Privacy Policy

Last updated: June 5, 2026

Last updated June 5, 2026. This policy is production-ready and written to the strictest applicable standard (GDPR + UK GDPR + CCPA/CPRA) applied globally. Three things still need an operator pass before this is final: (1) confirm the legal trading identity and home jurisdiction (we default to Idan Mann, sole proprietor trading as "Arlo," based in Wyoming, USA); (2) insert the real postal mailing address everywhere it is referenced; (3) appoint and name the UK and EU Article 27 representatives. We recommend a licensed privacy attorney (US + EU/UK) review this once before the first paid signup, and a periodic review (at least annually, or whenever sub-processors, recording, or AI processing materially change).

About this policy

This Privacy Policy explains how Arlo ("Arlo", "we", "us", "our") collects, uses, shares, and protects information when you use the Arlo AI assistant and related services (the "Service"). We have written it in plain language and tried to keep the legalese to a minimum.

We aim to apply one high standard everywhere, so most of what is below applies to everyone regardless of where you live. Some sections call out specific rights for people in the UK, the EU, and U.S. states with privacy laws.

If we make a material change to this policy, we will tell you by email or in the app before it takes effect. We do not make meaningful changes silently.

Who is responsible for your data

Arlo is operated by Idan Mann, a sole proprietor trading as "Arlo", based in Wyoming, United States. For data-protection purposes, Idan Mann is the "controller" of the personal data described in this policy (except for data about non-users, where the Arlo user who invited Arlo is the controller and Arlo acts on their behalf, see "Information about people who don’t use Arlo" below).

For any privacy question or request, email privacy@arlo.sh, or write to us at the postal address listed in the "Contact" section at the end of this policy. If you are in the UK or the EU, you can also reach our representatives, listed in the "UK and EU representatives" section.

Information we collect

We collect the categories of personal information below. We use the formal category names from California law in parentheses so U.S. residents can match them to their rights.

Account and identifiers (Identifiers) — your name, email, mobile phone number, account ID, login identifiers, and IP address. Used to create your account, sign you in, and text or call you.
Customer and billing records (Customer records; Commercial information) — your billing contact details, plan, credits, and payment history. Card payments are processed by Stripe; we do not store full card numbers.
Messages and content (Audio and electronic information) — the messages, requests, files, and content you send to Arlo, and Arlo’s responses.
Connected-account data (Professional or employment-related information) — information from tools you connect, such as Slack, Microsoft Teams, email, and calendar, including the message and calendar contents Arlo needs to act on your instructions, plus the access tokens that let Arlo reach those tools.
Audio, recordings, and transcripts (Audio and electronic information) — recordings and transcripts of phone calls and video meetings Arlo joins or makes on your behalf. See "Recording calls and meetings" below.
Memory and inferences (Inferences) — Arlo’s long-term "memory": facts Arlo learns about you from your messages and connected tools, stored as text and as mathematical representations (embeddings), so it can recall context and personalize how it helps you.
Usage and technical data (Internet or network activity) — device, log, and usage information needed to operate, secure, and improve the Service.

Where this information comes from

We collect information directly from you (for example, when you sign up or message Arlo), from the tools you choose to connect, automatically as you use the Service (usage and technical data), and from the calls and meetings you ask Arlo to join. We may also receive information about other people through you, for example other participants in a meeting Arlo records or a teammate you ask Arlo to message.

Sensitive information

Some of what Arlo handles is treated as sensitive personal information under California and other state laws, and as special-category or otherwise sensitive data under UK and EU law. For Arlo this means, in particular: the contents of messages, emails, and meeting conversations Arlo processes for you, including communications where Arlo is not the original or intended recipient; and the login credentials and access tokens for accounts you connect.

We use sensitive information only to provide and secure the Service you asked for. We do not use it to infer characteristics about you for advertising, we do not sell it, and we do not share it for cross-context behavioral advertising. Because we limit our use this way, there is nothing extra you need to do to restrict it, but you can always ask us about it at privacy@arlo.sh.

Why we use your information, and our legal basis

We only use your personal data when the law lets us. For people in the UK and EU, here is the lawful basis under the GDPR for each purpose.

To run Arlo and answer your requests — because it is necessary to deliver the Service you signed up for (contract, Art. 6(1)(b)).
To send the texts, voice calls, and notifications you asked for — to deliver the Service, or with your consent where required (Art. 6(1)(b) or 6(1)(a)). You can stop SMS any time by replying STOP.
To keep Arlo secure, prevent fraud and abuse, fix problems, operate reliably, and improve how it works — because we have a legitimate interest in running a safe, dependable product, balanced against your rights (Art. 6(1)(f)).
To take payment — to perform our contract with you and to meet our legal and accounting obligations (Art. 6(1)(b) and 6(1)(c)).
For anything optional, such as marketing emails or texts — only with your consent, which you can withdraw at any time (Art. 6(1)(a)).

Do you have to give us this information

You do not have to connect any tool or give us a phone number. Some features simply will not work without the relevant data: for example, Arlo cannot text you without a phone number, and cannot act in Slack or your calendar unless you connect those tools. Where we ask for information we genuinely need to run the Service, declining means that part of the Service is unavailable to you.

We do not train AI models on your content

We do not use your messages, voice, transcripts, or memories to train AI models. We send your content to AI providers under their business and API terms, which provide that they do not use it to train their models. Those providers may keep inputs briefly to detect abuse (for example, on the order of about 7 days for Anthropic’s API and up to about 30 days for OpenAI’s API) and then delete them.

Because some requests are routed through OpenRouter to the model that actually runs them, the handling of your content follows the combined terms of OpenRouter and that model provider. This is a contractual commitment from our providers rather than something we can guarantee absolutely on their behalf, but it is the standard no-training posture for the API and commercial plans we use, and we choose providers on that basis.

How Arlo’s AI works

Arlo is an AI assistant. When you chat, text, or talk with Arlo, you are interacting with artificial intelligence, not a human. On phone and voice calls, Arlo tells you it is an AI at the start of the call.

To understand your requests and act on them, Arlo sends the relevant content — your messages, the things you ask Arlo to do, data from tools you connect, and the audio and transcripts of calls or meetings Arlo joins — to the third-party AI providers that run the underlying models (see "Who we share information with"). Arlo also builds a long-term memory to personalize its help. You can ask Arlo, or email us, to show you what it remembers, correct it, export it, or delete it, including wiping Arlo’s memory entirely; deleting your account deletes your memory.

Arlo does not make solely-automated decisions that produce legal or similarly significant effects about you. Arlo’s responses are AI-generated and can be inaccurate, incomplete, or out of date, so please double-check anything important. If an automated action affects you and you would like a human to look at it, or you want an explanation of a specific result, contact us at privacy@arlo.sh.

Recording calls and meetings

Arlo can join phone calls and video meetings on your behalf. When it does, it records and transcribes the audio so it can take notes, follow up, and remember what was discussed. Recording and transcription are handled by our providers, including Recall.ai (meeting recording and transcription), ElevenLabs (voice), and Telnyx or Linq (calls), and the transcript is sent to the AI models that generate Arlo’s responses (through OpenRouter to models such as Anthropic Claude and Moonshot Kimi, and OpenAI for memory and search). Recordings and transcripts are not used to train AI models, are not sold, and are not handed to third parties to train their models.

We announce it. Before Arlo records, it tells everyone on the call or in the meeting that it is there and that the conversation is being recorded and transcribed. On calls where Arlo speaks, it also tells people up front that they are talking to an AI voice. Anyone who does not want to be recorded can ask to stop the recording or leave.

Everyone has a say. Many places — including California, Florida, Illinois, Pennsylvania, Washington, and several other U.S. states, and the EU and UK — require everyone on a call or in a meeting to agree before it is recorded. If you invite Arlo into a call or meeting with other people, you are responsible for making sure those people are informed and that you have a lawful basis to record them. Our Terms set out this obligation in more detail.

We do not create voiceprints. Arlo does not build or store a voiceprint or other voice fingerprint to identify people by their voice.

Participants — including people who do not use Arlo — can request deletion of a recording or transcript, including the copies held by our providers, by emailing privacy@arlo.sh.

Information about people who don’t use Arlo

Sometimes Arlo processes information about people who are not Arlo users — for example, other participants in a meeting Arlo records, teammates an Arlo user asks Arlo to message, or the senders of emails Arlo handles. This section is the notice the law requires us to give those people (UK and EU GDPR Article 14).

If this is you: the categories of your data we process are typically your name, contact details, and the content of the call, meeting, or message involved. The source of that data is the Arlo user who invited Arlo or directed the action — that user is the controller of the data, and Arlo acts on their behalf to provide the requested feature. We use it only for that purpose, rely on the same lawful bases described above (principally the user’s contract with us and our and the user’s legitimate interests in running the requested feature), share it only with the providers listed below, may transfer it to the United States under the safeguards described below, and keep it no longer than needed.

You have the same rights set out in "Your rights" below — including to ask what we hold, object, or have it deleted. Contact privacy@arlo.sh and we will help, and point you to the relevant Arlo user where they are the controller.

Who we share information with

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not run third-party advertising trackers (such as ad pixels) on arlo.sh. If that ever changes, we will post a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control (GPC) signals.

To run Arlo, we use trusted companies ("sub-processors") that handle data on our behalf, only to provide the Service and under contracts that bind them to service-provider or data-processor terms. Because of those contracts, sharing data with them is not a "sale" or "share" under California law. They fall into these categories:

AI inference and search — OpenRouter, Anthropic, Moonshot (Kimi), OpenAI, Exa.
Messaging and voice — Telnyx, ElevenLabs, Linq.
Meeting recording and transcription — Recall.ai.
Integrations and sign-in — Composio, WorkOS, Slack, Microsoft.
Compute, storage, and media — Cloudflare R2, Neon, Daytona, fal.ai, Anchor Browser, Parse.bot.
Payments — Stripe.

A full, current list of our sub-processors — with what each one does and where it processes data — is published at arlo.sh/subprocessors, and we update it as our providers change.

International data transfers

Arlo’s AI and infrastructure run partly in the United States, so when you use it your personal data may be transferred there and to other countries. Where we transfer personal data out of the UK or the EEA, we protect it using:

the EU-US Data Privacy Framework (and its UK extension) where the receiving provider is certified, for example Anthropic; and

the European Commission’s Standard Contractual Clauses, together with the UK International Data Transfer Addendum or IDTA, for providers that are not certified under the Framework, backed by a transfer risk assessment.

We treat the Framework alone as insufficient for providers that are not certified, which is why we layer Standard Contractual Clauses and the UK Addendum or IDTA over those transfers. To request a copy of the safeguards we rely on, email privacy@arlo.sh.

How long we keep information

We keep personal information only as long as we need it for the purposes described in this policy, then delete or de-identify it. Concretely:

Account details — kept while your account is open, then deleted within 30 days of account closure.
Messages, memory, and transcripts — kept so Arlo can be useful to you, until you delete them or close your account; then removed from live systems within 30 days and from backups within 90 days.
Call and meeting audio recordings — deleted within 30 days; the transcript and any notes Arlo remembers follow the line above and can be deleted on request at any time.
Billing and tax records — kept for up to 7 years where tax and accounting law requires.
Security and abuse-prevention logs — kept only as long as needed to keep the Service safe, then deleted.

Your rights

Depending on where you live, you have rights over your personal information, and we honor the rights below for everyone wherever you are.

If you are in the UK or EU (GDPR), you have the right to: access your data; have it corrected; have it erased; restrict or object to processing, including processing based on our legitimate interests; receive a portable copy; and withdraw consent at any time (withdrawing consent does not affect processing we already did). You also have the right to complain to a supervisory authority (see "Complaints").

If you are in California or another U.S. state with a privacy law (such as Colorado, Connecticut, Texas, or Virginia), you have the right to: know and access the categories and specific pieces of personal information we have collected (with a 12-month lookback in California), where it came from, why, and who we shared it with; delete it, including your Arlo memory; correct inaccurate information; opt out of any sale or sharing (we do neither, so there is nothing to opt out of); limit the use of sensitive information (we already limit it to running the Service); and not be discriminated against for exercising your rights — you get the same Arlo, at the same price. You can also use an authorized agent to make a request for you.

To exercise any right, email privacy@arlo.sh or use the form at arlo.sh/privacy-request. To stop SMS, reply STOP (or CANCEL, END, QUIT, or UNSUBSCRIBE) to any text; reply HELP for help.

How to make a request, and our timelines

Requests are free of charge. We may need to verify your identity before we act, and if an authorized agent makes a request on your behalf we may ask you to confirm you gave them permission.

For UK and EU (GDPR) requests, we respond within one month, and can extend by up to two further months for complex requests (we will tell you if we need to).

For U.S. state requests, we acknowledge within 10 business days and respond within 45 calendar days, extendable once to a total of 90 days with notice. We act on opt-out and "limit sensitive information" requests within 15 business days, and we honor messaging opt-outs (STOP) within 10 business days at the latest, usually immediately.

Complaints

If you have a concern about how we handle your data, please contact us first at privacy@arlo.sh. We will acknowledge your complaint, look into it, and respond.

You also have the right to complain to a data protection authority. In the UK, that is the Information Commissioner’s Office (ico.org.uk). In the EU, it is your local supervisory authority. We would appreciate the chance to address your concern directly first, but you do not have to contact us before going to a regulator.

UK and EU representatives

Because Arlo is operated from outside the UK and EU but offers its Service to people there, we appoint representatives under Article 27 of the UK and EU GDPR. Our UK representative and our EU representative, with their addresses, are listed here and you can contact either of them on data-protection matters in addition to contacting us at privacy@arlo.sh. (Operator note: appoint and name the UK and EU Article 27 representatives, with their member-state and UK addresses, before serving UK/EU users at scale.)

For business customers

If you use Arlo on behalf of a team or organization, a Data Processing Agreement is available that includes the data-processing terms required by Article 28 of the GDPR, our sub-processor list, and our transfer safeguards. Contact privacy@arlo.sh to request one. Our Terms of Service explain the rest of the business relationship.

Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has given us personal information, contact privacy@arlo.sh and we will delete it. We chose 16 to comfortably cover both the U.S. floor and the higher digital-consent age that applies in parts of the UK and EU, which is appropriate given that Arlo can record calls and handle sensitive content.

How to reach us

Questions or requests about privacy? Email privacy@arlo.sh, or write to us at our postal address (Arlo, attn: Privacy — insert the operator’s mailing address here). Arlo is operated by Idan Mann, trading as Arlo. See also our Terms of Service, including the messaging and recording terms.