Privacy Policy
Last updated: May 2026
1. Introduction
Arepa.AI LLC ("Arepa.AI," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at arepa.ai, our AI-powered business plan and website generation platform, and our WhatsApp-based management tools (collectively, the "Service"). By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly, including: your name, email address, and phone number when you create an account; your business idea descriptions, industry, target market, location, and other business-related information you share with our AI assistant; payment information processed securely through Stripe (we do not store your full credit card number); WhatsApp phone number and message content if you use our WhatsApp integration; and any feedback, support requests, or correspondence you send to us.
2.2 Information Collected Automatically
When you use the Service, we automatically collect: device information (browser type, operating system, device identifiers); IP address and approximate geographic location; pages visited, features used, and actions taken within the Service; date, time, and duration of your sessions; referral URLs and search terms that led you to our Service; and performance data such as page load times and errors.
2.3 AI-Generated Data
When you use our AI features, we generate and store: business plans, financial projections, and market research tailored to your inputs; brand identities including logos, color schemes, and brand guidelines; website configurations and content; and marketing strategies and action plans. This generated content is associated with your account and project.
2.4 Cookies and Tracking Technologies
We use Vercel Analytics for basic website analytics. We use essential cookies required for authentication and session management. We do not use third-party advertising cookies or trackers. You can control cookie preferences through your browser settings.
3. How We Use Your Information
We use your information to: provide, operate, and maintain the Service, including generating AI-powered business plans, websites, and marketing strategies; process your transactions and manage your subscription; communicate with you about your account, updates, and support requests; respond to your messages via WhatsApp when you use our WhatsApp integration; improve and optimize the Service using anonymized and aggregated usage data; detect, prevent, and address fraud, abuse, and technical issues; comply with legal obligations and enforce our Terms of Service; and send you service-related announcements (you cannot opt out of these while using the Service).
4. How We Share Your Information
We do not sell your personal information. We share your data only with the following categories of service providers who are necessary to operate the Service, and only to the extent needed for their specific function:
4.1 Service Providers (Sub-Processors)
Supabase Inc. (San Francisco, CA, USA) — database hosting, user authentication, and data storage. Your account data, project data, and chat history are stored in Supabase-managed PostgreSQL databases.
Stripe Inc. (San Francisco, CA, USA) — payment processing. Stripe processes your payment information directly; we receive only a payment confirmation and the last four digits of your card.
Vercel Inc. (San Francisco, CA, USA) — web application hosting and analytics. Vercel serves our web application and collects basic analytics data.
Google LLC (Mountain View, CA, USA) — AI processing via Gemini models. Your business descriptions and project data are sent to Google's AI APIs to generate business plans, research, and content. Data is processed under Google's Cloud Data Processing terms.
OpenAI Inc. (San Francisco, CA, USA) — AI processing via GPT models (fallback). When primary AI models are unavailable, your data may be processed by OpenAI's APIs. Data is processed under OpenAI's Business terms with no training on your data.
Anthropic PBC (San Francisco, CA, USA) — AI processing via Claude models (fallback). When primary AI models are unavailable, your data may be processed by Anthropic's APIs. Data is processed under Anthropic's Commercial terms with no training on your data.
Meta Platforms Inc. (Menlo Park, CA, USA) — WhatsApp Business API. If you use our WhatsApp integration, your phone number and message content are processed through Meta's WhatsApp Business platform.
Upstash Inc. (San Francisco, CA, USA) — Redis caching for WhatsApp message deduplication and rate limiting. Only message identifiers are stored temporarily.
4.2 Legal and Safety Disclosures
We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
5. AI Data Processing
Your business descriptions and related information are processed by third-party AI models (Google Gemini, OpenAI GPT, Anthropic Claude) to generate your deliverables. We send only the minimum data necessary for each AI task. AI providers process your data under their respective commercial/business terms, which prohibit using your data to train their models. We do not use your individual business data to train or fine-tune AI models. We may use anonymized, aggregated usage patterns to improve our service quality, prompt engineering, and template selection algorithms.
6. Data Security
We implement industry-standard security measures to protect your information, including: encryption in transit (TLS/SSL) for all data transmitted between your device and our servers; encryption at rest for stored data in our databases; row-level security (RLS) in our database ensuring strict tenant isolation — your data is never accessible to other users; secure authentication via Supabase Auth with JWT token management; and regular security reviews of our infrastructure and code. While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you the Service. Specifically: account data is retained for the duration of your active account; project data (business plans, websites, generated content) is retained for the duration of your active account; chat and conversation history is retained for 24 months from the last message; payment records are retained for 7 years as required by tax and accounting regulations; WhatsApp session data is retained for 12 months from last interaction; anonymized analytics data may be retained indefinitely. Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
8. International Data Transfers
Arepa.AI is based in the United States. If you access the Service from outside the United States, including from Latin America or the European Economic Area, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer. For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers. For users in Brazil, we comply with the LGPD (Lei Geral de Proteção de Dados) requirements for international data transfers.
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
9.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to: know what personal information we collect, use, and disclose about you; request deletion of your personal information; opt out of the sale of personal information (we do not sell your data); and not be discriminated against for exercising your privacy rights. To exercise these rights, contact us at legal@arepa.ai.
9.2 Brazil Residents (LGPD)
If you are a resident of Brazil, under the Lei Geral de Proteção de Dados you have the right to: confirm the existence of processing of your data; access your data; correct incomplete, inaccurate, or outdated data; anonymize, block, or delete unnecessary or excessive data; request data portability to another service provider; delete personal data processed with your consent; obtain information about public and private entities with which we shared your data; and revoke consent at any time. To exercise these rights, contact us at legal@arepa.ai.
9.3 European Economic Area Residents (GDPR)
If you are a resident of the EEA, you have the right to: access your personal data and receive a copy; rectify inaccurate personal data; erase your personal data (right to be forgotten); restrict processing of your personal data; data portability; object to processing based on legitimate interests; lodge a complaint with your local data protection authority; and withdraw consent at any time where processing is based on consent. Our legal bases for processing are: consent (for WhatsApp communications and optional analytics), contract performance (for providing the Service), and legitimate interests (for service improvement and fraud prevention). To exercise these rights, contact us at legal@arepa.ai.
9.4 All Users
Regardless of your location, all Arepa.AI users can: access and download their project data from the dashboard; update their account information at any time; delete their account through account settings or by contacting us; opt out of WhatsApp communications by sending "STOP" to our business number; and request a copy of their data by emailing legal@arepa.ai. We will respond to all rights requests within 30 days.
10. Children's Privacy
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at legal@arepa.ai.
11. Third-Party Links
The Service may contain links to third-party websites or services that are not owned or controlled by Arepa.AI. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we may also notify you by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at: Arepa.AI LLC, Email: legal@arepa.ai. For privacy-specific inquiries, you may also email privacy@arepa.ai.