The ARMES
Privacy Policy.

Name: ARMES
Availability: InStock
Author: ARMES

Privacy is usually a marketing promise. At ARMES, it is enforced by architecture.

Private Inference

Your queries are processed by AI providers through zero-data-retention endpoints. Not stored, not used for training, not used to build profiles.

Your Private Workspace

What you save is yours. It lives in your workspace. When you delete it, it vanishes forever.

Last Updated

February 20, 2026

Introduction & Data Controller

This Privacy Policy describes how ARMES Labs, Inc. (“ARMES,” “we,” “us,” or “our”), a Delaware S-Corporation, collects, uses, shares, and protects information when you use the ARMES platform, website, APIs, and related services (collectively, the “Services”).

ARMES is built on a dual-layer architecture that separates intelligence (AI processing) from memory (your data). This separation is the foundation of our privacy model: AI providers process your queries but never retain them.

For the purposes of the EU General Data Protection Regulation (“GDPR”) and similar data protection laws, ARMES Labs, Inc. is the data controller for personal data processed through the Services.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.

Data We Collect

We collect only the data necessary to operate and improve the Services. Here is a transparent inventory of what we hold and what we do not.

Information You Provide

Account Information

Email address, display name, and authentication credentials (managed by Firebase).

Conversation Content

Messages you send and receive through ARMES, saved to your private workspace.

Knowledge Base & Notes

Notes, documents, and prompt templates you create within ARMES.

Agent Configurations

Custom bot/agent settings, system prompts, and mode preferences.

Uploaded Files

Files you upload for AI processing (retained for 7 minutes, then permanently purged).

Support Communications

Messages and information you send when contacting support.

Information Collected Automatically

Usage Metadata

Token counts, model selections, and feature usage (aggregate, non-content).

Device & Connection Info

Browser type, operating system, IP address, and general location (country/region).

Log Data

Server logs including timestamps, request paths, and error codes for system health.

Authentication Tokens

Session tokens and refresh tokens managed by Firebase Authentication.

What We Do NOT Collect

Payment card details (handled entirely by Stripe)

Advertising or tracking identifiers

Behavioral profiles for ad targeting

Biometric data

Social media activity outside ARMES

Location data beyond country/region

How We Use Your Data

We use your data only for the purposes described below. We do not sell your personal data. We do not use your data for advertising. We do not build profiles on you.

Providing the Services

Processing your AI queries, storing your conversations and knowledge base, managing your agents, and delivering responses.

Contract performance

Account Management

Creating and maintaining your account, authenticating your identity, and managing subscriptions.

Contract performance

Billing & Payments

Processing subscription payments and managing usage-based billing through Stripe.

Contract performance

Service Improvement

Analyzing aggregate, non-content usage patterns (e.g., which models are popular, feature adoption rates) to improve the platform.

Legitimate interest

Error Diagnosis

Reviewing anonymized error logs to diagnose and fix bugs. See Section 11 for details.

Legitimate interest

Security & Fraud Prevention

Detecting, preventing, and responding to security incidents, abuse, and violations of our Terms.

Legitimate interest / Legal obligation

Communications

Sending transactional emails (receipts, security alerts, service updates). Marketing emails only with your opt-in consent.

Contract / Consent

Legal Compliance

Meeting legal obligations, responding to lawful requests, and enforcing our Terms of Service.

Legal obligation

Private Inference Architecture

They Process. They Forget.

ARMES uses a dual-layer architecture that fundamentally separates AI processing from data storage. This is what we call private inference — and it is the core of our privacy model.

Layer 1: Ephemeral AI Processing

When you send a query to ChatGPT, Claude, Gemini, or any model through ARMES:

1
Routing: Your query travels through our gateway partner, OpenRouter, which enforces private inference endpoints.
2
Processing: The AI provider processes your query and returns a response. Your data is not stored on their servers, not used for model training, and not used to build advertising or behavioral profiles.
3
Deletion: Once the response is generated, the context is discarded by the AI provider. It is never written to persistent storage.

What this means: AI providers cannot learn from you, profile you, or monetize your data — because they are not permitted to retain it.

Layer 2: Your Private Workspace

ARMES stores your conversations, notes, and agent configurations for your benefit — not for training, profiling, or advertising.

Isolated: Your data is stored in your private workspace with row-level security isolation.
Unread: We do not read or mine your content. Only aggregate metadata (e.g., token counts) is used for billing and system health.
Deletable: You can delete any or all of your data at any time. See Section 06.

ARMES Does Not

Train any AI model on your data
Build behavioral or advertising profiles
Sell or monetize your personal data
Share content with advertisers

AI Providers Must Not

Retain your query or response data
Use your data for model improvement
Build user profiles from ARMES queries
Log identifiable information from requests

Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with the service providers necessary to operate ARMES. Each sub-processor is bound by contractual obligations to protect your data.

We explicitly list every major sub-processor so you know exactly where your data flows.

AI Gateway

OpenRouter

Routes queries exclusively to zero-data-retention endpoints. Tracks provider data policies and blocks endpoints without verified ZDR commitments.

Database & Storage

Supabase

Postgres-backed storage with strict row-level security. Hosts your private workspace in AWS US regions.

Authentication

Firebase (Google)

Handles identity verification (Email, Google, GitHub). ARMES never sees or stores your password.

Agent Compute

Render

Isolated execution environment for AI agent processing. Service-to-service communication secured by JWT.

Hosting & Edge

Vercel

Delivers the web application via a secure Edge Network with minimal, privacy-preserving telemetry.

Payments

Stripe

Processes all payments securely. ARMES never sees or stores your credit card number.

When We May Disclose Data

• To comply with applicable law, regulation, or valid legal process (e.g., subpoena or court order).
• To protect the rights, safety, or property of ARMES, our users, or the public.
• In connection with a merger, acquisition, or sale of assets (you will be notified beforehand).
• With your explicit consent.

Data Retention & Deletion

In the digital world, “Delete” often means “Hide.” At ARMES, delete means gone.

Retention Schedule

AI queries (at providers)Not retained

Discarded immediately after response via private inference

Uploaded files7 minutes

Purged automatically after AI processing completes

Conversations & notesUntil you delete them

Stored in your workspace for as long as you choose

Account dataUntil account deletion

Removed when you delete your account

Server logs30 days

Rotated and purged automatically for system health

Billing recordsAs required by law

Tax and financial regulations may require longer retention

How Deletion Works

Immediate Deletion

When you delete a conversation, note, or your entire account, the data is removed from the active database immediately.

Backup Purge (7-Day Buffer)

Deleted data may persist in encrypted cold-storage backups for a maximum of 7 days as a disaster recovery safeguard. After 7 days, it is overwritten and permanently destroyed.

Security

We implement administrative, technical, and physical safeguards designed to protect your data. While no system is 100% secure, we follow industry best practices.

In Transit

TLS 1.3 encryption for all data moving between you, ARMES, and AI providers.

At Rest

Supabase row-level security (RLS) policies isolate each user's data at the database level.

Authentication via Firebase

Service-to-service communication secured

Regular dependency audits and vulnerability scanning

Principle of least privilege for internal access controls

Encrypted backups with automatic rotation and purge schedules

Breach Notification

In the unlikely event of a data breach that affects your personal data, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by applicable law.

International Data Transfers

ARMES Labs, Inc. is based in the United States. If you access our Services from outside the United States, your data may be transferred to, stored in, and processed in the United States and other countries where our sub-processors operate.

Primary Data Location

Your workspace data is stored by Supabase on AWS infrastructure in the United States. Authentication data is managed by Firebase (Google Cloud Platform).

AI Processing

AI queries may be processed by providers located in various countries. Because these queries are processed ephemerally under private inference (no retention, no storage), the data exposure during transit is momentary and no persistent copy exists at the provider.

Safeguards for EU/EEA Users

Where personal data is transferred from the European Economic Area, we rely on appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework, as applicable.

Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. To exercise any of these rights, contact us.

For All Users (and GDPR where applicable)

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate personal data.

Right to Erasure

Request deletion of your personal data (the kill switch).

Right to Data Portability

Export your conversations, notes, and knowledge base.

Right to Restrict Processing

Request that we limit how we process your data in certain circumstances.

Right to Object

Object to processing based on legitimate interest, including direct marketing.

Additional Rights for California Residents (CCPA/CPRA)

Right to Know

Request disclosure of what personal data we collect, use, and share.

Right to Delete

Request deletion of personal data we have collected.

Right to Opt-Out of Sale

We do not sell personal data. This right is satisfied by default.

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

Response Time: We will respond to verified rights requests within 30 days (or sooner where required by law). If we need additional time, we will notify you of the reason and extension period. If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

Children’s Privacy

ARMES is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18.

If we learn that we have collected personal data from a user under 18, we will take steps to delete that data promptly. If you believe a child under 18 has provided us with personal data, please contact us.

Error Diagnostics & Safety

We want to be transparent about the limited circumstances in which we may review data beyond aggregate metrics.

When We May Review Error Data

When an error or failure occurs in the AI processing pipeline, we may review anonymized diagnostic information to identify and fix the issue. When doing so:

We do not have access to your identity in the error log. Diagnostic data is separated from user identifiers.
We do not review the content of your conversations unless strictly necessary to diagnose a specific failure.
Any review is conducted by authorized personnel only, under strict access controls.
Diagnostic data is retained only for the duration necessary to resolve the issue.

This practice is similar to how other AI platforms handle safety-flagged content, but we are committed to minimizing any access to your data. We will never use error diagnostic data for training, profiling, or any purpose other than fixing the specific technical issue.

Cookies & Similar Technologies

ARMES uses a minimal set of cookies, limited to what is strictly necessary for the Services to function. We do not use advertising, tracking, or analytics cookies.

Authentication Cookies

Strictly Necessary

Managed by Supabase and Firebase to maintain your login session securely. These are strictly functional cookies required for the service to operate.

Security Cookies

Strictly Necessary

CSRF tokens and session integrity cookies to protect against cross-site attacks.

Preference Cookies

Functional

Store your UI preferences such as theme (light/dark mode) selection.

No Tracking: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioral tracking technologies.

Third-Party Links

The Services may contain links to third-party websites, products, or services that are not owned or controlled by ARMES. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party services you access through ARMES. Our inclusion of a link does not imply endorsement of the linked site's privacy practices.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material Changes

For significant changes that affect how we collect, use, or share your data, we will notify you by email (to the address associated with your account) and/or by posting a prominent notice within the Services at least 30 days before the changes take effect.

Minor Changes

For non-material changes (e.g., formatting, clarifications that don't change the substance), we will update the “Last Updated” date at the top of this page.

Your continued use of the Services after any changes become effective constitutes your acceptance of the revised policy.

Contact Us

Questions, concerns, or rights requests? We're here to help.

ARMES Labs, Inc.

Delaware, United States

We aim to respond to all privacy inquiries within 48 hours.

The ARMES
Privacy Policy.

Privacy is usually a marketing promise. At ARMES, it is enforced by architecture.

Private Inference

Your queries are processed by AI providers through zero-data-retention endpoints. Not stored, not used for training, not used to build profiles.

Your Private Workspace

What you save is yours. It lives in your workspace. When you delete it, it vanishes forever.

Last Updated

February 20, 2026

Introduction & Data Controller

For the purposes of the EU General Data Protection Regulation (“GDPR”) and similar data protection laws, ARMES Labs, Inc. is the data controller for personal data processed through the Services.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.

Data We Collect

We collect only the data necessary to operate and improve the Services. Here is a transparent inventory of what we hold and what we do not.

Information You Provide

Account Information

Email address, display name, and authentication credentials (managed by Firebase).

Conversation Content

Messages you send and receive through ARMES, saved to your private workspace.

Knowledge Base & Notes

Notes, documents, and prompt templates you create within ARMES.

Agent Configurations

Custom bot/agent settings, system prompts, and mode preferences.

Uploaded Files

Files you upload for AI processing (retained for 7 minutes, then permanently purged).

Support Communications

Messages and information you send when contacting support.

Information Collected Automatically

Usage Metadata

Token counts, model selections, and feature usage (aggregate, non-content).

Device & Connection Info

Browser type, operating system, IP address, and general location (country/region).

Log Data

Server logs including timestamps, request paths, and error codes for system health.

Authentication Tokens

Session tokens and refresh tokens managed by Firebase Authentication.

What We Do NOT Collect

Payment card details (handled entirely by Stripe)

Advertising or tracking identifiers

Behavioral profiles for ad targeting

Biometric data

Social media activity outside ARMES

Location data beyond country/region

How We Use Your Data

We use your data only for the purposes described below. We do not sell your personal data. We do not use your data for advertising. We do not build profiles on you.

Providing the Services

Processing your AI queries, storing your conversations and knowledge base, managing your agents, and delivering responses.

Contract performance

Account Management

Creating and maintaining your account, authenticating your identity, and managing subscriptions.

Contract performance

Billing & Payments

Processing subscription payments and managing usage-based billing through Stripe.

Contract performance

Service Improvement

Analyzing aggregate, non-content usage patterns (e.g., which models are popular, feature adoption rates) to improve the platform.

Legitimate interest

Error Diagnosis

Reviewing anonymized error logs to diagnose and fix bugs. See Section 11 for details.

Legitimate interest

Security & Fraud Prevention

Detecting, preventing, and responding to security incidents, abuse, and violations of our Terms.

Legitimate interest / Legal obligation

Communications

Sending transactional emails (receipts, security alerts, service updates). Marketing emails only with your opt-in consent.

Contract / Consent

Legal Compliance

Meeting legal obligations, responding to lawful requests, and enforcing our Terms of Service.

Legal obligation

Private Inference Architecture

They Process. They Forget.

ARMES uses a dual-layer architecture that fundamentally separates AI processing from data storage. This is what we call private inference — and it is the core of our privacy model.

Layer 1: Ephemeral AI Processing

When you send a query to ChatGPT, Claude, Gemini, or any model through ARMES:

1
Routing: Your query travels through our gateway partner, OpenRouter, which enforces private inference endpoints.
2
Processing: The AI provider processes your query and returns a response. Your data is not stored on their servers, not used for model training, and not used to build advertising or behavioral profiles.
3
Deletion: Once the response is generated, the context is discarded by the AI provider. It is never written to persistent storage.

What this means: AI providers cannot learn from you, profile you, or monetize your data — because they are not permitted to retain it.

Layer 2: Your Private Workspace

ARMES stores your conversations, notes, and agent configurations for your benefit — not for training, profiling, or advertising.

Isolated: Your data is stored in your private workspace with row-level security isolation.
Unread: We do not read or mine your content. Only aggregate metadata (e.g., token counts) is used for billing and system health.
Deletable: You can delete any or all of your data at any time. See Section 06.

ARMES Does Not

Train any AI model on your data
Build behavioral or advertising profiles
Sell or monetize your personal data
Share content with advertisers

AI Providers Must Not

Retain your query or response data
Use your data for model improvement
Build user profiles from ARMES queries
Log identifiable information from requests

Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with the service providers necessary to operate ARMES. Each sub-processor is bound by contractual obligations to protect your data.

We explicitly list every major sub-processor so you know exactly where your data flows.

AI Gateway

OpenRouter

Routes queries exclusively to zero-data-retention endpoints. Tracks provider data policies and blocks endpoints without verified ZDR commitments.

Database & Storage

Supabase

Postgres-backed storage with strict row-level security. Hosts your private workspace in AWS US regions.

Authentication

Firebase (Google)

Handles identity verification (Email, Google, GitHub). ARMES never sees or stores your password.

Agent Compute

Render

Isolated execution environment for AI agent processing. Service-to-service communication secured by JWT.

Hosting & Edge

Vercel

Delivers the web application via a secure Edge Network with minimal, privacy-preserving telemetry.

Payments

Stripe

Processes all payments securely. ARMES never sees or stores your credit card number.

When We May Disclose Data

• To comply with applicable law, regulation, or valid legal process (e.g., subpoena or court order).
• To protect the rights, safety, or property of ARMES, our users, or the public.
• In connection with a merger, acquisition, or sale of assets (you will be notified beforehand).
• With your explicit consent.

Data Retention & Deletion

In the digital world, “Delete” often means “Hide.” At ARMES, delete means gone.

Retention Schedule

AI queries (at providers)Not retained

Discarded immediately after response via private inference

Uploaded files7 minutes

Purged automatically after AI processing completes

Conversations & notesUntil you delete them

Stored in your workspace for as long as you choose

Account dataUntil account deletion

Removed when you delete your account

Server logs30 days

Rotated and purged automatically for system health

Billing recordsAs required by law

Tax and financial regulations may require longer retention

How Deletion Works

Immediate Deletion

When you delete a conversation, note, or your entire account, the data is removed from the active database immediately.

Backup Purge (7-Day Buffer)

Deleted data may persist in encrypted cold-storage backups for a maximum of 7 days as a disaster recovery safeguard. After 7 days, it is overwritten and permanently destroyed.

Security

We implement administrative, technical, and physical safeguards designed to protect your data. While no system is 100% secure, we follow industry best practices.

In Transit

TLS 1.3 encryption for all data moving between you, ARMES, and AI providers.

At Rest

Supabase row-level security (RLS) policies isolate each user's data at the database level.

Authentication via Firebase

Service-to-service communication secured

Regular dependency audits and vulnerability scanning

Principle of least privilege for internal access controls

Encrypted backups with automatic rotation and purge schedules

Breach Notification

International Data Transfers

Primary Data Location

Your workspace data is stored by Supabase on AWS infrastructure in the United States. Authentication data is managed by Firebase (Google Cloud Platform).

AI Processing

Safeguards for EU/EEA Users

Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. To exercise any of these rights, contact us.

For All Users (and GDPR where applicable)

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate personal data.

Right to Erasure

Request deletion of your personal data (the kill switch).

Right to Data Portability

Export your conversations, notes, and knowledge base.

Right to Restrict Processing

Request that we limit how we process your data in certain circumstances.

Right to Object

Object to processing based on legitimate interest, including direct marketing.

Additional Rights for California Residents (CCPA/CPRA)

Right to Know

Request disclosure of what personal data we collect, use, and share.

Right to Delete

Request deletion of personal data we have collected.

Right to Opt-Out of Sale

We do not sell personal data. This right is satisfied by default.

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

Children’s Privacy

ARMES is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18.

Error Diagnostics & Safety

We want to be transparent about the limited circumstances in which we may review data beyond aggregate metrics.

When We May Review Error Data

When an error or failure occurs in the AI processing pipeline, we may review anonymized diagnostic information to identify and fix the issue. When doing so:

We do not have access to your identity in the error log. Diagnostic data is separated from user identifiers.
We do not review the content of your conversations unless strictly necessary to diagnose a specific failure.
Any review is conducted by authorized personnel only, under strict access controls.
Diagnostic data is retained only for the duration necessary to resolve the issue.

Cookies & Similar Technologies

ARMES uses a minimal set of cookies, limited to what is strictly necessary for the Services to function. We do not use advertising, tracking, or analytics cookies.

Authentication Cookies

Strictly Necessary

Managed by Supabase and Firebase to maintain your login session securely. These are strictly functional cookies required for the service to operate.

Security Cookies

Strictly Necessary

CSRF tokens and session integrity cookies to protect against cross-site attacks.

Preference Cookies

Functional

Store your UI preferences such as theme (light/dark mode) selection.

No Tracking: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioral tracking technologies.

Third-Party Links

The Services may contain links to third-party websites, products, or services that are not owned or controlled by ARMES. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party services you access through ARMES. Our inclusion of a link does not imply endorsement of the linked site's privacy practices.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material Changes

Minor Changes

For non-material changes (e.g., formatting, clarifications that don't change the substance), we will update the “Last Updated” date at the top of this page.

Your continued use of the Services after any changes become effective constitutes your acceptance of the revised policy.

Contact Us

Questions, concerns, or rights requests? We're here to help.

ARMES Labs, Inc.

Delaware, United States

We aim to respond to all privacy inquiries within 48 hours.

The ARMES Privacy Policy.

Private Inference

Your Private Workspace

Contents

Introduction & Data Controller

Data We Collect

Information You Provide

Information Collected Automatically

What We Do NOT Collect

How We Use Your Data

Providing the Services

Account Management

Billing & Payments

Service Improvement

Error Diagnosis

Security & Fraud Prevention

Communications

Legal Compliance

Private Inference Architecture

They Process. They Forget.

Layer 1: Ephemeral AI Processing

Layer 2: Your Private Workspace

ARMES Does Not

AI Providers Must Not

Data Sharing & Sub-Processors

When We May Disclose Data

Data Retention & Deletion

Retention Schedule

How Deletion Works

Immediate Deletion

Backup Purge (7-Day Buffer)

Security

In Transit

At Rest

Breach Notification

International Data Transfers

Primary Data Location

AI Processing

Safeguards for EU/EEA Users

Your Rights

For All Users (and GDPR where applicable)

Right of Access

Right to Rectification

Right to Erasure

Right to Data Portability

Right to Restrict Processing

Right to Object

Additional Rights for California Residents (CCPA/CPRA)

Right to Know

Right to Delete

Right to Opt-Out of Sale

Right to Non-Discrimination

Children’s Privacy

Error Diagnostics & Safety

When We May Review Error Data

Cookies & Similar Technologies

Authentication Cookies

Security Cookies

Preference Cookies

Third-Party Links

Changes to This Policy

Material Changes

Minor Changes

Contact Us

The ARMES Privacy Policy.

Private Inference

Your Private Workspace

Contents

Introduction & Data Controller

Data We Collect

Information You Provide

Information Collected Automatically

What We Do NOT Collect

How We Use Your Data

Providing the Services

Account Management

Billing & Payments

Service Improvement

Error Diagnosis

Security & Fraud Prevention

The ARMES
Privacy Policy.

The ARMES
Privacy Policy.