Privacy Policy
Last updated: 19 March 2026
1. Data Controller
ArimaiTech (“we”, “us”) is the data controller for personal data processed through PostureIQ. Contact: privacy@arimaitech.com.
2. Data We Collect
| Category | Examples | Legal Basis (GDPR) |
|---|---|---|
| Account data | Email, name, organisation name | Contract performance (Art. 6(1)(b)) |
| M365 configuration data | Tenant policies, Intune profiles, Exchange settings | Contract performance (Art. 6(1)(b)) |
| Usage data | Pages visited, features used, audit timestamps | Legitimate interest (Art. 6(1)(f)) |
| Billing data | Stripe customer ID, plan, subscription status | Contract performance (Art. 6(1)(b)) |
We do not collect or store end-user personal data from your M365 tenant. PostureIQ analyses configuration policies and settings only — not mailbox content, file content, or user activity logs.
3. How We Use Your Data
- Provide and improve the PostureIQ compliance auditing service
- Generate compliance reports and remediation guidance
- Process billing and manage subscriptions
- Send service notifications (audit complete, score changes)
- Respond to support requests
4. Data Residency
- Database: Supabase (PostgreSQL) — EU region (Frankfurt, Germany)
- Application hosting: Vercel — EU edge network
- AI processing: Anthropic API — data is sent for analysis but is not retained or used for training. See Anthropic's privacy policy.
- Billing: Stripe — processes in EU/US with appropriate safeguards
5. Data Retention
- Assessment data: retained for the duration of your subscription plus 90 days
- Account data: retained until account deletion
- Audit logs: retained for 2 years for compliance purposes
- PDF reports: retained in storage until account deletion
6. Your Rights (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Export your data in a portable format
- Object to processing based on legitimate interest
- Restrict processing in certain circumstances
Exercise these rights via Settings > Account or by emailing privacy@arimaitech.com.
7. Cookies
PostureIQ uses only essential cookies for authentication session management (Supabase auth tokens). We do not use analytics, advertising, or tracking cookies. No cookie consent is required under GDPR for strictly necessary cookies.
8. Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting | EU edge |
| Stripe | Payment processing | EU/US |
| Anthropic | AI-assisted settings evaluation | US (no data retention) |
| Resend | Transactional email | US |
9. Security
We implement appropriate technical and organisational measures including: encryption in transit (TLS), encryption at rest (Supabase), role-based access control, evidence integrity hashing (SHA-256), and audit logging of all data access.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to the account owner. Continued use after notification constitutes acceptance.
11. Contact
ArimaiTech
Email: privacy@arimaitech.com