Legal

Privacy Policy

Effective: March 6, 2026Last Updated: March 6, 2026

1. Introduction

ARX QM Holdings, Inc. (“ARX,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at arxqm.com (the “Website”), use our platform and services (collectively, the “Services”), or otherwise interact with us.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Services.

ARX QM Holdings, Inc. is incorporated in the State of Delaware, United States, with its principal place of business in Fort Wayne, Indiana.

2. Information We Collect

2.1 Information You Provide Directly

We may collect the following categories of personal information that you voluntarily provide to us:

  • Account Information: Name, email address, company name, job title, and password when you create an account or request access to our platform.
  • Contact Information: Name, email address, phone number, and company information when you contact us, request a demo, or submit inquiries.
  • Payment Information: Billing address and payment method details. Payment processing is handled by our third-party payment processors; we do not store complete credit card numbers on our servers.
  • Communications: Any information you provide when you communicate with us, including support requests, feedback, and survey responses.
  • Professional Information: Company name, industry, job title, and role when you register for enterprise services.

2.2 Product-Specific Data

When you use ARX products, we collect additional data necessary to deliver persistent AI memory services:

  • Context Data: Knowledge graph data derived from connected sources and AI interactions. This includes structured representations of your accumulated context, stored on your behalf to power persistent AI memory across sessions and providers.
  • OAuth Tokens: Encrypted access tokens from third-party services used to import your data. Tokens are stored encrypted and can be revoked at any time from your account settings. We do not use these tokens for any purpose other than the data import you authorize.
  • Usage Data: Interaction patterns, search queries, and feature usage. This data is used to improve the accuracy and relevance of your experience.
  • Billing Information: Subscription tier and payment method details. All payment processing is handled by Stripe. We never store full card numbers or raw payment credentials on our servers.

2.3 Information Collected Automatically

When you access our Services, we automatically collect certain information, including:

  • Device Information: Browser type and version, operating system, device type, screen resolution, and unique device identifiers.
  • Network Information: IP address, internet service provider, and approximate geographic location derived from your IP address.
  • Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, and similar tracking technologies. See our Cookie Policy for more information.

2.4 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Business partners and integration providers
  • Publicly available sources and databases
  • Analytics and advertising partners
  • Single sign-on (SSO) and identity providers when you authenticate through them

3. How We Use Your Information

We use your personal information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our Services, process transactions, and manage your account.
  • Personalization: Building and refining your persistent AI context, generating cross-session insights, and improving the accuracy of your knowledge graph based on your connected sources and interactions.
  • Product Improvement: Aggregated, anonymized usage patterns to improve context quality and service accuracy across the platform. We do not use individually identifiable context data for product improvement without your explicit consent.
  • Communication: To respond to your inquiries, send service-related notices, and provide customer support.
  • Security: To detect, prevent, and address technical issues, fraud, unauthorized access, and other harmful activity.
  • Analytics: To understand how users interact with our Services, analyze trends, and improve user experience.
  • Marketing: To send promotional communications where you have opted in. You may opt out at any time (see Section 8).
  • Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
  • Contractual Obligations: To fulfill our contractual obligations to enterprise customers under service agreements.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, non-essential cookies, connecting third-party data sources).
  • Contract Performance: Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
  • Legitimate Interests: Where processing is necessary for our legitimate interests (e.g., fraud prevention, network security, improving our Services), provided these interests are not overridden by your rights and freedoms.
  • Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject.

You may withdraw your consent at any time by contacting us at privacy@arxqm.com or using the opt-out mechanisms described in this policy.

5. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: With trusted third-party vendors who perform services on our behalf. These providers are contractually obligated to protect your data and may only use it to perform the services we have engaged them to provide. Our current third-party service providers include:
    • Google OAuth / Firebase Auth: Authentication provider for account sign-in, including SSO.
    • Stripe: Payment processing for subscription billing.
    • Sentry: Error monitoring and crash reporting to help us diagnose and fix product issues.
    • Cloudflare: Hosting, content delivery network (CDN), and security infrastructure.
    • Firebase: Authentication infrastructure supporting account management.
  • Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as a business asset. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
  • Legal Requirements: When required by law, regulation, legal process, or enforceable governmental request; to enforce our Terms of Service; or to protect the rights, property, or safety of ARX, our users, or others.
  • With Your Consent: In any other circumstances where we have your explicit consent to share your information.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about how you use our Services. Our cookie consent mechanism allows you to manage your preferences for non-essential cookies.

Essential cookies are required for the basic functionality of our Website and cannot be disabled. Non-essential cookies (analytics, marketing, and functional cookies) are only activated after you provide consent through our cookie banner.

For detailed information about the cookies we use and how to manage your cookie preferences, please review our Cookie Policy.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting obligations. The retention period depends on the context of our relationship with you and the nature of the data:

  • Account Data: Retained for the duration of your account and for up to 30 days after account deletion, unless a longer retention period is required by law.
  • Engram Data: Retained for the duration of your account. All engrams are permanently deleted within 30 days of account deletion. You may also request deletion of individual engrams at any time from Settings > Privacy.
  • OAuth Tokens: Revoked and deleted immediately upon disconnecting a source or deleting your account. We do not retain any OAuth credentials after authorization is revoked.
  • Connector Import Data: Raw data imported from connected sources (e.g., Spotify listening history, YouTube watch history) is processed into engrams and then deleted within 7 days of import. Only the resulting engrams are retained long-term.
  • Transaction Records: Retained for up to 7 years to comply with tax, accounting, and financial regulations.
  • Marketing Preferences: Retained until you opt out or withdraw consent.
  • Usage and Analytics Data: Retained in aggregated or anonymized form for up to 26 months.
  • Support Communications: Retained for up to 3 years after resolution.

When data is no longer needed, we will securely delete or anonymize it in accordance with our data retention schedules and applicable law.

8. Your Privacy Rights

8.1 ARX Product Rights

Regardless of your location, all ARX users have the following rights with respect to their product data:

  • Data Portability: You can export your engrams in a standard format at any time from Settings > Privacy. Exported data includes all knowledge graph entries, source mappings, and preference signals we have stored on your behalf.
  • Right to Deletion: Request complete deletion of your account and all associated engrams via Settings > Privacy, or by emailing privacy@arxqm.com. Deletion is processed within 30 days.
  • Source Disconnection: You may disconnect any linked third-party source at any time from Settings > Connected Sources. Disconnecting a source immediately revokes our access and triggers deletion of the associated OAuth token.

8.2 Rights Under GDPR (EEA/UK/Switzerland Residents)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request that we correct inaccurate or incomplete personal data.
  • Right to Erasure: You may request that we delete your personal data, subject to certain legal exceptions.
  • Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: You may request to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: You may object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

8.3 Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share it.
  • Right to Delete: You may request the deletion of your personal information, subject to certain legal exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit the use and disclosure of your sensitive personal information.

To exercise your CCPA rights, contact us at privacy@arxqm.com. We will verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf.

8.4 Opt-Out of Marketing Communications (CAN-SPAM)

In compliance with the CAN-SPAM Act, all marketing emails we send will clearly identify ARX as the sender, include a valid physical postal address, and contain a clear and conspicuous unsubscribe mechanism. You may opt out of receiving marketing communications at any time by:

  • Clicking the “unsubscribe” link in any marketing email
  • Emailing us at privacy@arxqm.com with the subject line “Unsubscribe”
  • Updating your communication preferences in your account settings

We will process your opt-out request within 10 business days. Please note that you may continue to receive transactional or service-related communications.

9. Children’s Privacy (COPPA)

Our Services are not directed to children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 years of age. If we become aware that we have collected personal information from a child under 13, we will take steps to promptly delete such information from our systems.

If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at privacy@arxqm.com, and we will take appropriate steps to investigate and address the issue.

For users between the ages of 13 and 18, we require parental or guardian consent prior to the collection or processing of personal information, where required by applicable law.

10. International Data Transfers

Your personal information may be transferred to and processed in countries other than your country of residence, including the United States, where our primary servers are located. These countries may have data protection laws that differ from those of your jurisdiction.

Where we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Data Processing Agreements with our service providers
  • Other lawful transfer mechanisms as required under applicable law

11. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Encrypted storage of all OAuth tokens using AES-256
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection and security practices
  • Incident response and breach notification procedures

While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service before providing personal information.

13. Do Not Track Signals

Some web browsers may transmit “Do Not Track” (DNT) signals. We honor DNT signals and do not track, plant cookies, or use advertising when a DNT browser mechanism is in place. We also honor the Global Privacy Control (GPC) signal as a valid opt-out preference under CCPA.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the revised Privacy Policy on this page with an updated “Last Updated” date. For material changes, we will provide notice through the Services or by sending you an email to the address associated with your account.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ARX QM Holdings, Inc.

Privacy Officer

Email: privacy@arxqm.com

Website: arxqm.com

Dover, Delaware, United States

For GDPR-related inquiries, you may also lodge a complaint with the relevant supervisory authority in your jurisdiction. For CCPA requests, we will respond within 45 days of receiving a verifiable consumer request.