Privacy Policy
Effective Date: May 9, 2026
Last Updated: May 9, 2026
Controller: Arveo Inc.
Address: Boca Raton, Florida
Contact: privacy@arveo.ai
1. Introduction
Arveo Inc. ("Arveo," "we," "us," or "our"), a Delaware corporation, operates the Arveo AI bookkeeping and financial intelligence platform, accessible at https://arveo.ai (the "Platform"). This Privacy Policy explains what personal information we collect about you, how we use it, who we share it with, how long we keep it, and what rights you have over it.
By accessing or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree, do not use the Platform.
If you are using the Platform on behalf of an employer or other organization (for example, as an employee of an accounting firm that subscribes to Arveo), your organization is the data controller for your use of the Platform, and you should also review your organization's own privacy policies.
2. Who We Are and Our Role
Arveo acts as a data controller with respect to information collected directly from visitors to our marketing website and from individual users who create accounts on the Platform.
Where Arveo processes personal data on behalf of a subscribing accounting firm or business customer (the "Controller"), Arveo acts as a data processor under the terms of a Data Processing Addendum. In those situations, the Controller's own privacy policy and the terms of the DPA govern the processing of that personal data.
For questions about this Privacy Policy, contact us at privacy@arveo.ai.
3. What We Collect
3.1 Information You Provide
| Category | Examples |
|---|---|
| Account registration data | Name, email address, firm name, password (hashed) |
| Profile and settings | Job title, notification preferences, scheduled briefing time |
| Payment information | Billing name, billing address, payment card details (processed and stored by Stripe — we do not store raw card numbers) |
| Communications | Content of emails or support messages you send to us |
3.2 Information from Third-Party Integrations
When you connect a third-party service to your Arveo account, we receive data from that service as authorized by you:
- QuickBooks Online (Intuit): Financial transaction records, account balances, merchant names, and other accounting data that you authorize Arveo to access via QuickBooks Online's OAuth API. We access this data using a read-only OAuth scope. We store an encrypted OAuth refresh token in our database to maintain the connection.
- Slack: If you configure Slack notifications, we store an encrypted Slack OAuth token and send messages to the designated Slack channel.
3.3 Information Collected Automatically
When you use the Platform or visit our website, we automatically collect:
| Category | Examples |
|---|---|
| Usage data | Pages visited, features used, clicks, session duration |
| Device and network data | IP address, browser type and version, operating system |
| Authentication events | Login timestamps, MFA events, session activity |
| Error and performance data | Crash reports and stack traces collected by Sentry (see Section 7) |
3.4 Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly necessary cookies: Required for the Platform to function, including session authentication cookies managed by Supabase Auth. You cannot opt out of these while using the Platform.
- Analytics cookies: We may use privacy-respecting analytics tools to understand how users interact with the Platform.
- Marketing cookies: We do not currently use marketing or advertising cookies on the Arveo Platform. Our marketing website may use analytics tags; you may opt out via the cookie banner on that site.
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent the Platform from functioning correctly.
4. How We Use Your Information
We process your personal information for the following purposes and on the following lawful bases:
| Purpose | Lawful Basis (GDPR) | CCPA Business Purpose |
|---|---|---|
| Providing the Platform: authentication, account management, data display, financial transaction sync | Contract performance | Performing services |
| Generating AI-powered financial summaries and daily briefings | Contract performance | Performing services |
| Sending transactional emails and SMS alerts | Contract performance | Performing services |
| Processing payments via Stripe | Contract performance / Legal obligation | Performing services |
| Monitoring platform security and detecting fraud | Legitimate interests (security) | Security / fraud detection |
| Error monitoring and performance optimization via Sentry | Legitimate interests (improvement of service) | Debugging / quality assurance |
| Responding to support requests | Contract performance / Legitimate interests | Performing services |
| Complying with legal obligations (e.g., tax, financial recordkeeping) | Legal obligation | Legal obligation |
| Maintaining audit logs for SOC 2 and regulatory compliance purposes | Legitimate interests (compliance) | Internal research and compliance |
We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you without human review.
5. Financial Data
The core service Arveo delivers involves financial data. Arveo connects to your QuickBooks Online account using a read-only OAuth connection. We retrieve your transaction records, merchant names, and account summary data solely to provide you with the AI summaries, briefings, and analytics that you subscribed to.
We do not sell, rent, or share your financial transaction data with third parties for their own purposes. Financial data is processed by Anthropic's Claude API to generate summaries; Anthropic processes this data as a service provider under our Data Processing Agreement and does not retain it for its own model training purposes under our enterprise API terms. We transmit transaction memos and amounts to Anthropic; we do not transmit full account numbers, Social Security numbers, or raw bank credentials.
6. Who We Share Your Information With
We share personal information only in the following circumstances:
6.1 Subprocessors
We use third-party service providers ("subprocessors") to deliver the Platform. Each subprocessor receives only the data necessary to perform its service and is contractually bound to data protection obligations. Our full list of subprocessors is at https://arveo.ai/subprocessors.
Current subprocessors include:
| Subprocessor | Purpose | Primary Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Vercel | Application hosting, edge network | United States |
| Anthropic | AI transaction categorization and summarization | United States |
| Resend | Transactional email delivery | United States |
| Twilio | SMS and messaging delivery | United States |
| Slack (Salesforce) | Internal team notifications | United States |
| Sentry | Error and performance monitoring | United States |
| Intuit / QuickBooks Online | Financial data integration | United States |
| Stripe | Payment processing and subscription billing | United States |
| GitHub | Source code and CI/CD | United States |
| Cloudflare | CDN and DNS | United States |
6.2 Legal Requirements
We may disclose personal information to government authorities, courts, or regulators if we have a good-faith belief that disclosure is required by applicable law, regulation, or legal process.
6.3 Business Transfers
If Arveo Inc. is acquired by or merges with another entity, your personal information may be transferred to the successor entity. We will notify you via email or prominent notice on the Platform before such a transfer takes effect, and provide you with an opportunity to delete your account if you do not wish to continue.
6.4 With Your Consent
We share information with other parties only with your explicit consent.
6.5 What We Do Not Do
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not disclose customer financial records to any party not listed in this policy or the DPA.
7. Error Monitoring and Sentry
We use Sentry (sentry.io) to capture application error reports and performance data. Sentry may receive stack traces, request metadata, and technical context about errors. We configure Sentry to scrub and mask personally identifiable information and financial data from error payloads. If you encounter a Sentry-related concern, contact privacy@arveo.ai.
8. Data Retention
We retain personal information for as long as necessary to provide the Platform and fulfill the purposes described in this Policy, and as required by applicable law.
| Data Category | Retention Period |
|---|---|
| Account data (name, email, profile) | For the duration of the account plus 90 days following deletion request |
| Financial transaction data (from QBO sync) | For the duration of the subscription plus 90 days following account termination |
| Encrypted OAuth tokens | Deleted within 24 hours of integration disconnection or account termination |
| Audit log entries (security events, role changes) | 3 years from the date of the event |
| Sentry error data | 90 days (configurable) |
| Payment records | 7 years (legal / tax obligation) |
| Support communications | 3 years |
Following expiration of the applicable retention period, we securely delete or anonymize personal information.
9. Data Security
We maintain technical and organizational measures appropriate to the risk of processing, including:
- Encryption of all data in transit via HTTPS/TLS
- AES-256 encryption of data at rest
- Application-layer encryption of OAuth tokens
- Multi-factor authentication on all administrative accounts
- Role-based access control and database Row-Level Security
- Annual penetration testing
- SOC 2 Type 1 audit in progress (target Q3 2026)
A full description of our security measures is available at https://arveo.ai/security.
No security measure is perfect. In the event of a data breach affecting your personal information, we will notify you as required by applicable law and in accordance with our Incident Response Plan.
10. Your Rights
10.1 Rights Under GDPR (EU/UK Residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights with respect to personal data for which Arveo is the controller:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests, including profiling.
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact privacy@arveo.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
10.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
- Delete: Request deletion of personal information we have collected about you, subject to certain exceptions.
- Correct: Request correction of inaccurate personal information.
- Opt Out of Sale or Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm this.
- Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes other than those permitted under CPRA.
- Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To submit a CCPA request, contact privacy@arveo.ai with the subject line "California Privacy Request."
We will verify your identity before processing rights requests by confirming the email address associated with your Arveo account.
11. Children's Privacy
The Platform is intended for use by business professionals and accounting firms. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected personal information from a minor, we will delete it promptly.
12. Links to Third-Party Sites
The Platform and our emails may contain links to third-party websites, including QuickBooks Online, Stripe, and others. This Privacy Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party services you connect to through Arveo.
13. International Transfers
Arveo is based in Florida, United States, and all primary data processing occurs within the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from those of your country. For customers whose data is subject to GDPR, please refer to the international transfer provisions in our Data Processing Addendum.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you by email (to the address associated with your Arveo account) and by posting a prominent notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date of the updated policy constitutes acceptance of the updated terms.
15. Contact Us
For privacy inquiries, data rights requests, or DPA requests:
Email: privacy@arveo.ai
Mail: Arveo Inc., Attn: Privacy, Boca Raton, FL
We will acknowledge receipt of all privacy requests within 5 business days.
Privacy Policy — Arveo Inc. — Version 1.1 — May 28, 2026