate Interest)

• Non-identifiable traffic data (page views, session duration)
• Browser type, device information, IP address (anonymized)
• Referral sources and navigation patterns

B. Beta Application Data (Explicit Consent + Contractual Basis)

• Name: Your full name for identification
• Email Address: For communication regarding your application
• Clinical Context: Information about your clinical practice, specialty, and intended use case. This may include PHI/PII.

Important: By submitting the "Request Access" form, you provide explicit consent for ARAGS to collect, store, and transfer this information (including PHI/PII) to the ARAGS Service backend for onboarding purposes. Consent is obtained via a mandatory checkbox on the form.

C. Cookies and Tracking Technologies

We use essential cookies for website functionality and analytics cookies to improve user experience. For detailed information about our cookie usage, please see Section 8 (Cookie Policy).

3. How We Use Your Information

We use collected information for the following purposes:

• Analytics Data: To improve Hub performance, analyze user behavior, and optimize the user experience.
• Beta Application Data: To evaluate your eligibility for the ARAGS Service, establish a clinical baseline for onboarding, and communicate with you regarding your application status.
• Security and Compliance: To detect fraud, ensure data security, and comply with legal obligations under HIPAA, PIPEDA, GDPR, and CCPA/CPRA.

4. Data Sharing and Third-Party Service Providers

We do not sell your data. We share data only with trusted third-party service providers under strict contractual protections:

• Firebase (Google Cloud): Hosting and analytics. Business Associate Agreement (BAA) in place for HIPAA compliance.
• HubSpot: Beta application management and communication. Data Processing Agreement (DPA) and BAA in place.

All third-party providers are contractually obligated to protect your data and use it only for the purposes we specify.

5. International Data Transfers

Your information may be transferred to and processed in jurisdictions outside your country of residence, including the United States. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR compliance
• Business Associate Agreements (BAAs) for HIPAA compliance
• Encryption in transit and at rest (TLS 1.3, AES-256)

6. Data Retention

We retain your information for the following periods:

• Analytics Data: 26 months, then anonymized or deleted
• Beta Application Data (Approved): Duration of ARAGS Service usage + 7 years (regulatory compliance)
• Beta Application Data (Rejected/Withdrawn): 90 days, then securely deleted

You may request early deletion of your data by contacting us (see Section 10).

7. Your Rights (Data Subject Rights)

Depending on your jurisdiction, you have the following rights regarding your personal information:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Withdraw Consent: Withdraw consent for data processing at any time (does not affect prior lawful processing)
• Right to Object: Object to processing based on legitimate interests
• Right to Restrict Processing: Request restriction of processing under certain conditions

To exercise any of these rights, please contact us at info@arags.io. We will respond within 30 days for GDPR requests and 45 days for CCPA/CPRA requests.

8. Cookie Policy

We use the following types of cookies on the ARAGS Hub:

• Essential Cookies: Required for website functionality (cannot be disabled)
• Analytics Cookies: Google Analytics (anonymized IP) to measure website performance

You can manage cookie preferences through your browser settings. Note that disabling cookies may affect website functionality.

9. Security Safeguards

We implement industry-standard security measures to protect your data:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
• SRE Shield: Isolated infrastructure for PHI processing with strict PHI/PII isolation protocols
• Autonomous Escalated Care (AEC): AI-driven insights are handled with clinical precision and human oversight

10. Contact Information

For privacy-related inquiries, to exercise your data subject rights, or to report a data security concern, please contact:

ARAGS Inc. - Privacy Office
Email: info@arags.io
Address: [To be added - ARAGS Inc. registered address]

For GDPR-specific inquiries (EU residents), you may also contact your local data protection authority.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last Revised" date
• Sending email notification to registered beta applicants

Your continued use of the ARAGS Hub after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Regulatory Compliance

This Privacy Policy is designed to comply with:

• HIPAA (USA): Health Insurance Portability and Accountability Act
• PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
• GDPR (EU/EEA): General Data Protection Regulation
• CCPA/CPRA (California): California Consumer Privacy Act / California Privacy Rights Act