Legal

Privacy Policy

Last updated: April 14, 2026

At ARA, we handle sensitive customer conversations on behalf of GCC businesses. Protecting that data isn't a legal checkbox — it's core to why our product exists. This policy explains what we collect, how we use it, and the rights you have over it.

01 Introduction

This Privacy Policy explains how ARA ("we", "us", or "our") collects, uses, discloses, and protects information when you use our AI receptionist services, websites, and related applications (collectively, the "Services"). By using the Services, you agree to the practices described in this policy.

ARA is designed for businesses — primarily clinics and restaurants — operating in the Gulf Cooperation Council (GCC) region. This policy is aligned with the Saudi Personal Data Protection Law (PDPL), the UAE Federal Decree-Law No. 45 of 2021, and other applicable GCC data protection frameworks.

02 Information We Collect

We collect information that you provide directly, information collected automatically when you use the Services, and information we receive from third parties.

  • Account data: business name, contact name, email, phone number, business type, country, and billing address.
  • Call and conversation data: inbound phone numbers, call recordings, transcripts, summaries, and metadata required to route and complete bookings.
  • Customer data: information your end customers provide during calls, such as names, phone numbers, appointment preferences, and dietary requirements. This data is processed on your behalf.
  • Usage data: dashboard interactions, IP address, device type, browser, and log data used to operate and secure the Services.
  • Payment data: payment is processed by PCI-compliant providers. We do not store full card numbers on our systems.

03 How We Use Information

We use information to provide and improve the Services, including:

  • Operating the AI receptionist, processing calls, and creating bookings.
  • Generating transcripts and post-call summaries for your dashboard.
  • Sending service-related communications (invoices, security notices, product updates).
  • Analyzing usage to improve accuracy, reliability, and performance.
  • Preventing fraud, abuse, and unauthorized access.
  • Complying with legal obligations and responding to lawful requests.

05 Data Sharing and Disclosure

We do not sell personal data. We share information only with:

  • Sub-processors that help us operate the Services (telephony providers, cloud hosting, speech-to-text, language models, payment processors). Each sub-processor is bound by written data protection obligations.
  • Your organization — authorized users of your workspace may access the data collected for your business.
  • Legal authorities — when required by applicable law, court order, or to protect rights and safety.

06 Data Residency and International Transfers

Customer call recordings, transcripts, and booking data are stored in-region (GCC or EU data centers) by default. Limited operational metadata may be processed in other jurisdictions solely to provide the Services. Where cross-border transfers occur, we use appropriate safeguards such as Standard Contractual Clauses.

07 Data Retention

We retain personal data only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Call recordings and transcripts are retained for the period you configure in your dashboard (default: 180 days). You may request earlier deletion in accordance with your rights.

08 Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, and regular security reviews. No system is perfectly secure, so we cannot guarantee absolute security.

09 Your Rights

Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. To exercise these rights, contact us at the address below. We will respond within the timeframe required by applicable law.

10 Children's Privacy

The Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps to delete it.

11 Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where appropriate, provide additional notice through the Services. Your continued use of the Services after changes become effective means you accept the revised policy.

12 Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact our Data Protection Officer at [email protected], or write to us at ARA, Riyadh, Saudi Arabia.

Questions about this policy? See our Terms of Service or reach our team directly.

Contact us