Privacy Policy

Arrvo ("we", "us", "our") is a software-as-a-service product operated from the United Kingdom. We provide automated WhatsApp appointment reminders and no-show protection tools to service businesses.

If you have any questions about this policy, please contact us at hello@arrvo.app.

We collect and process the following categories of personal data:

• Account data — your name, email address, and hashed password when you create an Arrvo account.
• Business data — your business name, type, phone number, timezone, and address.
• Client data — names, phone numbers, email addresses, and appointment history that you upload or enter for your own clients.
• Message data — WhatsApp messages sent and received through the Arrvo platform on your behalf.
• Usage data — pages visited, actions taken within the app, and error logs, used to improve the product.
• Payment data — if you use our deposit-capture feature, payment details are handled directly by Stripe and never stored on our servers.

We use the data we collect to:

• Provide, operate, and improve the Arrvo service.
• Send automated WhatsApp reminders and notifications to your clients on your instruction.
• Send you transactional emails (account verification, password reset, important service updates).
• Detect and prevent fraud, abuse, and security incidents.
• Comply with our legal obligations under UK law.

We do not sell your data or your clients' data to third parties, and we do not use it for advertising.

We process personal data under the following lawful bases:

• Contract — processing necessary to provide the services you have signed up for.
• Legitimate interests — product improvement, security monitoring, and fraud prevention.
• Legal obligation — where we are required to process data to comply with applicable law.
• Consent — where we explicitly request it (e.g. marketing communications).

As a business using Arrvo to process your clients' data, you act as the data controller for that data, and Arrvo acts as the data processor. You are responsible for ensuring you have a lawful basis to send your clients WhatsApp messages and to store their personal data within Arrvo.

Arrvo sends WhatsApp messages to your clients on your behalf via the Meta WhatsApp Business API. You are responsible for ensuring that:

• Your clients have opted in to receive WhatsApp communications from your business.
• You honour opt-out requests promptly within the Arrvo dashboard.
• Your use of client data complies with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

Arrvo records opt-in and opt-out timestamps to assist you in demonstrating compliance.

• Account data is retained for as long as your account is active, plus 90 days after deletion to allow for recovery or legal disputes.
• Client and appointment data is retained for as long as your account is active. You can delete individual clients at any time.
• Message logs are retained for 12 months.
• Security and audit logs are retained for up to 24 months.

We use the following sub-processors to operate Arrvo:

• Fly.io — cloud hosting and database storage (data stored in the EU/UK).
• Meta (WhatsApp Business API) — delivery of WhatsApp messages.
• Stripe — payment processing for deposit capture (PCI-DSS compliant).
• Resend — transactional email delivery.

Each sub-processor is bound by appropriate data processing agreements. No data is transferred outside the UK/EEA without appropriate safeguards in place.

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — request deletion of your data (subject to legal retention obligations).
• Restriction — ask us to limit how we process your data.
• Portability — receive your data in a machine-readable format.
• Object — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at hello@arrvo.app. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Arrvo does not use tracking or advertising cookies. We use only essential session storage (in your browser's localStorage) to keep you logged in. No third-party analytics or advertising scripts are loaded.

We take security seriously. Passwords are hashed using bcrypt. Access tokens are short-lived JWTs. Refresh tokens are stored as hashed values. All data in transit is encrypted via TLS. Our infrastructure is hosted on Fly.io with persistent encrypted volumes.

If you discover a security vulnerability, please disclose it responsibly to hello@arrvo.app.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date above. Continued use of Arrvo after changes take effect constitutes your acceptance of the revised policy.

Arrvo
United Kingdom
hello@arrvo.app
@GetArrvoApp