Privacy Policy
Last updated: 2026-05-11
This Privacy Policy explains how primarylaw.ai Ltd (“arryv,” “we,” “us,” “our”), a corporation incorporated in the Province of Manitoba, Canada, collects, uses, discloses, retains, and protects personal information when you use the arryv service (the “Service”). It applies to all users of the Service worldwide and supplements (rather than replaces) the protections granted to you by applicable privacy law.
1. Who we are & how to contact us
For purposes of Canadian privacy law (PIPEDA, Manitoba PIPITPA where applicable), the EU/UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and similar laws, primarylaw.ai Ltd is the data controller (or equivalent) for the personal information processed through the Service.
Privacy questions, access/deletion requests, or any other request under this Policy:
info@arryv.ai
2. What we collect
- Account information. Your email address; a hashed password (if you use the email/password sign-in); and, if you sign in with Google, your Google account ID and the basic profile fields Google returns.
- Application data. Everything you enter into the questionnaire — names, dates, places, addresses, family relationships, and similar personal details about you and the ancestors in your Canadian citizenship chain.
- Uploaded documents. Birth, marriage, naturalization, death, and similar civil documents you upload, including the extracted text and structured fields our processing pipeline pulls from them.
- Payment information. Stripe processes your card and stores the card number on its own infrastructure; we receive only the Stripe customer/session/payment identifiers and the metadata Stripe returns (e.g. tier, amount, country).
- Service-generated output. The cover letters, narratives, filled CIT 0001 forms, and bundled PDFs we produce for you.
- Usage and event data. Page views and product events (e.g. “quiz completed,” “package generated”) collected via PostHog; minimal request metadata for security and abuse prevention (IP address, user agent, timestamps); error-and-performance telemetry collected via Sentry.
3. Why we collect it (lawful basis)
We process personal information for the following purposes and on the corresponding lawful bases (where applicable):
- To provide the Service — performance of the contract you entered into when you accepted the Terms of Service.
- To process payments and prevent fraud — performance of contract and our legitimate interest in operating a business safely.
- To improve and debug the Service — our legitimate interest in maintaining and improving a software product. Aggregate analytics only, no automated decisions made about you.
- To send you transactional emails (receipts, package-ready notifications, account notices) — performance of contract.
- To meet legal obligations — tax records, anti-fraud reporting, response to lawful requests, etc.
We do not engage in automated profiling that produces legal or similarly significant effects on you.
4. Where it is stored
Application data, uploaded documents, and account records are stored in Supabase (US-East), encrypted at rest, with row-level security policies that prevent any user from reading another user’s rows. Object storage (uploaded files and generated bundles) is encrypted at rest with the same per-user access controls. Backups run automatically; retention is 30 days.
Our infrastructure (Vercel, Supabase, Stripe, Resend, Anthropic, PostHog, Sentry) is operated by third-party providers in the United States and other jurisdictions. Information you submit may be transferred to and processed in the United States and elsewhere, where data-protection laws may differ from those of your country. We rely on Standard Contractual Clauses (or equivalent transfer mechanisms) with subprocessors where required.
5. Who we share it with (subprocessors)
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, object storage | US |
| Vercel | Web hosting, edge compute | US |
| Anthropic | AI extraction and generation (cover letter, narrative). Anthropic does not train on customer prompts. | US |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| PostHog | Product analytics. No application data or document contents are sent. Loaded only after analytics consent. | US |
| Google Analytics | Page-view and aggregate audience analytics. Operates under Google Consent Mode v2 with all signals defaulted to “denied” until you grant consent. | US |
| Sentry | Error and performance monitoring. PII fields suppressed. | US |
| Google (optional) | OAuth sign-in — only if you choose “Sign in with Google.” | US |
We may also disclose personal information (i) to comply with applicable law, legal process, or a lawful government request; (ii) to enforce the Terms of Service or defend our rights; (iii) to detect, prevent, or address fraud, security, or technical issues; (iv) in connection with a merger, acquisition, financing, or sale of assets, in which case your information will continue to be subject to a policy at least as protective as this one.
We do not sell or share your personal information for cross-context behavioural advertising.We do not engage in “sale” or “sharing” as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve months.
6. How long we keep it
- Application data and uploaded documents: for the life of your account plus ninety (90) days after deletion request (to honour chargeback and dispute windows), then permanently deleted.
- Generated packages: same retention as application data.
- Quiz responses: retained indefinitely in anonymised form (no email or account link) after one hundred eighty (180) days, unless tied to an active account.
- Server and security logs: 30 days.
- Stripe payment records and required tax records: as long as required by applicable law (typically seven years).
7. Cookies and similar technologies
We use a small number of cookies and similar storage mechanisms (localStorage) for the following:
- Strictly necessary: session and authentication (Supabase Auth cookies); CSRF and security tokens. These are always on — without them the Service cannot function.
- Analytics & performance (optional): PostHog and Google Analytics cookies/localStorage. Loaded only after you grant consent through the cookie banner. Until you grant consent, Google Consent Mode v2 keeps all advertising and analytics signals defaulted to “denied” (no identifying cookies are written; only modelled aggregate pings).
You may withdraw analytics consent at any time by clearing site data or by emailing info@arryv.aiwith the subject “Withdraw analytics consent.”
8. Your privacy rights
Depending on where you live, you may have some or all of the following rights with respect to your personal information:
- Access — request a copy of what we hold about you.
- Correction — ask us to fix inaccurate information.
- Deletion — ask us to delete your account and associated data.
- Portability — receive your data in a structured, commonly used format.
- Restriction or objection to processing, where applicable.
- Withdraw consent at any time, where we rely on consent (e.g. analytics).
- Right to opt out of “sale” or “sharing” (CCPA/CPRA) — we do not engage in either, but you may direct us to confirm that.
- Right to lodge a complaint with your data-protection authority — in Canada, the Office of the Privacy Commissioner of Canada (priv.gc.ca); in the EU/UK, your national supervisory authority; in California, the California Privacy Protection Agency.
- Right to non-discrimination for exercising any of the above.
To exercise a right, email info@arryv.ai. We may need to verify your identity (typically by confirming you can receive email at the account address) before fulfilling the request. We respond within 30 days, or such other period as required by applicable law.
9. Security
We implement technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, and destruction — including transport encryption (TLS), encryption at rest, row-level access controls in the database, short-lived signed URLs for file access, and strict subprocessor agreements. No system is perfectly secure; in the event of a breach affecting your personal information, we will notify you and the relevant regulator(s) as required by applicable law.
10. Children
The Service is not directed at children under 13 and we do not knowingly collect personal information from children under 13. The Service is intended for adults (18+). An adult parent or legal guardian may apply on behalf of a minor child; in that case, the personal information about the child is provided by, and the responsibility of, the adult account holder. If you believe a child has provided us personal information without parental consent, contact info@arryv.ai and we will delete it.
11. Region-specific disclosures
European Economic Area & United Kingdom (GDPR / UK GDPR). The data controller is primarylaw.ai Ltd. Our lawful bases for processing are described in Section 3. International transfers to the US are made under Standard Contractual Clauses or equivalent safeguards. You have the rights listed in Section 8 and the right to lodge a complaint with your national supervisory authority.
California (CCPA / CPRA). Categories of personal information collected: identifiers (email, account ID), internet/electronic activity (usage events), commercial information (transactions), and sensitive personal information (account credentials, government-identifier data in uploaded documents). We collect this information for the purposes in Section 3 and disclose it to the categories of subprocessors listed in Section 5. We do not sell or share personal information, do not use sensitive personal information for inferences, and retain information for the periods in Section 6. You have the rights listed in Section 8.
Canada (PIPEDA). The Office of the Privacy Commissioner of Canada oversees compliance: priv.gc.ca. You have the right to access your information and to challenge its accuracy.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the current version.
13. Contact
primarylaw.ai Ltd
Manitoba, Canada
info@arryv.ai