Privacy Policy

Last updated: March 4, 2026

1. Introduction

ArvoDocs LLC ("we," "us," "our"), a Texas limited liability company, operates the ArvoDocs quality management platform. This Privacy Policy describes how we collect, use, and protect your information.

2. Information We Collect

Account information: Name, email address, company name, and billing information when you create an account or subscribe to a paid plan.

Usage data: Log data, device information, browser type, IP address, and pages visited. We use this to improve the Service.

Your QMS data: Documents, quality events, supplier records, and other content you upload to the Service. This is your data — see Section 5.

3. How We Use Your Information

We use your information to: provide and maintain the Service; process billing; send transactional emails (account confirmations, billing receipts, security alerts); improve the Service based on aggregate usage patterns; respond to support requests; comply with legal obligations.

We do not sell your personal information. We do not use your QMS data for advertising or marketing purposes.

4. Data Security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). We use SOC 2-aligned infrastructure hosted in the United States. Access to production systems is restricted and logged. We conduct regular security reviews.

5. Your QMS Data

Your QMS data (documents, records, quality events, etc.) belongs to you. We do not access it except to provide the Service, troubleshoot issues with your permission, or comply with legal requirements. We do not use your QMS data to train models, build products, or share with third parties.

6. Audit Trail Data

ArvoDocs maintains a comprehensive, immutable audit trail of all actions taken within the platform. This audit trail is a core design feature required to support compliance with FDA 21 CFR Part 11 and EU Annex 11, which mandate that electronic records include a complete and tamper-proof history of changes.

Audit trail data cannot be modified, overwritten, or deleted — even upon request. This is a regulatory requirement, not a system limitation. The immutability of the audit trail protects both you and your regulators by ensuring a trustworthy record of all quality management activities.

If you have questions about specific audit trail records, contact privacy@arvodocs.com.

7. Data Retention

We retain your account data for as long as your account is active. Upon cancellation, you have 90 days to export your data. After that, all data is permanently deleted from our systems and backups within 30 additional days.

8. Sub-processors

We use the following third-party sub-processors to operate the Service:

  • Google Cloud Platform — Cloud hosting and compute infrastructure
  • Firebase (Google) — Authentication services
  • Stripe — Payment processing and billing
  • Resend — Transactional email delivery

All sub-processors are contractually required to protect your data and may only process it to perform services on our behalf. We will notify customers of any changes to our sub-processor list at least 30 days in advance via email. If you object to a new sub-processor, you may terminate your subscription before the change takes effect.

9. International Data Transfers

Your data is stored and processed in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the US for processing.

For EU/EEA customers, we offer Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate safeguards for international data transfers. To request SCCs or a Data Processing Agreement, contact legal@arvodocs.com.

10. Data Breach Notification

In the event of a confirmed data breach that affects your personal data or QMS data, we will notify affected customers within 72 hours of confirmation, in accordance with GDPR Article 33 requirements. Notification will include: the nature of the breach, the categories and approximate number of records affected, likely consequences, and the measures taken or proposed to address the breach.

We will also notify the relevant supervisory authority where required by applicable law.

11. Cookies

We use essential cookies to maintain your session and preferences. We do not use third-party advertising or tracking cookies.

12. Your Rights — General

You can access, update, or delete your account information at any time through the Service. You can export all your data at any time. If you have questions about your data rights, contact us at privacy@arvodocs.com.

13. GDPR Rights (EEA Residents)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — Request a copy of the personal data we hold about you
  • Right to rectification — Request correction of inaccurate or incomplete personal data
  • Right to erasure — Request deletion of your personal data (subject to regulatory retention requirements — see Section 6 regarding audit trail data)
  • Right to restriction — Request that we limit the processing of your personal data
  • Right to data portability — Receive your personal data in a structured, commonly used, machine-readable format
  • Right to object — Object to processing of your personal data based on legitimate interests

To exercise any of these rights, email privacy@arvodocs.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

14. CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know — Request information about the categories and specific pieces of personal information we have collected about you
  • Right to delete — Request deletion of your personal information (subject to regulatory retention requirements)
  • Right to opt-out of sale — We do not sell your personal information to third parties
  • Non-discrimination — We will not discriminate against you for exercising your CCPA rights

To exercise your rights, email privacy@arvodocs.com. We will verify your identity and respond within 45 days.

15. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@arvodocs.com.

16. Data Protection Officer

For all data protection inquiries, requests, or complaints, you may contact our Data Protection Officer at:

Email: privacy@arvodocs.com
ArvoDocs LLC
Attn: Data Protection Officer
Texas, United States

17. Changes

We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use after changes constitutes acceptance.

18. Contact

Questions? Email privacy@arvodocs.com.