This Privacy Policy explains how Arpixa collects, uses, stores, shares, and protects personal data when you use our websites, applications, and related services. It also explains your choices and privacy rights, conforming to international regulations including the GDPR and CCPA.

Arpixa is an agency management platform for freelancers, studios, and agencies. The platform helps businesses manage clients, leads, projects, messaging, files, meetings, proposals, contracts, invoices, payments, and reporting from one workspace.

1. Who We Are

Arpixa ("Arpixa", "we", "us", "our") provides software services under the Arpixa brand. For privacy requests, contact us at support@arpixa.io.

2. Scope of This Policy

This policy applies to:

Visitors to Arpixa websites and landing pages.
Users who create Arpixa accounts and workspaces.
Team members and collaborators invited into workspaces.
Clients and contacts whose information is added to Arpixa by workspace users.
People who interact with us for support, billing, security, or legal matters.

This policy does not govern third-party services that you connect to Arpixa (for example Google, Stripe, Razorpay, Slack, Zoom, or Notion) beyond the data Arpixa receives from those services.

3. Roles and Responsibility for Data

Depending on context, Arpixa can act as a data controller or data processor:

Controller: For Arpixa account, subscription, security, and operational data, Arpixa determines why and how processing happens.
Processor: For client/customer data entered by a workspace (for example project, invoice, contract, meeting, and message records), Arpixa generally processes data on behalf of that workspace under a Data Processing Agreement (DPA).

4. Categories of Data We Collect

We may collect and process the following categories of personal data:

Identity and profile data: name, username, avatar, role, and workspace membership details.
Contact data: email address, phone number, business name, billing address, and communication preferences.
Workspace and business records: client lists, projects, tasks, notes, proposals, contracts, invoices, and shared files.
Integration and token metadata: integration status, granted scopes, and encrypted token material necessary to securely operate connected features.
Scheduling and meeting data: booking inputs, event timing, and generated meeting links.
Payment data: plan details, transaction references (Arpixa never stores full credit card numbers).
Technical and usage data: IP address, user agent, session events, errors, and feature usage.
Consent and compliance records: your cookie-consent choices and your acceptance of this Privacy Policy and our Terms of Service — including the policy version, the method of acceptance (checkbox or Google sign-in), a timestamp, IP address, and browser/user-agent — retained as proof of consent.

5. How We Collect Data

We collect data through multiple channels:

Directly from you: when you sign up, configure your workspace, upload files, or contact support.
Automatically: through logs, consented browser storage, and telemetry for security and diagnostics.
From connected services: when you authorize integrations like Google APIs or Payment Gateways.

6. Why We Use Personal Data

We use personal data for legitimate business and service purposes, including to:

Provide, operate, and maintain Arpixa services natively.
Process invoices, subscriptions, and payment-related operations securely.
Send service notices, security alerts, product updates, and support communications.
Monitor performance, detect abuse, investigate incidents, and enforce policies.
Comply strictly with overriding legal obligations.

7. Google API and Connected Account Data (Limited Use)

If you connect Google services, Arpixa may access Google account data according to scopes you authorize. This can include calendar, meeting, and drive functions needed for agency workflows.

We strictly comply with the Google API Services User Data Policy, including all Limited Use requirements.

No Sale of Data: Arpixa emphatically does not sell Google user data to any third-party brokers.
No Advertising: We do not use Google Workspace API data, connected files, or calendar data to serve or target advertisements.
No AI Profiling: We do not use Google Workspace API data to train generalized AI or machine learning models.
Limited Use: Any data extracted via restricted scopes is utilized solely to facilitate the core dashboard features directly requested by you, such as storing approved files or backing up generated PDFs to connected storage.

You can revoke access at any time from your Google account permissions and from Arpixa integration settings.

8. Cookies, Local Storage, and Consent Matrix

Arpixa utilizes a robust, user-configurable Cookie Consent Manager. We categorize our browser storage into strictly necessary technologies (which cannot be disabled as they govern security) and optional technologies.

No non-essential storage before consent: Optional technologies, including Google Analytics, are never loaded or activated until you provide explicit opt-in consent through our consent banner. Declining or ignoring the banner means only strictly necessary technologies are used.

Category	Provider	Purpose	Can User Opt-Out?
Strictly Necessary	Firebase	Core authentication, session integrity, security (CSRF prevention), and load-balancing.	No (Required for Service)
Analytics & Performance	Google Analytics	Measures page visits, feature engagement, and traffic sources to help us improve the platform.	Yes (via Cookie Banner)
Preferences	Local Storage	Remembers UI state (e.g., Dark Mode) to enhance user experience without tracking behavior.	Yes (Clearing browser data)

You can review or change your consent preferences at any time using the "Cookie Settings" link in our website footer, which reopens the consent manager. Withdrawing consent is as easy as granting it. Because preferences are stored in your browser's local storage, you may alternatively clear your browser site data to reset all choices and re-trigger the banner.

When you make a consent choice (either here or via the Privacy Policy and Terms acceptance during sign-up/sign-in), we keep a durable record of that choice — including the policy version, the method, a timestamp, and limited technical metadata — so that we can demonstrate, as required under the GDPR and India's DPDP Act, that consent was obtained.

9. How We Share Personal Data

We share data only when operationally strictly necessary to run the service:

Infrastructure providers: Firebase/Google Cloud for encrypted data storage and identity routing.
Payment processors: Stripe and Razorpay under PCI-compliant transmission.
Legal and compliance: Regulators or law enforcement only when compelled by a valid subpoena or overriding legal mandate.

Arpixa does not sell personal information to data brokers.

10. International Data Transfers

Arpixa and its providers may process data cross-border (e.g., US, EU, India). We rely on legally recognized transfer mechanisms, including Standard Contractual Clauses (SCCs), to safeguard your data.

11. Data Retention and Deletion

We retain personal data only as long as needed for operational, security, and legal requirements.

If you request account deletion, we process primary deletion as soon as reasonably possible.
Backup and log data may persist for an encrypted recovery window (up to 90 days) before automatic catastrophic deletion.

12. Security Measures & Breach Notification

We maintain administrative, technical, and organizational safeguards (including data encryption at-rest and in-transit) to protect personal data.

Breach Notification: In the highly unlikely event of a verified data breach exposing unencrypted personal data, Arpixa will notify affected users without undue delay, and in compliance with statutory timelines (e.g., within 72 hours under GDPR), outlining the scope of the breach and remediation steps taken.

13. Your Privacy Rights

Depending on your jurisdiction, you unequivocally have the right to:

Access: Obtain a structured copy of your personal data.
Rectification: Correct inaccurate information.
Erasure (Right to be Forgotten): Request catastrophic deletion of personal data, subject to legal overrides.
Restriction: Object to or restrict specific processing activities.
Portability: Demand data in a machine-readable format.

To exercise rights, email support@arpixa.io from your registered account. We will respond within 30 days.

14. Region-Specific Notices (GDPR & CCPA)

European Economic Area (GDPR): If you reside in the EEA or UK, Arpixa processes your data according to lawful bases established under the General Data Protection Regulation. You have the right to lodge a complaint with your local supervisory authority.

California (CCPA/CPRA): Under the California Consumer Privacy Act, California residents have the right to know, access, and delete their data, and protect themselves against discrimination for exercising these rights. We confirm: Arpixa has not "sold" or "shared" personal information for cross-context behavioral advertising within the last 12 months.

India (DPDP Act, 2023 & IT Rules): If you are in India, Arpixa processes your personal data in accordance with the Digital Personal Data Protection Act, 2023. You may give, manage, and withdraw consent, request access and correction, nominate another individual to exercise your rights, and lodge a grievance with our Grievance Officer (see Section 19) before approaching the Data Protection Board of India. Individuals under 18 are treated as children whose data is processed only with verifiable parental/guardian consent.

15. Children's Privacy and Minimum Age

Arpixa is a business-to-business platform intended exclusively for professional use by individuals who are at least 18 years of age and who have the legal capacity to enter into a binding contract. We do not knowingly direct the Service to, or knowingly collect personal data from, anyone under 18.

We set the minimum age at 18 (rather than 13) because using Arpixa involves forming a binding contract and processing payments. Under the Indian Contract Act, 1872, an agreement with a minor is void, and under India's DPDP Act, 2023, any individual under 18 is a "child" whose personal data may be processed only with the verifiable consent of a parent or lawful guardian. The 13-year threshold associated with laws such as the U.S. Children's Online Privacy Protection Act (COPPA) applies to consumer/child-directed services and is not appropriate for a contract-based B2B product like Arpixa. If we learn that we have collected personal data from a person under 18 without the required parental consent, we will delete it promptly.

16. Third-Party Links and Services

Our platform integrates with third-party tools. Their privacy practices are governed by their own policies.

17. Changes to This Privacy Policy

We may refine this Policy to reflect operational evolutions. Material changes will be highlighted to active users via service notifications prior to taking effect.

18. Contact Us

For privacy compliance, access requests, or regulatory concerns, contact our DPO team at support@arpixa.io.

19. Grievance Officer (India)

In accordance with the Information Technology Act, 2000, the rules made thereunder, and India's Digital Personal Data Protection Act, 2023, the contact details of our Grievance Officer are provided below. The Grievance Officer addresses questions, complaints, and requests regarding the processing of your personal data and your rights.

Grievance Officer: Alok Barai (Founder, Arpixa)
Email: support@arpixa.io

We aim to acknowledge grievances within 24 hours and resolve them within the timelines prescribed by applicable law (and in any case within 30 days). If you are not satisfied with the resolution, you may escalate to the relevant supervisory authority — for example, the Data Protection Board of India.