Privacy Policy

1. Introduction and Scope

Arrivd ("we," "us," or "our") operates the Arrivd mobile application ("App"). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use the App, and describes the rights available to you.

This Privacy Policy applies to all users of the App, including:

• Residents of California (subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act — collectively, "CCPA/CPRA");
• Residents of the European Economic Area and United Kingdom (subject to the General Data Protection Regulation and UK GDPR — collectively, "GDPR"); and
• All other users worldwide.

This Privacy Policy is incorporated into and forms part of our Terms of Service. In the event of any conflict between the Terms of Service and this Privacy Policy with respect to the handling of personal information, this Privacy Policy controls. By using the App, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy applies specifically to the App. It does not apply to third-party websites, services, or applications that may be linked from the App, including Google's services, which are governed by Google's own privacy policies.

2. Information We Collect

2.1 Information You Provide Directly

• Account registration: name, email address, and password (stored in hashed form);
• Payment information: processed securely by our third-party payment processor. We do not store full payment card numbers or CVV codes on our servers;
• Support and communications: messages or inquiries you send to us via email or in-app support channels.

2.2 Gmail Data Accessed via Google OAuth

When you connect your Gmail account, we access your email using the gmail.readonly OAuth scope, which provides read-only access to your messages, threads, labels, and settings. We access this data solely for the purpose of identifying and parsing order-related emails.

Raw email content is never stored on our servers. Only parsed order metadata is retained. We do not cache, copy, or archive your Gmail messages.

2.3 Information Collected Automatically

• Device information: device type, operating system version, and unique device identifiers;
• App usage data: features accessed, session duration, in-app interactions, and crash/error reports;
• Log data: IP address, access timestamps, and App version number.

3. How We Use Your Information

The specific purposes for which we use your personal information are described throughout this Privacy Policy in the context of each category of data we collect and each feature of the App.

4. Google API Services — Limited Use Disclosure

Arrivd's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The following restrictions apply without exception:

• We use Gmail data only to provide and improve the order-tracking features that are prominently visible in the App's user interface.
• We do not transfer Gmail data to third parties for any purpose other than as strictly necessary to provide the App, comply with applicable law, or as part of a business transfer with your prior consent.
• We do not use Gmail data to serve advertisements of any kind, including retargeted, personalized, or interest-based advertising.
• We do not use Gmail data to train AI or machine learning models beyond improving email parsing accuracy within the App's core function.
• No Arrivd employee or contractor will read your Gmail messages except: (a) with your affirmative consent for a specific message for troubleshooting purposes; (b) as necessary for a security investigation; (c) as required to comply with applicable law; or (d) where data is fully aggregated and anonymized for internal operational purposes.

The App has been designed to use the narrowest Gmail OAuth scope necessary (gmail.readonly) and undergoes annual Tier 2 CASA (Cloud Application Security Assessment) certification as required by Google for apps accessing restricted Gmail API scopes.

5. Lawful Basis for Processing — EEA and UK Users

For users in the European Economic Area and United Kingdom, we rely on the following lawful bases under Article 6 of the GDPR. Details of our lawful basis for each processing activity are available upon request at privacy@arrivd.ai.

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting privacy@arrivd.ai.

6. Data Sharing and Disclosure

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We may disclose your personal information only in the following circumstances:

6.1 Service Providers

We engage third-party service providers to assist in operating the App, including cloud hosting, payment processing, and analytics. These providers are:

• Bound by written data processing agreements;
• Prohibited from using your data for their own purposes;
• Required to implement data protection standards equivalent to those we apply; and
• Disclosed in our Privacy Policy as required by CCPA/CPRA and GDPR.

Categories of service providers we use include: cloud infrastructure providers, payment processors, crash reporting and analytics providers, and customer support platforms.

6.2 Legal Requirements

We may disclose personal information when required by law, regulation, court order, subpoena, or government request, or where we believe disclosure is necessary to protect the rights, property, or safety of Arrivd, our users, or the public.

6.3 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your personal information may be transferred to the successor entity. We will notify you via email and/or a prominent in-App notice prior to such a transfer and will require the successor to honor this Privacy Policy or provide you with a new policy.

6.4 With Your Consent

We will share your personal information with third parties for any purpose not described above only with your explicit prior consent.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.

We use automated processes to delete or anonymize data when retention periods expire. You may request earlier deletion of your data as described in Section 9.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption of data in transit using TLS 1.2 or higher;
• Encryption of data at rest;
• Access controls limiting employee access to personal information on a need-to-know basis;
• Annual Tier 2 CASA (Cloud Application Security Assessment) certification as required by Google for apps using restricted Gmail API scopes; and
• Regular internal security reviews and vulnerability assessments.

No method of electronic transmission or storage is 100% secure. While we strive to protect your information using industry-standard practices, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you as required by applicable law, including within 72 hours where required under GDPR.

9. Your Privacy Rights

9.1 All Users

All users of the App have the right to:

• Access and update their account information through the App settings at any time;
• Disconnect their Gmail account at any time, after which we will stop accessing Gmail data. Previously parsed order data may be retained per Section 7; and
• Request deletion of their account and associated personal information by contacting privacy@arrivd.ai.

9.2 California Residents — CCPA/CPRA Rights

California residents have the following rights under the CCPA/CPRA:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties to whom it has been disclosed in the preceding 12 months.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions permitted by law.
• Right to Correct: Request correction of inaccurate personal information we hold about you.
• Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required.
• Right to Limit Sensitive Personal Information: We do not use or disclose sensitive personal information beyond the purposes permitted by the CCPA/CPRA without your consent.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.

To submit a CCPA/CPRA request, contact us at privacy@arrivd.ai with sufficient information to verify your identity. We will respond within 45 days. We may extend this period by an additional 45 days where necessary, with prior notice. We do not charge a fee for reasonable requests.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We will require written proof of authorization and may verify your identity directly.

9.3 EEA and UK Residents — GDPR Rights

If you are located in the EEA or UK, you have the following rights under the GDPR:

• Right of Access: Request a copy of the personal information we hold about you (Article 15 GDPR).
• Right to Rectification: Request correction of inaccurate or incomplete personal information (Article 16 GDPR).
• Right to Erasure: Request deletion of your personal information where it is no longer necessary, or where you withdraw consent, subject to our legal retention obligations (Article 17 GDPR).
• Right to Restriction of Processing: Request that we restrict our processing of your personal information in certain circumstances (Article 18 GDPR).
• Right to Data Portability: Receive your personal information in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible (Article 20 GDPR).
• Right to Object: Object to processing based on legitimate interests, including profiling (Article 21 GDPR).
• Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant DPA in your EU member state) if you believe we have violated your rights.

To exercise these rights, contact us at privacy@arrivd.ai. We will respond within 30 days. If we are unable to meet this deadline, we will notify you and provide a revised timeline.

10. International Data Transfers

Arrivd is based in California, United States. If you are located in the EEA or UK, your personal information will be transferred to and processed in the United States. The United States has not received an adequacy decision from the European Commission or the UK ICO for general commercial data transfers.

We rely on the following mechanisms to ensure your personal information receives adequate protection during international transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission (June 2021) for transfers from the EEA to the United States; and
• The UK International Data Transfer Agreement (IDTA) or EU SCCs with the UK Addendum, as approved by the UK Information Commissioner's Office, for transfers from the United Kingdom.

We conduct Transfer Impact Assessments (TIAs) as required and implement supplementary measures where necessary to ensure that the level of protection afforded by the SCCs is not undermined by the laws of the destination country. You may request a copy of the applicable transfer mechanism by contacting privacy@arrivd.ai.

Note: As of December 19, 2025, the European Commission renewed its adequacy decision for the United Kingdom under the EU GDPR, valid through December 27, 2031. EU-to-UK transfers are therefore not restricted transfers requiring SCCs.

11. Children's Privacy

The App is not directed to individuals under 18 years of age. We do not knowingly collect, use, or disclose personal information from anyone under 18. This is consistent with our Terms of Service eligibility requirements.

We do not knowingly collect personal information from children under 13 as defined under the Children's Online Privacy Protection Act ("COPPA"). If we become aware that we have inadvertently collected personal information from a user under 13, we will take prompt steps to delete that information from our records. If you believe that we may have collected information from a user under 13, please contact us immediately at privacy@arrivd.ai.

12. Do Not Track

The App does not respond to "Do Not Track" signals from browsers, as no uniform standard for honoring such signals currently exists. We do not track users across third-party websites for advertising purposes.

13. California-Specific Disclosures

13.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers: name, email address, IP address, device identifiers;
• Commercial information: order records, purchase history derived from parsed emails;
• Internet or other electronic network activity: App usage data, log data; and
• Inferences: no inferences are drawn from personal information to create profiles about users for advertising purposes.

13.2 No Sale or Sharing

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. Accordingly, we do not offer a "Do Not Sell or Share My Personal Information" opt-out because no such activity occurs.

13.3 Sensitive Personal Information

We do not collect or process sensitive personal information as defined by the CCPA/CPRA (such as social security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, or biometric data) beyond what is strictly necessary to provide the App. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA/CPRA without your consent.

13.4 Categories of Third Parties with Whom Personal Information Is Disclosed

In the preceding 12 months, we have disclosed personal information for business purposes to the following categories of third parties: cloud infrastructure service providers, payment processors, crash reporting and analytics vendors, and customer support platforms. All such disclosures are governed by written data processing agreements.

13.5 Privacy Policy Accessibility

As required by the CCPA/CPRA, this Privacy Policy is accessible from within the App's settings menu, from our App Store and Google Play listings, and at our website. This policy is updated at least annually and whenever material changes occur.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or App features. We will notify you of material changes by:

• Posting the updated Privacy Policy within the App and making it accessible from the App's settings menu;
• Updating the "Effective Date" at the top of this policy; and
• Sending a notification to your registered email address at least 30 days before material changes take effect.

Your continued use of the App after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must stop using the App and may request deletion of your account.

15. Contact Us

For privacy-related questions, requests, complaints, or to exercise your privacy rights, please contact our Privacy Team:

Arrivd — Privacy Team

Email: privacy@arrivd.ai

General inquiries: legal@arrivd.ai

Effective Date: March 1, 2026