Privacy Policy

Arusto Inc.

5901 Mariposa Ct, Coral Gables, FL 33146

support@arusto.ai | legal@arusto.ai

Effective Date: April 24, 2026

Last Updated: April 24, 2026


TABLE OF CONTENTS

  1. Introduction
  2. Definitions
  3. Scope
  4. Data We Collect
  5. Legal Basis for Processing
  6. AI and Machine Learning Data Processing
  7. Data Security
  8. Data Locations and Residency
  9. Data Sharing
  10. Your Rights
  11. Data Retention
  12. Incident Response & Breach Notification
  13. Compliance
  14. Children's Privacy
  15. Contact

1. Introduction

Arusto Inc. operates an AI-powered learning content creation platform that transforms raw documents, videos, audio, and other materials into structured learning content, including courses, assessments, SCORM modules, and related outputs.

This Privacy Policy applies to: our website (arusto.ai), the Arusto Service platform, and related products and services.


2. Definitions

  • "Customer Content" -- Documents, videos, audio, images, text, data, or materials you upload or create
  • "Service Data" -- Usage analytics, performance metrics, diagnostics (excludes Customer Content and Personal Data)
  • "Personal Data" -- Information identifying a natural person (per GDPR, CCPA, FERPA)
  • "Sub-processor" -- Contractor engaged by Arusto to process personal data

3. Scope

This Privacy Policy applies to: Registered Users, Enterprise Customers, Government Customers, Education Institutions, and Visitors.

For Enterprise and Government customers, a separate Data Processing Agreement (DPA) may be required.


4. Data We Collect

4.1 Customer Content

Documents, video/audio files, course outlines, assessments, metadata.

Critical: Customer Content is NOT used to train or improve Arusto's AI models. Strict separation is maintained between Customer Content, Service Data, and model training data.

4.2 Personal Data

  • Account info: name, email, phone, job title, org affiliation
  • Usage data: log-in times, features used, IP address, device info
  • Government/Enterprise: authorized user names, roles, training records
  • Third parties: SSO providers, billing processors

4.3 Automatic Collection

Cookies, analytics, error logging, compliance/audit logs.


5. Legal Basis for Processing

Contractual Performance, Legitimate Interest, Legal Obligation, and Consent.

For EU Data Subjects: Standard Contractual Clauses (SCCs) for international transfers.


6. AI and Machine Learning Data Processing

Your Customer Content is NOT:

  • Used to train Arusto's AI models
  • Shared with third parties for model improvement
  • Used to create competing products
  • Retained longer than necessary

Your Customer Content IS:

  • Processed only to deliver the Service
  • Encrypted in transit and at rest
  • Accessible only to authorized personnel
  • Deleted upon termination or request

Strict architectural separation is enforced through database isolation, access control lists, audit logging, and regular compliance reviews.


7. Data Security

  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Access Controls: RBAC, MFA for admin, least privilege
  • Security Ops: 24/7 monitoring, vulnerability scanning, annual pen testing
  • Compliance Pathway: ISO 27001, SOC 2 Type II, FedRAMP Moderate, FISMA
  • Personnel: Background checks, annual training, vendor risk assessments

8. Data Locations and Residency

All Customer Content and Personal Data are stored exclusively in the United States.

For international processing needs: Standard Contractual Clauses (SCCs).

For US government customers: data remains within US territory, CUI handling procedures available, NIST/FedRAMP pathway.


9. Data Sharing

We do NOT sell, rent, or trade your data. Sub-processors include: cloud hosting (AWS/Azure), CDNs, analytics, payment processors, support systems, video processing, AI inference engines.

Current sub-processor list maintained at [INSERT URL].


10. Your Rights

US (CCPA/CPRA): Access, delete, correct, port, opt-out. Contact: privacy@arusto.ai

EU (GDPR): Access, rectification, erasure, restrict, port, object, withdraw consent. Contact: legal@arusto.ai

FERPA: Access educational records, request amendments, restrict disclosure. Arusto acts as a School Official.


11. Data Retention

  • Customer Content: Duration of subscription + 30 days
  • Personal Data: 30 days post-termination
  • Backups: Up to 90 days
  • Billing records: 7 years
  • Export: Available for 30 days post-termination in standard formats

12. Incident Response & Breach Notification

  • 24 hours: Isolate systems, assess scope
  • 24-72 hours: Root cause analysis, identify affected data
  • Within 72 hours: Notify customers, individuals (if required), regulators
  • Root cause analysis shared with enterprise customers within 30 days

13. Compliance

  • GDPR: Full compliance -- lawful basis, data subject rights, DPIAs, SCCs
  • CCPA/CPRA: Transparency, consumer rights, non-discrimination
  • State Laws: VA, CO, CT, UT and additional states
  • FERPA: School Official status, educational record protection
  • Government: FISMA, NIST, FedRAMP pathway, FAR/DFARS acknowledgment

14. Children's Privacy

The Service is not intended for children under 13 (COPPA) or 16 (GDPR). For educational use, FERPA provides additional protections.


15. Contact

Privacy: privacy@arusto.ai | legal@arusto.ai

Mail: Arusto Inc., Attn: Privacy Team, 5901 Mariposa Ct, Coral Gables, FL 33146