Legal

Privacy Policy

EFFECTIVE: MAY 1, 2026 · LAST UPDATED: MAY 1, 2026

This Privacy Policy describes how SRVC Technologies Inc., doing business as Arx ("Arx," "we," "our," "us") collects, uses, discloses, and protects information when you use our website, application, and related services (together, the "Service"). It applies to anyone who visits our pages or creates an account.

Arx is built for early-stage founders. The data you put into Arx — your cap table, your SAFEs, your investor pipeline, your financial model — is among the most sensitive information your company holds. We treat it that way.

Contents
  1. Information we collect
  2. How we use information
  3. When we share information
  4. AI features & your data
  5. Third-party integrations
  6. Cookies & analytics
  7. Data retention
  8. Security
  9. Your rights
  10. Children's privacy
  11. Changes to this policy
  12. Contact us

1. Information we collect

Information you provide

When you create an Arx account and use the Service, you provide:

  • Account information — your name, email address, password (hashed), role title, and timezone.
  • Company information — legal name, state of incorporation, stage, description, keywords, and competitor watchlist.
  • Cap table data — shareholders, options pool, signed SAFE agreements (including PDF documents and side letters), and pro-forma scenarios you save.
  • Data room contents — files (PDFs, spreadsheets, documents, links), folder structures, and the email addresses you share rooms with.
  • Pitch decks — uploaded PDF files and the public-link slugs you generate.
  • Investor records — names, firms, partner contacts, email addresses, statuses, notes, and check amounts.
  • Updates & communications — drafts, sent updates, embedded Loom URLs, and recipient lists.
  • Forecast assumptions — model inputs and scenario data.
  • Billing information — handled by Stripe; we do not store full card numbers. We retain your Stripe customer ID and subscription status.

Information collected automatically

When you use the Service, we collect:

  • Usage data — pages visited, features used, timestamps, and approximate IP-based location.
  • Device data — browser type, operating system, screen size, language.
  • Public-link analytics — when an investor opens a deck or data room you shared, we log their email address (if known), the time, duration of viewing, pages or files accessed, and approximate location. This is the analytics feature you, as a founder, use.

Information from third parties

If you sign in with Google, we receive your name, email address, and profile photo from Google. If you connect Gmail, we receive an access token scoped to send mail on your behalf and (optionally) read replies to your update threads. These tokens are encrypted at rest with AES-256-GCM using a key separate from your application data.

2. How we use information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Authenticate you and secure your account.
  • Send transactional email (sign-up confirmation, password resets, deck-view notifications, weekly digests, billing receipts).
  • Provide the AI assistant features, including generating responses, drafting updates, computing pro-forma scenarios, and answering questions about your data.
  • Detect and prevent abuse, fraud, and unauthorized access.
  • Improve the Service in aggregate (e.g., feature usage trends across all customers, never identifying any individual workspace).
  • Comply with legal obligations.

We do not use your information to train any AI model that is used by other customers. We do not sell or rent your personal information to anyone.

3. When we share information

Within your workspace

Workspace data (cap table, data rooms, decks, updates, forecasts) is visible to members of your company workspace based on their assigned role (Owner, Admin, Member).

With people you share with

When you share a data room or deck, recipients receive access via a link. We log their interactions and show that analytics back to you. Recipients can read their own access permissions but cannot read any other workspace data.

With our service providers

We rely on a small number of trusted third parties to operate the Service. Each is bound by a Data Processing Agreement:

  • Supabase (US/EU) — database, authentication, file storage.
  • Vercel (US) — frontend hosting.
  • Railway (US) — backend application hosting.
  • Stripe (US) — payment processing and customer portal.
  • Resend (US) — transactional email delivery.
  • Google (US) — optional Gmail send-from integration.
  • OpenAI (US) — AI model inference for the assistant. Your prompts and the relevant snippets of your data are sent at request time; OpenAI's enterprise API agreement excludes our data from model training and retains it for 30 days for abuse monitoring only.
  • Perplexity (US) — weekly competitor and industry news search. We send your company name, description, and competitor list; we do not send cap-table or financial data.

For legal reasons

We may disclose information if required by law, by valid legal process, or to protect the rights, property, or safety of Arx, our customers, or others.

Business transfers

If Arx is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

4. AI features & your data

Arx includes an AI assistant ("Ask Arx") that reads context from the page you're on. When you use it:

  • We send a snapshot of the relevant data (e.g., your cap table summary, current forecast row, recent deck views) along with your message to our AI provider.
  • Conversation history is stored in your workspace and visible only to your team members.
  • Our AI provider does not use your data for model training.
  • You can request deletion of any AI conversation at any time.

5. Third-party integrations

When you connect Gmail, you authorize Arx to send email on your behalf using your Google account. We request the minimum scopes needed: gmail.send and optionally gmail.readonly for thread reading. You can revoke access in Settings → Integrations or from your Google account at any time. Upon revocation, tokens are deleted and we stop sending mail through your account.

6. Cookies & analytics

We use a small number of strictly necessary cookies to keep you signed in and remember your active workspace. We also use first-party analytics to understand product usage in aggregate. We do not use third-party advertising trackers. You can clear cookies at any time in your browser settings; doing so will sign you out.

7. Data retention

We keep your information for as long as your workspace is active. If you cancel your subscription, your workspace becomes read-only for 30 days, during which you can export your data. After 30 days, your workspace and all associated data are permanently deleted from our active systems, and from our backups within 90 days.

You may request immediate deletion at any time via Settings → Security → Delete account & all data. This is irreversible.

8. Security

We work hard to keep your data safe:

  • Encryption in transit — TLS 1.2+ on all connections.
  • Encryption at rest — provided by our database and storage providers.
  • OAuth tokens — encrypted with AES-256-GCM using a key separate from your application data.
  • Row-level security — every database query is gated by your workspace membership.
  • Authentication — strong password hashing (bcrypt), optional two-factor authentication, optional passkeys.
  • Backups — daily point-in-time backups; storage objects versioned.
  • Audit log — every state-mutating action is logged.
  • Watermarks — view-only PDFs shared via the data room are watermarked with the viewer's email.

No system is perfectly secure. If you discover a security vulnerability, please email security@arx.so before disclosing publicly.

9. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information (we provide a one-click "Delete account" flow).
  • Object to or restrict certain processing.
  • Request a portable copy of your data.
  • Withdraw consent for any optional processing.

To exercise any of these rights, email privacy@arx.so. We respond within 30 days.

10. Children's privacy

Arx is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with information, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to the account owner at least 14 days before they take effect, and the "Last Updated" date at the top of this page will be revised. Continued use of the Service after the effective date constitutes acceptance.

12. Contact us

If you have any questions about this Privacy Policy, please reach out:

This document is provided for transparency. It is not legal advice. Specific contractual terms may apply to enterprise customers.