Privacy Policy

Version: 1.0

Last updated: 04 Feb 2026

Applies to: all individuals who visit arrowdot.ai, create Arrowdot accounts, or use applications built on the Arrowdot platform

Privacy: [email protected]

Security: [email protected]

Abuse: [email protected]

1. Introduction

This Privacy Policy explains how Arrowdot Ltd (“Arrowdot”, “we”, “us”) handles personal data for individuals worldwide when you:

  • visit our website at arrowdot.ai
  • create or manage an Arrowdot account
  • build applications using the Arrowdot platform
  • use applications built by Arrowdot customers (typically under arrowdot.app)

Arrowdot operates globally. This policy applies regardless of where you are located, subject to applicable local laws.

2. Summary

There are three different situations:

  • Website visitors: Arrowdot is the data controller.
  • Customers building apps on Arrowdot: Arrowdot is the data controller for your Arrowdot account data.
  • End users of customer apps: the customer is the data controller. Arrowdot acts only as a data processor.

Details below.

3. Roles and responsibilities

Depending on how Arrowdot is used, different parties act as the data controller.

a) Arrowdot website visitors

Arrowdot is the data controller for personal data relating to visitors to arrowdot.ai.

b) Customers who build apps on Arrowdot

If you create or manage an Arrowdot account, Arrowdot is the data controller for personal data relating to:

  • your user account
  • authentication details
  • billing and support contacts
  • platform usage linked to your account

This covers data needed to operate and secure the Arrowdot service.

c) End users of apps built on Arrowdot

If you interact with an application built by an Arrowdot customer (for example under arrowdot.app or arrowdot.ai/share):

  • the organisation that published the app is the data controller
  • Arrowdot acts only as a data processor on that customer’s behalf

This means:

  • the customer decides what personal data is collected and why
  • the customer must provide their own privacy notice
  • Arrowdot processes data only according to that customer’s instructions and our Data Processing Addendum

Arrowdot does not determine the purposes or means of processing for customer-built applications and does not provide privacy notices to end users of those apps.

If you have questions about a specific app, please contact the organisation that operates that app directly.

4. Personal data we collect

Website visitors

  • IP address
  • device and browser information
  • pages viewed and referral source
  • cookie preferences
  • name and email address if a visitor uses our contact form, newsletter subscription form or other similar services

Used for site operation, security, and basic analytics.

Arrowdot account holders and users

  • name and email address
  • organisation
  • authentication credentials
  • usage logs and audit events
  • support communications
  • billing details (via payment providers)

Used to provide the platform, manage accounts, secure systems, and offer support.

End users of customer apps

Arrowdot may process personal data submitted through customer-built applications (for example form inputs or uploaded files). Arrowdot does not control this data. The customer determines what is collected and why.

5. How we use personal data

Where Arrowdot is the data controller, we use personal data to:

  • provide and operate the Arrowdot platform and website
  • authenticate users and manage accounts
  • secure systems and prevent abuse
  • respond to support requests
  • bill customers
  • comply with legal obligations

We do not sell personal data.

Arrowdot may use third-party AI/LLM providers to operate certain platform features, including build-time app generation (for example turning prompts and specifications into code and outputs). Arrowdot may dynamically select between providers for these platform features. We do not use Customer Data or Outputs to train AI models unless a customer explicitly opts in in writing.

Where Arrowdot acts as the data controller (for website visitors and Arrowdot account holders), we rely on:

  • contract (to provide the service)
  • legitimate interests (security, fraud prevention, service improvement)
  • consent (cookies where required, or opt-ins to communications)
  • legal obligation (accounting and compliance)

Where Arrowdot acts as the data processor (for end users of customer-built applications), processing is governed by our Data Processing Addendum and the customer’s instructions.

7. Cookies

We use essential cookies and optional analytics cookies on arrowdot.ai.

We use Google Analytics 4 (GA4) to collect aggregated website usage statistics (such as pages viewed, device type, and approximate location). This data is used to understand how visitors use our site and improve our service.

Cookie preferences can be managed via our cookie banner, and more information can be found in our Cookie Policy.

8. Sub-processors

We use trusted service providers for hosting, email, monitoring, and related infrastructure.

Our current sub-processors are listed at: Subprocessors

9. International transfers

Arrowdot operates globally, and personal data may be processed in countries other than where you live.

Personal data may be processed and stored in multiple regions where Arrowdot or its providers operate, including the United Kingdom and the United States. Arrowdot operates a multi-region platform and, at this time, does not provide customer-specific regional isolation. Customer data may be processed across regions to support availability, performance, and reliability.

Where personal data is transferred outside the UK or EEA, we use approved safeguards including:

  • EU Standard Contractual Clauses (2021/914)
  • UK International Data Transfer Addendum

Details are available in our Data Processing Addendum.

10. Data retention

  • Arrowdot account data: retained for the duration of your account
  • Customer data: retained for the service term and deleted or anonymised within 30 days after termination (unless legally required)
  • Website analytics: typically retained for up to 12 months

Customers control retention for any storage or integrations they connect themselves.

11. Security

We apply technical and organisational measures including:

  • encryption in transit and at rest
  • MFA and role-based access control
  • audit logging
  • backups and recovery testing
  • secure development practices

12. Your rights

Depending on your location and how you interact with Arrowdot, you may have rights to:

  • access your personal data
  • correct inaccuracies
  • request deletion
  • object to processing
  • receive a copy of your data
  • withdraw consent

Requests can be sent to: [email protected]

If your data is processed via a customer-built application, please contact that customer directly.

13. US privacy disclosures

If you are a resident of the United States, you may have additional privacy rights depending on your state of residence.

No sale of personal information

Arrowdot does not sell personal information.

Disclosure of personal information

We may disclose personal information to service providers (for example hosting, security, monitoring, support, and AI providers used for platform features) to operate the website and provide the Arrowdot service.

Your rights

Depending on your state, you may have rights to request access to, correction of, or deletion of your personal information. Some states also provide a right to opt out of certain types of disclosures of personal information.

To make a request, contact [email protected]. We will respond as required by applicable law and may need to verify your request.

14. Children

Arrowdot is not intended for children under 18.

15. Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page.

16. Contact