Privacy Policy

Effective Date: January 14, 2026 Last Updated: January 14, 2026 Version: 1.0.0

Overview

Aragora ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our multi-agent vetted decisionmaking control plane and related services.

SOC 2 Control: P1-01 - Privacy notice and consent management

Information We Collect

Information You Provide

Data Type	Examples	Purpose
Account Information	Email, name, organization	Account management, authentication
Payment Information	Billing address, payment method (via Stripe)	Subscription billing
Content	Debate topics, agent configurations	Service delivery
Communications	Support tickets, feedback	Customer support

Information Collected Automatically

Data Type	Examples	Purpose
Usage Data	API calls, debates run, tokens consumed	Billing, analytics
Log Data	IP address, browser type, timestamps	Security, troubleshooting
Device Information	Operating system, device type	Compatibility
Cookies	Session tokens, preferences	Authentication, UX

Information from Third Parties

Source	Data Type	Purpose
AI Providers	Model responses (not stored)	Service delivery
OAuth Providers	Email, profile (if using SSO)	Authentication
Payment Processors	Transaction status	Billing

How We Use Your Information

Service Delivery

Authenticate your identity
Process and deliver debate results
Track usage for billing
Provide customer support

Improvement and Analytics

Analyze usage patterns to improve features
Monitor system performance
Identify and fix bugs
Develop new capabilities

Communication

Service announcements
Security alerts
Billing notifications
Marketing (with consent, opt-out available)

Legal and Security

Comply with legal obligations
Enforce our Terms of Service
Protect against fraud and abuse
Respond to legal requests

Data Retention

Data Type	Retention Period	Justification
Account Data	Duration of account + 30 days	Service delivery
Usage Data	2 years	Billing, analytics
Audit Logs	7 years	Compliance, security
Debate Content	Configurable (default: 90 days)	Service delivery
Payment Records	7 years	Tax/legal requirements
Support Tickets	3 years	Customer service

After retention periods, data is permanently deleted or anonymized.

We DO NOT:

Sell your personal information
Share data for third-party advertising
Use your content to train AI models without consent
Provide data to government agencies without legal process

Recipient	Purpose	Safeguards
AI Providers (OpenAI, Anthropic, etc.)	Process debate requests	Data Processing Agreements
Payment Processors (Stripe)	Process payments	PCI DSS compliant
Cloud Infrastructure (AWS/GCP)	Host services	SOC 2 certified providers
Analytics (self-hosted)	Improve service	No PII exported
Legal Authorities	Legal compliance	Only with valid legal process

Your Rights

Access and Portability

Request a copy of your data
Export debate history in standard formats (JSON, CSV)
Receive data within 30 days of request

Correction

Update account information via settings
Request correction of inaccurate data
Contact support for assistance

Deletion

Delete your account and associated data
Request deletion of specific data
Data deleted within 30 days of request

Restriction and Objection

Opt out of marketing communications
Restrict processing for specific purposes
Object to automated decision-making

How to Exercise Your Rights

Self-Service: Most rights available in account settings
Email: privacy@aragora.ai
Support Ticket: Via dashboard or support@aragora.ai

We respond to all requests within 30 days.

Data Subject Access Request (DSAR) Process

Submitting a Request

Email: privacy@aragora.ai

Required Information:

Full name and email associated with account
Type of request (access, deletion, correction, etc.)
Specific data or timeframe (if applicable)

Verification

We verify your identity by:

Confirming email ownership
Matching account credentials
For sensitive requests: additional verification

Response Timeline

Step	Timeline
Acknowledgment	Within 3 business days
Verification	Within 5 business days
Fulfillment	Within 30 days
Complex Requests	Up to 45 days (with notice)

International Data Transfers

Data Location

Primary data is stored in the United States (AWS us-east-1 or GCP us-central1).

Transfer Mechanisms

For users outside the US, we rely on:

Standard Contractual Clauses (SCCs)
Adequacy decisions where applicable
Data Processing Agreements with sub-processors

EU/EEA Users

We comply with GDPR requirements including:

Lawful basis for processing
Data subject rights
Data protection impact assessments
Breach notification (72-hour requirement)

Security

Technical Measures

Encryption at rest (AES-256)
Encryption in transit (TLS 1.3)
Multi-factor authentication for admin access
Regular security audits and penetration testing

Organizational Measures

Employee security training
Access controls and least privilege
Incident response procedures
Vendor security assessments

SOC 2 Certification

We maintain SOC 2 Type II certification covering:

Security
Availability
Processing Integrity
Confidentiality

Cookies and Tracking

Essential Cookies

Cookie	Purpose	Duration
session_token	Authentication	Session
csrf_token	Security	Session
preferences	User settings	1 year

Analytics (Optional)

We use self-hosted analytics (no third-party tracking) with:

No cross-site tracking
No advertising cookies
Anonymized IP addresses
Opt-out available in settings

Your Choices

Disable non-essential cookies in browser settings
Use "Do Not Track" browser setting
Opt out of analytics in account settings

Children's Privacy

Aragora is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact privacy@aragora.ai immediately.

Changes to This Policy

We may update this policy periodically. Changes are communicated via:

Email notification for material changes
Banner notice on the platform
Version history at bottom of this document

Continued use after changes constitutes acceptance of the updated policy.

Contact Us

Privacy Inquiries

Email: privacy@aragora.ai Response Time: Within 3 business days

Data Protection Officer

For EU/EEA users: Email: dpo@aragora.ai

Mailing Address

Aragora, Inc.
Attn: Privacy Team
[Address to be added]

Regulatory Information

Supervisory Authority

EU/EEA users may lodge complaints with their local data protection authority.

California Privacy Rights (CCPA)

California residents have additional rights including:

Right to know what personal information is collected
Right to delete personal information
Right to opt out of sale (we do not sell data)
Right to non-discrimination

Document History

Version	Date	Changes
1.0.0	2026-01-14	Initial release

Overview​

Information We Collect​

Information You Provide​

Information Collected Automatically​

Information from Third Parties​

How We Use Your Information​

Service Delivery​

Improvement and Analytics​

Communication​

Legal and Security​

Data Retention​

Data Sharing​

We DO NOT:​

We MAY share data with:​

Your Rights​

Access and Portability​

Correction​

Deletion​

Restriction and Objection​

How to Exercise Your Rights​

Data Subject Access Request (DSAR) Process​

Submitting a Request​

Verification​

Response Timeline​

International Data Transfers​

Data Location​

Transfer Mechanisms​

EU/EEA Users​

Security​

Technical Measures​

Organizational Measures​

SOC 2 Certification​

Cookies and Tracking​

Essential Cookies​

Analytics (Optional)​

Your Choices​

Children's Privacy​

Changes to This Policy​

Contact Us​

Privacy Inquiries​

Data Protection Officer​

Mailing Address​

Regulatory Information​

Supervisory Authority​

California Privacy Rights (CCPA)​

Document History​