Announcing Ara's backing from Y Combinator.Privacy Policy
Last updated: May 2026
The Short Version
We don't look at your code, conversations, or AI interactions. In local mode, your work stays entirely on your machine. In cloud mode, your sessions run in isolated containers that are destroyed when you're done. We collect only what's needed to run the service.
Local Mode
On your computer (we never see it):
- Your conversations with AI
- Your code and files
- Your API keys and credentials
- Configuration and settings
- Message history and logs
All of this lives in your local Ara directory and never leaves your computer to reach our servers. We literally cannot access it.
Cloud Mode
When you use Ara Cloud, sessions run in isolated containers on our infrastructure. Here's what we handle:
Account information:
- Email address (from Google sign-in)
- Subscription status and billing details (via Stripe)
- Session metadata (start time, duration, resource usage)
Credentials you provide:
- AI provider API keys are stored encrypted and only injected into your active session containers
- We do not log, read, or use your API keys for any purpose other than passing them to your session
Session data:
- Your session workspace is backed up to private encrypted storage so you can resume later
- Session containers are isolated — no other user or Ara staff can access a running session
- When you delete your account, all session data and backups are permanently removed
Connected Google Services
You may optionally connect Google services (Gmail, Calendar, Drive, and others) to use within your Ara sessions. When you do:
- We request only the permissions (OAuth scopes) you explicitly approve
- Google OAuth access is used only to provide features you request within Ara sessions, based on the scopes you approve
- For Google Calendar, this may include calendar data in approved scopes (such as calendars, events, and availability) needed to execute your requested actions
- Tokens are injected into your isolated session container and are not accessible to anyone else
- You can disconnect Google services any time from your account settings, and you can also revoke access in Google Account permissions
Ara is designed to minimize Google data handling outside your active session, but data you request (including calendar details) can be processed and may appear in session workspace files, chat history, and backups according to this policy's retention section.
To revoke access directly from Google, visit Google Account permissions.
What We Collect on This Website and App
We use PostHog to collect anonymous product analytics — page views, button clicks, and other interaction events — so we can see which parts of Ara people actually use. We use Sentry to capture crash reports and errors so we can fix them. No personal content from your sessions, no session replays of your screen, and no screenshots are collected. Both services receive an anonymous device-level ID, not your name or email.
Your AI Traffic
In local mode, AI requests go directly from your computer to your chosen provider using your own API keys. In cloud mode, AI requests go from your session container to the provider. In both cases, we never intercept, log, or store your AI conversations.
Your AI provider's privacy policies apply to those interactions:
Data Retention
- Account data is retained while your account is active
- Session backups are retained until you delete them or your account
- Encrypted credentials are deleted when you remove them or delete your account
- Infrastructure logs (no personal data) are retained for up to 30 days for debugging
Third-Party Services
- Supabase — authentication and database (privacy policy)
- Stripe — payment processing (privacy policy)
- Vercel — website hosting (privacy policy)
- PostHog — anonymous product analytics (privacy policy)
- Sentry — crash and error reporting (privacy policy)
Compliance
We are working toward HIPAA and SOC 2 Type II (AICPA) attestation, targeting 2026. Certifications take real audits and real time; this section is updated as we progress.
- SOC 2 Type II (AICPA) — in progress. Type I in audit prep; Type II targeted late 2026.
- HIPAA — in progress. BAA program in development; available on request as the program matures.
- GDPR — aligned. DPA available on request.
For interim documentation or procurement questions, contact security@ara.so.
Changes
We may update this policy. Changes will be reflected here with an updated date. For significant changes, we'll notify you via email or an in-app notice.