Privacy Policy

Last updated: May 9, 2026

Aranzolm Technologies LLC ("Aranzolm," "we," "us") provides software-as-a-service applications and technical consulting services, primarily to non-profit organizations. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to our website, our hosted SaaS applications, and the consulting services we deliver.

1. Who this policy covers

This policy applies to:

Visitors to our marketing websites.
SaaS customers who sign up for, subscribe to, or use one of our hosted applications (for example, our Salesforce-to-website embed plugin).
Consulting clients who engage Aranzolm for software engineering, integration, or technical consulting work.
End users of our customers' sites when our embedded content is rendered on a third-party page. Our customers are the data controllers for those interactions; we act as their service provider/processor.

2. Information we collect

From visitors and prospects

Information you submit through contact forms, demo requests, or email (name, email address, organization, message).
Basic technical data about your visit: IP address, browser, device type, referring page, pages viewed, and timestamps. We use this for security, debugging, and aggregate analytics — not to build advertising profiles.

From SaaS customers

Account data: name, email, password (stored as a salted hash, never in plaintext), organization, and account status.
Billing data: we use Paddle as our merchant of record. Paddle collects payment-card and tax information directly. We receive and store only billing metadata such as plan, transaction ID, country, and renewal status. We do not see or store full card numbers.
Integration credentials and tokens: if you connect a third-party system (for example, Salesforce or Airtable) to one of our applications, we store the access tokens, API keys, and connection settings required to fetch data on your behalf. Sensitive credentials are encrypted at rest using AES-GCM with keys held only by our application servers.
Configuration data: the queries, layouts, allowed origins, and other settings you create inside the application.
Customer data fetched via integrations: records pulled from your Salesforce org or other connected platforms for the purpose of rendering the views you have configured. This data passes through our servers and is cached transiently to make rendering fast. We do not mine, sell, or train models on customer data.
Usage data: request logs (timestamps, paths, response codes), error reports, and aggregate metrics, used to operate and improve the service.
Support communications: the content of emails, calls, screenshots, and screen-share recordings you send us when requesting support.

From consulting clients

Contact and contracting information for the people we work with.
Project materials you share with us — code, documents, credentials, screenshots — for the purpose of performing the engagement. We treat these as confidential under our consulting agreement.
If you grant us access to your systems (Salesforce orgs, hosting accounts, repositories, etc.), we may incidentally see data stored in those systems while performing the work. We do not export or retain that data beyond what is needed to deliver the engagement.

From end users of customer sites

When our embed code runs on a customer's site, the visitor's browser makes requests to our servers. Those requests carry standard HTTP metadata (IP address, user-agent, referrer, the embed identifier). We use this data only to serve the embed, enforce allowed-origin restrictions, and protect the service from abuse. End users should consult the privacy policy of the site they are visiting; that site's operator is the controller for those interactions.

3. How we use information

Provide, operate, and secure our services and websites.
Authenticate accounts and protect against fraud and abuse.
Process subscriptions, renewals, and refunds (via Paddle).
Send transactional messages — welcome emails, password resets, billing notices, security alerts, and service announcements.
Provide customer support and respond to your questions.
Diagnose and fix bugs, monitor performance, and improve our products.
Comply with our legal obligations and enforce our terms.

We do not sell personal information, do not use it to train machine-learning models, and do not serve behavioral advertising.

4. Service providers (subprocessors)

We use a small number of vendors to operate our services. We share only the information each one needs to do its job, and each is bound by a contract requiring appropriate confidentiality and security.

Vendor	Purpose	Data shared
DigitalOcean	Application and database hosting	All operational data (encrypted at rest where applicable)
Paddle	Payments, taxes, invoicing (merchant of record)	Name, email, billing address, payment details
Resend	Transactional email delivery	Recipient email and message contents
Sentry	Error and crash reporting	Error stack traces, request metadata, IP address (truncated)
Google Workspace	Business email and document storage	Email correspondence and shared documents

If you connect a third-party platform to our service (e.g. Salesforce, Airtable), that platform is also acting as a subprocessor for that connection on your instructions. The platform's own privacy policy governs how it handles your data on its side.

We will update this list when we add or change material subprocessors. Customers under a written data-processing agreement will receive advance notice as specified in that agreement.

5. Cookies and similar technologies

Our marketing site does not use third-party advertising or analytics cookies. Our SaaS applications use a small number of strictly-necessary cookies and tokens to keep you signed in and to protect against cross-site request forgery. We do not use cookies for cross-site tracking.

6. How long we keep information

Account and billing records: for as long as your account is active, plus up to seven years afterward to satisfy tax, accounting, and legal-defense obligations.
Customer data fetched through integrations: kept only as long as needed to serve your configured views; transient caches are short-lived and automatically expire.
Support correspondence: typically retained for up to three years.
Server and security logs: typically 30–90 days.
Consulting project materials: retained per the engagement contract, then deleted or returned to the client.

You may request deletion of your data at any time (see Section 9). We will delete or anonymize information sooner than the periods above when it is no longer needed for the purpose for which it was collected.

7. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information, including:

TLS encryption for all data in transit.
AES-GCM encryption at rest for sensitive credentials such as integration access tokens and API keys.
Salted password hashing using a modern algorithm (Argon2).
Principle-of-least-privilege access for staff, with named accounts and audit logging.
Patching, monitoring, and isolated production environments.

No system is perfectly secure. If we discover a security incident affecting your information, we will notify you and any required regulators in accordance with applicable law.

8. International transfers

Aranzolm is based in the United States. If you access our services from another country, your information will be transferred to and processed in the United States. Where required (for example, for personal data of EU/UK residents), we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our subprocessors and customers.

9. Your rights and choices

Depending on where you live, you may have the right to access, correct, export, delete, or restrict processing of your personal information, and to object to certain processing. These rights apply to information we hold as a controller. For information we hold as a processor on behalf of a customer (for example, records pulled into your account from your Salesforce org), please direct your request to the customer; we will support them in responding.

To exercise a right, email info@aranzolm.com. We will verify your identity and respond within the timeframes required by applicable law.

California residents: we do not sell or "share" personal information as those terms are defined under the CCPA/CPRA. You may request access, correction, or deletion as described above.

EU/UK/EEA residents: you may lodge a complaint with your local data-protection authority. Our legal bases for processing are: performance of a contract (to provide the service you signed up for), legitimate interests (to secure and improve our services), consent (where you have given it), and compliance with legal obligations.

10. Children's privacy

Our services are not directed to children under 13 (or under 16 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, for active customers, send a notice by email or in-app. Continued use of our services after the effective date constitutes acceptance of the updated policy.

12. Contact us

For privacy questions, requests, or complaints, email us at info@aranzolm.com or write to: