Privacy Policy
Aria Trove (“we”, “us”, “our”) operates the proposal-software service available at ariatrove.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have under the EU General Data Protection Regulation (“GDPR”) and the EU ePrivacy Directive.
If anything here is unclear, write to us at privacy@ariatrove.com and we’ll explain in plain language.
1. Who we are
The data controller for personal data processed through Aria Trove is:
- Aria Trove — operated by DK Productions IKE (the legal entity), Athens, Greece.
- Contact: privacy@ariatrove.com
- We have not appointed a Data Protection Officer (we’re below the GDPR Art. 37 threshold), but the address above reaches the person responsible for privacy.
2. What we collect and why
We collect only what we need to operate the service. Each category below is paired with the GDPR Article 6 legal basis we rely on.
| Category | What it is | Why | Legal basis |
|---|---|---|---|
| Account | Email, password hash, display name, workspace name | To create and authenticate your account, and to identify you across sessions | Performance of contract (Art. 6(1)(b)) |
| Billing | Plan, billing email, Stripe customer ID, invoice history. We never see your full card number — Stripe handles it. | To bill the subscription you purchased | Performance of contract |
| Proposal content | Anything you put into a proposal: text, images, video, prices, client names and emails | So the service can store, render, and deliver the proposals you create | Performance of contract |
| Recipient data | If you enter a client’s name and email to send them a proposal, we store that and log when they open it | To deliver the proposal and report engagement back to you | Legitimate interest (Art. 6(1)(f)) — the recipient’s reasonable expectation that a sender tracks delivery |
| Usage logs | Page-view audit trail, IP address, user agent, approximate geographic region (city / country, derived from IP via MaxMind GeoLite2) | Security, fraud prevention, debugging, and the engagement insights we surface in your dashboard | Legitimate interest |
| Transactional emails | Verification, password reset, signed-PDF delivery, notifications | To run the service | Performance of contract |
| Cookies | Auth session cookie (necessary), theme-preference cookie (necessary for UX). See section 8. | To keep you signed in and remember your light/dark preference | Strictly necessary (cookies) / legitimate interest (preference) |
3. Who we share it with (sub-processors)
We work with the following sub-processors. Each processes personal data only on our written instructions and under a Data Processing Agreement (DPA) compliant with GDPR Art. 28.
| Service | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (application + database) | Germany / Finland (EU) |
| Cloudflare, Inc. | DNS, registrar, edge proxy (when enabled) | United States — relies on EU SCCs |
| Stripe Payments Europe Ltd. | Subscription billing | Ireland (EU) |
| Resend, Inc. | Transactional email delivery | United States — relies on EU SCCs |
| Backblaze, Inc. | Encrypted off-host database backups | United States — backups are encrypted with a key held only by us, so the provider cannot read content |
| MaxMind, Inc. | Offline IP→city/country lookup | United States — only an offline GeoLite2 file is downloaded; no IP addresses leave our servers |
| Anthropic, PBC | AI-assisted document parsing for the optional “Stylize” doc-import feature. Only invoked when a user explicitly uploads a document and chooses the Stylize action; document content is sent to Anthropic’s Claude model for structural extraction. We do not retain Anthropic responses beyond the import. | United States — relies on EU SCCs and the EU–US Data Privacy Framework. Per Anthropic’s commercial terms, customer data sent to the API is not used to train their models. |
We do not sell your data, share it with advertisers, or use it to train machine-learning models.
4. International transfers
Some sub-processors are based in the United States. Where personal data is transferred outside the EU/EEA we rely on the European Commission’s Standard Contractual Clauses (SCCs, 2021/914) and, where the recipient self-certifies, the EU–US Data Privacy Framework. You may request a copy of the SCCs in place by emailing privacy@ariatrove.com.
5. How long we keep it
| Data | Retention |
|---|---|
| Account + workspace data | For as long as you have an account, plus 30 days after deletion (a soft window so we can restore in case of accidental deletion) |
| Proposal content + recipient logs | Same as the parent workspace |
| Billing records (invoices) | 10 years (Greek tax law requires this) |
| Server access + audit logs | 90 days |
| Off-host encrypted backups | 30 daily snapshots, then deleted |
| Email delivery logs at Resend | 30 days (their default) |
| Beta-program applications (BetaApplication) | Pending: 90 days. Approved: linked to the resulting account and retained alongside it. Declined or waitlisted: 30 days, then anonymised. |
| Stripe customer record | Deleted from Stripe when you delete your account. Past invoices stay on Stripe for as long as Greek tax law requires. |
6. Your rights under GDPR
You have the right to:
- Access — get a copy of the personal data we hold about you (Art. 15)
- Rectification — correct anything inaccurate (Art. 16)
- Erasure — have your data deleted (“the right to be forgotten”, Art. 17), unless we’re legally required to keep it (e.g. invoices)
- Restriction — pause processing while a dispute is resolved (Art. 18)
- Portability — receive your data in a structured, machine-readable format (JSON export from your settings page) (Art. 20)
- Objection — object to processing based on legitimate interest (Art. 21)
- Withdraw consent — where processing is based on consent, withdraw at any time without affecting prior lawful processing (Art. 7(3))
- Lodge a complaint — with your local supervisory authority. In Greece this is the Hellenic Data Protection Authority (HDPA).
To exercise any of these, email privacy@ariatrove.com. We’ll respond within 30 days as required by Art. 12. The Access and Portability rights are also self-serve from inside the app — when signed in, request GET /api/admin/account/export (or use the “Download my data” button in your settings page) and you’ll receive a single JSON file containing every personal-data record we hold about you.
6a. Your California rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These overlap heavily with the GDPR rights above; the differences are spelled out here.
- Right to know — what categories of personal information we’ve collected about you in the past 12 months, where it came from, and who we shared it with. (See sections 2 and 3 above for the always-current answer.)
- Right to delete — request deletion of your personal information.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell your personal information, and we do not share it for cross-context behavioural advertising. The right is therefore moot, but you may register the preference at any time by emailing privacy@ariatrove.com or following the Do Not Sell or Share My Personal Information link in our footer.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA (no government IDs, biometrics, precise geolocation, racial/ethnic origin, religious beliefs, health data, etc.). The right is therefore moot.
- Right to non-discrimination — exercising any of the above will not affect the price or quality of the service.
We honour the Global Privacy Control (GPC) signal: if your browser or extension transmits the Sec-GPC: 1 header on any page request, we treat it as a valid “Do Not Sell or Share” opt-out for that user session, and persist it on your account when you are signed in. No additional action is required from you.
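The paragraph above describes a server-side behaviour: a request carrying Sec-GPC: 1 is treated as an opt-out for the session and persisted on a signed-in user's account. The following is an added illustration of that logic, not Aria Trove's own code. It assumes a Node-style request object whose headers object uses lowercase keys, and it substitutes an in-memory Map for the real account database. The one behaviour worth getting right is that the signal only ever switches the preference on: a later request without the header must not clear an opt-out that was already recorded.

```javascript
// Added example (not Aria Trove's code): honouring the Global Privacy Control
// signal. Assumes Node-style lowercase header keys; the account store is a
// constructed in-memory stand-in for the real database.

// The GPC specification defines the request header `Sec-GPC` with the single
// meaningful value "1". Anything else ("0", "", "true") is not an opt-out.
function hasGpcSignal(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined) return false;
  // Node folds repeated headers into a comma-separated string, so check tokens.
  return String(raw)
    .split(",")
    .map((v) => v.trim())
    .includes("1");
}

// Constructed stand-in for the account table.
const accounts = new Map();

function getAccount(userId) {
  if (!accounts.has(userId)) {
    accounts.set(userId, { doNotSellOrShare: false, source: null });
  }
  return accounts.get(userId);
}

// Apply the signal to one request.
//   headers      - request headers (lowercase keys)
//   session      - { userId } when signed in, null for anonymous visitors
//   sessionState - mutable per-session state, e.g. { doNotSellOrShare: false }
// Returns the effective opt-out state for this request and persists it on the
// account when the visitor is signed in. The signal only turns the preference
// ON; its absence never clears a previously recorded opt-out.
function applyGpc(headers, session, sessionState) {
  const signal = hasGpcSignal(headers);
  if (signal) sessionState.doNotSellOrShare = true;

  if (session && session.userId) {
    const account = getAccount(session.userId);
    if (signal && !account.doNotSellOrShare) {
      account.doNotSellOrShare = true;
      account.source = "gpc"; // record provenance for later audit
    }
    // A signed-in user's persisted preference carries into the session,
    // so a browser that stops sending the header is still honoured.
    sessionState.doNotSellOrShare =
      sessionState.doNotSellOrShare || account.doNotSellOrShare;
  }
  return sessionState.doNotSellOrShare;
}

// Explicit toggle from the settings page (the other path the policy names).
function setExplicitOptOut(userId, value) {
  const account = getAccount(userId);
  account.doNotSellOrShare = Boolean(value);
  account.source = "user";
  return account.doNotSellOrShare;
}

// Constructed demo: one anonymous and one signed-in request carrying the signal,
// then a follow-up request from the same user without it.
function demo() {
  const anon = { doNotSellOrShare: false };
  const first = applyGpc({ "sec-gpc": "1" }, null, anon);
  const signedIn = { doNotSellOrShare: false };
  const second = applyGpc({ "sec-gpc": "1" }, { userId: "demo-user" }, signedIn);
  const later = { doNotSellOrShare: false };
  const third = applyGpc({}, { userId: "demo-user" }, later);
  return { first, second, third }; // all three are true
}
```

The `source` field is there so that an export or audit trail can show whether an opt-out came from the browser signal or from the settings-page toggle; both paths end in the same stored boolean, which is what the rest of the application should consult.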
To exercise any California right, email privacy@ariatrove.com. We’ll acknowledge within 10 business days and respond substantively within 45 calendar days, with a one-time 45-day extension if the request is unusually complex.
7. Automated decision-making and profiling
We do not make automated decisions that have legal or similarly significant effects on you. The engagement metrics we surface (heatmaps, dwell time) are insights for the proposal sender, not decisions made about the recipient.
8. Cookies
We use the following first-party cookies. There are no third-party advertising or analytics cookies on this site at this time.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| authjs.session-token | Strictly necessary | Keeps you signed in | 30 days, refreshed on use |
| authjs.csrf-token | Strictly necessary | Cross-site request forgery protection during sign-in | Session |
| dkp_theme | Functional | Remembers your light/dark preference | 365 days |
| aria_consent | Strictly necessary | Remembers your cookie-banner choice | 365 days |
We also use localStorage on the welcome tour to remember which step you reached (key: dkp_onboarding_step). This is functional, not tracking, and you can clear it from your browser at any time.
If we ever introduce analytics or marketing cookies, we will update this list and ask for your explicit opt-in.
9. Security
We follow industry-standard practice: TLS for all transport, scram-sha-256 for database authentication, encrypted off-host backups (age + zstd), per-process secret isolation, an egress proxy that prevents the application from making unexpected outbound connections, and rate limiting on authentication endpoints.
If you believe you’ve found a security vulnerability, please write to security@ariatrove.com and we’ll respond within 72 hours.
Breach notification. If we ever detect a personal-data breach that affects you, we will notify the Hellenic Data Protection Authority (HDPA) within 72 hours of becoming aware of it, as required by GDPR Art. 33, and we will notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34). For California residents, parallel notification under California Civil Code §1798.82 will be issued as required.
10. Children
Aria Trove is not directed to children under 16. We do not knowingly collect personal data from anyone under that age. If you believe a child has signed up, tell us and we’ll delete the account.
11. Changes to this policy
We may update this policy as the service evolves. When we make a material change we will (a) update the “Last updated” date above and (b) email account holders. Continued use of Aria Trove after a material change constitutes acceptance.
12. Contact
For any privacy question, request, or complaint:
- Email: privacy@ariatrove.com
- Postal: DK Productions IKE, Athens, Greece
13. Do Not Sell or Share My Personal Information
We do not sell your personal information for monetary or other valuable consideration, and we do not share it for cross-context behavioural advertising. There is therefore no “sale” or “sharing” for you to opt out of under the CCPA / CPRA. We list this section explicitly because California law requires the link to exist regardless.
If you would still like to register an explicit opt-out preference on your account — for example because you intend to forward this preference to a future processor — email privacy@ariatrove.com, or, if you are signed in, toggle the “Do Not Sell or Share” preference on your settings page. Sending the Sec-GPC: 1 header from your browser will set this preference automatically.