Loading…
Loading…
Arc and Delta Ltd (trading as Aricase) | England and Wales
Last updated: 16 June 2026
Privacy summary
This summary explains the key points of our Privacy Policy. The full policy below contains the detailed legal information.
Aricase uses your personal data to create and manage your account, provide the Aricase platform, process your case information, generate AI-assisted outputs, provide optional human review, process payments, keep the service secure, and respond to support requests.
Because Aricase helps with employment disputes, the information you choose to provide may include sensitive information such as health or disability details, pregnancy or maternity information, trade union membership, racial or ethnic origin, religious beliefs, sexual orientation, gender reassignment, or other protected-characteristic information.
We use trusted service providers for hosting, database storage, authentication, file storage, AI processing, payments, email delivery, analytics, error monitoring, and security. Some providers may process data outside the UK.
We do not sell your personal data. We do not use your case data to train AI models, and we do not permit our AI providers to use your personal data to train their models.
You have rights over your personal data, including the right to ask for access, correction, deletion, restriction, portability, objection, and withdrawal of consent where consent is the basis for processing.
You can contact us about privacy or data rights at support@aricase.ai.
This Privacy Policy explains how Arc and Delta Ltd (trading as Aricase) collects, uses, stores, and protects your personal data when you use the Aricase platform ("Platform"). We comply with the UK General Data Protection Regulation ("UK GDPR") as tailored by the Data Protection Act 2018 ("DPA 2018") and the Privacy and Electronic Communications Regulations 2003 ("PECR").
Arc and Delta Ltd (trading as Aricase)
Registered in England and Wales
Companies House number: 17240873
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Registered with the Information Commissioner's Office (ICO)
Email: support@aricase.ai
We do not have a designated Data Protection Officer. Data protection queries should be directed to support@aricase.ai.
We collect the following categories of personal data:
Because employment disputes may involve protected characteristics, the case data you provide may include special category personal data under UK GDPR Article 9, such as:
See section 5 for the legal basis on which we process this sensitive data.
We do not store your card number or payment method details. These are held securely by Stripe.
You may provide personal data about third parties (such as your employer, managers, or colleagues) when using the Platform. You are responsible for ensuring you have a legitimate reason to share that data. We process it solely to provide the Platform to you.
We are not responsible for informing third parties whose personal data you upload. This responsibility rests with you.
Where you provide special category personal data as part of building your case, our legal basis is:
The table below sets out the main purposes for which we process your personal data and the legal basis under UK GDPR Article 6 that we rely upon.
| Purpose | Legal Basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — performance of a contract |
| Providing the Platform and its features | Art. 6(1)(b) — performance of a contract |
| Processing payments and managing subscriptions | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (receipts, account alerts, subscription status) | Art. 6(1)(b) — performance of a contract |
| Processing your case data through AI to generate outputs | Art. 6(1)(b) — performance of a contract |
| Providing human case review (Guidance Expert tier) | Art. 6(1)(b) — performance of a contract |
| Maintaining fraud prevention, security, and abuse protection | Art. 6(1)(f) — legitimate interests (protection of our services and users) |
| Improving the Platform and fixing bugs (using anonymised or aggregated data) | Art. 6(1)(f) — legitimate interests (improving our service) |
| Responding to support queries | Art. 6(1)(f) — legitimate interests; Art. 6(1)(b) where query relates to the contract |
| Complying with legal obligations (e.g. tax, accounting records) | Art. 6(1)(c) — legal obligation |
| Defending or pursuing legal claims | Art. 6(1)(f) — legitimate interests |
The Platform transmits your case data to third-party AI service providers to generate responses, document drafts, case analyses, and other outputs. Our current AI sub-processors are listed in section 10. These providers may change from time to time; the sub-processors table reflects the current position.
We do not permit our AI providers to use your personal data to train their models. AI-generated outputs are informational and may contain errors — see our Terms & Conditions section 4.
AI-generated outputs (case analyses, assessments, document drafts) are informational guidance only — not binding decisions. Under UK GDPR Article 22:
Session authentication cookies (set by Supabase) are required for the Platform to function. No consent is required for these.
We use PostHog (PostHog, Inc., EU-hosted) to collect anonymised usage analytics — for example, which pages are visited and where users encounter difficulties. PostHog is configured with persistence disabled, meaning no tracking cookies or persistent identifiers are written to your device. Data is processed in the European Union.
We will only use PostHog analytics if you have given your consent via the cookie banner. You can withdraw your consent at any time by clicking "Cookie preferences" in the footer and selecting Decline. Withdrawing consent stops all further analytics capture immediately.
We use Vercel Analytics and Vercel Speed Insights (Vercel Inc., USA) to collect aggregate, anonymised data about page performance and visitor counts. These tools do not set cookies, do not use persistent device identifiers, and do not track individual users. We rely on our legitimate interests in monitoring platform stability (UK GDPR Article 6(1)(f)) for this processing.
No advertising cookies, retargeting pixels, or behavioural tracking are used. We do not use Google Analytics or Meta Pixel.
We share your personal data only with trusted third-party service providers ("sub-processors") who process data on our behalf and under our instruction. We do not sell your personal data.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database (PostgreSQL), authentication, and file storage | EU (London, eu-west-2) |
| Anthropic | AI processing — generating case guidance, analysis, and documents from your case information | USA |
| xAI | AI processing — generating case guidance, analysis, and documents from your case information | USA |
| AI processing — generating case guidance, analysis, and documents from your case information; also optical character recognition (OCR) for image-format evidence uploads | USA | |
| OpenAI | AI processing — generating case guidance, analysis, and documents from your case information | USA |
| OpenRouter | AI routing service — transmits AI requests to the providers above on our behalf; your case data may pass through OpenRouter to reach them | USA |
| Stripe | Payment processing and subscription management | USA / EU |
| Vercel | Platform hosting, edge delivery, and anonymised aggregate performance monitoring (Vercel Analytics and Speed Insights — cookieless, no personal data) | USA / EU |
| Resend | Transactional email delivery (account emails, receipts, alerts) | USA |
| PostHog | Anonymised product analytics (cookieless) | EU |
| Upstash | Rate limiting infrastructure (does not store personal data beyond temporary request metadata) | EU |
| Sentry | Error monitoring (may capture limited technical data about errors, not case content) | USA / EU |
We may also disclose your personal data to:
Several of our sub-processors are located in the USA (see section 10). Transfers are made under International Data Transfer Agreements (IDTAs) or the UK Extension to the EU-US Data Privacy Framework, as required by UK GDPR Articles 44-49. Where data is transferred outside the UK, we take steps to ensure it receives a level of protection essentially equivalent to that under UK data protection law.
We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account legal obligations and legitimate operational needs.
| Data Category | Retention Period | Trigger |
|---|---|---|
| Case data, chat history, uploaded documents, and AI-generated outputs | While your account is active, plus a limited period afterwards | Kept while your subscription is active. After your subscription ends or you close your account, we keep this data only as long as needed to let you reactivate and to handle any data request, then delete or anonymise it. You can ask us to delete it sooner at any time. |
| Account data (name, email) | While your account is active, plus a limited period afterwards | Kept while your account is open; deleted or anonymised after closure once no longer needed, subject to any legal retention obligations. |
| Payment and billing records | 7 years | From transaction date — required by HMRC and accounting obligations |
| Support communications | 2 years | From date of communication — for audit and dispute resolution purposes |
| AI usage logs (technical, no personal content) | 2 years | For service monitoring and capacity planning |
| Error and security logs | 90 days | Rolling retention for security monitoring |
Where you request deletion of your account, we will delete or anonymise your personal data where there is no legal obligation requiring us to retain it, and we aim to complete deletion requests within one month. Payment records subject to tax law retention obligations cannot be deleted early.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
No system is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by UK GDPR Article 34.
Under UK GDPR and DPA 2018, you have the following rights in relation to your personal data:
We will not charge a fee for exercising your rights in normal circumstances. We will respond to requests within one calendar month, or notify you of an extension (up to a further two months) where the request is complex.
Email support@aricase.aiwith the subject line "Data Rights Request". We may ask you to verify your identity. We will respond within one calendar month.
From 19 June 2026, section 164A DPA 2018 (inserted by the Data (Use and Access) Act 2025) requires an internal complaints step before escalating to the regulator.
Email support@aricase.ai with "Data complaint" in the subject line, or use our contact form. We will acknowledge within 30 days and respond with the outcome.
If unsatisfied, you may complain to the Information Commissioner's Office: ico.org.uk | 0303 123 1113
We do not send marketing emails. All communications are transactional. If we introduce marketing in future, we will seek your prior consent.
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us atsupport@aricase.ai and we will delete it promptly.
We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the current version.
Where changes are material, we will take reasonable steps to notify you before or when the changes take effect, for example by email, an in-app notice, or another appropriate method.
Non-material changes, such as clarifications, formatting changes, corrections, or updates required to reflect minor operational changes, may be made by updating this page.
Arc and Delta Ltd (trading as Aricase)
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: support@aricase.ai