Privacy Notice

Arus is a product of Nalara. This Privacy Notice explains how we collect, use, and protect your information when you use the Arus service ("the Service").

Account Information

• Email address (for account registration and login)
• Display name (optional)
• Authentication data managed by our auth service (password hashes, OAuth tokens)

Link Data

• WhatsApp phone numbers you enter for link generation
• Pre-filled messages you compose
• Click counts per link (aggregated, not per-user)

Technical Data

• IP address (for rate limiting only, not stored permanently)
• Browser type and device (standard HTTP headers)

• WhatsApp conversation content — we never see, store, or transmit your chats
• Contact lists or phone book data
• Location data
• Third-party tracking cookies on redirect pages
• Personal data of the people who click your links (we only count clicks, not who clicked)

• Provide the Service: Generate links, perform redirects, display analytics
• Authentication: Verify your identity and manage sessions via our centralized auth service
• Rate limiting: Prevent abuse of the link creation and redirect endpoints
• Improvement: Aggregate, anonymized usage data to improve the Service

We do NOT sell, rent, or share your personal data with third parties for marketing purposes.

Link data is stored in Upstash Redis (serverless, encrypted at rest). Authentication data is managed by the Nalara Auth Service (separate, centralized infrastructure). Both systems use encryption in transit (TLS).

Your data is processed in cloud regions in Asia-Pacific (primarily Singapore and Indonesia).

• Links: Stored indefinitely while your account is active. Deleted upon account deletion.
• Rate limit data: Automatically expires within 1 hour.
• Account data: Retained until you request deletion. Soft-deleted first, then permanently removed after 30 days.

We use the following third-party services:

• Upstash: Redis database hosting (link data, click counters)
• Google: OAuth authentication provider (if you choose to sign in with Google)
• Vercel: Application hosting and Edge network

Each third-party service has its own privacy policy. We recommend reviewing them.

We use essential cookies only:

• access_token: HttpOnly session cookie for authentication (15 minutes)
• refresh_token: HttpOnly cookie for session renewal (7 days)
• oauth_state: Temporary CSRF protection cookie during Google sign-in (10 minutes)

We do NOT use analytics cookies, advertising cookies, or third-party tracking pixels. Redirect pages (/go/[id]) set no cookies at all.

You have the right to:

• Access your personal data stored in the Service
• Correct inaccurate data
• Delete your account and associated data
• Export your link data
• Withdraw consent for data processing

To exercise these rights, contact us through the Service or at the email address provided on our website.

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children.

We may update this Privacy Notice from time to time. We will notify you of material changes via email or in-app notice. Continued use after changes constitutes acceptance.

For privacy-related questions or to exercise your data rights, contact us via the Service or at the contact information provided on our website.

See also our Terms of Use and Refund Policy.