Arlo

Privacy Policy

Your data,
handled with care.

Effective May 8, 2026

Arlo is an AI chief of staff for founders. To do that job, we process information from your inbox, calendar, and the channels you connect. This policy explains what we collect, why we collect it, and the controls you have over your data. For the plain-English version, see How Arlo Handles Your Data.

1. Who we are

Arlo (“Arlo,” “we,” “us”) operates the service available at arlo.fyi and connected surfaces (web cockpit, messaging integrations, and any future native apps). For questions about this policy, contact us at privacy@arlo.fyi.

2. Information we collect

Information you provide

  • Account information. Email address, name, profile photo, and authentication identifiers (e.g., Sign in with Apple, Google).
  • Workspace and organization data. Names, roles, and collaborators you add to your Arlo workspace.
  • Waitlist signups. If you join the waitlist, we store your email address so we can notify you when access opens.
  • Billing information. If you subscribe to a paid plan, our payment processor (Stripe) collects your payment details. We do not store full card numbers on our servers.
  • Conversations with Arlo. Messages, prompts, and instructions you send Arlo across web, WhatsApp, Telegram, email, or any other connected channel.

Information from connected services

With your explicit authorization (OAuth, API keys, or equivalent), Arlo accesses content from the services you connect, which may include:

  • Email. Message metadata and content from Gmail or other providers via Nylas, used to triage your inbox and surface what matters.
  • Calendar. Events, attendees, and meeting metadata from Google Calendar to prepare you for upcoming meetings.
  • Collaboration tools. Messages and channels from Slack and similar tools you connect.
  • Contact enrichment. Public information about people you interact with (e.g., professional profiles, company data) gathered from third-party providers like Andi Search and Perplexity.

Information collected automatically

  • Device and log data. IP address, browser type, device identifiers, pages viewed, and timestamps.
  • Usage data.Interactions with Arlo’s features so we can improve the product.
  • Cookies and similar technologies. Used for authentication, preferences, and limited analytics.

3. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve the Arlo service.
  • Build a private, persistent narrative and memory layer so Arlo understands you and your business.
  • Generate AI-assisted summaries, replies, briefings, and recommendations.
  • Authenticate you and protect your account.
  • Process payments and manage subscriptions.
  • Communicate with you about product updates, security alerts, and support.
  • Detect, prevent, and respond to abuse, fraud, and security incidents.
  • Comply with legal obligations.

4. AI processing

Arlo uses gpt-oss(OpenAI’s open-weights model family) hosted on Cloudflare Workers AIfor routine AI processing. When you interact with Arlo, relevant context (which may include excerpts of your messages, calendar events, contact data, and stored memory) is sent to Workers AI solely to produce the response you requested. Inference runs inside Cloudflare’s network, the same network where Arlo’s web app and workers run.

OpenAI’s hosted API is retained as a fallback for when Workers AI is unavailable, and is rarely exercised in routine operation. Both providers are bound by contractual commitments prohibiting them from using your content to train their general-purpose models. Your content is processed for the duration needed to fulfill the request and is not used to improve any model outside of Arlo’s own product-specific learning loops.

5. Encryption and security

Sensitive content (including ingested email, calendar data, and long-term memory) is encrypted at rest using envelope encryption tied to your organization. Data in transit is encrypted using TLS. Access to data inside Arlo is enforced by row-level security policies that scope every read and write to your organization.

No system is perfectly secure. We work hard to protect your data, but we cannot guarantee absolute security. If we become aware of a security incident affecting your data, we will notify you in line with applicable law.

6. How we share information

We do not sell your personal data. We share data only:

  • With service providers who help us operate Arlo (e.g., Cloudflare for hosting and AI inference, Neon for the database, OpenAI as a fallback AI provider when Workers AI is unavailable, Stripe for billing, Resend for transactional email, Twilio for messaging, Nylas for email integration). These providers are bound by contracts that limit their use of your data to providing services to us.
  • With your direction, for example when you ask Arlo to send a message, draft a reply, or share a briefing.
  • With your collaborators if you invite them to your workspace or organization.
  • For legal reasons, including responding to lawful requests from public authorities.
  • In a business transfer, such as a merger, acquisition, or sale of assets, subject to standard confidentiality protections.

7. Data retention

We retain your data for as long as your account is active and as needed to provide the service. You can delete specific items at any time, and you can delete your account, which removes your data within 30 days except where we are required to retain it (e.g., financial records, legal obligations). Backups are purged on a rolling 30-day cycle.

If your paid trial ends without a payment method on file, your account becomes dormant: data polling stops and raw email and calendar data are purged within 30 days. Memory, narrative, briefs, and tasks are preserved so you can resume seamlessly if you add a card later. For a hard delete of memory and narrative, email business@arlo.fyi.

8. Your rights and choices

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (subject to legal exceptions).
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for connected services at any time.

To exercise these rights, email privacy@arlo.fyi. You can also disconnect any integration directly from your Arlo settings.

9. International transfers

Arlo is operated from the United States and processes data on infrastructure that may be located in other countries. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to transfer personal data internationally.

10. Children

Arlo is built for founders and operators. The service is not intended for, and we do not knowingly collect personal information from, children under 16.

11. Changes to this policy

We may update this Privacy Policy from time to time. If the changes are material, we will notify you by email or through the product before they take effect. The “Effective” date at the top of this page reflects the latest version.

12. Contact

Questions, requests, or concerns? Reach us at privacy@arlo.fyi.