Skip to main content

Privacy

Privacy overview

This page describes how the product is designed to handle data in a typical self-hosted or operator-run deployment. It is not legal advice and does not replace a data processing agreement your counsel reviews.

  • What we process

    Accounts (email, name, password hash), organization and membership records, scan configuration, crawl and scan results, findings, evidence artifacts, billing identifiers synced from Stripe, and audit-style logs for operator accountability. Exact fields live in the application database schema for this deployment.

  • Crawl and scan content

    The engine fetches URLs you authorize (or submit for instant scans). That can include page HTML, assets needed for analysis, and derived artifacts (for example screenshots where configured). Retention follows this deployment's settings and operator practice—not a promise of indefinite storage.

  • AI and model providers

    Where draft assist is enabled, bounded context may be sent to the model provider configured in your environment. That provider is a subprocessor for those flows; see Subprocessors.

  • Your controls

    Organization owners and admins can manage members, API keys, and many product settings inside the app. For export, deletion, or DPA-level requests, contact your deployment operator.

Questions: sales@aros.dev. Also see Security & privacy and Terms of service.