LEGAL DOCUMENT

Privacy Policy

Last updated: June 7, 2026 · Effective: June 7, 2026

1. Who We Are

ABR Venture ("ABR," "we," "us," "our") operates ARIS, a Master Prompt Generator accessible at www.alwaysberushing.com/aris ("the Service"). ARIS is owned and operated by Isaac Rushing.

Contact: support@alwaysberushing.com

2. Information We Collect

2a. Account Information

  • Email address and password — when you create an account via email/password registration (managed by Supabase Auth)
  • Google account information — if you sign in with Google OAuth, we receive your name, email address, and profile picture from Google
  • User profile — a profile record is created automatically in our database upon first sign-in

2b. Content You Generate

  • Conversation history — for authenticated users, your chat messages and AI responses may be stored in our database (Supabase / PostgreSQL) to enable session persistence and multi-device sync
  • Identity Core data — responses you provide to ARIS's onboarding intake (HVE) are used within your session to personalize AI output. For authenticated users, this may be persisted to your profile

2c. API Keys (User-Provided)

If you use your own API keys (Anthropic, OpenAI, xAI/Grok), those keys are stored exclusively in your browser's localStorage. They are never transmitted to or stored on ABR Venture servers. You are solely responsible for the security of keys stored in your browser.

2d. Automatically Collected Information

  • Usage analytics — pages visited, session duration, feature interactions, and error events (collected via PostHog)
  • IP address — collected temporarily by our rate-limiting infrastructure (Upstash Redis) to enforce per-IP request limits; not stored beyond the rate-limit window (hourly rolling)
  • Browser and device data — browser type, device type, operating system, screen resolution (collected via PostHog analytics)

2e. What We Do Not Collect

We do not collect payment information, government IDs, biometric data, or sensitive personal data categories under GDPR/CCPA. We do not store your third-party API keys on our servers.

3. How AI Requests Are Processed

ARIS routes your chat messages to AI providers based on the selected model. Understanding where your prompts go is important:

Provider | Key Source | Your prompts are sent to
Google Gemini (default) | ABR Venture server-side key | Google's Gemini API (subject to Google AI Terms)
Anthropic Claude | Your own API key (localStorage) | Anthropic's API under your account's terms (Anthropic Privacy)
OpenAI / ChatGPT | Your own API key (localStorage) | OpenAI's API under your account's terms (OpenAI Privacy)
xAI / Grok | Your own API key (localStorage) | xAI's API under your account's terms (xAI Privacy)

All AI requests are proxied through our server at /api/chat. When you use the default Gemini provider, your prompt content passes through our server before being forwarded to Google. When you use your own key, your prompt is still routed through our server but your API key is sent directly from your browser in the request header and is not logged or stored.

4. How We Use Your Information

  • Provide and operate the ARIS Service
  • Authenticate your identity and secure your account (Supabase Auth)
  • Persist your conversation history across devices (logged-in users)
  • Enforce rate limits to protect the Service from abuse
  • Analyze usage patterns to improve the product (PostHog analytics)
  • Respond to support requests and inquiries
  • Comply with legal obligations
  • Prevent fraud, abuse, and security incidents

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contract performance — account creation, authentication, and delivering the Service you signed up for
  • Legitimate interests — analytics, rate limiting, security monitoring, and fraud prevention
  • Legal obligation — compliance with applicable law
  • Consent — where we have obtained your explicit consent (e.g., optional analytics); you may withdraw consent at any time

6. Third-Party Services

The following third-party services process data as part of delivering ARIS:

Service | Purpose | Data Processed
Supabase | Authentication, database (PostgreSQL), Row-Level Security | Email, hashed passwords, conversation history, user profiles
Vercel | Hosting, edge deployment, TLS termination | IP addresses, HTTP request logs (Vercel standard logs)
PostHog | Product analytics | Usage events, session data, browser/device info, anonymized user IDs
Upstash | Redis-based rate limiting | IP addresses and user UUIDs (stored temporarily, rolling hourly window)
Google Gemini API | Default AI inference provider | Prompt content (chat messages) when using the default Gemini provider

Each third-party service operates under its own privacy policy linked above. When you use your own API keys (Claude, ChatGPT, Grok), your prompts are additionally governed by those providers' policies.

7. Cookies and Tracking

Service | Purpose | Type
Supabase Auth | Session token storage (authentication) | Strictly necessary
PostHog | Product analytics and session replay | Analytics (third-party)
Vercel | Edge performance and security | Strictly necessary
localStorage (browser) | User settings, API keys, guest session data — stored only on your device | Functional (first-party)

You can opt out of PostHog analytics by enabling "Do Not Track" in your browser settings. Disabling strictly necessary cookies will prevent authentication from functioning.

8. Data Retention

  • Account and conversation data — retained for the life of your account. Deleting your account removes all associated data within 30 days.
  • Rate limit data (Upstash) — IP addresses and user UUIDs are retained in Redis for a rolling 1-hour window, then automatically expired.
  • Analytics data (PostHog) — retained per PostHog's default retention settings (up to 7 years for event data; we apply a 12-month rolling retention for identifiable session data).
  • Server logs (Vercel) — retained per Vercel's standard log retention (typically 7 days for runtime logs).
  • Support correspondence — retained for up to 3 years for record-keeping.

9. Data Security

  • Encryption in transit — all communication uses HTTPS/TLS enforced via Vercel edge and HSTS headers
  • Encryption at rest — Supabase encrypts data at rest using AES-256
  • Row-Level Security (RLS) — database policies enforce that users can only access their own records; no cross-user data access is possible via the application layer
  • Rate limiting — 20 requests/hour (anonymous) and 60 requests/hour (authenticated) enforced at the middleware layer
  • Input validation — all API inputs are validated and sanitized server-side; body size is capped at 100KB
  • Security headers — X-Frame-Options DENY, X-Content-Type-Options nosniff, XSS-Protection, Content Security Policy, and HSTS applied to all responses
  • API key isolation — your third-party API keys never leave your device; they are not logged or stored on our servers

No system is 100% secure. We take reasonable and industry-standard precautions, but cannot guarantee absolute security. Report security concerns to support@alwaysberushing.com.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and all associated data ("right to be forgotten")
  • Portability — receive your conversation and profile data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restrict processing — request that we limit how we use your data while a dispute is resolved
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any right, email support@alwaysberushing.com. We will respond within 30 days.

11. California Privacy Rights (CCPA)

California residents have the right to: know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

To submit a CCPA request, contact support@alwaysberushing.com.

12. Children's Privacy

ARIS is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us immediately and we will delete it.

13. International Data Transfers

Your data may be processed in the United States and other countries where our service providers (Supabase, Vercel, PostHog, Upstash, Google) operate. By using ARIS, you consent to this transfer. For EEA users, we rely on Standard Contractual Clauses (SCCs) where required by applicable law, via our service providers' DPA agreements.

14. Changes to This Policy

We may update this Privacy Policy periodically. The "Last updated" date reflects the most recent revision. Continued use of ARIS after changes constitutes acceptance of the updated policy. For material changes, we will display a notice in the application.

15. Contact

Isaac Rushing — ABR Venture
support@alwaysberushing.com