Privacy Policy
Last updated: April 21, 2026
This Privacy Policy explains how ByteWave SAS, a company duly registered in Colombia ("ByteWave", "we"), collects, uses, shares and protects personal data when you use Arisform, available at arisform.com (the "Service").
It is designed to comply with Colombian Law 1581 of 2012 (Habeas Data) and Decree 1377 of 2013, and, where applicable, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
1. Data Controller
The data controller (responsable del tratamiento) for personal data processed through the Service is:
- ByteWave SAS
- Colombia
- Contact: admin@bytewaveind.com
For GDPR purposes, the same entity acts as data controller for account and billing data and as data processor for cloud-billing metadata you connect through the Service.
2. Data We Collect
2.1 Account data
Through our authentication provider Clerk, we collect your name, email address, profile image (if provided) and authentication metadata. We never see your password.
2.2 Cloud usage and billing metadata
Once you connect a cloud account, we use read-only IAM credentials to retrieve, among others: service-level cost and usage records, resource identifiers, regions, account IDs, tags, and utilization metrics. We do not access application data, database contents, logs, code or secrets stored in your cloud.
2.3 Payment data
If you subscribe to a paid plan, our payment processor collects the payment-method data required to process the transaction. We never store your full payment card number on our servers.
2.4 Technical and diagnostic data
We collect IP address, browser type, device, pages visited, and error traces through Sentry to operate and secure the Service. Sensitive request headers such as Authorization and Cookie are scrubbed at source before they reach Sentry.
2.5 Communications
When you email us, submit a form, or request support, we retain the content of the communication and your contact details to respond and for legal record-keeping.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) | Legal basis (Colombia) |
|---|---|---|
| Provide and operate the Service | Performance of a contract | Authorization granted by the data subject on account creation |
| Generate cost recommendations | Performance of a contract | Authorization |
| Billing and fraud prevention | Legal obligation / Legitimate interest | Legal obligation |
| Security, error monitoring, abuse prevention | Legitimate interest | Authorization / Legal obligation |
| Service improvements and analytics (aggregated) | Legitimate interest | Authorization |
| Transactional communications | Performance of a contract | Authorization |
| Marketing (opt-in only) | Consent | Prior, express and informed authorization |
4. Subprocessors and Sharing
We share personal data with the following subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Clerk, Inc. | Authentication / user management | USA |
| Supabase, Inc. | Database and file storage | USA / EU |
| Amazon Web Services | Source of cloud billing data | Customer-selected |
| Anthropic, PBC | AI-generated recommendations | USA |
| Railway / Vercel | Hosting of backend and frontend | USA / EU |
| Upstash | Redis cache for performance | USA / EU |
| Sentry | Error monitoring | USA / EU |
| Payment processor (Stripe or equivalent) | Subscription payments | USA / EU |
We do not sell personal data. We do not share personal data for cross-context behavioral advertising as defined by the CCPA.
4.1 Default data residency
Unless otherwise agreed in writing, account data, cost snapshots, recommendations and diagnostic logs are stored in United States regions (AWS us-east-1). Backend compute runs in the same region. AI inference for recommendation generation is performed by Anthropic in the United States.
4.2 EU data residency (Enterprise)
Enterprise customers subject to GDPR, national data-protection laws or internal policies that require EU data residency can request a dedicated EU tenant, in which case account data, cost snapshots and recommendations are stored in AWS eu-central-1 (Frankfurt). AI inference continues to be performed in the United States under Standard Contractual Clauses, unless otherwise agreed in writing. Contact admin@bytewaveind.com to arrange an EU deployment.
5. International Transfers
Because the Service is hosted with providers located outside Colombia and, potentially, outside the European Economic Area, your personal data may be transferred internationally. Where a transfer is made to a jurisdiction that does not provide an adequate level of protection, we rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum where applicable, or the equivalent mechanism recognized by the Colombian authority SIC (Superintendencia de Industria y Comercio).
We provide customers with a signed Data Processing Addendum (DPA) on request, including the current list of subprocessors and the applicable transfer mechanism for each.
6. Retention
- Account data: retained while your account is active and for up to 24 months after termination, unless a shorter term is required or a longer term is necessary for legal defense or legal obligations.
- Cloud cost snapshots and recommendations: retained for the period defined by your plan (see pricing) and permanently deleted thereafter.
- Billing records: retained for the period required by Colombian tax and accounting law (minimum 10 years).
- Diagnostic logs: typically retained for up to 90 days.
7. Security
We apply technical and organizational measures including:
- Encryption in transit (TLS 1.2+);
- Encryption at rest for our managed database;
- Row-level security in the database so each organization can only access its own rows;
- Cross-account IAM role-based access to AWS with read-only scope and ExternalId confused-deputy protection;
- Scrubbing of sensitive HTTP headers in error reports;
- Principle of least privilege for internal personnel.
No system is perfectly secure. We commit to notify affected users and competent authorities of a confirmed personal-data breach within the timeframes required by applicable law.
8. Your Rights
8.1 Under Colombian Law 1581/2012
As a data subject (titular), you have the right to:
- know, update and rectify your personal data, in particular when it is partial, inaccurate, incomplete, divided or misleading;
- request proof of the authorization granted;
- be informed, upon request, about the use that has been made of your personal data;
- file complaints with the Superintendencia de Industria y Comercio (SIC) for violations of Law 1581/2012;
- revoke your authorization and/or request the deletion of your data when the processing does not respect constitutional and legal principles, rights and guarantees;
- access your personal data free of charge.
8.2 Under GDPR (if you are in the EU/EEA/UK)
You have the right to access, rectify, erase, restrict, or object to processing, and the right to data portability. You may lodge a complaint with your local supervisory authority.
8.3 Under CCPA/CPRA (if you are a California resident)
You have the right to know what personal information we collect, to delete it, to correct it, to opt out of "sale" or "sharing" (we do neither), and the right to non-discrimination for exercising these rights.
8.4 How to exercise
Send your request to admin@bytewaveind.com from the email address associated with your account. We will respond within the timeframes prescribed by applicable law (15 business days in Colombia; one month under GDPR; 45 days under CCPA), and may extend once where legally permitted.
9. Children's Privacy
The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have, please contact us and we will delete it.
10. Cookies and Similar Technologies
The Service uses strictly necessary cookies for authentication (Clerk), and functional cookies to remember session preferences. We do not use advertising cookies. When we add analytics in the future, we will update this Policy and, where required, request your consent through a cookie banner.
11. Changes to this Policy
We may update this Policy to reflect changes in the Service or applicable law. Updates take effect upon posting; for material changes we will provide prominent notice in the Service or by email at least fifteen (15) days before the new version becomes effective.
12. Contact
For any privacy question, or to exercise your rights, contact us at admin@bytewaveind.com.